Is it possible to restrict AWS users/accounts to a specific region?
Solution 1:
Unfortunately you can't do this globally. However, for each AWS product that supports it, you typically can limit access to a certain region.
For instance, for EC2, you can do the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-west-1"
        }
      }
    }
  ]
}
Of course, you'd need to issue a deny rule as well where appropriate.
Here's the documentation for the above.
Solution 2:
Use something like this. This example restricts access to two AWS regions. Modify as needed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
Solution 3:
Since April 25th 2018, AWS has a global resource aws:RequestedRegion you can use to limit the regions a user can send requests to. This is independent of the service being regional or not, so you can apply it to all services.
AWS Security Blog
Unfortunately you can't use this in an organization's Service Control Policy to apply it to an account globally, and you must attach the policy to every single principal and audit that this is so, if you want to lock an account to certain regions.
Solution 4:
The accepted answer on this thread gave a Syntax Error on Policy. The policy below worked for me:
{
  "Statement": [
    {
      "Sid": "Stmt1375943389569",
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "eu-central-1"
        }
      }
    }
  ]
}
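To make the difference between the Deny-based region lock (Solutions 2 and 3) and the per-service Allow (Solution 4) concrete, here is an added example that is not part of any answer above: a small offline model of IAM evaluation covering only the two string operators these policies use. The Deny policy is the one from Solution 2; the accompanying FULL_ACCESS policy, the request contexts and the missing-key behaviour of the negated operator are modelled here as assumptions, not taken from the thread.

```python
import fnmatch
import json

# Region lock from Solution 2, embedded here so the script runs stand-alone.
REGION_LOCK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}}}]
}""")
# Constructed companion policy: the broad Allow that the Deny above is meant to fence in.
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_matches(cond, ctx):
    """Evaluate the two String operators used in this thread against a request context.
    Modelled here as: StringEquals is false when the key is absent from the context,
    while the negated StringNotEquals is true when the key is absent, so a Deny that
    relies on it still fires for requests that carry no region key at all."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {op} not modelled by this example")
        for key, values in pairs.items():
            hit = key in ctx and ctx[key] in _as_list(values)
            if op == "StringEquals" and not hit:
                return False
            if op == "StringNotEquals" and hit:
                return False
    return True

def evaluate(policies, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' using the explicit-deny-wins rule."""
    outcome = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if st["Effect"] not in ("Allow", "Deny"):   # e.g. "allow": rejected, like the console does
                raise ValueError(f"invalid Effect {st['Effect']!r}")
            patterns = [p.lower() for p in _as_list(st["Action"])]  # action names are case-insensitive
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if not condition_matches(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome

if __name__ == "__main__":
    for region in ("eu-west-1", "us-east-1"):
        ctx = {"aws:RequestedRegion": region}
        print(region, evaluate([REGION_LOCK, FULL_ACCESS], "ec2:RunInstances", ctx))
```

Swap in the Solution 4 policy to see why an Allow keyed on ec2:Region leaves every non-EC2 action at ImplicitDeny rather than explicitly denying it.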
Solution 5:
If you ask only for EC2 actions, then yes, you can limit it as mentioned in other responses. If it's other services, I am not sure you can do it... e.g. AWS Lambda does not seem to have a lambda:region you can add to a condition.