Cannot Restrict AWS Regions in my Account

I would like to disable all but one region in an AWS account. I have followed the instructions in the documentation precisely.

[Image: Disable Region Instructions]

Following these instructions leads me to this list of regions.

[Image: Region List is not Editable]

Unfortunately, (Hong Kong notwithstanding) none of the regions in this list appear to be editable in any way. In other words, I cannot disable any of these regions. My goal is to have an account where only one region (us-west-2) is usable.

How can I accomplish this? The documentation seems to be incorrect or incomplete.

Note: This AWS Account is part of an Organization and it is not the root account of the Organization. This may be a source of discrepancy between my setup and the documentation.

P.S.: I just noticed that the documentation says "Not all regions can be disabled." I previously thought this meant "you cannot disable all regions," but I guess it means that there are regions which cannot be disabled.

So I guess the question becomes, how can I disable all but one region, for all services and actions using a policy? What would that policy JSON look like? I tried but could not come up with a valid policy.

Matthew James Briggs asked Oct 17 '25 12:10



1 Answer

Only new regions (launched March 2019 or later) can be enabled/disabled at this time.

It's always been possible to restrict regions by setting up a policy condition, e.g.:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "eu-central-1"
                }
            }
        }
    ]
}

This works fine if limiting for just one service, but is a pain if we want to limit many services since the condition we specified (ec2:Region) is only valid for EC2 actions.

Since last year, there's a new way to control access across many services using aws:RequestedRegion. Here's an example from AWS documentation limiting some EC2, RDS and Lambda actions to one specific region:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "rds:CreateDBInstance",
                "rds:CreateDBCluster",
                "lambda:CreateFunction",
                "lambda:InvokeFunction"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        }
    ]
}

See the AWS Security Blog for the full policy example.

peekay answered Oct 19 '25 02:10



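The answer shows Allow statements scoped with aws:RequestedRegion; the question also asks for a policy that blocks everything outside one region. The following is an added example, not code from the answer or from AWS: it builds a deny-style Organizations SCP for us-west-2 (global services, which have no region of their own, are exempted via NotAction; that exemption list is an assumption, not AWS's official list) and includes a small, simplified evaluator so you can check which (action, region) calls the statement would deny before attaching it.

```python
import fnmatch

# Constructed example, not taken from the answer: an SCP that denies every
# action whose requested region is not us-west-2. The global-service exemption
# list below is an assumption for illustration, not AWS's official list.
ALLOWED_REGION = "us-west-2"
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                          "route53:*", "cloudfront:*", "budgets:*", "health:*"]

REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedRegion",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGION}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names match case-insensitively and '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _statement_applies(stmt, action, region):
    """Simplified IAM matching: Action / NotAction plus StringEquals or
    StringNotEquals on aws:RequestedRegion; other condition keys are ignored."""
    if "Action" in stmt and not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if "aws:RequestedRegion" not in keys:
            continue
        wanted = _as_list(keys["aws:RequestedRegion"])
        if operator == "StringEquals" and region not in wanted:
            return False
        if operator == "StringNotEquals" and region in wanted:
            return False
    return True

def is_denied(policy, action, region):
    """True when an explicit Deny matches; in an SCP that blocks the call
    no matter what the identity's own IAM policies allow."""
    return any(s["Effect"] == "Deny" and _statement_applies(s, action, region)
               for s in policy["Statement"])
```

Before attaching such an SCP, run your own service list through `is_denied` and verify in the IAM policy simulator: a global service missing from the exemption list is silently denied everywhere.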
