Amazon: Denies access to Amazon based on the requested Region - Amazon Identity and Access Management

Amazon: Denies access to Amazon based on the requested Region

This example shows how you might create an identity-based policy that denies access to any actions outside the Regions specified using the aws:RequestedRegion condition key, except for actions in the services specified using NotAction. This policy defines permissions for programmatic and console access. To use this policy, replace the placeholder text in the example policy (the list of Region names in the condition) with your own information. Then, follow the directions in create a policy or edit a policy.

This policy uses the NotAction element with the Deny effect, which explicitly denies access to all of the actions not listed in the statement. Actions in the CloudFront, IAM, Route 53, and Amazon Web Services Support services should not be denied because these are popular Amazon global services with a single endpoint that is physically located in the us-east-1 Region. Because all requests to these services are made to the us-east-1 Region, the requests would be denied without the NotAction element. Edit this element to include actions for other Amazon global services that you use, such as budgets, globalaccelerator, importexport, organizations, or waf. Some other global services, such as Amazon Chatbot and Amazon Device Farm, are global services with endpoints that are physically located in the us-west-2 Region. To learn about all of the services that have a single global endpoint, see Amazon Regions and Endpoints in the Amazon Web Services General Reference. For more information about using the NotAction element with the Deny effect, see IAM JSON policy elements: NotAction.

Important

This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideRequestedRegions",
            "Effect": "Deny",
            "NotAction": [
                "cloudfront:*",
                "iam:*",
                "route53:*",
                "support:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1",
                        "eu-west-2",
                        "eu-west-3"
                    ]
                }
            }
        }
    ]
}
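As an added illustration (not part of this documentation page or of IAM itself), the following Python walks through how this policy's single statement is evaluated for a few requests, paired with a hypothetical companion Allow policy since the Deny policy grants nothing on its own. It models only the elements this policy uses (Deny, NotAction, StringNotEquals on aws:RequestedRegion) and assumes Resource "*" matches every request, so it is a teaching model of the decision logic, not the IAM evaluator.

```python
import fnmatch
import json

# The policy from this page, embedded as a JSON string so the example runs offline.
DENY_OUTSIDE_REGIONS = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Sid": "DenyAllOutsideRequestedRegions",'
    ' "Effect": "Deny", "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],'
    ' "Resource": "*", "Condition": {"StringNotEquals": {"aws:RequestedRegion":'
    ' ["eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3"]}}}]}')

# Hypothetical companion Allow policy (an assumption): the page says the Deny grants nothing alone.
ALLOW_EC2_S3_CLOUDFRONT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudfront:*"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # IAM action names are case-insensitive; "*" is the only wildcard this policy uses.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Only StringNotEquals is modelled: true when the context value equals none of the listed values.
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        for key, values in pairs.items():
            if context.get(key) in _as_list(values):
                return False
    return True

def _statement_applies(stmt, action, context):
    # Resource is "*" in both policies, so it is assumed to match every request.
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False  # excluded via NotAction, so the Deny never reaches this action
    return _condition_holds(stmt.get("Condition", {}), context)

def evaluate(policies, action, region):
    """Simplified IAM decision: an explicit Deny wins, then an Allow, otherwise implicit deny."""
    context = {"aws:RequestedRegion": region}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision
```

Running evaluate over the two policies shows the behaviour the text describes: an s3 or ec2 call routed to us-east-1 is explicitly denied, the same call in eu-west-1 falls through to the Allow, and a cloudfront call to us-east-1 is untouched by the Deny because NotAction excludes it.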