Amazon: Denies access to Amazon based on the requested Region
This example shows how you might create an identity-based policy that denies access to any actions outside the Regions specified using the aws:RequestedRegion condition key, except for actions in the services specified using NotAction. This policy defines permissions for programmatic and console access. To use this policy, replace the italicized placeholder text in the example policy with your own information.
Then, follow the directions in create a policy or edit a policy.
This policy uses the NotAction element with the Deny effect, which explicitly denies access to all of the actions not listed in the statement. Actions in the CloudFront, IAM, Route 53, and Amazon Web Services Support services should not be denied because these are popular Amazon global services with a single endpoint that is physically located in the us-east-1 Region. Because all requests to these services are made to the us-east-1 Region, the requests would be denied without the NotAction element. Edit this element to include actions for other Amazon global services that you use, such as budgets, globalaccelerator, importexport, organizations, or waf. Some other global services, such as Amazon Chatbot and Amazon Device Farm, are global services with endpoints that are physically located in the us-west-2 Region. To learn about all of the services that have a single global endpoint, see Amazon Regions and Endpoints in the Amazon General Reference. For more information about using the NotAction element with the Deny effect, see IAM JSON policy elements: NotAction.
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideRequestedRegions",
            "Effect": "Deny",
            "NotAction": [
                "cloudfront:*",
                "iam:*",
                "route53:*",
                "support:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1",
                        "eu-west-2",
                        "eu-west-3"
                    ]
                }
            }
        }
    ]
}
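The following added example (not part of the original documentation) walks a few constructed requests through the statement above to show how NotAction and StringNotEquals combine. It is a simplified evaluator that handles only the elements this policy uses; the function names are hypothetical, and the Region attached to each sample request is an assumption made for illustration.

```python
import re

# The policy from this page, embedded so the example runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideRequestedRegions",
        "Effect": "Deny",
        "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": [
            "eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3"]}},
    }],
}

def action_matches(pattern, action):
    """Action match: case-insensitive, with '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def is_explicitly_denied(policy, action, requested_region):
    """True if a Deny statement of the shape above applies to the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement covers every action EXCEPT the listed ones.
        if any(action_matches(p, action) for p in stmt["NotAction"]):
            continue
        regions = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        # StringNotEquals with several values holds only if none of them match.
        if requested_region not in regions:
            return True
    return False

def with_exempt_service(policy, action_pattern):
    """Copy of the policy with one more service exempted via NotAction."""
    stmt = dict(policy["Statement"][0])
    stmt["NotAction"] = stmt["NotAction"] + [action_pattern]
    return {"Version": policy["Version"], "Statement": [stmt]}

# Constructed sample requests: (action, requested Region).
SAMPLES = [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "eu-west-1"),
           ("iam:CreateUser", "us-east-1"), ("budgets:ViewBudget", "us-east-1")]

if __name__ == "__main__":
    for action, region in SAMPLES:
        verdict = "explicit deny" if is_explicitly_denied(POLICY, action, region) \
            else "not denied here; still needs an Allow from another policy"
        print(f"{action:22} {region:10} -> {verdict}")
```

The budgets request is denied until `with_exempt_service(POLICY, "budgets:*")` adds that service to NotAction, which is the edit the text recommends for other global services you use.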