Enable or disable Amazon Web Services Regions in your account

Regions introduced before March 20, 2019 are enabled by default – Amazon originally enabled all new Amazon Web Services Regions by default, which means you can begin creating and managing resources in these Regions immediately. You cannot enable or disable a Region that is enabled by default. Today, when Amazon adds a Region, the new Region is disabled by default. If you want your users to be able to create and manage resources in a new Region, you first need to enable that Region. The following Regions are enabled by default.

You can use IAM permissions to control access to Regions – Amazon Identity and Access Management (IAM) includes four permissions that let you control which users can enable, disable, get, and list Regions. For more information, see Amazon: Allows enabling and disabling Amazon Web Services Regions in the IAM User Guide. You can also use the aws:RequestedRegion condition key to control access to Amazon Web Services services in an Amazon Web Services Region.

Enabling a Region is free – There is no charge to enable a Region. You're charged only for resources that you create in the new Region.

Disabling a Region disables IAM access to resources in the Region – If you disable a Region that still contains Amazon resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, you lose IAM access to the resources in that Region. For example, you can't use the Amazon Web Services Management Console to view or change the configuration of any EC2 instances in a disabled Region.

Charges for active resources continue if you disable a Region – If you disable a Region that still contains Amazon resources, charges for those resources (if any) continue to accrue at the standard rate. For example, if you disable a Region that contains Amazon EC2 instances, you still have to pay the charges for those instances even though the instances are inaccessible.

Disabling a Region isn't always immediately visible – Services and consoles might be temporarily visible after disabling a region. Disabling a Region can takes a few minutes to several hours to take effect.

Enabling a Region takes a few minutes to several hours in some cases – When you enable a Region, Amazon performs actions to prepare your account in that Region, such as distributing your IAM resources to the Region. This process takes a few minutes for most accounts, but can sometimes take several hours. You cannot use the Region until this process is complete.

Organizations can have 50 region-opt requests open at a given time across an Amazon organization – The management account can at any point in time have 50 open requests pending completion for its organization. One request is equal to either an enable or disable of one particular region for one account.

A single account can have 6 region-opt requests in progress at any given time – One request is equal to either an enable or disable of one particular region for one account.

Amazon EventBridge integration – Customers can subscribe to region-opt status update notifications in EventBridge. An EventBridge notification will be created for each status change, allowing customers to automate work flows.

Expressive Region-opt status – Due to the asynchronous nature of enabling/disabling an opt-in region, there are four potential statuses for a region-opt request:

You cannot cancel an opt-in or opt-out when it is in either ENABLING or DISABLING status. Otherwise, a ConflictException will be thrown. A completed (Enabled/Disabled) region-opt request is dependent on the provisioning of key underlying Amazon services. There might be some Amazon services that will not be immediately usable despite the status being ENABLED.

Full integration with Amazon Organizations – A management account can modify or read region-opt for any member account of that Amazon organization. A member account is able to read/write their region state as well.