Guardrail: Deny access to AWS based on the requested AWS RegionInfo - how to customize the Guardrail SCP??

Question

Hello if you use the Region deny option in AWS Control Tower ist set the Guardrail: Deny access to AWS based on the requested AWS RegionInfo. In this Guardrail the SCP is missing the global Service "Artifact" in the SCP Part` "Resource": "*",
      "Effect": "Deny",
      "NotAction": [....`
How can i customize this SCP?

Answer

Hi, I believe the best way to do that is with your own custom SCP deployment rather than use the Region Deny setting in Control Tower, as it can't be modified. You can use the same template that Control Tower uses via [this link](https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#primary-region-deny-policy). And deploy it via your own processes, which may use [Customizations for Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html), [Account Factory for Terraform](https://docs.aws.amazon.com/controltower/latest/userguide/aft-getting-started.html) or other infrastructure as code process.

Guardrail: Deny access to AWS based on the requested AWS RegionInfo - how to customize the Guardrail SCP??

관련 콘텐츠