AWS Organizations - Control Access To All Accounts By ISO3166 Region

Question

Hello Team - is there a way to limit logging into any AWS account in Control Tower/Organizations by regions based on ISO 3166? As an example, i dont want anyone from an European IP address to log into any AWS Account in Organizations? I know with SCPs, you can use policies based on IP address, but is there a more wholistic way?

Answer

From the case question I understand that you would like to know if there is a way to limit access to the AWS console by geographic region such as using ISO 3166 codes.

Currently the best way to achieve that would be to restrict access to specific IP addresses with a Service Control Policy. I am attaching the following documentation that goes over this here [1]. There currently isn't another condition like "NotIpAddress" which can be used in order to limit access to the AWS console to specific countries or geographic regions.

I hope you have a great rest of your day!

References

[1] https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/

AWS Organizations - Control Access To All Accounts By ISO3166 Region

Relevant questions

Using Cloud Trail Console to view all events in multi-account CloudTrail ( created via Organizations )

Enabling AWS Configuration on Control Tower Main Account

Many buckets created by AWSConfig StackSet (required for SecurityHub)

Transit Gateway shared with AWS Resource Access Manager (AWS RAM) identify all accounts as external

Issue building Control tower landing zone on a new account - AWS Control Tower setup failed. Be sure your account is subscribed to the AWS EC2 service, then try again

Grant Access to Control Tower created Cloudtrail S3 Bucket

Control Tower dependency to other regions?

Is there any other way to use AWS multi region access point other than cross region replication?

AWS Organizations - Control Access To All Accounts By ISO3166 Region

Unable to Launch AWS Control tower