Error: creating Organizations Policy: MalformedPolicyDocumentException


I have the following Terraform based on the recommended SCP:

data "aws_iam_policy_document" "restrict-regions-policy" {
  statement {
    sid    = "RegionRestriction"
    effect = "Deny"
    not_actions = [
    actions   = ["*"]
    resources = ["*"]

    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values = [

resource "aws_organizations_policy" "restrict-regions" {
  name        = "restrict-regions"
  description = "Deny all regions except the ones we use"
  content     = data.aws_iam_policy_document.restrict-regions-policy.json

When I am trying to deploy it I get the following error:

Plan: 2 to add, 0 to change, 0 to destroy.
aws_organizations_policy.restrict-regions: Creating...
│ Error: creating Organizations Policy (restrict-regions): MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type.
│   with aws_organizations_policy.restrict-regions,
│   on line 63, in resource "aws_organizations_policy" "restrict-regions":
│   63: resource "aws_organizations_policy" "restrict-regions" {

I am not sure what is missing from the policy document.

1 Answer
Accepted Answer

I have narrowed it down. Action and NotAction and mutually exclusive. Removing Action fixed the issue.

answered 5 months ago
profile pictureAWS
reviewed 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions