1 Answer
Hello.
You should be able to use the AWS service actions that you want to exclude from region restrictions by adding them to the "NotAction" list, as shown in the policy below.
With the IAM policy below, requests can be made in the region listed in "aws:RequestedRegion".
As an exception, actions listed in the "NotAction" list can be requested from any region.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideRequestedRegions",
      "Effect": "Deny",
      "NotAction": [
        "cloudfront:*",
        "iam:*",
        "route53:*",
        "support:*",
        "globalaccelerator:*",
        "networkmanager:*",
        "shield:*",
        "waf:*",
        "wafv2:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1",
            "eu-west-2",
            "eu-west-3"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllActions",
      "Effect": "Allow",
      "Action": [
        "Actions you want to allow"
      ],
      "Resource": "*"
    }
  ]
}
```
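To see how the Deny statement with NotAction and StringNotEquals combines with the Allow statement, here is an added Python evaluator that is not part of the answer or any AWS tooling; it models only the subset of IAM evaluation the policy above uses (explicit deny wins over allow, wildcard action matching, StringNotEquals on aws:RequestedRegion). POLICY is a constructed, shortened copy of the answer's policy with a few assumed allowed actions filled in.

```python
import fnmatch

# Constructed, reduced copy of the policy from the answer. The second statement's
# action list is an assumption standing in for "Actions you want to allow".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideRequestedRegions",
            "Effect": "Deny",
            "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}},
        },
        {"Sid": "AllowAllActions", "Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "iam:*"], "Resource": "*"},
    ],
}


def _action_matches(stmt, action):
    """Does the statement's Action/NotAction clause cover this action?"""
    action = action.lower()  # IAM action names are matched case-insensitively
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p.lower()) for p in stmt["Action"])
    # NotAction: the statement applies to every action NOT listed.
    return not any(fnmatch.fnmatchcase(action, p.lower()) for p in stmt["NotAction"])


def _condition_holds(stmt, context):
    """Only StringNotEquals is modelled; a missing key makes a negated match true."""
    for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if context.get(key) in values:
            return False
    return True


def evaluate(policy, action, context):
    """Simplified IAM logic: any matching Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action) or not _condition_holds(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

Note that an action exempted by NotAction (route53:* here) is only spared the Deny; it still needs its own Allow statement. Against a real account the same questions can be put to `aws iam simulate-custom-policy`, supplying aws:RequestedRegion through `--context-entries`.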
Thank you. However, I want an IAM that doesn't need to know every single service provided in the global region.