Pros and cons of restricting user access to certain regions

Question

Hello,
Are there any drawbacks I should be aware of if we restrict user access to only a single region?

We use a variety of AWS services but mainly S3 and Sagemaker Studio. Our team is located in various locations so their default regions are different.  It has been a challenge to keep track of studio instances when they are created in different regions so we are now considering restricting access to a single region. Are there issues that we may face in that case? Any services we may miss?

Accepted Answer

I would take a look at [this](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region) for some potential edge cases. In summary, you may need to allow us-east-1 and us-west-2 in addition to whatever regions your team is in since they host some of the global service endpoints (like IAM, Route 53, Global Accelerator, and a few others). For STS, I would use the [regional endpoints](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) if you aren't already.

Pros and cons of restricting user access to certain regions

相关内容