AWS Organizations - Control Access To All Accounts By ISO3166 Region

Question

Hello Team - is there a way to limit logging into any AWS account in Control Tower/Organizations by regions based on ISO 3166? As an example, i dont want anyone from an European IP address to log into any AWS Account in Organizations? I know with SCPs, you can use policies based on IP address, but is there a more wholistic way?

Answer

From the case question I understand that you would like to know if there is a way to limit access to the AWS console by geographic region such as using ISO 3166 codes.

Currently the best way to achieve that would be to restrict access to specific IP addresses with a Service Control Policy. I am attaching the following documentation that goes over this here [1]. There currently isn't another condition like "NotIpAddress" which can be used in order to limit access to the AWS console to specific countries or geographic regions.

I hope you have a great rest of your day!

References

[1] https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/

AWS Organizations - Control Access To All Accounts By ISO3166 Region

相關內容