AWS Organization restricts operations to only the configured AWS Regions with SCP policies
organizations_scp_check_deny_regions
AWS Organizations service control policies (SCPs) can limit account actions to approved Regions with a Deny statement conditioned on aws:RequestedRegion.
This check evaluates whether such an SCP exists and whether its Region list matches the configured allowlist exactly, rather than restricting only some Regions.
Risk
Without comprehensive Region limits, users or attackers can deploy resources in ungoverned locations, bypassing monitoring and guardrails.
Impacts:
- Data outside approved jurisdictions (confidentiality)
- Policy gaps and drift (integrity)
- IR blind spots and unexpected cost (availability)
prowler aws --checks organizations_scp_check_deny_regions
Recommendation
Enforce Region governance with SCPs that deny every request whose aws:RequestedRegion is outside the approved list (deny-by-default).
Apply the policy across the relevant OUs and accounts, with narrow exceptions for the global services you depend on: IAM, STS, Organizations, CloudFront, Route 53 and Support are served from us-east-1, so a blanket Deny on every other Region blocks them unless they are exempted (for example with NotAction) or us-east-1 is on the allowlist. Review the policy regularly and keep it aligned with least privilege, data residency requirements, and continuous monitoring.
Remediation
- In the AWS Management Console, go to AWS Organizations
- In Policies, ensure Service control policies are Enabled (click Enable if needed)
- Go to Policies > Service control policies > Create policy
- Paste this JSON as the policy content and save (Action and Resource are both the wildcard "*"; replace the placeholders with your allowlisted Regions):
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "StringNotEquals": {
            "aws:RequestedRegion": ["<REGION_1>", "<REGION_2>"]
          }
        }
      }
    ]
  }
  If us-east-1 is not on the allowlist, replace "Action": "*" with a "NotAction" list of the global services you depend on (for example iam:*, sts:*, organizations:*, route53:*, cloudfront:*, support:*); those APIs are served from us-east-1 and would otherwise be denied by this statement.
- Attach the policy to the organization root (r-xxxx), target OU, or specific account
- Verify the policy is attached and shows as Applied to the intended target
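The following Python example is added here to illustrate both the check described at the top of the page and the remediation steps above; it is not Prowler's own code and not an AWS-published policy. It builds the deny-regions SCP (optionally with a NotAction exemption for global services) and evaluates a set of SCP documents the way the page describes the check: PASS only when a Deny statement on aws:RequestedRegion covers exactly the configured allowlist, FAIL when no such statement exists or when it covers a different set of Regions. The allowlist, the sample policies and the exemption list are constructed for the example; the allowlist corresponds to what Prowler reads from its config file (assumed here to be the organizations_enabled_regions key).

```python
"""Build a deny-regions SCP and evaluate SCPs against a Region allowlist.

Added example, not Prowler's code. The exemption list, sample policies and
allowlist below are constructed for illustration.
"""
import json

# Global services route their API calls through us-east-1, so a blanket Deny
# on every other Region would also deny these. Assumed list; tailor it.
GLOBAL_SERVICE_EXEMPTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "health:*",
]

# Constructed allowlist (what organizations_enabled_regions would hold).
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]


def build_deny_regions_scp(allowed_regions, exempt_actions=None):
    """Return the SCP document from the remediation steps.

    With exempt_actions=None the statement denies "Action": "*" outside the
    allowlist (the page's JSON); with a list it uses NotAction so global
    services keep working even when us-east-1 is not allowlisted.
    """
    if not allowed_regions:
        raise ValueError("the Region allowlist must not be empty")
    statement = {
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": sorted(set(allowed_regions))}
        },
    }
    if exempt_actions:
        statement["NotAction"] = sorted(exempt_actions)
    else:
        statement["Action"] = "*"
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    # IAM policy JSON allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]


def denied_region_allowlist(statement):
    """Regions a Deny statement allowlists via StringNotEquals, or None."""
    if statement.get("Effect") != "Deny":
        return None
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() != "stringnotequals":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:requestedregion":  # condition keys are case-insensitive
                return set(_as_list(value))
    return None


def evaluate_region_scps(policies, allowed_regions):
    """PASS only when some Deny statement covers exactly the allowlist."""
    wanted = set(allowed_regions)
    partial = []
    for name, document in policies.items():
        for statement in _as_list(document.get("Statement", [])):
            regions = denied_region_allowlist(statement)
            if regions is None:
                continue
            if regions == wanted:
                return {"status": "PASS", "policy": name, "regions": sorted(regions)}
            partial.append((name, sorted(regions)))
    if partial:
        return {"status": "FAIL", "reason": "restricts some Regions, not the configured allowlist", "partial": partial}
    return {"status": "FAIL", "reason": "no SCP restricts aws:RequestedRegion", "partial": []}


# Constructed SCPs: the default allow-all policy and a guard that only
# allowlists one Region (and uses the single-string condition form).
SAMPLE_POLICIES = {
    "FullAWSAccess": {"Version": "2012-10-17",
                      "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    "PartialRegionGuard": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}}]},
}

if __name__ == "__main__":
    print(evaluate_region_scps(SAMPLE_POLICIES, ALLOWED_REGIONS))
    fixed = dict(SAMPLE_POLICIES,
                 RegionGuard=build_deny_regions_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_EXEMPTIONS))
    print(evaluate_region_scps(fixed, ALLOWED_REGIONS))
    print(json.dumps(fixed["RegionGuard"], indent=2))  # paste into the console
```

Run as-is it first reports FAIL because the only Region guard allowlists eu-west-1 alone, then PASS once the generated policy is added; the printed document is the one to paste at the "Create policy" step. The evaluator deliberately ignores Allow statements and operators other than StringNotEquals, since only "deny unless the Region is in the list" expresses a Region guard.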
Source Code
Resource Type
Other