SCP to restrict AWS regions and the weird behaviour of AWS global services

Navneet
3 min read, Feb 15, 2023
Service Control Policy (SCP)

Introduction

As a best practice, to keep cost under control and to simplify security governance (managing two AWS regions is naturally easier than managing ten), enterprises typically allow access to only a few AWS regions. Here is the Service Control Policy (SCP) from the AWS documentation that restricts region usage. It denies every action outside the listed regions, except for the global services exempted under NotAction.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideEU",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*",
        "chime:*",
        "cloudfront:*",
        "config:*",
        "cur:*",
        "directconnect:*",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnGateways",
        "fms:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "importexport:*",
        "kms:*",
        "mobileanalytics:*",
        "networkmanager:*",
        "organizations:*",
        "pricing:*",
        "route53:*",
        "route53domains:*",
        "s3:GetAccountPublic*",
        "s3:ListAllMyBuckets",
        "s3:PutAccountPublic*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf-regional:*",
        "waf:*",
        "wafv2:*",
        "wellarchitected:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}

The above SCP made me wonder why I couldn't keep it as simple as the version below. My reasoning was that global services like IAM and Route 53 do not depend on a specific AWS region, so restricting regions through an SCP should not affect them and the long NotAction exemption list should be unnecessary. So I created my own version of the SCP, shown below, and attached it to my AWS account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DisableRegions",
      "Effect": "Deny",
      "Action": [
        "*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2"
          ]
        }
      }
    }
  ]
}

Let's test this out. IAM works fine:

Global service IAM works fine with my version of region-restriction SCP

Route 53 works fine too:

Global service Route53 works fine with my version of region-restriction SCP

But there is an issue with AWS Network Manager: we can't access our global networks, even though Network Manager is a global service and the region-restriction SCP should, by my reasoning, not block it.

Global service AWS Network Manager does not work with my version of region-restriction SCP

Conclusion

Although IAM, Route 53, and Network Manager are all global services, they behave differently under this SCP. The reason is how aws:RequestedRegion is populated for a global service: the key is set to the region of the service's single endpoint, not to the region the caller configured. IAM and Route 53 are served from us-east-1, which my SCP happens to allow, so they keep working. Network Manager's API is served from us-west-2, which my SCP denies, so every Network Manager call is blocked. Had I allowed only us-east-2, or only EU regions as in the AWS example, IAM and Route 53 would have broken too. That is why the AWS version explicitly exempts the global services under NotAction: it makes the policy independent of which endpoint region each global service happens to use. Before attaching a region-restriction SCP, call every global service you rely on from an account the SCP applies to and confirm it still works, and revisit the NotAction list whenever you start using a new global service.
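To make the endpoint-region behaviour concrete, here is a small simulator of how the two SCPs above treat calls to global and regional services. This is an added example, not code from the original post or from AWS. It models only the pieces the post relies on (Deny statements with Action or NotAction, a StringEquals/StringNotEquals condition on aws:RequestedRegion, and a call to a global service being evaluated in the region of that service's single endpoint); the GLOBAL_SERVICE_ENDPOINT_REGION table is an assumed lookup for this example, and the AWS SCP's NotAction list is trimmed to the entries the simulation exercises.

```python
"""Simulate how region-restriction SCPs treat global-service calls.

Added example, not code from the original post. Models Deny statements with
Action/NotAction, StringEquals/StringNotEquals on aws:RequestedRegion, and the
fact that a global service's call is evaluated in its endpoint's region.
"""
import fnmatch

# Endpoint region per global service (assumed lookup table for this example).
# Regional services are absent: aws:RequestedRegion is the region targeted.
GLOBAL_SERVICE_ENDPOINT_REGION = {
    "iam": "us-east-1",
    "route53": "us-east-1",
    "cloudfront": "us-east-1",
    "networkmanager": "us-west-2",
    "globalaccelerator": "us-west-2",
}

# The post's simplified SCP: deny everything outside two US regions.
SIMPLE_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DisableRegions", "Effect": "Deny", "Action": ["*"], "Resource": "*",
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "us-east-2"]}}}]}

# The AWS example, NotAction list trimmed to the entries exercised below.
AWS_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllOutsideEU", "Effect": "Deny", "Resource": "*",
    "NotAction": ["ec2:DescribeRegions", "iam:*", "networkmanager:*",
                  "route53:*", "sts:*"],
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}}}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction applies to this action."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def _condition_holds(condition, context):
    # Every operator block and every key inside it must hold (AND semantics).
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringNotEquals":
                ok = actual not in _as_list(expected)
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def requested_region(action, configured_region):
    """Region AWS places in aws:RequestedRegion for this call."""
    service = action.split(":", 1)[0].lower()
    return GLOBAL_SERVICE_ENDPOINT_REGION.get(service, configured_region)


def scp_blocks(scp, action, configured_region):
    """True if any Deny statement in the SCP matches the call."""
    context = {"aws:RequestedRegion": requested_region(action, configured_region)}
    return any(
        stmt.get("Effect") == "Deny"
        and _statement_covers(stmt, action)
        and _condition_holds(stmt.get("Condition", {}), context)
        for stmt in scp["Statement"]
    )


if __name__ == "__main__":
    calls = [("iam:GetUser", "us-east-1"), ("route53:ListHostedZones", "us-east-1"),
             ("networkmanager:DescribeGlobalNetworks", "us-east-1"),
             ("ec2:DescribeRegions", "us-east-1"), ("ec2:RunInstances", "us-west-2")]
    for name, scp in (("SIMPLE_SCP", SIMPLE_SCP), ("AWS_SCP", AWS_SCP)):
        for action, region in calls:
            verdict = "BLOCKED" if scp_blocks(scp, action, region) else "allowed"
            print(f"{name:10} {action:38} -> {requested_region(action, region):11} {verdict}")
```

Running it shows the post's result: under SIMPLE_SCP the IAM and Route 53 calls are evaluated in us-east-1 and pass, while the Network Manager call is evaluated in us-west-2 and is blocked regardless of the region the caller configured; under AWS_SCP the same Network Manager call passes because networkmanager:* is exempted by NotAction, while a regional call such as ec2:RunInstances in us-east-1 is still denied.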

References

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion
