+ acm + rds

services/organization/scp-restrict-regions.yaml

@@ -0,0 +1,42 @@
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: Policy
+metadata:
+  name: deny-non-approved-regions
+  namespace: aws-organization
+  labels:
+    policy-type: scp
+    purpose: compliance
+spec:
+  forProvider:
+    name: DenyNonApprovedRegions
+    description: Only allow specific AWS regions for compliance
+    type: SERVICE_CONTROL_POLICY
+    content: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Sid": "DenyNonApprovedRegions",
+            "Effect": "Deny",
+            "Action": "*",
+            "Resource": "*",
+            "Condition": {
+              "StringNotEquals": {
+                "aws:RequestedRegion": [
+                  "eu-west-1",
+                  "us-east-1",
+                  "us-west-2"
+                ]
+              },
+              "ArnNotLike": {
+                "aws:PrincipalArn": [
+                  "arn:aws:iam::*:role/OrganizationAccountAccessRole",
+                  "arn:aws:iam::*:role/Admin*"
+                ]
+              }
+            }
+          }
+        ]
+      }
+  providerConfigRef:
+    name: org-config