Posted On: Nov 30, 2021

You can now use AWS Control Tower to deny services and operations in your Control Tower environments for the AWS Region(s) of your choice. Region deny capabilities complement the existing AWS Control Tower Region selection and Region deselection features, giving you the means to address compliance and regulatory requirements while improving the cost efficiency of expanding into additional Regions.

Control Tower Region deny helps you comply with business policies and regulatory requirements. For example, AWS customers in Germany can deny access to AWS services in Regions outside of the Frankfurt Region. You can select the Regions in which you would like to restrict your end users from deploying resources, either during the Control Tower setup process or, for already established environments, on the Landing zone settings page. Region deny is available when you update your AWS Control Tower landing zone version. To learn more about Region deny, including which AWS services are exempt, see the Guardrail Reference documentation.

AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Customers will create new accounts using AWS Control Tower’s account factory and enable governance features such as guardrails, centralized logging and monitoring in supported AWS Regions. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.