Posted On: Jul 28, 2022

AWS Control Tower has updated its Region deny guardrail to exempt additional AWS global service APIs that retrieve configuration settings and dashboard information and that support an interactive chat agent. The Region deny guardrail, "Deny access to AWS based on the requested AWS Region", helps you limit access to AWS services and operations for enrolled accounts in your AWS Control Tower environment. The AWS Control Tower Region deny guardrail helps ensure that any customer data you upload to AWS services is located only in the AWS Regions that you specify. You select the AWS Region or Regions in which your customer data is stored and processed.

Additions to the Region deny exemptions list include select APIs for AWS Chatbot, Amazon S3 Storage Lens, and Amazon S3 Multi-Region Access Points. To see the full list of API exemptions, see the Region deny guardrail policy. The new Region deny guardrail is available when you update your AWS Control Tower landing zone to version 3.0.
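To make the mechanism concrete, here is an added example (not AWS Control Tower's own policy or code) that models how a Region deny service control policy is evaluated: a Deny statement whose NotAction list exempts global-service APIs and whose condition fires when aws:RequestedRegion is outside the governed Regions. The governed Region list and the exempted action names are assumptions chosen for illustration; the authoritative exemption list is the Region deny guardrail policy in the Control Tower documentation.

```python
"""Toy evaluator for a Control Tower-style Region deny SCP (constructed example)."""
import fnmatch

# Regions the landing zone permits (assumed values for this example).
GOVERNED_REGIONS = ["eu-west-1", "eu-central-1"]

# Illustrative global-service exemptions; the real guardrail's list differs.
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRREGIONDENY",
        "Effect": "Deny",
        "NotAction": [
            "iam:*", "sts:*", "organizations:*", "support:*",
            "chatbot:*",                        # AWS Chatbot
            "s3:GetStorageLensDashboard",       # S3 Storage Lens
            "s3:ListStorageLensConfigurations",
            "s3:GetMultiRegionAccessPoint",     # S3 Multi-Region Access Points
            "s3:ListMultiRegionAccessPoints",
        ],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS}},
    }],
}

def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)

def _condition_holds(condition, context):
    """Models only StringNotEquals; the request context always carries the Region."""
    for key, allowed in condition.get("StringNotEquals", {}).items():
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if context[key] in allowed:
            return False
    return True

def is_denied_by_scp(policy, action, region):
    """True if a Deny statement applies to this request (an SCP only denies;
    final access still needs an Allow from the SCP chain and IAM)."""
    context = {"aws:RequestedRegion": region}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            applies = not _action_matches(stmt["NotAction"], action)
        else:
            applies = _action_matches(stmt["Action"], action)
        if applies and _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

Without the NotAction exemptions, every IAM or STS call (which signs against a global endpoint reported as us-east-1) would be denied, which is why the guardrail carries an exemption list at all.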

The Region deny feature complements the existing Region selection and Region deselection features in AWS Control Tower. Together, these features help you address compliance and regulatory concerns while balancing the costs associated with expanding into additional Regions. You can select restricted Regions during the AWS Control Tower setup process or on the Landing zone settings page. To learn more, see Configure the Region deny guardrail. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.