AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-07-25 · Documentation medium

File: prescriptive-guidance/latest/privacy-reference-architecture/restrict-data-transfers-across-regions.md

Summary

Added comprehensive SCP for regional data transfer restrictions

Security assessment

Detailed example policy implements data residency controls through region-based access limitations

Diff

diff --git a/prescriptive-guidance/latest/privacy-reference-architecture/restrict-data-transfers-across-regions.md b/prescriptive-guidance/latest/privacy-reference-architecture/restrict-data-transfers-across-regions.md
index 8666e150d..5d4a8ee7f 100644
--- a//prescriptive-guidance/latest/privacy-reference-architecture/restrict-data-transfers-across-regions.md
+++ b//prescriptive-guidance/latest/privacy-reference-architecture/restrict-data-transfers-across-regions.md
@@ -12,0 +13,69 @@ With the exception of two AWS Identity and Access Management (IAM) roles, this s
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "DenyAllOutsideEU",
+                "Effect": "Deny",
+                "NotAction": [
+                    "a4b:*",
+                    "acm:*",
+                    "aws-marketplace-management:*",
+                    "aws-marketplace:*",
+                    "aws-portal:*",
+                    "budgets:*",
+                    "ce:*",
+                    "chime:*",
+                    "cloudfront:*",
+                    "config:*",
+                    "cur:*",
+                    "directconnect:*",
+                    "ec2:DescribeRegions",
+                    "ec2:DescribeTransitGateways",
+                    "ec2:DescribeVpnGateways",
+                    "fms:*",
+                    "globalaccelerator:*",
+                    "health:*",
+                    "iam:*",
+                    "importexport:*",
+                    "kms:*",
+                    "mobileanalytics:*",
+                    "networkmanager:*",
+                    "organizations:*",
+                    "pricing:*",
+                    "route53:*",
+                    "route53domains:*",
+                    "route53-recovery-cluster:*",
+                    "route53-recovery-control-config:*",
+                    "route53-recovery-readiness:*",
+                    "s3:GetAccountPublic*",
+                    "s3:ListAllMyBuckets",
+                    "s3:ListMultiRegionAccessPoints",
+                    "s3:PutAccountPublic*",
+                    "shield:*",
+                    "sts:*",
+                    "support:*",
+                    "trustedadvisor:*",
+                    "waf-regional:*",
+                    "waf:*",
+                    "wafv2:*",
+                    "wellarchitected:*"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringNotEquals": {
+                        "aws:RequestedRegion": [
+                            "eu-central-1",
+                            "eu-west-1"
+                        ]
+                    },
+                    "ArnNotLike": {
+                        "aws:PrincipalARN": [
+                            "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
+                            "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+