How do I enforce a policy to block access to specific regions without updating all of my policies?

amazon-web-services amazon-iam

Service Control Policies do exactly what you've asked for. You can block regions, but beware some services are global so need to be whitelisted. For example IAM, WAF, Route53, CloudFront, some parts of S3 need to be whitelisted to run outside the permitted regions.

The AWS Service Control Policy Example page has this as the first example as it's the most common use case for SCPs. This policy denies regions outside the two listed, it's easy to change

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideEU",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "acm:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "awsbillingconsole:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "config:*",
                "cur:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "fms:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "mobileanalytics:*",
                "networkmanager:*",
                "organizations:*",
                "pricing:*",
                "route53:*",
                "route53domains:*",
                "s3:GetAccountPublic*",
                "s3:ListAllMyBuckets",
                "s3:PutAccountPublic*",
                "shield:*",
                "sts:*",
                "support:*",
                "trustedadvisor:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                        "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
                    ]
                }
            }
        }
    ]
}

Related

How can I transfer a dedicated bare metal server into a VM?
Boot without nftables | Debian 10
Viewing previous query results from SQL Server Management Studio
Running a script using service in Debian 10
Why might a return statement in nginx.conf return a plain text file location to the browser instead of the actual file to be rendered?
automated creation of a configuration file with ansible (or something else)
How to in-place register a VM to the host's default location
Accurate identities related to $\sum\limits_{n=0}^{\infty}\frac{(2n)!}{(n!)^3}x^n$ and $\sum\limits_{n=0}^{\infty}\frac{(2n)!}{(n!)^4}x^n$
The first Stiefel-Whitney class is zero if and only if the bundle is orientable
$f_n(x_n) \rightarrow f(x) $ by uniform convergence
A Good Book for Mathematical Probability Theory [duplicate]
A Brownian motion $B$ that is discontinuous at an independent, uniformly distributed random variable $U(0,1)$