Certified Security - Specialty


resources launched in an unapproved region?

I am having trouble with this question: How can one provide alerts on any resources launched in an unapproved region?

Should I use CloudTrail or CloudWatch for this?

1 Answer

Hi Hadi

Great question!  It’s certainly a good idea to set up alerting for various areas of governance including regions.  I would be proactive for accounts which need to be locked down to specific regions and use a combination of IAM policies and service limits.  If you raise a support request with AWS they will be able to set limits to zero for key services in regions where you mustn’t deploy resources.  In addition you can create some policies which deny access to all services where they are in given regions.  For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideApprovedRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1"
                    ]
                }
            }
        }
    ]
}

The above snippet will allow you to deny access to perform API calls outside of us-east-1.  This in combination with service limits in all other regions would be a good way to lock the accounts down.

You can also use CloudFormation StackSets to deploy CloudTrail and Config in all regions. An aggregated view of all accounts and all regions would also let you detect resources in unauthorised regions. Config would help you detect the presence of the resource, whereas CloudTrail would be the service you’d want to use to see who actually created the resource.

Let me know if you think of any other good ways to implement these kinds of controls :c)
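The answer above covers the detection side in prose only: Config finds the resource, CloudTrail shows who created it. As an added example (not from the original thread and not AWS code), here is a small Python script that scans CloudTrail records in the shape CloudTrail writes to S3 (a JSON object with a "Records" array), keeps only write-type API calls made outside an approved region list, and produces one alert line per call naming the caller, source IP and whether the call succeeded. The approved-region set, the read-only name prefixes and the sample records are assumptions constructed for this example; pass a real downloaded CloudTrail file as the first argument to run it against live data.

```python
import json
import sys

# Regions this account is allowed to use (assumption for the example).
APPROVED_REGIONS = {"us-east-1"}

# API names starting with these prefixes do not create resources. CloudTrail
# also marks such calls with "readOnly": true; either signal is honoured.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head", "Lookup")

# Constructed sample records (not real log data) in the CloudTrail file shape.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-15T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "readOnly": True,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-15T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-01-15T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-south-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7", "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "CreateTable", "awsRegion": "ap-southeast-2", "readOnly": False,
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-build-42"}},
]})


def is_write_event(record):
    """True for calls that can create or change a resource."""
    if record.get("readOnly") is True:
        return False
    return not record["eventName"].startswith(READ_ONLY_PREFIXES)


def find_unapproved(log_text, approved=APPROVED_REGIONS):
    """Return one finding per write call made outside the approved regions.

    Denied calls (errorCode present) are kept and marked succeeded=False: a
    failed RunInstances in a locked-down region still deserves an alert,
    because it shows someone trying to work around the region policy.
    """
    findings = []
    for record in json.loads(log_text)["Records"]:
        if record["awsRegion"] in approved or not is_write_event(record):
            continue
        service = record["eventSource"].split(".")[0]
        findings.append({
            "time": record["eventTime"],
            "region": record["awsRegion"],
            "action": f"{service}:{record['eventName']}",
            "actor": record.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": record.get("sourceIPAddress"),
            "succeeded": "errorCode" not in record,
        })
    return findings


def format_alert(finding):
    """One line per finding, suitable for an SNS message body or a SIEM."""
    outcome = "CREATED" if finding["succeeded"] else "ATTEMPTED (denied)"
    return (f"{finding['time']} {outcome} {finding['action']} in "
            f"{finding['region']} by {finding['actor']} from {finding['source_ip']}")


if __name__ == "__main__":
    # Use a downloaded CloudTrail file if given, otherwise the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in find_unapproved(text):
        print(format_alert(finding))
```

Two points to keep in mind when adapting this. CloudTrail records for global services such as IAM and STS carry awsRegion us-east-1, so they pass the filter here; if your approved list does not include us-east-1, exclude those services explicitly rather than alerting on every IAM call. And the script reports the userIdentity ARN as logged, which for a role session includes the session name (ci-build-42 in the sample), which is usually the most useful "who" for the follow-up the question asks about.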

Hadi W

Ah! I think that answer is it when you said CloudTrail would be the service to use to see who created the resource. Thank you!
