I’m trying to put together a high level process for denying access to specific AWS regions and I’m realizing this is a bit more difficult then I originally thought.
From reading this, it seems many global services require access to us-east-1, but this isn’t guaranteed.
> Some other global services, such as AWS Chatbot and AWS Device Farm, are global services with endpoints that are physically located in the us-west-2
region.
Is anyone aware of a up to date list of all AWS global services along with what regions they depend on? I.E if you use this service, you do not want to deny access via SCP policies to X region.
Secondly does anyone have any advice for testing SCPs that disable regions? I imagine you would want to check usage in CloudTrail before hand (may not catch data plane events though) as well as IAM last accessed info before hand (no history), anything else worth checking here?