Policy: AWS > Turbot > Permissions > Lockdown > Region Boundary

Define a list of regions to which API calls can be made. Any API to any region that does not appear in this list will be explicitly denied. The '*' wildcard may be used in these values.

Note that this policy disables the region for ALL users and roles, and Guardrails will have no access to any regions that do not appear in the list.

Global services (such as IAM) are not subject to the Region Boundary

Targets

This policy targets the following resource types:

AWS > Account

Primary Policy

This policy is used with the following primary policy:

AWS > Turbot > Permissions > Lockdown

Controls

Setting this policy configures these controls:

Policy Specification

Schema Type	`array`
Default	`- '*'`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/iamPermissions

Policy Type URI

tmod:@turbot/aws-iam#/policy/types/permissionsLockdownRegionBoundary

GraphQL

query policyType(id: "tmod:@turbot/aws-iam#/policy/types/permissionsLockdownRegionBoundary") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLockdownRegionBoundary'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLockdownRegionBoundary'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-iam#/policy/types/permissionsLockdownRegionBoundary"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-iam#/policy/types/permissionsLockdownRegionBoundary"