Docs: Disabling specific regions

[matt-mccarty-clearscale]

Document how to disable specific regions in specific accounts/ous.

Attempt 1

aws account disable-region --region-name=us-east-1 --account-id ACCOUNTID

An error occurred (AccessDeniedException) when calling the DisableRegion operation: User: USERARN is not authorized to perform: account:DisableRegion (Your organization must first enable trusted access with AWS Account Management.)

Attempt 2

Enable AWS Account Management

https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-trusted-access.html

New Error

aws account disable-region --region-name=us-east-1 --account-id ACCOUNTID

An error occurred (ValidationException) when calling the DisableRegion operation: us-east-1 is not a valid region for opt-in or opt-out.

Attempt 3: LZ Region Deny Policy

Region deny policy control for landing zone - CTMULTISERVICEPV1

https://docs.aws.amazon.com/controltower/latest/userguide/region-deny.html

Attempt 4

Using an SCP worked in the end

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": "us-west-2"
                }
            }
        }
    ]
}