## The problem

We are heavy users of AWS Organizations and Service Control Policies. We block a lot of common footguns that we do not want to deal with on a daily basis. One of our policies limits the regions that can be used across the organization:

```json
{
  "Sid": "DenyAccessToBlockedRegions",
  "Effect": "Deny",
  "NotAction": [
    "cloudfront:*",
    "iam:*",
    "route53:*",
    "support:*",
    "directconnect:*"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:RequestedRegion": [
        "ca-central-1",
        "eu-central-1",
        "eu-west-1",
        "eu-west-2",
        "us-east-1",
        "us-east-2",
        "us-west-2"
      ]
    },
    "ArnNotLike": {
      "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
    }
  }
}
```

Note: the policy is redacted for simplicity.
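To see how the three parts of that statement interact (the NotAction carve-out for global services, the region allow-list behind StringNotEquals, and the Control Tower role exemption), here is an added evaluator that walks a request context through the statement the way IAM does. It is example code written for this post, not part of the original; the statement is a constructed copy of the one above, and the account ID and role names in the sample requests are made up.

```python
import fnmatch

# Constructed copy of the SCP statement from the post (wildcards as in the
# original policy; action and region lists taken as written there).
DENY_BLOCKED_REGIONS = {
    "Sid": "DenyAccessToBlockedRegions",
    "Effect": "Deny",
    "NotAction": ["cloudfront:*", "iam:*", "route53:*",
                  "support:*", "directconnect:*"],
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": [
            "ca-central-1", "eu-central-1", "eu-west-1", "eu-west-2",
            "us-east-1", "us-east-2", "us-west-2"]},
        "ArnNotLike": {"aws:PrincipalARN":
                       "arn:aws:iam::*:role/AWSControlTowerExecution"},
    },
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns support '*' and are matched case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(stmt: dict, action: str, region: str, principal_arn: str) -> bool:
    """Return True when this Deny statement matches the request context.

    The action must not be listed under NotAction, and every Condition block
    must evaluate to true. Assumes aws:RequestedRegion is present, which AWS
    guarantees for every request (global services report us-east-1).
    """
    if any(action_matches(p, action) for p in stmt["NotAction"]):
        return False  # exempted global service: statement does not apply
    cond = stmt["Condition"]
    if region in cond["StringNotEquals"]["aws:RequestedRegion"]:
        return False  # StringNotEquals is false for an approved region
    exempt = cond["ArnNotLike"]["aws:PrincipalARN"]
    if fnmatch.fnmatchcase(principal_arn, exempt):  # ARN match is case-sensitive
        return False  # Control Tower execution role is carved out
    return True


if __name__ == "__main__":
    dev = "arn:aws:iam::123456789012:role/Dev"  # constructed sample principal
    for act, reg in [("ec2:RunInstances", "ap-southeast-1"),
                     ("ec2:RunInstances", "eu-west-1"),
                     ("iam:CreateUser", "ap-southeast-1")]:
        verdict = "DENIED" if scp_denies(DENY_BLOCKED_REGIONS, act, reg, dev) else "not matched"
        print(f"{act} in {reg}: {verdict}")
```

A request that is "not matched" by this statement is only not denied by it; whether it is ultimately allowed still depends on the rest of the SCP set and the principal's own IAM policies.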