To ensure that AWS resources are not created outside of approved regions, the most effective approach is to enforce restrictions using Service Control Policies (SCPs) if your accounts are part of AWS Organizations. SCPs allow you to define which regions are permitted for resource creation across all accounts. By applying a deny rule that blocks all actions unless the request is made in an allowed region, you can prevent non-compliant resources from ever being created. This approach is proactive and ensures compliance at the control plane level before resources are provisioned.
If SCPs are not yet in place or you need a detection mechanism during a transition period, you can use AWS CloudTrail combined with CloudWatch Logs Insights or EventBridge to monitor and alert on resource creation in disallowed regions. CloudTrail records all Create* and RunInstances API actions, along with the region and the identity that initiated them. You can query these logs to identify any unauthorized resource creation events. EventBridge rules can also be configured to trigger notifications when API calls occur in regions outside your approved list, allowing near real-time detection.
For environments that require automated remediation, you can extend the detection approach by using EventBridge to trigger a Lambda function that rolls back the resource creation, such as terminating an EC2 instance or deleting a newly created resource. This ensures that even if non-compliant actions occur, they are quickly corrected and documented. However, this approach is more reactive, and prevention through SCPs is generally recommended whenever possible.
Overall, combining SCPs for prevention with CloudTrail-based detection and alerting provides strong governance controls. This ensures that compliance requirements are consistently met and that any deviations are detected and handled promptly.
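The following is an added example, not part of the answer above and not AWS-provided code. It covers both controls the answer describes from a single region allowlist: it generates the region-restriction SCP (a `Deny` on every action whose `aws:RequestedRegion` is outside the allowlist, carving out the global services that are always signed in one region and would otherwise be broken by the blanket deny), it generates the EventBridge event pattern for the detection path, and it runs the same allowlist over constructed CloudTrail records to pick out the events a detective control should raise. The allowed regions, the list of exempted global-service actions, the sample records and all function names are assumptions for illustration; adjust the exemption list to the global services your accounts actually use.

```python
"""Region allowlist as one source of truth for an SCP, an EventBridge rule and
log-side detection.  Added example; the allowlist, the exemption list and the
sample CloudTrail records below are constructed, not taken from a real account."""
import json

ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]  # assumed allowlist

# Global services are signed against a single region (typically us-east-1), so a
# blanket region deny has to exempt them or IAM, STS, Organizations etc. stop
# working.  Assumed list; extend it for the global services you depend on.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "health:*", "waf:*", "shield:*",
]
# eventSource values CloudTrail uses for the same services (assumed derivation).
GLOBAL_EVENT_SOURCES = {f"{a.split(':')[0]}.amazonaws.com" for a in GLOBAL_SERVICE_ACTIONS}


def build_region_deny_scp(allowed_regions, exempt_actions=GLOBAL_SERVICE_ACTIONS):
    """SCP document: deny everything except exempt_actions when the request's
    region (aws:RequestedRegion) is not in allowed_regions.  StringNotEquals with
    a list is true only when the key matches none of the listed values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": list(exempt_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
            },
        }],
    }


def build_eventbridge_pattern(allowed_regions):
    """Event pattern for an EventBridge rule on CloudTrail API-call events that
    matches mutating calls (Create*/Run*) outside allowed_regions.  'anything-but'
    is EventBridge's negation filter; 'prefix' matches the leading string."""
    return {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "awsRegion": [{"anything-but": list(allowed_regions)}],
            "eventName": [{"prefix": "Create"}, {"prefix": "Run"}],
        },
    }


def is_event_noncompliant(event, allowed_regions, write_prefixes=("Create", "Run")):
    """True for a CloudTrail record that created something in a disallowed region.
    Read-only calls and global-service calls are ignored so that, e.g., an IAM
    CreateUser signed in us-east-1 is not reported as a region violation."""
    if event.get("readOnly") is True:
        return False
    if event.get("eventSource") in GLOBAL_EVENT_SOURCES:
        return False
    if not event.get("eventName", "").startswith(write_prefixes):
        return False
    return event.get("awsRegion") not in allowed_regions


def find_noncompliant(records, allowed_regions):
    """Reduce matching records to what an alert needs: action, region, caller."""
    return [
        {"eventName": r["eventName"], "awsRegion": r["awsRegion"],
         "principal": r.get("userIdentity", {}).get("arn")}
        for r in records if is_event_noncompliant(r, allowed_regions)
    ]


# Constructed CloudTrail records (trimmed to the fields the check uses).
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-west-2", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "awsRegion": "eu-west-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deployer"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-1", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
]

if __name__ == "__main__":
    print(json.dumps(build_region_deny_scp(ALLOWED_REGIONS), indent=2))
    print(json.dumps(build_eventbridge_pattern(ALLOWED_REGIONS), indent=2))
    print(find_noncompliant(SAMPLE_RECORDS, ALLOWED_REGIONS))
```

Two caveats when deploying this. First, test the SCP on a sandbox OU before the root: any global service missing from the exemption list is denied outright, and the failure shows up as access-denied errors far from the policy that caused them. Second, EventBridge rules are regional and a CloudTrail API-call event is delivered to the bus in the region where the call was made, so the detection rule has to exist in every region you want to watch (or each region's bus must forward to a central one); the `anything-but` filter on `awsRegion` is then a safety net rather than the thing that makes a single rule see all regions.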