This content is part of the Conference Coverage: Your guide to AWS re:Invent 2017 news and analysis

Restrict access to AWS region endpoints for cost savings, security

Enterprises use multiple AWS regions for disaster recovery, but that practice can increase cloud costs and vulnerabilities. Manage access to regions to maintain control.

Amazon regularly adds new AWS regions and availability zones to appeal to more global customers. There are many reasons why a business chooses one region over another, and there are just as many reasons to restrict access to some AWS region endpoints and availability zones.

AWS' global coverage makes region choices easier, whether the choice is based on geographical distance, pricing that's specific to a region or other business requirements. Teams can also use multiple AWS region endpoints at the same time for high availability and disaster recovery, but doing so adds architectural complexity and cost.

One region usually provides everything a business needs, so small to midsize businesses in particular can disable access to regions they don't use. There are several reasons to do so.

Reduce unnecessary spending

Businesses that allow teams to use resources in other regions can see unexpected spending, and the charges are easy to overlook unless the bill is analyzed in detail, region by region. Stray resources also skew cost forecasts: a forecast is only as accurate as the usage figures it's built on, and usage in a region nobody is tracking is missing from those figures.

Service prices vary per region, so a team can raise spending simply by using a service in a region where it costs more. Cross-region traffic adds to that. For example, if a developer mistakenly creates a Simple Storage Service (S3) bucket outside the home region, every transfer from that bucket to the production environment in the primary region is billed as inter-region data transfer rather than as the cheaper in-region transfer it would otherwise have been, increasing costs for no good reason.

Take responsibility for security

When an attacker gains access to an AWS account, one common move is to spin up a large number of instances in a region the account doesn't otherwise use, where the activity is less likely to be noticed. The goal may be to leech compute power or simply to cause financial damage.


A compromised user account with unlimited access will dramatically increase your monthly bill. Some instances, like the p2.16xlarge, cost about $15 per hour, and an attacker could start multiples of these, or any other instance type, in any region of the world. It can take days -- or even weeks -- before you notice the intrusion, and the charges accrue the whole time.
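Detecting the launch pattern described above, as an added example that is not part of the original article: the script below scans CloudTrail records for ec2:RunInstances calls outside an allow-list of regions and sizes the hourly exposure per principal. The records, the allow-list and the price table are constructed for the example (the p2.16xlarge price is the article's figure); in practice the input would come from a CloudTrail lookup or the log bucket, and the finding would feed an alert.

```python
"""Flag EC2 launches outside an allow-list of regions in CloudTrail records."""
import json
from collections import defaultdict

# Regions this account is supposed to use (assumption for the example).
ALLOWED_REGIONS = {"us-east-1"}

# Constructed CloudTrail records for the example. The field layout follows the
# CloudTrail schema for ec2:RunInstances, but every value here is invented.
SAMPLE_EVENTS = [
    {
        "eventTime": "2017-11-28T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "instanceType": "t2.micro",
            "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]},
        },
    },
    {
        "eventTime": "2017-11-28T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "ap-southeast-2",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "instanceType": "p2.16xlarge",
            "instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]},
        },
    },
    {
        "eventTime": "2017-11-28T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "sa-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "instanceType": "p2.16xlarge",
            "instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]},
        },
    },
    {
        "eventTime": "2017-11-28T10:07:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "eu-west-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": None,
    },
]

# Rough on-demand prices (USD/hour) used only to size the exposure. The
# p2.16xlarge figure is the article's; the t2.micro figure is an assumption.
HOURLY_PRICE = {"p2.16xlarge": 15.0, "t2.micro": 0.012}


def requested_count(event):
    """Number of instances a RunInstances call asked for (sum of maxCount)."""
    params = event.get("requestParameters") or {}
    items = params.get("instancesSet", {}).get("items", [])
    return sum(item.get("maxCount", 1) for item in items)


def find_out_of_region_launches(events, allowed_regions=ALLOWED_REGIONS):
    """Return one finding per RunInstances call made outside allowed_regions."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        if ev.get("awsRegion") in allowed_regions:
            continue
        itype = (ev.get("requestParameters") or {}).get("instanceType", "unknown")
        count = requested_count(ev)
        findings.append({
            "time": ev["eventTime"],
            "region": ev["awsRegion"],
            "principal": ev["userIdentity"]["arn"],
            "instance_type": itype,
            "count": count,
            # Unknown instance types count as 0 here; price them separately.
            "hourly_exposure": round(count * HOURLY_PRICE.get(itype, 0.0), 2),
        })
    return findings


def summarize_by_principal(findings):
    """Aggregate hourly exposure per principal so one compromised user stands out."""
    totals = defaultdict(float)
    for f in findings:
        totals[f["principal"]] += f["hourly_exposure"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_out_of_region_launches(SAMPLE_EVENTS)
    print(json.dumps(hits, indent=2))
    print(summarize_by_principal(hits))
```

The two out-of-region launches add up to $600 an hour for a single user, which is the kind of number that should page someone within minutes rather than surface on next month's bill. Run the same filter over the CloudTrail stream for every region, not just the home one; the whole point is that the attacker picks a region you aren't watching.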

The AWS shared responsibility model clearly defines where Amazon's security responsibility ends, and everything above that line, including who can do what in your account and where, is up to you. Limit access to resources and follow other best practices to secure your credentials.

Think about the architecture

Most Amazon services are either region-specific -- S3, Elastic Load Balancing and Auto Scaling -- or AZ-specific, such as Elastic Compute Cloud (EC2) instances and Elastic Block Store volumes; only a few, such as IAM, are global. If you start an EC2 instance in a separate region, it can cause issues if your infrastructure is designed for a single region: the instance can't join a VPC, security group or load balancer that lives in the home region, for instance. Unless there is a specific need to test in another AWS region endpoint, limit resources to one region.

Use Amazon Virtual Private Cloud to create separate, isolated networks within a region and conduct tests inside them. If there's a need to use another region, rethink your entire cloud design and adapt it accordingly. It's better to adjust later than constantly run into cloud architecture issues.

How to disable access to other regions

AWS Identity and Access Management (IAM) lets administrators set user and group permissions that allow or deny access to AWS resources. IAM itself is global, so a user's credentials work against every region's endpoint unless a policy says otherwise. Originally, region restrictions had to be written per service, using service-specific condition keys such as ec2:Region, because there was no single condition key that covered every service; AWS has since added the aws:RequestedRegion global condition key, which lets one Deny statement cover all regional services at once. Either way, the approach is the same: attach the policy to all users or their respective groups, so that IAM only allows actions whose request targets your primary region.

Admins can also deny any action that doesn't meet the region condition. That is the safer pattern, because an explicit Deny overrides any Allow granted elsewhere, but global services (IAM, STS, Route 53, CloudFront and others) must be carved out of it or users lock themselves out. Apply granular permissions to ensure least privilege on the account. And do not use the root user for day-to-day work: it always has full AWS access and IAM policies don't apply to it, so keep its credentials locked away and use them only when necessary.
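The single-policy version of this restriction, as an added example rather than the article's own code: the policy document below denies every action outside a home region unless the action belongs to a global service, and the small checker underneath shows which calls it blocks without touching an AWS account. HOME_REGION, the GLOBAL_SERVICE_ACTIONS list and the explicitly_denied helper are assumptions made for the example; aws:RequestedRegion, NotAction and the "explicit Deny wins" rule are real IAM semantics, but the checker models only those parts and is not a full policy evaluator.

```python
"""Region-lock IAM policy plus a simplified local check of what it denies."""
import json
from fnmatch import fnmatchcase

HOME_REGION = "us-east-1"  # assumption: the account's primary region

# Global services that must stay reachable regardless of region. This list is
# an assumption for the example; tune it to what the account actually uses.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*",
]

# The policy to attach to every IAM user or group. NotAction means "every
# action except these", so the Deny covers all regional services at once.
REGION_LOCK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEverythingOutsideHomeRegion",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": HOME_REGION}},
        }
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    """IAM action wildcards ('ec2:*', 'iam:Get*') are case-insensitive."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals/StringNotEquals are modelled; enough for this policy."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            present = context.get(key) in set(_as_list(expected))
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def explicitly_denied(action, requested_region, policy=REGION_LOCK_POLICY):
    """True if a Deny statement in the policy matches this call.

    Simplified model (an assumption of this example): only Effect=Deny
    statements, Action/NotAction and the two String* operators are
    considered, and Resource is taken to be '*'. Because an explicit Deny
    overrides any Allow in IAM, a True here means the call is blocked no
    matter what other policies grant.
    """
    context = {"aws:RequestedRegion": requested_region}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_matches(_as_list(stmt["Action"]), action)
        else:
            applies = not _action_matches(_as_list(stmt["NotAction"]), action)
        if applies and _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(REGION_LOCK_POLICY, indent=2))
    for action, region in [
        ("ec2:RunInstances", "us-east-1"),
        ("ec2:RunInstances", "ap-southeast-2"),
        ("s3:CreateBucket", "eu-west-1"),
        ("iam:CreateUser", "eu-west-1"),
        ("sts:AssumeRole", "sa-east-1"),
    ]:
        verdict = "DENIED" if explicitly_denied(action, region) else "not denied"
        print(f"{action:<20} {region:<16} {verdict}")
```

Attach the policy to a group that every IAM user belongs to; it does nothing for the root user, which IAM policies never constrain, and for an organization-wide lock the same statement belongs in a service control policy instead. Check the NotAction list against the AWS documentation for the global services your account actually uses and test with the IAM policy simulator before rolling it out: a global service missing from that list means an outage, not a security gain.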
