https://ferkakta.dev/tags/control-tower/Recent content in Control-Tower on ferkakta.devHugoen-USCopyright fizz.Tue, 24 Mar 2026 21:00:00 -0600https://ferkakta.dev/scp-allow-overrides-notaction-deny/Tue, 24 Mar 2026 21:00:00 -0600https://ferkakta.dev/scp-allow-overrides-notaction-deny/<p>I run a multi-tenant SaaS platform on AWS with Control Tower managing the organization. Control Tower deploys a region deny guardrail — an SCP that blocks API calls outside your home region. The mechanism is a <code>NotAction</code> deny: it lists services that are allowed to operate globally (IAM, CloudFront, Route 53, a few dozen others), and denies everything else when <code>aws:RequestedRegion</code> doesn&rsquo;t match your approved list.</p> <p>This guardrail is one of the first things you hit when you try to do anything interesting. And the documentation says you can&rsquo;t override a deny with an allow.</p>