How would I restrict JupiterOne from attempting to scan an AWS region?

We have an org policy for newer accounts to only be able to create resources in us-east-1. in older accounts we lock the possible regions for creation to 5 regions. In Cloudtrail, I'm seeing a fair amount of failed API calls to these regions. In the integration job I am also seeing signs of failure.


  • crystralRamirez
    We scan all regions by default. There is not a way to turn it off, per se.This allows J1 to identify if there are any rogue resources created through some loophole or malicious behavior. We typically recommend adding a condition to your AWS Service Control Policies (SCP), like below, to prevent JupiterOne from being denied:
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "DenyAllOutsideUSExceptJ1",
            "Effect": "Deny",
            "NotAction": [
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                "ArnNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/JupiterOne*"
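The following is an added example, not code from the answer above or from JupiterOne. It models how the Deny statement in that SCP is evaluated (NotAction exemption, StringNotEquals on aws:RequestedRegion, ArnNotLike on aws:PrincipalArn, all conditions ANDed) and runs a few constructed API calls through the policy with and without the JupiterOne carve-out, so you can see which calls would surface as AccessDenied in CloudTrail. The allowed-region list, the NotAction contents, the account id and the role names are assumptions for illustration; only the role pattern comes from the answer.

```python
import fnmatch

# Assumed values for illustration (not from the original post, except J1_ROLE_PATTERN)
ALLOWED_REGIONS = ["us-east-1"]
GLOBAL_SERVICE_EXEMPTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]
J1_ROLE_PATTERN = "arn:aws:iam::*:role/JupiterOne*"   # pattern quoted in the answer


def build_scp(with_j1_exception: bool) -> dict:
    """Deny-outside-region SCP, optionally carving out the JupiterOne scanning role."""
    condition = {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}
    if with_j1_exception:
        condition["ArnNotLike"] = {"aws:PrincipalArn": J1_ROLE_PATTERN}
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "DenyAllOutsideUSExceptJ1" if with_j1_exception else "DenyAllOutsideUS",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_EXEMPTIONS,
            "Resource": "*",
            "Condition": condition,
        },
    }


def arn_like(arn: str, pattern: str) -> bool:
    """IAM ArnLike: the six colon-separated ARN components are compared one by one,
    with * and ? acting as wildcards inside a component (maxsplit keeps the
    resource part, which may itself contain colons, as the sixth component)."""
    parts, pats = arn.split(":", 5), pattern.split(":", 5)
    if len(parts) != 6 or len(pats) != 6:
        return False
    return all(fnmatch.fnmatchcase(p, q) for p, q in zip(parts, pats))


def action_matches(action: str, patterns) -> bool:
    """IAM action matching is case-insensitive and allows * wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(scp: dict, action: str, region: str, principal_arn: str) -> bool:
    """True if the single Deny statement applies to the request.

    The statement applies only when the action is NOT covered by NotAction and
    every condition key evaluates to true (condition keys are ANDed)."""
    stmt = scp["Statement"]
    if action_matches(action, stmt["NotAction"]):
        return False                      # exempt global service
    cond = stmt["Condition"]
    # StringNotEquals with a list is true only if the region matches none of them
    if region in cond["StringNotEquals"]["aws:RequestedRegion"]:
        return False
    # ArnNotLike is true only if the principal matches none of the patterns
    if "ArnNotLike" in cond:
        pats = cond["ArnNotLike"]["aws:PrincipalArn"]
        pats = [pats] if isinstance(pats, str) else pats
        if any(arn_like(principal_arn, p) for p in pats):
            return False
    return True


# Constructed sample requests (not real CloudTrail data); account id is fictitious.
SAMPLE_CALLS = [
    {"action": "ec2:DescribeInstances", "region": "eu-west-1",
     "principal": "arn:aws:iam::111122223333:role/JupiterOne-Scanner"},
    {"action": "ec2:RunInstances", "region": "eu-west-1",
     "principal": "arn:aws:iam::111122223333:role/Developer"},
    {"action": "ec2:RunInstances", "region": "us-east-1",
     "principal": "arn:aws:iam::111122223333:role/Developer"},
    {"action": "iam:ListRoles", "region": "ap-southeast-2",
     "principal": "arn:aws:iam::111122223333:role/Developer"},
]


def denied_calls(scp: dict, calls=SAMPLE_CALLS) -> list:
    """Return '<role> <action>@<region>' for every call the SCP would deny."""
    return [f"{c['principal'].rsplit('/', 1)[-1]} {c['action']}@{c['region']}"
            for c in calls
            if scp_denies(scp, c["action"], c["region"], c["principal"])]


if __name__ == "__main__":
    for carve_out in (False, True):
        print(f"JupiterOne exception: {carve_out}")
        for line in denied_calls(build_scp(carve_out)):
            print("  DENIED", line)
```

Without the ArnNotLike carve-out, the scanner's read-only calls outside the allowed region are denied just like a developer's RunInstances, which is exactly the noise the question describes in CloudTrail; with it, only the non-exempt principals remain denied. This is a model of one statement, not a full policy simulation: in an organization, all SCPs on the path plus the principal's own identity policies are combined, so confirm the final effect with the IAM policy simulator or by watching for the AccessDenied events to stop.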
