How would I restrict JupiterOne from attempting to scan an AWS region?

We have an org policy for newer accounts to only be able to create resources in us-east-1. In older accounts we lock the possible regions for creation to 5 regions. In CloudTrail, I'm seeing a fair amount of failed API calls to these regions. In the integration job I am also seeing signs of failure.

Answers

  • crystralRamirez
    We scan all regions by default. There is not a way to turn it off, per se. This allows J1 to identify if there are any rogue resources created through some loophole or malicious behavior. We typically recommend adding a condition to your AWS Service Control Policies (SCP), like below, to prevent JupiterOne from being denied:
    {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "DenyAllOutsideUSExceptJ1",
            "Effect": "Deny",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "route53:*",
                "budgets:*",
                "waf:*",
                "cloudfront:*",
                "globalaccelerator:*",
                "importexport:*",
                "support:*",
                "directconnect:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-east-2",
                        "us-west-1",
                        "us-west-2"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/JupiterOne*"
                }
            }
        }
    }
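The reason the SCP above lets the JupiterOne role through is that every key in a Condition block must hold for the Deny to fire: a request is blocked only when the region is outside the list AND the caller is not a JupiterOne* role AND the action is not one of the global services in NotAction. The following is an added example, not code from the original answer or from JupiterOne, that embeds that SCP and evaluates constructed requests against it so you can confirm the exemption before deploying the policy. The role ARNs and account ID are made up; the wildcard matching uses fnmatch as a simplification of IAM's per-field ARN matching, which gives the same result for the pattern used here.

```python
import fnmatch

# The SCP from the answer above, embedded so the evaluator runs offline.
SCP = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "DenyAllOutsideUSExceptJ1",
        "Effect": "Deny",
        "NotAction": [
            "iam:*", "organizations:*", "route53:*", "budgets:*", "waf:*",
            "cloudfront:*", "globalaccelerator:*", "importexport:*",
            "support:*", "directconnect:*",
        ],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "aws:RequestedRegion": ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]
            },
            "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/JupiterOne*"},
        },
    },
}

# Constructed principals (hypothetical account ID and role names).
J1_ROLE = "arn:aws:iam::111122223333:role/JupiterOne-Scanner"
DEV_ROLE = "arn:aws:iam::111122223333:role/Developer"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM action and ARN matching is case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, ctx):
    """A Condition block is an AND over every operator/key pair it contains."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "ArnLike":
                ok = actual is not None and _match_any(expected, actual)
            elif operator == "ArnNotLike":
                # Negated operators are true when the key is absent from the request.
                ok = actual is None or not _match_any(expected, actual)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, ctx):
    actions = _as_list(stmt.get("Action", []))
    not_actions = _as_list(stmt.get("NotAction", []))
    if actions and not _match_any(actions, action):
        return False
    if not_actions and _match_any(not_actions, action):
        return False  # NotAction: the statement covers everything EXCEPT these
    return _condition_holds(stmt.get("Condition", {}), ctx)


def scp_denies(policy, action, region, principal_arn):
    """True if any Deny statement in the SCP matches this request.

    Only the explicit-Deny side is modelled; the organization's Allow
    statements and the principal's own IAM policies are not evaluated.
    """
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalArn": principal_arn}
    return any(
        stmt.get("Effect") == "Deny" and _statement_applies(stmt, action, ctx)
        for stmt in _as_list(policy["Statement"])
    )


def evaluate_samples():
    """Constructed requests covering each branch of the Deny statement."""
    cases = {
        "dev_ec2_eu_west_1": ("ec2:DescribeInstances", "eu-west-1", DEV_ROLE),
        "j1_ec2_eu_west_1": ("ec2:DescribeInstances", "eu-west-1", J1_ROLE),
        "dev_ec2_us_east_1": ("ec2:DescribeInstances", "us-east-1", DEV_ROLE),
        "dev_iam_eu_west_1": ("iam:ListUsers", "eu-west-1", DEV_ROLE),
    }
    return {name: scp_denies(SCP, *req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, denied in evaluate_samples().items():
        print(f"{name}: {'DENIED' if denied else 'allowed by this SCP'}")
```

Running it shows the developer role denied in eu-west-1 while the same call from a JupiterOne* role, the same call in us-east-1, and an iam:* call from any region all pass the Deny statement. Note that the ArnNotLike pattern exempts any role whose name starts with JupiterOne in any account, so the role name should be treated as a protected identifier in the accounts where this SCP applies.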
