In the context of data residency and compliance, how can you enforce region-based controls across AWS accounts?

Multiple Choice

Explanation:
Guardrails applied across AWS Organizations provide durable enforcement of where data can reside. Service Control Policies (SCPs) let you centrally deny actions in specific regions for all member accounts, using a condition key such as aws:RequestedRegion to block resource creation or modification in restricted regions. Because an SCP is an organizational boundary, it applies regardless of the IAM policies or user permissions in any individual account, which makes it a strong foundation for data residency controls. To keep compliance continuous, pair these guardrails with AWS Config rules that evaluate resource configurations and region usage on an ongoing basis, and rely on tagging governance to classify resources and enforce residency policies. Together these controls let you detect, report, and remediate any resources created in disallowed regions, keeping data residency in line with requirements. IAM policies alone are not sufficient for cross-account enforcement, encryption alone does not restrict where data is stored, and placing everything in one region with no controls fails to provide scalable governance.