Enable or disable AWS Regions in your account
An AWS Region is a physical location in the world where we have
multiple Availability Zones. Availability Zones consist of one or more discrete AWS data
centers, each with redundant power, networking, and connectivity, housed in separate
facilities. This means that each AWS Region is physically isolated and independent of the
other Regions. Regions provide fault tolerance, stability, and resilience, and can also
reduce latency. For a map of available and upcoming Regions, see Regions and
Availability Zones
The resources that you create in one Region do not exist in any other Region unless you explicitly use a replication feature offered by an AWS service. For example, Amazon S3 and Amazon EC2 support cross-Region replication. Some services, such as AWS Identity and Access Management (IAM), do not have Regional resources.
Your account determines the Regions that are available to you.
-
An AWS account provides multiple Regions so that you can launch AWS resources in locations that meet your requirements. For example, you might want to launch Amazon EC2 instances in Europe to be closer to your European customers or to meet legal requirements.
-
An AWS GovCloud (US-West) account provides access to the AWS GovCloud (US-West) Region and the AWS GovCloud (US-East) Region. For more information, see AWS GovCloud (US)
. -
An Amazon AWS (China) account provides access to the Beijing and Ningxia Regions only. For more information, see Amazon Web Services in China
.
For a list of Region names and their corresponding codes, see Regional
endpoints in the AWS General Reference Guide. For a list
of AWS services supported in each Region (without endpoints), see the AWS
Regional Services List
Important
AWS recommends that you use regional AWS Security Token Service (AWS STS) endpoints instead of the global endpoint to reduce latency. Session tokens from regional AWS STS endpoints are valid in all AWS Regions. If you use regional AWS STS endpoints, you don't need to make any changes. However, session tokens from the global AWS STS endpoint (https://sts.amazonaws.com) are valid only in AWS Regions that you enable, or that are enabled by default. If you intend to enable a new Region for your account, you can either use session tokens from regional AWS STS endpoints or activate the global AWS STS endpoint to issue session tokens that are valid in all AWS Regions. Session tokens that are valid in all Regions are larger. If you store session tokens, these larger tokens might affect your systems. For more information about how AWS STS endpoints work with AWS Regions, see Managing AWS STS in an AWS Region.
Topics
Considerations before enabling and disabling Regions
Before you enable or disable a Region, it's important to consider the following:
-
Regions introduced before March 20, 2019 are enabled by default – AWS originally enabled all new AWS Regions by default, which means you can begin creating and managing resources in these Regions immediately. You cannot enable or disable a Region that is enabled by default. Today, when AWS adds a Region, the new Region is disabled by default. If you want your users to be able to create and manage resources in a new Region, you first need to enable that Region. The following Regions are disabled by default.
Name Code Africa (Cape Town) af-south-1
Asia Pacific (Hong Kong) ap-east-1
Asia Pacific (Hyderabad) ap-south-2
Asia Pacific (Jakarta) ap-southeast-3
Asia Pacific (Melbourne) ap-southeast-4
Canada (Calgary) ca-west-1
Europe (Milan) eu-south-1
Europe (Spain) eu-south-2
Europe (Zurich) eu-central-2
Israel (Tel Aviv) il-central-1
Middle East (Bahrain) me-south-1
Middle East (UAE) me-central-1
-
You can use IAM permissions to control access to Regions – AWS Identity and Access Management (IAM) includes four permissions that let you control which users can enable, disable, get, and list Regions. For more information, see AWS: Allows enabling and disabling AWS Regions in the IAM User Guide. You can also use the
aws:RequestedRegion
condition key to control access to AWS services in an AWS Region. -
Enabling a Region is free – There is no charge to enable a Region. You're charged only for resources that you create in the new Region.
-
Disabling a Region disables IAM access to resources in the Region – If you disable a Region that still contains AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, you lose IAM access to the resources in that Region. For example, you can't use the AWS Management Console to view or change the configuration of any EC2 instances in a disabled Region.
-
Charges for active resources continue if you disable a Region – If you disable a Region that still contains AWS resources, charges for those resources (if any) continue to accrue at the standard rate. For example, if you disable a Region that contains Amazon EC2 instances, you still have to pay the charges for those instances even though the instances are inaccessible.
-
Disabling a Region isn't always immediately visible – Services and consoles might be temporarily visible after disabling a region. Disabling a Region can takes a few minutes to several hours to take effect.
-
Enabling a Region takes a few minutes to several hours in some cases – When you enable a Region, AWS performs actions to prepare your account in that Region, such as distributing your IAM resources to the Region. This process takes a few minutes for most accounts, but can sometimes take several hours. You cannot use the Region until this process is complete.
-
Organizations can have 50 region-opt requests open at a given time across an AWS organization – The management account can at any point in time have 50 open requests pending completion for its organization. One request is equal to either an enable or disable of one particular region for one account.
-
A single account can have 6 region-opt requests in progress at any given time – One request is equal to either an enable or disable of one particular region for one account.
-
Amazon EventBridge integration – Customers can subscribe to region-opt status update notifications in EventBridge. An EventBridge notification will be created for each status change, allowing customers to automate work flows.
-
Expressive Region-opt status – Due to the asynchronous nature of enabling/disabling an opt-in region, there are four potential statuses for a region-opt request:
-
ENABLING
-
DISABLING
-
ENABLED
-
DISABLED
You cannot cancel an opt-in or opt-out when it is in either
ENABLING
orDISABLING
status. Otherwise, aConflictException
will be thrown. A completed (Enabled/Disabled) region-opt request is dependent on the provisioning of key underlying AWS services. There might be some AWS services that will not be immediately usable despite the status beingENABLED
. -
-
Full integration with AWS Organizations – A management account can modify or read region-opt for any member account of that AWS organization. A member account is able to read/write their region state as well.
Enable or disable a Region for standalone accounts
To update which Regions your AWS account has access to, perform the steps in the following procedure. The AWS Management Console procedure below always works only in the standalone context. You can use the AWS Management Console to view or update only the available Regions in the account you used to call the operation.
Enable or disable a Region in your organization
To update the enabled Regions for member accounts of your AWS Organizations, perform the steps in the following procedure.
Note
The AWS Organizations managed policies AWSOrganizationsReadOnlyAccess
or
AWSOrganizationsFullAccess
are updated to provide permission to
access the AWS Account Management APIs so you can access account data from the AWS Organizations console.
To view the updated managed policies, see Updates to Organizations AWS managed policies.
Note
Before you can perform these operations from the management account or a delegated admin account in an organization for use with member accounts, you must:
-
Enable all features in your organization to manage settings on your member accounts. This allows admin control over the member accounts. This is set by default when you create your organization. If your organization is set to consolidated billing only, and you want to enable all features, see Enabling all features in your organization.
-
Enable trusted access for the AWS Account Management service. To set this up, see Enable trusted access for AWS Account Management.