本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # 限制跨 的資料傳輸 AWS 區域 **調查** 我們希望聽到您的意見。請進行[簡短的問卷](https://amazonmr.au1.qualtrics.com/jfe/form/SV_cMxJ0MG3jU91Fk2),以提供對 AWS PRA 的意見回饋。 除了兩個 AWS Identity and Access Management (IAM) 角色之外,此服務控制政策會拒絕對 `eu-west-1`和 AWS 區域 以外的[區域 AWS 服務](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/regional-services.html)進行 API 呼叫`eu-central-1`。此 SCP 可協助防止在未經核准的區域中建立 AWS 儲存和處理服務。這有助於防止 AWS 服務 這些區域中的 一起處理個人資料。此政策使用 `NotAction` 參數,因為它會考慮[全域 AWS 服務](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html),例如 IAM,以及與全域服務整合的服務,例如 AWS Key Management Service (AWS KMS) 和 Amazon CloudFront。在參數值中,您可以將這些全域和其他不適用的服務指定為例外狀況。如需此政策如何協助保護組織中隱私權和個人資料的詳細資訊,請參閱本指南[AWS Organizations](org-management-account.md#aws-organizations)中的 。 ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAllOutsideEU", "Effect": "Deny", "NotAction": [ "a4b:*", "acm:*", "aws-marketplace-management:*", "aws-marketplace:*", "aws-portal:*", "budgets:*", "ce:*", "cloudfront:*", "config:*", "cur:*", "directconnect:*", "ec2:DescribeRegions", "ec2:DescribeTransitGateways", "ec2:DescribeVpnGateways", "fms:*", "globalaccelerator:*", "health:*", "iam:*", "importexport:*", "kms:*", "mobileanalytics:*", "networkmanager:*", "organizations:*", "pricing:*", "route53:*", "route53domains:*", "route53-recovery-cluster:*", "route53-recovery-control-config:*", "route53-recovery-readiness:*", "s3:GetAccountPublic*", "s3:ListAllMyBuckets", "s3:ListMultiRegionAccessPoints", "s3:PutAccountPublic*", "shield:*", "sts:*", "support:*", "trustedadvisor:*", "waf-regional:*", "waf:*", "wafv2:*", "wellarchitected:*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "eu-central-1", "eu-west-1" ] }, "ArnNotLike": { "aws:PrincipalARN": [ "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP", "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP" ] } } } ] } ```