
WAF-SOV-020 – Region Pinning Enforced (IaC)

Description

Deployments MUST be restricted to permitted sovereign regions through policy-as-code and IaC guardrails. Region constraints must be technically enforced — not merely documented.

Violations MUST be blocked in CI or immediately reported as critical policy exceptions. Every approved exception requires documented approval with a time limit.

Rationale

Documentation alone cannot prevent accidental or intentional deployments into non-sovereign regions. A single unsecured provider configuration or environment variable can silently create workloads outside jurisdictional boundaries.

Region pinning must be enforced on every layer:

  • IaC level: Variable validation in Terraform

  • CI/CD level: OPA/Sentinel policy gate in the build

  • Organization level: SCP / Azure Policy / GCP Org Policy as the last safety net

Threat Context

Risk                        Description
Accidental deployment       Wrong AWS_DEFAULT_REGION environment variable in the CI pipeline creates resources in US East.
Shadow infrastructure       Developer account without SCP guardrails enables deployments to arbitrary regions.
Provider default fallback   Missing region attribute in the provider block falls back to an undocumented default.
Terraform state leak        State file with sensitive metadata stored in an S3 bucket outside the approved region.

Regulatory Mapping

Framework        Controls
GDPR             Art. 44 – General principle for transfers; Art. 46 – Appropriate safeguards
BSI C5:2020      OPS-04 – Data management; INF-01 – Physical location of infrastructure
EUCS (ENISA)     SOV-01 – Data location; SOV-02 – Jurisdictional control
GAIA-X           Sovereign Cloud – Location transparency and data location
ISO 27001:2022   A.8.10 – Information deletion; A.5.29 – Information security during business disruption
BSI C3A:2026     Dimension 4 – Data: Location; Dimension 1 – Strategic: Jurisdictional alignment

Requirement

  • All provider blocks MUST contain an explicit region/location

  • All region/location variables MUST have a validation block with allowed values

  • A deny mechanism (SCP/Azure Policy/Org Policy) MUST be enabled at the organization level

  • The CI/CD process MUST block region violations — a warning alone is insufficient

  • Hardcoded non-sovereign regions (us-*, ap-*, sa-*) in IaC are prohibited

Implementation Guidance

  1. Define allowed-regions list as a shared variable or locals in a base module.

  2. Add variable validation to every region/location parameter.

  3. Activate AWS SCP with DenyOutsideApprovedRegions at organization level.

  4. Configure Azure Policy or GCP Org Policy as the equivalent.

  5. Implement CI gate: OPA or Sentinel validates the Terraform plan.

  6. Activate drift detection: Scheduled scans find manually created resources.

  7. Formalize exceptions: Every exception requires CISO/DPO approval, is time-limited, and documented.
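Steps 2 to 5 above converge on one enforcement point: the CI gate that inspects the Terraform plan before apply. The script below is an added example, not WAF++ code or any project's tool, of such a gate in Python. It reads the JSON that `terraform show -json tfplan` emits, walks `configuration.provider_config`, `variables` and `resource_changes` (field names as in Terraform's JSON output format) and returns one violation per breach of the IaC requirements: a provider block without an explicit region/location, a hardcoded literal outside the approved list, a region variable resolved to a non-approved value, or a planned resource placed outside the approved list. The approved-region set is the page's AWS list; the `region`/`location` attribute names and the embedded sample plan are constructed assumptions.

```python
"""CI gate: fail a Terraform plan that would deploy outside approved sovereign regions.

Added example, not part of the WAF++ page or any project. Input is the JSON from
`terraform show -json tfplan`; the keys used ("configuration.provider_config",
"variables", "resource_changes") follow Terraform's JSON output format. The
attribute names in REGION_ATTRS and the sample plan below are assumptions.
"""
import json
import sys

# Approved sovereign regions, taken from the page's validation block (AWS names).
APPROVED_REGIONS = frozenset({"eu-central-1", "eu-west-1", "eu-north-1"})
# Attribute names that carry a placement decision (assumption: aws/azurerm/hcloud).
REGION_ATTRS = ("region", "location")


def _constant(expr):
    """Return the literal value of a plan expression, or None when it is a reference."""
    return expr.get("constant_value") if isinstance(expr, dict) else None


def check_plan(plan, approved=APPROVED_REGIONS):
    """Return a list of violation strings; an empty list means the plan may proceed."""
    violations = []

    # 1. Provider blocks: region/location must be explicit, and a literal must be approved.
    provider_cfg = plan.get("configuration", {}).get("provider_config", {})
    for name, pc in provider_cfg.items():
        exprs = pc.get("expressions", {})
        present = [a for a in REGION_ATTRS if a in exprs]
        if not present:
            violations.append(
                f"provider {name}: no explicit region/location; would fall back to env/default")
            continue
        for attr in present:
            literal = _constant(exprs[attr])
            if literal is not None and literal not in approved:
                violations.append(f"provider {name}: hardcoded non-sovereign {attr} '{literal}'")

    # 2. Input variables whose name suggests a region must resolve to an approved value.
    for vname, var in plan.get("variables", {}).items():
        if any(attr in vname for attr in REGION_ATTRS):
            value = var.get("value")
            if isinstance(value, str) and value not in approved:
                violations.append(f"variable {vname}: '{value}' is not an approved region")

    # 3. Planned resources: any region/location attribute must be approved.
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}   # None on destroy
        for attr in REGION_ATTRS:
            value = after.get(attr)
            if isinstance(value, str) and value not in approved:
                violations.append(
                    f"resource {rc.get('address')}: {attr} '{value}' is not approved")

    return violations


# Constructed sample plan (not real terraform output): one compliant provider,
# one hardcoded us-east-1 alias, one provider without a region, one bucket in us-east-1.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "variables": {"aws_region": {"value": "eu-central-1"}},
    "configuration": {
        "provider_config": {
            "aws": {"name": "aws",
                    "expressions": {"region": {"references": ["var.aws_region"]}}},
            "aws.us": {"name": "aws", "alias": "us",
                       "expressions": {"region": {"constant_value": "us-east-1"}}},
            "aws.legacy": {"name": "aws", "alias": "legacy", "expressions": {}},
        }
    },
    "resource_changes": [
        {"address": "aws_s3_bucket.state", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "tfstate-example", "region": "us-east-1"}}},
        {"address": "aws_instance.app", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"ami": "ami-placeholder"}}},
    ],
}


def main(argv):
    """Exit non-zero (and thereby fail the CI job) when the plan has violations."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    violations = check_plan(plan)
    for v in violations:
        print("DENY:", v)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python region_gate.py tfplan.json` after `terraform show -json tfplan > tfplan.json` and let the non-zero exit fail the job; run without arguments it evaluates the embedded sample and reports three violations. An OPA or Sentinel policy over the same plan JSON implements the same three checks; the script stands in for it where no policy engine is wired into the pipeline yet, and the distinction it preserves (reference to a validated variable is fine, literal outside the list is not) is exactly the one the Terraform checks below encode.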

Maturity Levels

Level  Name                         Criteria
1      Region documented            Permitted regions listed in policy document; no technical enforcement.
2      IaC region constraints set   All provider blocks have an explicit region; region variables with validation block.
3      Full enforcement             CI pipeline blocks non-sovereign deployments; OPA/SCP/Policy in effect; no undocumented exceptions.
4      Continuous drift monitoring  Scheduled scans detect resources outside approved regions; alerts within 1 hour; weekly compliance reports.
5      Automatic remediation        Non-compliant resources are automatically deleted or quarantined; full audit trail of every enforcement action.

Terraform Checks

waf-sov-020.tf.aws.provider-region-in-allowed-list

Checks: AWS Provider must set region explicitly.

Compliant:

provider "aws" {
  region = var.aws_region
}

Non-Compliant:

provider "aws" {
  # region via AWS_DEFAULT_REGION –
  # not sovereign-safe
}

waf-sov-020.tf.aws.region-variable-validation

Checks: Region variables must have a validation block with allowed values.

Compliant:

variable "aws_region" {
  type    = string
  default = "eu-central-1"
  validation {
    condition = contains([
      "eu-central-1",
      "eu-west-1",
      "eu-north-1"
    ], var.aws_region)
    error_message = <<-EOF
      Region '${var.aws_region}' is not in the
      approved sovereign region list.
    EOF
  }
}

Non-Compliant:

variable "aws_region" {
  type    = string
  default = "us-east-1"
  # No validation block –
  # any region is accepted
}

waf-sov-020.tf.aws.no-hardcoded-non-sovereign-region

Checks: No hardcoded non-sovereign region strings (e.g. us-east-1, ap-southeast-1) in IaC.

Compliant:

provider "aws" {
  region = var.aws_region
  # var.aws_region validated to EU
}

Non-Compliant:

provider "aws" {
  region = "us-east-1"  # ❌ Hardcoded
                         # non-sovereign region
}

waf-sov-020.tf.stackit.region-validation

Checks: StackIT region variables must have a validation block.

Compliant:

variable "stackit_region" {
  type    = string
  default = "eu-central-1"
  validation {
    condition = contains(["eu-central-1", "eu-west-1"], var.stackit_region)
    error_message = "StackIT region must be an approved sovereign region."
  }
}
provider "stackit" {
  region = var.stackit_region
}

Non-Compliant:

variable "stackit_region" {
  type    = string
  default = "us-east-1"
  # No validation block
}

waf-sov-020.tf.ovh.location-validation

Checks: OVH location variables must have a validation block.

Compliant:

variable "ovh_location" {
  type    = string
  default = "DE-FRA"
  validation {
    condition = contains(["DE-FRA", "DE-EDE", "EU-CY"], var.ovh_location)
    error_message = "OVH location must be an approved sovereign region."
  }
}
provider "ovh" {
  endpoint = "ovh-eu"
}

Non-Compliant:

variable "ovh_location" {
  type    = string
  default = "US-CA"
  # No validation block
}

waf-sov-020.tf.hcloud.location-validation

Checks: Hetzner Cloud location variables must have a validation block.

Compliant:

variable "hcloud_location" {
  type    = string
  default = "fsn1"
  validation {
    condition = contains(["fsn1", "nbg1", "hel1"], var.hcloud_location)
    error_message = "Hetzner Cloud location must be an approved sovereign region."
  }
}
resource "hcloud_server" "main" {
  name        = "sovereign-server"
  server_type = "cx22"
  location    = var.hcloud_location
}

Non-Compliant:

variable "hcloud_location" {
  type    = string
  default = "us-ca"
  # No validation block
}

SCP Example (Organization Level)

Purpose: Last safety net – prevents API calls outside approved regions.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideApprovedRegions",
    "Effect": "Deny",
    "NotAction": ["iam:*","sts:*","route53:*","cloudfront:*"],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": [
          "eu-central-1",
          "eu-west-1",
          "eu-north-1"
        ]
      }
    }
  }]
}
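The Deny/NotAction/StringNotEquals combination above is easy to misread, so here is an added example (not WAF++ code or an AWS tool) that replays the SCP against a handful of constructed API calls and reports which ones it blocks. It is a deliberately reduced model of the IAM evaluation logic: it considers only Deny statements, treats NotAction as "every action except these" and StringNotEquals as "region not in the list", and assumes aws:RequestedRegion is always present in the request. The sample calls are constructed, not real CloudTrail records.

```python
"""Replay the DenyOutsideApprovedRegions SCP against sample API calls.

Added example, not part of the WAF++ page or any AWS tooling. Simplified model:
only Deny statements are evaluated, Allow statements and the ...IfExists / Null
operators are not modelled, and aws:RequestedRegion is assumed to be present.
"""
from fnmatch import fnmatchcase

# The page's SCP, reproduced as a Python dict.
DENY_OUTSIDE_APPROVED_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "route53:*", "cloudfront:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "aws:RequestedRegion": ["eu-central-1", "eu-west-1", "eu-north-1"]
            }
        }
    }]
}


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports the '*' wildcard."""
    return fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy, action, requested_region):
    """True if a Deny statement of the SCP applies to this (action, region) pair."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # Action: the statement applies only to listed actions.
        if "Action" in stmt and not any(
                _action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        # NotAction: the statement applies to every action EXCEPT the listed ones,
        # which is how the global services (IAM, STS, Route 53, CloudFront) stay usable.
        if "NotAction" in stmt and any(
                _action_matches(p, action) for p in _as_list(stmt["NotAction"])):
            continue
        approved = _as_list(stmt.get("Condition", {})
                            .get("StringNotEquals", {})
                            .get("aws:RequestedRegion", []))
        # StringNotEquals is true (and the Deny fires) when the region is not in the list.
        if requested_region not in approved:
            return True
    return False


def evaluate(policy, calls):
    """Map each (action, region) pair to 'DENY' or 'ALLOW' under the SCP."""
    return {(a, r): ("DENY" if scp_denies(policy, a, r) else "ALLOW") for a, r in calls}


# Constructed sample calls, not real CloudTrail data.
SAMPLE_CALLS = [
    ("ec2:RunInstances", "us-east-1"),        # regional service outside the list
    ("ec2:RunInstances", "eu-central-1"),     # regional service inside the list
    ("s3:CreateBucket", "ap-southeast-1"),    # the state-bucket leak from Threat Context
    ("sts:GetCallerIdentity", "us-east-1"),   # global service, exempt via NotAction
    ("iam:CreateRole", "us-east-1"),          # global service, exempt via NotAction
]

if __name__ == "__main__":
    for (action, region), verdict in evaluate(DENY_OUTSIDE_APPROVED_REGIONS, SAMPLE_CALLS).items():
        print(f"{verdict:5} {action:24} {region}")
```

The two exempt calls are the point of the NotAction list: without it, IAM and STS calls (which are routed to us-east-1 regardless of where the caller sits) would be denied and the account would lock itself out. Anything added to that list is, by construction, no longer region-pinned, so the list should stay limited to genuinely global services and be reviewed with the same exception process as the rest of the control.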

Evidence

Type     Required     Description
IaC      ✅ Required  Terraform code with variable validation blocks for all region/location parameters.
Policy   ✅ Required  OPA/Sentinel rules, AWS SCP, Azure Policy, or GCP Org Policy with region restrictions.
Logs     Optional     CI pipeline logs with blocked non-sovereign deployment attempt (as proof of function).
Config   Optional     Cloud provider org-policy export with active region restrictions.

Regulatory Mapping

Framework           Controls
GDPR                Art. 44 – General principle for transfers; Art. 46 – Appropriate safeguards; Art. 28 – Processor agreement
BSI C5:2020         OPS-04 – Data management; OPS-05 – Data leakage prevention; SIM-01 – Security incident management
EUCS (ENISA)        DSP-01 – Data classification; DSP-02 – Data inventory and data flow; DSP-03 – Data availability; DSP-04 – Data deletion; IAM-01 – Identity and access
ISO 27001:2022      A.5.12 – Classification of information; A.5.13 – Labelling of information; A.5.33 – Protection of records
ISO 27017           CLD.5.1 – Information security in cloud services; CLD.5.2 – Access control in cloud services
ISO 27018           A.2 – Purpose legitimacy and PII protection; A.10 – Confidentiality and security of PII
BSI C3A:2026        Domain – Data sovereignty; Domain – Cloud-specific requirements
GAIA-X              Sovereign Cloud – Requirements for data location and transparency
NIST SP 800-53      SC-1 – Cloud computing security; SC-7 – Boundary protection; SC-8 – Transmission confidentiality
NIST CSF 2.0        GV.PO – Policy; GV.RM – Risk management; GV.SC – Cybersecurity supply chain risk management
FedRAMP             SC-1, SC-7, SC-8 (High baseline)
TISAX               Information security – Data protection; Prototype protection – Sensitive data handling
ANSSI SecNumCloud   Domain – Data protection; Domain – Cloud security
BIO                 BIO – Data protection; BIO – Cloud security
ENS High            ds.info.1 – Personal data; ds.info.2 – Information classification
UK NCSC CAF         B3 – Understanding data; B4 – System security
CMMC 2.0            SC.L2-3.13.16 – Protect CUI confidentiality at rest
IRAP                ISM – Data protection; ISM – Cloud security
CCCS PBMM           SC-7 – Boundary protection; SC-8 – Transmission confidentiality
MAS TRM             Ch.5 – Technology risk governance; Ch.8 – Cloud computing controls
ISMAP               Data sovereignty and cloud security
FISC                Technical measures – Data protection

Best Practice