WAF++

WAF-SOV-020 – Region Pinning Enforced (IaC)

Description

Deployments MUST be restricted to permitted sovereign regions through policy-as-code and IaC guardrails. Region constraints must be technically enforced — not merely documented.

Violations MUST be blocked in CI or immediately reported as critical policy exceptions. Every approved exception requires documented approval with a time limit.

Rationale

Documentation alone cannot prevent accidental or intentional deployments into non-sovereign regions. A single provider block without an explicit region, or a stray AWS_DEFAULT_REGION in a pipeline, can silently create workloads outside jurisdictional boundaries.

Region pinning must be enforced at every layer:

  • IaC level: Variable validation in Terraform

  • CI/CD level: OPA/Sentinel policy gate in the build

  • Organization level: SCP / Azure Policy / GCP Org Policy as the last safety net

Threat Context

Accidental deployment: A wrong AWS_DEFAULT_REGION environment variable in the CI pipeline creates resources in US East.

Shadow infrastructure: A developer account without SCP guardrails allows deployments to arbitrary regions.

Provider default fallback: A provider block without a region attribute falls back to whatever the environment (AWS_REGION / AWS_DEFAULT_REGION) or the shared AWS config file supplies; none of that is visible in the reviewed code.

Terraform state leak: A state file with sensitive metadata is stored in an S3 bucket outside the approved region. The S3 backend block has its own region setting, independent of the provider's, and must be pinned separately.

Regulatory Mapping

GDPR: Art. 44 – General principle for transfers; Art. 46 – Appropriate safeguards

BSI C5:2020: OPS-04 – Data management; INF-01 – Physical location of infrastructure

EUCS (ENISA): SOV-01 – Data location; SOV-02 – Jurisdictional control

GAIA-X: Sovereign Cloud – Location transparency and data location

ISO 27001:2022: A.8.10 – Information deletion; A.5.29 – Information security during business disruption

Requirement

  • All provider blocks MUST contain an explicit region/location

  • All region/location variables MUST have a validation block with allowed values

  • A deny mechanism (SCP/Azure Policy/Org Policy) MUST be enabled at the organization level

  • The CI/CD process MUST block region violations — a warning alone is insufficient

  • Hardcoded non-sovereign regions (e.g. us-*, ap-*, sa-*) in IaC are prohibited

Implementation Guidance

  1. Define allowed-regions list as a shared variable or locals in a base module.

  2. Add variable validation to every region/location parameter.

  3. Activate AWS SCP with DenyOutsideApprovedRegions at organization level.

  4. Configure Azure Policy or GCP Org Policy as the equivalent.

  5. Implement CI gate: OPA or Sentinel validates the Terraform plan.

  6. Activate drift detection: Scheduled scans find manually created resources.

  7. Formalize exceptions: Every exception requires CISO/DPO approval, is time-limited, and documented.
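As an added example for step 6 (drift detection), not part of WAF++ or any vendor tooling: a Python scan that takes an inventory of ARNs (in practice collected by a scheduled job from an AWS Config aggregator or from the Resource Groups Tagging API called in every enabled region) and reports every resource whose region is outside the approved list. The constructed ARNs, the placeholder account ID 111122223333 and the GLOBAL_SERVICES set are assumptions for illustration. The scan handles the two cases a naive ARN check misses: global services have no region field, and S3 ARNs never carry a region, so bucket locations must be fed in from GetBucketLocation, whose raw result is null for us-east-1 and "EU" for legacy eu-west-1 buckets.

```python
"""Drift scan: flag inventoried AWS resources outside the approved sovereign regions.

Example code added to this page (not part of WAF++ or any vendor tooling).
The inventory is a constructed list of ARNs standing in for what a scheduled
job would collect, e.g. via an AWS Config aggregator or the Resource Groups
Tagging API queried in every enabled region.
"""
from typing import Optional

ALLOWED_REGIONS = frozenset({"eu-central-1", "eu-west-1", "eu-north-1"})

# Services whose ARNs carry no region because they are global. Assumption for
# illustration: keep this aligned with the NotAction list of the organisation's SCP.
GLOBAL_SERVICES = frozenset({"iam", "sts", "route53", "cloudfront", "organizations"})


def normalize_bucket_location(location_constraint: Optional[str]) -> str:
    """Map a raw S3 GetBucketLocation LocationConstraint to a region code.

    S3 returns null/empty for us-east-1 and the legacy value "EU" for eu-west-1.
    """
    if not location_constraint:
        return "us-east-1"
    if location_constraint == "EU":
        return "eu-west-1"
    return location_constraint


def find_drift(arns, bucket_locations, allowed=ALLOWED_REGIONS):
    """Return (arn, reason) pairs for every resource not pinned to an approved region.

    bucket_locations maps bucket name -> raw GetBucketLocation result, because
    S3 ARNs (arn:aws:s3:::bucket) contain no region field at all.
    """
    violations = []
    for arn in arns:
        parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
        if len(parts) != 6 or parts[0] != "arn":
            raise ValueError(f"not an ARN: {arn}")
        service, region, resource = parts[2], parts[3], parts[5]
        if service == "s3":
            bucket = resource.split("/", 1)[0]
            if bucket not in bucket_locations:
                violations.append((arn, "bucket location unknown; GetBucketLocation missing"))
                continue
            region = normalize_bucket_location(bucket_locations[bucket])
        elif region == "":
            if service in GLOBAL_SERVICES:
                continue  # global service, nothing to pin
            violations.append((arn, "ARN has no region field"))
            continue
        if region not in allowed:
            violations.append((arn, f"region {region} is not approved"))
    return violations


# Constructed sample inventory (not real account data).
SAMPLE_ARNS = [
    "arn:aws:ec2:eu-central-1:111122223333:instance/i-0abc",
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0def",        # shadow instance
    "arn:aws:iam::111122223333:role/deploy",                     # global, no region
    "arn:aws:s3:::tfstate-prod",                                 # state bucket, see locations
    "arn:aws:s3:::eu-data",
    "arn:aws:lambda:ap-southeast-1:111122223333:function:f",
]
SAMPLE_BUCKET_LOCATIONS = {
    "tfstate-prod": None,  # GetBucketLocation returns null for us-east-1
    "eu-data": "eu-central-1",
}

if __name__ == "__main__":
    for arn, reason in find_drift(SAMPLE_ARNS, SAMPLE_BUCKET_LOCATIONS):
        print(f"DRIFT {arn}: {reason}")
```

Feed the returned list into the alerting path required at maturity level 4; at level 5 the same list drives quarantine or deletion, with every action written to the audit trail.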

Maturity Levels

Level 1, Region documented: Permitted regions listed in policy document; no technical enforcement.

Level 2, IaC region constraints set: All provider blocks have an explicit region; region variables with validation block.

Level 3, Full enforcement: CI pipeline blocks non-sovereign deployments; OPA/SCP/Policy in effect; no undocumented exceptions.

Level 4, Continuous drift monitoring: Scheduled scans detect resources outside approved regions; alerts within 1 hour; weekly compliance reports.

Level 5, Automatic remediation: Non-compliant resources are automatically deleted or quarantined; full audit trail of every enforcement action.

Terraform Checks

waf-sov-020.tf.aws.provider-region-in-allowed-list

Checks: AWS provider must set region explicitly.

Compliant:
provider "aws" {
  region = var.aws_region
}

Non-Compliant:
provider "aws" {
  # region via AWS_DEFAULT_REGION –
  # not sovereign-safe
}

waf-sov-020.tf.aws.region-variable-validation

Checks: Region variables must have a validation block with allowed values.

Compliant:
variable "aws_region" {
  type    = string
  default = "eu-central-1"
  validation {
    condition = contains([
      "eu-central-1",
      "eu-west-1",
      "eu-north-1"
    ], var.aws_region)
    error_message = <<-EOF
      Region '${var.aws_region}' is not in the
      approved sovereign region list.
    EOF
  }
}

Non-Compliant:
variable "aws_region" {
  type    = string
  default = "us-east-1"
  # No validation block –
  # any region is accepted
}

waf-sov-020.tf.aws.no-hardcoded-non-sovereign-region

Checks: No hardcoded non-sovereign region strings (e.g. us-east-1, ap-southeast-1) in IaC.

Compliant:
provider "aws" {
  region = var.aws_region
  # var.aws_region validated to EU
}

Non-Compliant:
provider "aws" {
  region = "us-east-1"  # ❌ Hardcoded
                         # non-sovereign region
}
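The three checks above, and step 5 of the Implementation Guidance (a CI gate on the plan), can be enforced against the machine-readable plan produced by terraform show -json tfplan. The following Python gate is an added example, not WAF++ tooling and not an OPA or Sentinel policy; the embedded SAMPLE_PLAN is a constructed fragment, and the approved-region list and the AWS_REGION_RE pattern are assumptions. It exits non-zero when any aws provider lacks a region, resolves to a region outside the approved list, or when any resource argument carries a hardcoded non-sovereign region code. Plan JSON does not contain variable validation blocks, so the second check is expressed as "the variable's resolved value must be approved"; the presence of the validation block itself still has to be verified against the HCL.

```python
"""CI gate: deny a Terraform plan whose AWS provider regions leave the approved list.

Example code added to this page (not WAF++ tooling, not an OPA/Sentinel policy).
Input is the JSON from `terraform show -json tfplan`. Checks at plan time:
  - every aws provider block has a region expression,
  - the effective region (literal or var.* reference) is in the approved list,
  - no resource argument carries a hardcoded region code outside that list.
"""
import json
import re
import sys
from typing import Any, Iterator, Optional

ALLOWED_REGIONS = frozenset({"eu-central-1", "eu-west-1", "eu-north-1"})
# Shape of an AWS region code (us-east-1, eu-central-1, ap-southeast-2, ...);
# availability zones such as eu-central-1a deliberately do not match.
AWS_REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")


def _constant_strings(node: Any) -> Iterator[str]:
    """Yield every constant_value string nested anywhere in a plan expression tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "constant_value" and isinstance(value, str):
                yield value
            else:
                yield from _constant_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _constant_strings(item)


def _iter_resources(module: dict) -> Iterator[dict]:
    """Walk the root module and every nested module_calls entry of the configuration."""
    yield from module.get("resources", [])
    for call in module.get("module_calls", {}).values():
        yield from _iter_resources(call.get("module", {}))


def _resolve_region(expr: dict, variables: dict) -> Optional[str]:
    """Resolve a provider region expression: a literal, or a var.* reference to its planned value."""
    if "constant_value" in expr:
        return expr["constant_value"]
    for ref in expr.get("references", []):
        if ref.startswith("var."):
            return variables.get(ref[4:], {}).get("value")
    return None  # derived from a data source or local we cannot resolve statically


def check_plan(plan: dict, allowed=ALLOWED_REGIONS) -> list:
    """Return human-readable findings; an empty list means the plan may proceed."""
    findings = []
    config = plan.get("configuration", {})
    variables = plan.get("variables", {})
    for key, provider in config.get("provider_config", {}).items():
        if provider.get("name") != "aws":
            continue
        region_expr = provider.get("expressions", {}).get("region")
        if region_expr is None:
            findings.append(f"provider {key}: no explicit region (would fall back to AWS_DEFAULT_REGION)")
            continue
        region = _resolve_region(region_expr, variables)
        if region is None:
            findings.append(f"provider {key}: region cannot be resolved statically")
        elif region not in allowed:
            findings.append(f"provider {key}: region {region!r} not in approved list")
    for resource in _iter_resources(config.get("root_module", {})):
        for value in _constant_strings(resource.get("expressions", {})):
            if AWS_REGION_RE.match(value) and value not in allowed:
                findings.append(f"resource {resource.get('address')}: hardcoded region {value!r}")
    return findings


# Constructed plan fragment (not real terraform output) that trips all three checks once.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "variables": {"aws_region": {"value": "eu-central-1"}},
    "configuration": {
        "provider_config": {
            "aws": {"name": "aws", "expressions": {"region": {"references": ["var.aws_region"]}}},
            "aws.us": {"name": "aws", "alias": "us", "expressions": {"region": {"constant_value": "us-east-1"}}},
            "aws.implicit": {"name": "aws", "alias": "implicit"},
        },
        "root_module": {
            "resources": [{
                "address": "aws_dynamodb_table.orders",
                "expressions": {"replica": [{"region_name": {"constant_value": "ap-southeast-1"}}]},
            }],
        },
    },
}


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for finding in findings:
        print("DENY:", finding)
    return 1 if findings else 0  # non-zero exit fails the pipeline stage, as the control requires


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step after terraform plan -out tfplan and terraform show -json tfplan > plan.json; a non-zero exit is the block the Requirement section demands, and the printed DENY lines are the evidence of a blocked attempt.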

SCP Example (Organization Level)

Purpose: Last safety net. The policy denies every API call whose aws:RequestedRegion is outside the approved list. Global services (IAM, STS, Route 53, CloudFront) are exempted via NotAction because their endpoints are served from us-east-1 and would otherwise be blocked; extend that list to any other global service the organization relies on (for example Organizations or Support). Two limits to keep in mind: SCPs never apply to the management account, so it must not host workloads, and the policy only takes effect on the OUs or accounts it is attached to.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideApprovedRegions",
    "Effect": "Deny",
    "NotAction": ["iam:*","sts:*","route53:*","cloudfront:*"],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": [
          "eu-central-1",
          "eu-west-1",
          "eu-north-1"
        ]
      }
    }
  }]
}

Evidence

IaC (required): Terraform code with variable validation blocks for all region/location parameters.

Policy (required): OPA/Sentinel rules, AWS SCP, Azure Policy, or GCP Org Policy with region restrictions.

Logs (optional): CI pipeline logs with a blocked non-sovereign deployment attempt (as proof of function).

Config (optional): Cloud provider org-policy export with active region restrictions.