SP-1078 - Allow S3 Multi Region Endpoint Control Plane Requests to us…

…-west-2 #minor

management-account/terraform/organizations-policy-service-control.tf

@@ -204,6 +204,32 @@ data "aws_iam_policy_document" "deny_non_eu_non_us_east_1_operations" {
     }
   }
 
+  # Deny anything apart from S3 Global Endpoint Management Options in us-west-2
+  statement {
+    effect = "Deny"
+    not_actions = [
+      "s3:CreateMultiRegionAccessPoint",
+      "s3:DeleteMultiRegionAccessPoint",
+      "s3:DescribeMultiRegionAccessPointOperation",
+      "s3:GetMultiRegionAccessPoint",
+      "s3:GetMultiRegionAccessPointPolicy",
+      "s3:GetMultiRegionAccessPointPolicyStatus",
+      "s3:GetMultiRegionAccessPointRoutes",
+      "s3:ListMultiRegionAccessPoints",
+      "s3:PutMultiRegionAccessPointPolicy",
+      "s3:SubmitMultiRegionAccessPointRoutes"
+    ]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestedRegion"
+      values = [
+        "us-west-2"
+      ]
+    }
+  }
+
   # Deny enablement and deactivation of AWS opt-in regions (as of 04/01/2021)
   # including: Africa (Cape Town), Asia Pacific (Hong Kong), Europe (Milan), Middle East (Bahrain)
   statement {