Add Control Tower regions only SCP. Update README.

README.md

@@ -20,6 +20,8 @@ A repository of community generated Service control policies (SCPs) and referenc
 
 - [s3-us-only-buckets](s3-us-only-buckets.policy) - Allows creation of an S3 bucket only in the US EAST (us-east-1 or us-east-2) or WEST (us-west-1 or us-west-2) regions.
 
+- [control-tower-regions-only](control-tower-regions-only.policy) - Allows actions in only the regions used in AWS Control Tower. A US regions only policy will break some aspects of Control Tower as it requires access to all the regions it is available in. You can further constrain user actions with a separate SCP that only gives access to a subset of the Control Tower regions to a particular group.
+
 ## Reference Links
 
 - [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html) - AWS Organizations - Service Control Policies Documentation

control-tower-regions-only.policy

@@ -0,0 +1,33 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "NotAction": [
+                "iam:*",
+                "organizations:*",
+                "route53:*",
+                "budgets:*",
+                "waf:*",
+                "cloudfront:*",
+                "globalaccelerator:*",
+                "importexport:*",
+                "support:*",
+                "health:*",
+                "route53domains:*"
+            ],
+            "Resource": "*",
+            "Effect": "Deny",
+            "Condition": {
+                "StringNotEquals": {
+                    "aws:RequestedRegion": [
+                        "us-east-1",
+                        "us-east-2",
+                        "us-west-2",
+                        "eu-west-1",
+                        "ap-southeast-2"
+                    ]
+                }
+            }
+        }
+    ]
+}