Customer or accountant says: data EU-only, how do we make that a hard guarantee?
Don't trust default region selection. Encode the restriction in IaC and in an org-level policy. Most clouds ship an EU-only restriction as a policy template; that is the right layer to enforce it.
Try this first
1. AWS: SCP with aws:RequestedRegion in an allow-list of EU regions (e.g. eu-central-1, eu-west-1, eu-west-3). Attached at the org root, it applies to the whole org.
2. Azure: Azure Policy 'Allowed locations' at subscription or management-group level. Templates like 'EU only' are standard.
3. GCP: Organization Policy constraint constraints/gcp.resourceLocations with the EU multi-region or specific EU regions.
4. Note: some services are global (CloudFront, Front Door, IAM itself). They sit outside the region restriction and have their own data-residency claim from the cloud vendor.
5. For data in transit: check that backups, snapshots and logs also stay in the EU. A default CloudTrail setup can land in the US if you're not careful.
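As an added example (not from the original page, and not any cloud vendor's own code), here is the AWS variant of step 1 written out: a Service Control Policy that denies every request whose aws:RequestedRegion is not in the EU allow-list, with the global services from step 4 carved out via NotAction so the org is not locked out of IAM, STS, billing and the like. A small evaluator shows how the deny-unless-EU logic behaves on constructed sample requests. The region list and the set of exempted global services are assumptions; adjust both to your org. The Azure and GCP equivalents are declarative policy assignments with no logic worth simulating, so only AWS is shown.

```python
"""Added example: EU-only SCP for AWS Organizations plus a toy evaluator.

The region list and the exempted global-service actions are assumptions,
not values from the original page. SCPs can only deny; an Allow must still
come from the IAM policy on the principal."""
import json

# Allow-list of EU regions (assumed; extend with the EU regions you actually use)
EU_REGIONS = ["eu-central-1", "eu-west-1", "eu-west-3"]

# Global services whose API calls carry a non-EU aws:RequestedRegion (often
# us-east-1). Without these exemptions the SCP would block IAM, STS, billing...
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "account:*", "cloudfront:*",
    "route53:*", "support:*", "budgets:*", "ce:*", "health:*",
]


def build_eu_only_scp(regions=EU_REGIONS, exempt_actions=GLOBAL_SERVICE_ACTIONS):
    """Return the SCP document as a dict.

    json.dumps() the result and attach it at the org root with
    `aws organizations create-policy --type SERVICE_CONTROL_POLICY`.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideEU",
                "Effect": "Deny",
                # Statement applies to every action EXCEPT the global ones
                "NotAction": list(exempt_actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(regions)}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    """Match 'service:*' wildcards or exact 'service:Operation' names."""
    if pattern.endswith(":*"):
        return action.split(":", 1)[0] == pattern[:-2]
    return pattern == action


def is_denied_by_scp(scp, action, requested_region):
    """Toy evaluation of the Deny statements above for one request.

    Returns True when the SCP blocks the call. Only the NotAction +
    StringNotEquals(aws:RequestedRegion) shape used here is understood.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: exempted actions fall outside this statement entirely
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed_regions = cond.get("aws:RequestedRegion", [])
        if allowed_regions and requested_region not in allowed_regions:
            return True
    return False


if __name__ == "__main__":
    scp = build_eu_only_scp()
    print(json.dumps(scp, indent=2))
    # Constructed sample requests: EU compute, US compute, global IAM call
    samples = [
        ("ec2:RunInstances", "eu-central-1"),
        ("ec2:RunInstances", "us-east-1"),
        ("iam:CreateRole", "us-east-1"),
        ("s3:CreateBucket", "eu-west-1"),
    ]
    for action, region in samples:
        verdict = "DENIED" if is_denied_by_scp(scp, action, region) else "allowed"
        print(f"{action:20s} {region:14s} {verdict}")
```

Keep the exemption list as short as your org can tolerate: every service in NotAction is one the SCP no longer constrains by region, so each entry should be a service that is genuinely global rather than a convenience.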
When to bring us in
If your DPIA or contract requires EU-only: encode it in policy, IaC and the DPA. A privacy lawyer and a cloud architect working together can usually cover the full scope in half a day.
See also
- Everyone logs in with the AWS root account: Root is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccess: AdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own password: Identity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input, plus the steps you already saw, to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.