by solatic 1410 days ago
> Disable access to services in all non-active regions using SCPs.

This is key advice anyway. When setting up new AWS infrastructure for a new company, set up an AWS organization, and only enable us-east-1 (required for some global services like CloudFront) and maybe one additional region (if you don't want to put all your eggs in the us-east-1 basket). Don't enable additional regions that you don't need. Because most AWS APIs are regional, it makes finding aberrant infrastructure much, much easier, even if you're just combing through the console manually.

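The region lock-down the comment above describes is expressed as a service control policy attached to the organization root or to an OU. The policy below is an added illustration, not code from the comment's author or from AWS; it follows the shape of the region-deny SCP pattern (a Deny on everything except a carve-out of services whose APIs are not regional, keyed on the aws:RequestedRegion condition key). The allowed-region list, the break-glass role name and the exact set of carved-out services are assumptions for this example; the carve-out list in particular should be taken from the current AWS documentation for the services your accounts use, since a global service missing from NotAction gets denied everywhere.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "account:*",
        "cloudfront:*",
        "route53:*",
        "route53domains:*",
        "support:*",
        "trustedadvisor:*",
        "budgets:*",
        "ce:*",
        "cur:*",
        "health:*",
        "shield:*",
        "waf:*",
        "globalaccelerator:*",
        "ec2:DescribeRegions",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/OrgBreakGlassRole"
          ]
        }
      }
    }
  ]
}
```

Two checks worth doing before relying on it: SCPs never apply to the management account, so anything you run there is unconstrained by this policy and the account should hold no workloads; and the policy only gates API calls, so regions that are opt-in should additionally be left disabled at the account level, while the default-enabled regions (which cannot be switched off) are exactly the ones this SCP is for. After attaching it, a quick test is to assume an ordinary role and call a regional API such as `aws ec2 describe-instances --region eu-west-1`, which should fail with an explicit deny, while the same call in us-east-1 succeeds.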

I would not start by default in us-east-1, unless you want chaos monkey as a feature.
Are there any historical metrics out there on uptime/stability by region?

Would be interesting to see a top-line comparison (GCP and Azure regions would also be neat)

It’s not bad advice but I’d do it for latency for western clients more than this — I’ve been running in us-east-1 since the 2000s and there’ve been only a handful of times where we had a production outage on a properly-designed application (a network routing issue in 2011 or 2012, and a couple regional S3 or IAM issues). No, those weren’t perfect but during the same time period our professionally-managed data center resources had multiple weeks of complete downtime versus maybe a day cumulatively.
I recommend AWS Control Tower for getting this all set up. It's also compatible with Terraform in more than one way.
Ahhh. AWS Control Tower has no cost, but it requires AWS Config to be enabled. Config is yet another AWS service that can get costly over time (if continuous monitoring of changes is enabled).