Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

1.4.2. Edge Locations and Global vs. Regional Services

First Principle: AWS services operate at different geographic scopes — some are global (available everywhere with one configuration), some are Regional (isolated per-Region), and some operate at edge locations (close to end users). Understanding which scope each service operates at determines how you configure security controls for it.

Global Services have a single configuration that applies worldwide:

  • IAM: Users, roles, policies — global. An IAM role created in any Region is usable everywhere.
  • CloudFront: CDN distributions serve content from 400+ edge locations globally.
  • Route 53: DNS operates globally across all Regions.
  • AWS Organizations / SCPs: Organizational policies apply across all Regions and accounts.

Regional Services are isolated per-Region and must be configured in each Region:

  • VPC: Each VPC exists in one Region. Security groups and NACLs are Regional.
  • S3: Buckets exist in one Region (though bucket names are globally unique and a bucket can be addressed from any Region by default).
  • KMS: Keys exist in one Region. Cross-Region use requires multi-Region keys.
  • GuardDuty / Security Hub: Must be enabled in each Region you want to monitor.

Edge Locations process traffic at points closest to end users:

  • CloudFront: Caches content at the edge and enforces viewer protocol policies.
  • WAF: When associated with CloudFront, WAF rules execute at the edge — blocking attacks before they reach your origin.
  • Shield: DDoS protection operates at both the edge and Regional levels.

The security implication: if you enable GuardDuty in only one Region, attackers can operate undetected in other Regions. Security services must be enabled in ALL Regions where you have resources — and ideally in all Regions to detect unauthorized activity.

⚠️ Exam Trap: If a question mentions "organization-wide threat detection," the answer likely involves enabling GuardDuty through a delegated administrator account across ALL Regions — not just the primary Region.

Scenario: An organization enables Security Hub only in its primary Region (us-east-1). An attacker launches EC2 instances in ap-southeast-1 using compromised credentials. The security team doesn't detect the activity for weeks.
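The "enable in ALL Regions" point and the scenario above turn into a routine audit: list every Region, check whether a GuardDuty detector exists and is ENABLED there, and flag Regions that hold resources without detection. The following is an added example, not MindMesh Academy's code. The sample dictionaries are constructed to mirror the scenario (detection only in us-east-1, attacker instances in ap-southeast-1); the two live_* functions show the equivalent boto3 lookups and are an assumption about how you would gather the same data in a real account, so they are not run here.

```python
"""Find Regions where resources exist but GuardDuty is not ENABLED.

Added example (not MindMesh Academy's code). Sample data is constructed
to mirror the scenario in the text; the live_* helpers are an assumed
boto3 implementation and require AWS credentials to run.
"""
from typing import Dict, List, Optional

# Constructed sample: GuardDuty detector status per Region.
# None means no detector exists; "DISABLED" means one exists but is suspended.
SAMPLE_DETECTOR_STATUS: Dict[str, Optional[str]] = {
    "us-east-1": "ENABLED",
    "us-west-2": None,
    "eu-west-1": "DISABLED",
    "ap-southeast-1": None,
}

# Constructed sample: number of running EC2 instances per Region.
SAMPLE_INSTANCE_COUNTS: Dict[str, int] = {
    "us-east-1": 12,
    "us-west-2": 0,
    "eu-west-1": 3,
    "ap-southeast-1": 2,  # the attacker's instances from the scenario
}


def unmonitored_regions(detector_status: Dict[str, Optional[str]]) -> List[str]:
    """Regions with no detector or a detector whose status is not ENABLED."""
    return sorted(r for r, s in detector_status.items() if s != "ENABLED")


def blind_spots(detector_status: Dict[str, Optional[str]],
                instance_counts: Dict[str, int]) -> List[str]:
    """Regions that hold running instances while GuardDuty is not ENABLED.

    These are the Regions where the scenario's attacker operates undetected.
    """
    return sorted(r for r in unmonitored_regions(detector_status)
                  if instance_counts.get(r, 0) > 0)


def coverage_report(detector_status: Dict[str, Optional[str]],
                    instance_counts: Dict[str, int]) -> str:
    """One line per Region: status, resource count, and whether it is a gap."""
    lines = []
    gaps = set(blind_spots(detector_status, instance_counts))
    for region in sorted(detector_status):
        status = detector_status[region] or "NO DETECTOR"
        count = instance_counts.get(region, 0)
        flag = "  <-- resources without detection" if region in gaps else ""
        lines.append(f"{region:<16} {status:<12} instances={count}{flag}")
    return "\n".join(lines)


def live_detector_status(regions: Optional[List[str]] = None) -> Dict[str, Optional[str]]:
    """Assumed boto3 implementation (not run here): detector status per Region."""
    import boto3  # imported lazily so the offline functions above need no AWS SDK
    session = boto3.session.Session()
    regions = regions or session.get_available_regions("guardduty")
    status: Dict[str, Optional[str]] = {}
    for region in regions:
        gd = session.client("guardduty", region_name=region)
        ids = gd.list_detectors().get("DetectorIds", [])
        status[region] = gd.get_detector(DetectorId=ids[0])["Status"] if ids else None
    return status


def live_instance_counts(regions: List[str]) -> Dict[str, int]:
    """Assumed boto3 implementation (not run here): running EC2 instances per Region."""
    import boto3
    session = boto3.session.Session()
    counts: Dict[str, int] = {}
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        paginator = ec2.get_paginator("describe_instances")
        total = 0
        for page in paginator.paginate(
                Filters=[{"Name": "instance-state-name", "Values": ["running"]}]):
            total += sum(len(res["Instances"]) for res in page["Reservations"])
        counts[region] = total
    return counts


if __name__ == "__main__":
    print(coverage_report(SAMPLE_DETECTOR_STATUS, SAMPLE_INSTANCE_COUNTS))
    print("Blind spots:", blind_spots(SAMPLE_DETECTOR_STATUS, SAMPLE_INSTANCE_COUNTS))
```

Running the offline part prints ap-southeast-1 and eu-west-1 as blind spots: the first has no detector at all, the second has one that was created and then suspended, which is why the check tests for status ENABLED rather than for the mere existence of a detector. Note that us-west-2 also lacks detection; it holds no instances today, which is exactly the "ideally in all Regions" case the text makes, since unauthorized activity can start in an empty Region at any time.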

Reflection Question: Why must security monitoring services be enabled in all Regions, not just the Regions where you deploy resources?

Written by Alvin Varughese, Founder, 15 professional certifications