diff --git a/catalog/region-restriction-templates/DenyRegions.yaml b/catalog/region-restriction-templates/DenyRegions.yaml
index 31255ee..79ca4ba 100644
--- a/catalog/region-restriction-templates/DenyRegions.yaml
+++ b/catalog/region-restriction-templates/DenyRegions.yaml
@@ -28,6 +28,9 @@
 - "iam:*"
 - "importexport:*"
 - "kms:*"
+ %{ if cloudfront_lambda_edge_enabled == "true" }
+ - "lambda:*"
+ %{ endif }
 - "mobileanalytics:*"
 - "networkmanager:*"
 - "organizations:*"
@@ -37,6 +40,9 @@
 - "s3:GetAccountPublic*"
 - "s3:ListAllMyBuckets"
 - "s3:PutAccountPublic*"
+ %{ if servicequotas_enabled == "true" }
+ - "servicequotas:*"
+ %{ endif }
 - "shield:*"
 - "sts:*"
 - "support:*"
@@ -56,3 +62,20 @@
 %{ endfor }
 resources:
 - "*"
+
+- sid: "DenyLambdaInRegions"
+ effect: "Deny"
+ actions:
+ - "lambda:*"
+ condition:
+ - test: "StringEqualsIgnoreCase"
+ variable: "aws:RequestedRegion"
+ # List of denied regions
+ values:
+ %{ for r in split(",", denied_regions) }
+ %{ if cloudfront_lambda_edge_enabled != "true" || trimspace(r) != "us-east-1" }
+ - ${trimspace(r)}
+ %{ endif }
+ %{ endfor }
+ resources:
+ - "*"
diff --git a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml
index 4f48be3..1f06c23 100644
--- a/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml
+++ b/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml
@@ -28,6 +28,9 @@
 - "iam:*"
 - "importexport:*"
 - "kms:*"
+ %{ if cloudfront_lambda_edge_enabled == "true" }
+ - "lambda:*"
+ %{ endif }
 - "mobileanalytics:*"
 - "networkmanager:*"
 - "organizations:*"
@@ -37,6 +40,9 @@
 - "s3:GetAccountPublic*"
 - "s3:ListAllMyBuckets"
 - "s3:PutAccountPublic*"
+ %{ if servicequotas_enabled == "true" }
+ - "servicequotas:*"
+ %{ endif }
 - "shield:*"
 - "sts:*"
 - "support:*"
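Review bot: Exempting `lambda:*` from the main region deny when `cloudfront_lambda_edge_enabled` is "true" means the whole Lambda API is then region-restricted only by the separate `DenyLambdaInRegions` statement added further down the same file, and nothing at this line records that coupling. A comment above the `%{ if }` would keep the two edits in step if someone later changes one without the other: `# Lambda@Edge needs lambda:* outside this deny; region scoping is done by the DenyLambdaInRegions statement below`. The enclosing statement's header is outside the hunk, so I cannot confirm from here that this list is the NotAction of a Deny, which the design presumably relies on.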
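Review bot: In the new `DenyLambdaInRegions` statement, when `cloudfront_lambda_edge_enabled` is "true" and `denied_regions` contains only `us-east-1`, the `%{ for }`/`%{ if }` pair under `values:` emits no items, leaving a bare `values:` key, which YAML reads as null rather than an empty list; the rendered condition would then presumably have no region values and the SCP update would likely be rejected. Since the statement only does work the main deny does not already cover when the flag is on, guard the whole statement instead of each item: `%{ if cloudfront_lambda_edge_enabled == "true" && length([for r in split(",", denied_regions) : r if trimspace(r) != "us-east-1"]) > 0 }` before `- sid:` and a matching `%{ endif }` after the final `- "*"`, with the inner `%{ if }` reduced to `trimspace(r) != "us-east-1"`. The `us-east-1` carve-out also deserves an explicit caveat for whoever maintains `denied_regions`, because it permits every `lambda:*` action in us-east-1, not only Lambda@Edge functions (SCP conditions cannot tell them apart): `# NOTE: exempts ALL of Lambda in us-east-1 when Lambda@Edge is enabled, not just edge functions`.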
@@ -56,3 +62,22 @@
 %{ endfor }
 resources:
 - "*"
+
+- sid: "RestrictLambdaToSpecifiedRegions"
+ effect: "Deny"
+ actions:
+ - "lambda:*"
+ condition:
+ - test: "StringNotEqualsIgnoreCase"
+ variable: "aws:RequestedRegion"
+ # List of allowed regions
+ values:
+ # Us east-1 required for cloudfront lambda on edge
+ %{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") }
+ - us-east-1
+ %{ endif }
+ %{ for r in split(",", allowed_regions) }
+ - ${trimspace(r)}
+ %{ endfor }
+ resources:
+ - "*"
diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars
index d564a3e..d8bcb79 100644
--- a/examples/complete/fixtures.us-east-2.tfvars
+++ b/examples/complete/fixtures.us-east-2.tfvars
@@ -11,10 +11,12 @@
 name = "scp"
 service_control_policy_description = "Test Service Control Policy"
 parameters = {
- ami_creator_account = "account_creator"
- ami_tag_key = "ami_tag_key"
- ami_tag_value = "ami_tag_value"
- allowed_regions = "eu-central-1, eu-west-1"
- denied_regions = "sa-east-1"
- s3_regions_lockdown = "eu-central-1, eu-west-1"
+ ami_creator_account = "account_creator"
+ ami_tag_key = "ami_tag_key"
+ ami_tag_value = "ami_tag_value"
+ allowed_regions = "eu-central-1, eu-west-1"
+ denied_regions = "sa-east-1"
+ s3_regions_lockdown = "eu-central-1, eu-west-1"
+ cloudfront_lambda_edge_enabled = "false"
+ servicequotas_enabled = "false"
 }
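Review bot: The `!contains(split(",", allowed_regions), "us-east-1")` test in the new `RestrictLambdaToSpecifiedRegions` values block checks untrimmed tokens while the loop beneath it emits `trimspace(r)`; with the comma-space list style the fixtures use (`"eu-central-1, eu-west-1"`), an `allowed_regions` ending in `, us-east-1` splits to `" us-east-1"`, the membership test misses, and `us-east-1` is emitted twice. Trim before testing: `%{ if cloudfront_lambda_edge_enabled == "true" && !contains([for x in split(",", allowed_regions) : trimspace(x)], "us-east-1") }`. A duplicated value in a StringNotEqualsIgnoreCase list does not change evaluation, so this is a consistency fix rather than a bypass, but the comment above it should also spell out the real trade-off — that the flag admits every `lambda:*` action in us-east-1 even when us-east-1 is not in `allowed_regions`, not only Lambda@Edge functions: `# Lambda@Edge functions must live in us-east-1; this exempts ALL of Lambda there, not just edge functions`.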