diff --git a/api/layer/container.go b/api/layer/container.go
index 64cafb9..e726c2e 100644
--- a/api/layer/container.go
+++ b/api/layer/container.go
@@ -28,7 +28,7 @@ type (
 
 const (
 	attributeLocationConstraint = ".s3-location-constraint"
-	defaultLocationConstraint   = "default"
+	DefaultLocationConstraint   = "default"
 	AttributeLockEnabled        = "LockEnabled"
 )
 
@@ -125,7 +125,7 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
 	var err error
 	ownerID := n.Owner(ctx)
 	if p.LocationConstraint == "" {
-		p.LocationConstraint = defaultLocationConstraint // s3tests_boto3.functional.test_s3:test_bucket_get_location
+		p.LocationConstraint = DefaultLocationConstraint // s3tests_boto3.functional.test_s3:test_bucket_get_location
 	}
 	bktInfo := &data.BucketInfo{
 		Name:               p.Name,
diff --git a/cmd/authmate/main.go b/cmd/authmate/main.go
index 8eab65f..22a168d 100644
--- a/cmd/authmate/main.go
+++ b/cmd/authmate/main.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neofs-s3-gw/api/layer"
 	"github.com/nspcc-dev/neofs-s3-gw/authmate"
 	"github.com/nspcc-dev/neofs-s3-gw/internal/neofs"
 	"github.com/nspcc-dev/neofs-s3-gw/internal/version"
@@ -322,6 +323,9 @@ func parsePolicies(val string) (authmate.ContainerPolicies, error) {
 	if err = json.Unmarshal(data, &policies); err != nil {
 		return nil, err
 	}
+	if _, ok := policies[layer.DefaultLocationConstraint]; ok {
+		return nil, fmt.Errorf("config overrides %s location constraint", layer.DefaultLocationConstraint)
+	}
 
 	return policies, nil
 }