Issue: When an account is deleted in an AWS Organization, it remains in a suspended state for 90 days before it's permanently removed from the organization. As a result, the script may fail if it attempts to discover and assess an account in suspended state. Therefore, it's important to modify the script to skip any accounts that are in a suspended state during the discovery process.
Background: AWS Organizations places accounts in a suspended state for 90 days after they're deleted from the organization. During this period, the account is inaccessible and cannot be discovered or assessed. If the script attempts to discover and assess a suspended account, it will likely fail and generate errors, which can negatively impact the performance of the script.
Proposed Solution: To address this issue, we recommend modifying the script to skip any accounts that are in a suspended state during the discovery process. This will prevent the script from attempting to assess accounts that cannot be accessed, and avoid generating unnecessary errors.
Example output:
[cloudshell-user@ip-10-6-167-65 cloud-benchmark]$ python3 [aws_cspm_benchmark.py [aws_cspm_benchmark.py]
Cannot access adjacent account: 631025991766 An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::115255193357:assumed-role/AWSReservedSSO_AWSAdministratorAccess_b737e96d1e697324/[xxxxxxxxxxx@igt.com](mailto:xxxxxxxxxxx@igt.com) is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::631025991766:role/xxxxxxxxxxxxxxxxxxxxxx
Traceback (most recent call last):
File "aws_cspm_benchmark.py", line 125, in <module>
for aws in AWSOrgAccess().accounts():
File "aws_cspm_benchmark.py", line 52, in accounts
return [self.aws_handle(a) for a in accounts]
File "aws_cspm_benchmark.py", line 52, in <listcomp>
return [self.aws_handle(a) for a in accounts]
File "aws_cspm_benchmark.py", line 60, in aws_handle
return AWSHandle(aws_session=self.new_session(account['Id']), account_id=account['Id']) File "aws_cspm_benchmark.py", line 76, in new_session
raise exc
File "aws_cspm_benchmark.py", line 66, in new_session
RoleSessionName=account_id
File "/home/cloudshell-user/.local/lib/python3.7/site-packages/botocore/client.py", line 530, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/cloudshell-user/.local/lib/python3.7/site-packages/botocore/client.py", line 960, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::115255193357:assumed-role/AWSReservedSSO_AWSAdministratorAccess_b737e96d1e697324/[xxxxxxxxxxxxxxx@igt.com](mailto:xxxxxxxxxxxxxxx@igt.com) is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::631025991766:role/xxxxxxxxxxxxxxxxxxxxx
Issue: When an account is deleted in an AWS Organization, it remains in a suspended state for 90 days before it's permanently removed from the organization. As a result, the script may fail if it attempts to discover and assess an account in suspended state. Therefore, it's important to modify the script to skip any accounts that are in a suspended state during the discovery process.
Background: AWS Organizations places accounts in a suspended state for 90 days after they're deleted from the organization. During this period, the account is inaccessible and cannot be discovered or assessed. If the script attempts to discover and assess a suspended account, it will likely fail and generate errors, which can negatively impact the performance of the script.
Proposed Solution: To address this issue, we recommend modifying the script to skip any accounts that are in a suspended state during the discovery process. This will prevent the script from attempting to assess accounts that cannot be accessed, and avoid generating unnecessary errors.
Example output: