[BUG] Enabling EBS Default Encryption in a non default region fails

[deanillfeld]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Describe the bug

Enabling EBS Default Encryption in a non default region fails due to a V1 STS token being obtained from the global endpoint. (Reference: https://repost.aws/knowledge-center/iam-validate-access-credentials).

Line 80: sts_client: STSClient = session.client("sts", config=BOTO3_CONFIG)

To Reproduce

Steps to reproduce the behavior:

1. Deploy the ec2_default_ebs_encryption with a non default region enabled in Control Tower (I had the error on ap-southeast-4 specifically)
2. Review the Lambda logs for errors in sra.process_enable_ebs_encryption_by_default

Expected behavior

EBS Encryption by Default to be enabled in non default regions.

Deployment Environment (please complete the following information)

• Control Tower with Cloudformation Deployment

Additional context

I was able to temporarily resolve the issue by hard coding a regional sts endpoint. Understand this isnt scaleable and will only be a quick and dirty solution for my environment. sts_client: STSClient = session.client("sts", config=BOTO3_CONFIG, region_name=STS_REGION_ENDPOINT, endpoint_url=f"https://sts.{STS_REGION_ENDPOINT}.amazonaws.com")