Open sikongwuying opened 1 month ago
Hello @sikongwuying,
Thanks for reporting this issue. I have been able to reproduce it on my end.
The tool uses the API ListRegions to list the available Regions and then discover existing AWS IAM Access Analyzer external access analyzers. This explains why you are observing this issue for queries that are tied to IAM Access Analyzer findings.
The root cause is that the API ListRegions, when performed from the management account, should not take the parameter AccountId. The documentation states "The management account can't specify its own AccountId".
I just updated the code to manage situations where your CLI profile belongs to the management account.
However, the best practice is to use the management account only for tasks that require the management account. I would recommend using the tool from a security tooling account.
Please pull the latest release and try your queries again; let us know if you have any additional questions.
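The rule the maintainer quotes (omit AccountId whenever the caller, management account included, describes itself in standalone context) can be implemented as a small wrapper around account:ListRegions. This is an added example, not the tool's own code; `FakeSts`, `FakeAccount` and the account IDs are constructed stand-ins so the logic runs offline, and real boto3 `sts`/`account` clients can be passed in their place.

```python
# Added example, not the tool's own code. FakeSts/FakeAccount and the account
# IDs are constructed stand-ins so the logic can be exercised offline.
from typing import Optional

ENABLED_STATUSES = ("ENABLED", "ENABLED_BY_DEFAULT")


def list_regions_params(caller_account_id: str, target_account_id: str) -> dict:
    """Build kwargs for account:ListRegions.

    Any account, the management account included, must describe itself in
    standalone context, i.e. with AccountId omitted. AccountId is passed only
    when a management or delegated-admin caller targets a different member.
    """
    params = {"RegionOptStatusContains": list(ENABLED_STATUSES)}
    if target_account_id != caller_account_id:
        params["AccountId"] = target_account_id
    return params


def discover_regions(sts, account, target_account_id: Optional[str] = None) -> list:
    """Return sorted enabled Region names for target (default: the caller).
    `sts` and `account` are boto3 clients or objects with the same methods."""
    caller = sts.get_caller_identity()["Account"]
    params = list_regions_params(caller, target_account_id or caller)
    regions, token = [], None
    while True:  # follow NextToken pagination until the last page
        page = account.list_regions(**params, **({"NextToken": token} if token else {}))
        regions.extend(r["RegionName"] for r in page.get("Regions", []))
        token = page.get("NextToken")
        if not token:
            return sorted(regions)


class FakeSts:  # constructed: the caller is the (management) account 111111111111
    def get_caller_identity(self):
        return {"Account": "111111111111"}


class FakeAccount:  # constructed: serves two pages and records every call
    def __init__(self):
        self.calls = []

    def list_regions(self, **kwargs):
        self.calls.append(kwargs)
        if "NextToken" not in kwargs:
            return {"Regions": [{"RegionName": "us-east-1"}], "NextToken": "p2"}
        return {"Regions": [{"RegionName": "eu-west-1"}]}


if __name__ == "__main__":
    print(discover_regions(FakeSts(), FakeAccount()))  # ['eu-west-1', 'us-east-1']
```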
I am certain that my provided user has the `account:ListRegions` permission and the user is in the master account, but when executing `dph --list-account all --export-format HTML Excel JSON -lq s3_external_access_org_boundary`, there is always an error saying that I do not have permission: `is not authorized to perform: account:ListRegions (The management account can only be managed using the standalone context from the management account)`.
Similar ones include `findings_iam_aa_external_access_org_boundary` and `findings_sh_external_access_org_boundary`. Other requests did not encounter similar errors.