aws-solutions / account-assessment-for-aws-organizations

Account Assessment for AWS Organizations programmatically scans all AWS accounts in an AWS Organization for identity-based and resource-based policies with Organization-based conditions.
Apache License 2.0

Autodetect regions #4

Open devt opened 1 year ago

devt commented 1 year ago

Use case
In a large org with many accounts, optional regions are enabled only in several dozen accounts and we don't necessarily have a list. If we run for all optional regions, we get lots of errors (several hundred accounts report 4-5 errors about regions not being present).

Auto detect what regions to scan
Would like the code to operate in all regions which are enabled for the specific account.

Additional context
The above implies we make a call to ec2.describe_regions for each account and this is what determines which regions are scanned.

groverlalit commented 1 year ago

Thanks for opening this feature request. We have added this to our backlog and will review in the next release planning.

groverlalit commented 5 months ago

We reviewed this issue and will be supporting this feature request. However, we will implement the list_regions API call using the 'account' client instead of describe_regions using the 'ec2' client.

We prefer to use the list_regions API because it allows us to provide RegionOptStatusContains=['ENABLED'|'ENABLED_BY_DEFAULT'].
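As an added example (not the project's code) of the approach described in the comment above: enumerate an account's enabled regions with account:ListRegions filtered by RegionOptStatusContains, following NextToken pagination so every page is read. FakeAccountClient, its region list and the account id in the comment are constructed stand-ins so the block runs offline; with boto3 installed, pass boto3.client("account") instead.

```python
"""Auto-detect the regions enabled for an AWS account via account:ListRegions."""
from typing import List, Optional, Sequence, Tuple

# Opt-in statuses that mean the region can actually be scanned.
ENABLED_STATUSES = ["ENABLED", "ENABLED_BY_DEFAULT"]


def enabled_regions(account_client, statuses: Sequence[str] = ENABLED_STATUSES,
                    account_id: Optional[str] = None) -> List[str]:
    """Return the sorted region names whose opt-in status is in `statuses`.

    `account_client` is a boto3 'account' client (or any object with the same
    list_regions signature). `account_id` is passed as AccountId when set, which
    lets the management/delegated-admin account query a member account without
    assuming a role into it. All NextToken pages are consumed.
    """
    kwargs = {"RegionOptStatusContains": list(statuses)}
    if account_id:
        kwargs["AccountId"] = account_id
    regions: List[str] = []
    while True:
        resp = account_client.list_regions(**kwargs)
        regions.extend(r["RegionName"] for r in resp.get("Regions", []))
        token = resp.get("NextToken")
        if not token:
            return sorted(regions)
        kwargs["NextToken"] = token


class FakeAccountClient:
    """Constructed offline stand-in for boto3.client('account').

    Applies the RegionOptStatusContains filter and paginates like the real
    API, so the NextToken loop in enabled_regions() is exercised.
    """

    def __init__(self, regions: Sequence[Tuple[str, str]], page_size: int = 2):
        self._regions = regions
        self._page_size = page_size

    def list_regions(self, RegionOptStatusContains, AccountId=None, NextToken=None):
        matches = [{"RegionName": n, "RegionOptStatus": s}
                   for n, s in self._regions if s in RegionOptStatusContains]
        start = int(NextToken) if NextToken else 0
        end = start + self._page_size
        resp = {"Regions": matches[start:end]}
        if end < len(matches):
            resp["NextToken"] = str(end)
        return resp


# Constructed sample: two default regions, one opted in, one disabled, one in flight.
CONSTRUCTED_REGIONS = [("us-east-1", "ENABLED_BY_DEFAULT"), ("eu-west-1", "ENABLED_BY_DEFAULT"),
                       ("ap-east-1", "ENABLED"), ("me-south-1", "DISABLED"), ("af-south-1", "ENABLING")]

if __name__ == "__main__":
    # Real use: enabled_regions(boto3.client("account"), account_id="111111111111")  (placeholder id)
    print(enabled_regions(FakeAccountClient(CONSTRUCTED_REGIONS)))  # DISABLED/ENABLING are skipped
```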