duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License

Organizations using SCPs to Restrict Regions #682

Closed andrewkrug closed 4 years ago

andrewkrug commented 4 years ago

CloudMapper uses ec2.describe_regions() to pull back which regions to iterate over. Is there a better way to get this in an org that restricts regions using SCPs? Currently this causes a lot of access denied errors as cloudmapper tries to run describe calls in regions that aren't enabled.

0xdabbad00 commented 4 years ago

I wanted to avoid hard-coding a list as AWS adds more regions, but it could make sense to fall back to a hard-coded list where this call is restricted. There has been a PR to filter on the regions you collect from, https://github.com/duo-labs/cloudmapper/pull/496, and issue https://github.com/duo-labs/cloudmapper/issues/549.

dr460neye commented 4 years ago

Thanks for pointing out that a ticket about this exists already. Please be aware that the "hardcoded" region does not only appear in the ec2.describe_regions part. It appears way more often in the sense of "hardcoded". Maybe an effortless workaround could be that, on top of the "default" region, there is also an "api" region. This is available for all services except the "universal/global" ones. This could get rid of the situation that my "hosting" region somehow depends on the api region.

0xdabbad00 commented 4 years ago

This issue has been resolved via #698 where you can now define which regions to collect from.
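The two approaches this thread converges on, an explicit region allow-list in config with ec2.describe_regions() only as a fallback, and skipping rather than aborting on SCP denials, as an added example that is not CloudMapper's own code. The config key name `regions`, the offline `ClientError` stand-in and all sample data are assumptions.

```python
# Added example (not CloudMapper's code): choose regions to iterate over when an
# Organizations SCP denies API calls outside an allow-list. Assumes a config dict with
# an optional "regions" key and a describe_regions callable shaped like boto3's response.
FALLBACK_REGIONS = ["us-east-1", "us-east-2", "us-west-2", "eu-west-1"]  # constructed; keep current

class ClientError(Exception):
    # Offline stand-in for botocore.exceptions.ClientError (same .response shape).
    def __init__(self, code, operation):
        super().__init__(f"{operation}: {code}")
        self.response = {"Error": {"Code": code}}

def is_access_denied(err):
    # An SCP denial surfaces as one of these error codes.
    return err.response["Error"]["Code"] in ("AccessDenied", "UnauthorizedOperation")

def select_regions(config, describe_regions):
    # An explicit allow-list in config mirrors the SCP, so nothing probes disabled regions.
    if config.get("regions"):
        return sorted(set(config["regions"]))
    # Otherwise ask EC2; if even describe_regions is denied, fall back to the static list.
    try:
        resp = describe_regions()
    except ClientError as err:
        if not is_access_denied(err):
            raise
        return list(FALLBACK_REGIONS)
    return sorted(r["RegionName"] for r in resp["Regions"])

def collect(regions, collector):
    # Run collector(region) per region; record SCP-denied regions instead of
    # aborting the whole run on the first AccessDenied.
    results, denied = {}, []
    for region in regions:
        try:
            results[region] = collector(region)
        except ClientError as err:
            if not is_access_denied(err):
                raise
            denied.append(region)
    return results, denied

# Constructed sample: a describe_regions response, an SCP allowing two regions,
# a collector that fails like a describe call under that SCP, and a denied call.
SAMPLE_REGIONS = {"Regions": [{"RegionName": n} for n in ("us-east-1", "eu-west-1", "ap-south-1")]}
ALLOWED = {"us-east-1", "eu-west-1"}
def fake_collector(region):
    if region not in ALLOWED:
        raise ClientError("AccessDenied", "ec2:DescribeInstances")
    return {"instances": 0}
def denied_describe_regions():
    raise ClientError("UnauthorizedOperation", "ec2:DescribeRegions")
```

With real boto3, `ClientError` is `botocore.exceptions.ClientError` and `describe_regions` is `boto3.client("ec2").describe_regions`; the logic is unchanged.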