ekristen / aws-nuke

Remove all the resources from an AWS account
https://ekristen.github.io/aws-nuke/
MIT License

ec2:DescribeRegions used even when region is specified #387

Open Hermain opened 2 hours ago

Hermain commented 2 hours ago

My company denies ec2:DescribeRegions probably in an effort to prevent us from using any other region than the default one.

Now when I run aws-nuke (v3.27.0) with a config like this:

```yaml
regions:
  - eu-central-1
blocklist:
  - "999999999999"
accounts:
  "1111...": {}
__global__:
  - property: tag:Purpose
    type: "regex"
    value: "^(?!.*(terratest))"
resource-types:
  includes:
    - S3Bucket
```

I get the following error:

```
FATA[0001] failed to get regions: UnauthorizedOperation: You are not authorized to perform this operation. User: ----- is not authorized to perform: ec2:DescribeRegions with an explicit deny in a service control policy
```

Why is DescribeRegions even executed, and why ec2, when I only include buckets? Is there any way around this?

Hermain commented 2 hours ago

I found the `--default-region` flag; now it works: `aws-nuke run --default-region eu-central-1`

ekristen commented 40 minutes ago

It's part of the bootstrap and discovery of the account prior to doing the initial run. I've never heard of blocking that call before; that's strange, it won't prevent you from using another region on its own.

It is part of an automatic region discovery feature.
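Added example, not from the issue or the aws-nuke project: the point above is that denying `ec2:DescribeRegions` does not pin an account to a region, because the call only lists regions and says nothing about where other API calls may be made. The documented way to restrict regions with an SCP is a Deny on every action whose `aws:RequestedRegion` is outside the allowed set, with `NotAction` exempting global services (IAM, STS, Organizations, Route 53, CloudFront, Support and similar) whose requests are not attributed to the allowed region. The region list, the `Sid` and the exact set of exempted global services below are assumptions to be tailored to the organization; under such a policy a `DescribeRegions` request sent to a permitted region's endpoint is still allowed, so aws-nuke's region discovery works without the `--default-region` workaround.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "route53:*",
        "cloudfront:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

Attach this at the organizational unit that should be region-locked and verify it with a regional call from a disallowed region (for example `aws ec2 describe-instances --region us-east-1`), which should fail with an explicit SCP deny, while `aws ec2 describe-regions --region eu-central-1` continues to succeed.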