Open benghaun opened 6 years ago
x4v13r64
commented
6 years ago Thanks for bringing this up, I'll look into it. Can you provide a rough estimate for the number of resources in the account for it to take more then an hour? Scout2 has been run on quite large accounts and it usually doesn't take over 15-20 minutes.
Also you can set it to 5 threads to go a bit faster.
benghaun
commented
6 years ago It can take more than an hour if there are over 10,000 resources, especially when it comes to EBS volume snapshots.
Additionally, while attempting to fix another issue, I came across another problem when it comes to scans that take a long time - when fetching credentials via read_cred, cached credentials are used if available, but this could be problematic with longer scans, since credentials that could be expiring soon (say, in 5 minutes) would still be used, and would likely expire in the middle of a scan.
x4v13r64
commented
6 years ago All right, thanks!
roman-vynar
commented
6 years ago Same here, can we add DurationSeconds to sts_client.assume_role(**sts_args) ?
Note sure if it's better to add an arg to assume_role() call or a field to the existing credentials dict?
assume_role function found in opinel/utils/credentials.py does not support DurationSeconds parameter, unlike the init_sts_session parameter. This creates some issues when using Scout2 to scan large AWS accounts, as the default duration for the credentials using assume_role is only 1 hour, which may not be sufficient for scanning of a large AWS account. Suggest that assume_role should, like init_sts_session, take in a parameter for duration with a large default value.