Closed muratajn closed 1 year ago
Hi @muratajn, could you provide us with more context about your new feature?
Right now we are getting all the regions and partitions supported by AWS via the SSM parameter /aws/service/global-infrastructure/services. What regions and partitions are you referring to?
Thanks for using Prowler!
I'm using a region and partition not listed in aws_regions_by_service.json. But when I manually add the new region there, the Prowler scans work. However, I'd need to add the region to every service listed in that .json.
Is prowler/util/update_aws_services_regions.py supposed to build that file, or is there another way to do this?
Hi @muratajn, we would like to hear more details about your use case, and we can implement a better way to allow custom regions and partitions. Would you like to join our community Slack and discuss it? Link here: https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog
Hi @muratajn, that's interesting. Right now the process to build aws_regions_by_service.json is just calling prowler/util/update_aws_services_regions.py, and we do it every day automatically. We don't have any built-in way to add more regions/partitions, but we could implement that. Also, it should be really easy to modify that script to add more data to the partitions/regions/services.
As @toniblyx mentioned, it'd be great to know more about your use case, since that file is the source of truth about services, regions and partitions.
Hi @muratajn, we've updated the Prowler documentation to cover your use case and provide some guidance on how to scan AWS regions and partitions not included in the prowler/util/update_aws_services_regions.py file.
We're going to close this issue, please feel free to reopen it if you experience any issue or if you need something from us.
Thanks for using Prowler 🚀
The changes are included in the following PR #2349 and the new update to the documentation is the following:
By default Prowler is able to scan the following AWS partitions:
aws
aws-cn
aws-us-gov
To check the available regions for each partition and service, please refer to the following document: aws_regions_by_service.json.
It is important to take into consideration that to scan the China (aws-cn) or GovCloud (aws-us-gov) partitions it is either required to have a valid region for that partition in your AWS credentials (refer to https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials for more information) or to specify the regions you want to audit for that partition using the -f/--region flag.
You can get more information about the available partitions and regions in the following Botocore file https://github.com/boto/botocore/blob/22a19ea7c4c2c4dd7df4ab8c32733cba0c7597a4/botocore/data/partitions.json
To scan your AWS Account in the China partition (aws-cn):
Using the -f/--region flag:
prowler aws --region cn-north-1 cn-northwest-1
Using the ~/.aws/credentials or ~/.aws/config file:
[default]
aws_access_key_id = XXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
region = cn-north-1
With this option all the partition regions will be scanned without needing to use the -f/--region flag.
To scan your AWS Account in the GovCloud (US) partition (aws-us-gov):
Using the -f/--region flag:
prowler aws --region us-gov-east-1 us-gov-west-1
Using the ~/.aws/credentials or ~/.aws/config file:
[default]
aws_access_key_id = XXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
region = us-gov-east-1
With this option all the partition regions will be scanned without needing to use the -f/--region flag.
For the AWS ISO partitions, which are known as "secret partitions" and are air-gapped from the internet, there is no built-in way to scan them. In this scenario, if you want to audit an AWS Account in one of the AWS ISO partitions, you should manually update aws_regions_by_service.json and include the partition, its regions and the services, e.g.:
"iam": {
    "regions": {
        "aws": [
            "eu-west-1",
            "us-east-1"
        ],
        "aws-cn": [
            "cn-north-1",
            "cn-northwest-1"
        ],
        "aws-us-gov": [
            "us-gov-east-1",
            "us-gov-west-1"
        ],
        "aws-iso": [
            "aws-iso-global",
            "us-iso-east-1",
            "us-iso-west-1"
        ],
        "aws-iso-b": [
            "aws-iso-b-global",
            "us-isob-east-1"
        ],
        "aws-iso-e": []
    }
}
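As an added example (not Prowler's own code, and not something posted in this thread): a small Python script that performs the manual edit the documentation above describes, adding a partition and its regions to every service in aws_regions_by_service.json, or only to the services you name, so the entry does not have to be typed into each service block by hand. It assumes the real file wraps the per-service entries in a top-level "services" key, as the snippet's shape suggests; the sample document embedded in the script is constructed for this example, and the script name add_regions.py is hypothetical.

```python
import argparse
import json
from pathlib import Path

# Constructed sample in the shape the documentation snippet shows; the
# top-level "services" wrapper is an assumption about the real file.
SAMPLE = {
    "services": {
        "iam": {
            "regions": {
                "aws": ["eu-west-1", "us-east-1"],
                "aws-cn": ["cn-north-1", "cn-northwest-1"],
                "aws-us-gov": ["us-gov-east-1", "us-gov-west-1"],
            }
        },
        "s3": {
            "regions": {
                "aws": ["eu-west-1", "us-east-1"],
                "aws-cn": ["cn-north-1"],
                "aws-us-gov": ["us-gov-west-1"],
            }
        },
    }
}


def add_partition_regions(data, partition, regions, services=None):
    """Return a deep copy of `data` with `regions` merged into `partition`
    for every service in `services` (None = every service in the file).

    Existing entries are preserved; the merged list is deduplicated and
    sorted, so applying the same update twice yields the same document
    (idempotent), which keeps a diff against the upstream file reviewable.
    Unknown service names raise KeyError instead of silently creating a
    new service block, so a typo cannot smuggle a bogus service into the file.
    """
    updated = json.loads(json.dumps(data))  # deep copy; the input is untouched
    svc_map = updated["services"]
    targets = list(svc_map) if services is None else list(services)
    missing = [name for name in targets if name not in svc_map]
    if missing:
        raise KeyError(f"unknown services: {', '.join(missing)}")
    for name in targets:
        by_partition = svc_map[name].setdefault("regions", {})
        merged = set(by_partition.get(partition, [])) | set(regions)
        by_partition[partition] = sorted(merged)
    return updated


def regions_for(data, service, partition):
    """Regions in which `service` can be scanned for `partition` ([] if none)."""
    return data["services"][service]["regions"].get(partition, [])


def update_file(path, partition, regions, services=None):
    """Apply add_partition_regions to the JSON file at `path`, rewriting it in place."""
    file_path = Path(path)
    data = json.loads(file_path.read_text())
    updated = add_partition_regions(data, partition, regions, services)
    file_path.write_text(json.dumps(updated, indent=4) + "\n")
    return updated


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Add a partition and its regions to aws_regions_by_service.json"
    )
    parser.add_argument("file", help="path to aws_regions_by_service.json")
    parser.add_argument("partition", help='partition name, e.g. "aws-iso"')
    parser.add_argument("regions", nargs="+", help="region names to add")
    parser.add_argument(
        "--service", action="append", dest="services",
        help="limit the update to this service (repeatable); default: all services",
    )
    args = parser.parse_args()
    result = update_file(args.file, args.partition, args.regions, args.services)
    touched = args.services or sorted(result["services"])
    print(f"added {args.partition} {sorted(args.regions)} to {len(touched)} service(s)")
```

A typical invocation for the ISO case in the documentation would be `python add_regions.py aws_regions_by_service.json aws-iso us-iso-east-1 us-iso-west-1`, optionally with `--service iam --service s3` to restrict the change. Since the project regenerates this file from the SSM parameter, a locally added ISO partition disappears whenever you replace the file with an upstream copy; keeping the invocation in a script makes re-applying it after an update a one-liner.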
New feature motivation
Is there a quick way to add additional regions & partitions to aws_regions_by_service.json?
Solution Proposed
Is there a script to easily accomplish this?
Describe alternatives you've considered
n/a
Additional context
No response