prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0
10.76k stars, 1.53k forks

Suggestions: Check for enabled regions #3089

Closed Fennerr closed 10 months ago

Fennerr commented 11 months ago

New feature motivation

Slightly reduce the number of open file descriptors and number of calls due to connections made to endpoints in regions not in use

Solution Proposed

Use the describe_regions method for the ec2 service to determine enabled regions. I'm just not sure which region to make the first call to.

A list of regions can be supplied to prowler, but it would be nice to do this as the default behavior

import boto3

def get_enabled_regions():
    # Bootstrap call goes to eu-west-1, one of the regions that is always enabled
    ec2 = boto3.client('ec2', region_name='eu-west-1')
    # AllRegions=False returns only the regions enabled for this account
    response = ec2.describe_regions(AllRegions=False)
    regions = [region['RegionName'] for region in response['Regions']]
    return regions

Describe alternatives you've considered

None

Additional context

No response

jfagoagas commented 11 months ago

@Fennerr That's something we had in the past but right now we scan all regions by default or the ones supplied using the --region flag.

We will test your approach, because we can pick one region using this logic: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_provider.py#L286-L298. What do you think?

Maybe we can include an is_region_enabled within the generate_regional_clients function.

jchrisfarris commented 10 months ago

I would start with us-east-1 because that's where global resources usually are (like billing has to be against us-east-1). Alternately make it an option in the config.yaml with us-east-1 the default.

There are two concepts with regions: regions not in use and regions not enabled.

All the regions after and including ap-east-1 (Hong Kong) are opt-in regions. They can be completely disabled. All the regions before Hong Kong (and Osaka, which was a weird proto-region before promotion to a full region) are always enabled. You may not have anything there, but it's very important for a tool like prowler to go look in those regions. Sure, ControlTower does some gimmicks to create SCPs to prevent users from deploying to those regions, but the endpoints exist, GuardDuty needs to be deployed there, etc.
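The distinction made above (always-enabled vs. opt-in regions, with us-east-1 as the bootstrap region) can be read straight from the OptInStatus field that DescribeRegions returns. The following is an added example, not Prowler's own code: it classifies a constructed describe_regions response, orders the scannable regions with us-east-1 first, and reports which regions passed via --region are not actually enabled. boto3 is only needed for the live helper; the sample runs offline.

```python
"""Classify AWS regions by opt-in status from an EC2 DescribeRegions response."""

try:
    import boto3  # only used by discover_enabled_regions(); optional for the offline sample
except ImportError:
    boto3 = None

# Constructed sample of describe_regions(AllRegions=True) output (not real account data).
SAMPLE_RESPONSE = {
    "Regions": [
        {"RegionName": "eu-west-1", "Endpoint": "ec2.eu-west-1.amazonaws.com", "OptInStatus": "opt-in-not-required"},
        {"RegionName": "us-east-1", "Endpoint": "ec2.us-east-1.amazonaws.com", "OptInStatus": "opt-in-not-required"},
        {"RegionName": "ap-east-1", "Endpoint": "ec2.ap-east-1.amazonaws.com", "OptInStatus": "opted-in"},
        {"RegionName": "me-south-1", "Endpoint": "ec2.me-south-1.amazonaws.com", "OptInStatus": "not-opted-in"},
        {"RegionName": "af-south-1", "Endpoint": "ec2.af-south-1.amazonaws.com", "OptInStatus": "not-opted-in"},
    ]
}

# OptInStatus values documented for EC2 DescribeRegions, mapped to the buckets used below.
_STATUS_BUCKET = {"opt-in-not-required": "always", "opted-in": "opted_in", "not-opted-in": "not_opted_in"}


def classify_regions(response):
    """Split the Regions list into always-enabled, opted-in and not-opted-in region names."""
    buckets = {"always": [], "opted_in": [], "not_opted_in": []}
    for region in response.get("Regions", []):
        status = region.get("OptInStatus")
        if status not in _STATUS_BUCKET:
            raise ValueError(f"unexpected OptInStatus {status!r} for {region.get('RegionName')}")
        buckets[_STATUS_BUCKET[status]].append(region["RegionName"])
    return buckets


def scannable_regions(response, first="us-east-1"):
    """Regions a scanner should visit: always-on plus opted-in, with `first` moved to the front."""
    buckets = classify_regions(response)
    enabled = sorted(buckets["always"] + buckets["opted_in"])
    if first in enabled:
        enabled.remove(first)
        enabled.insert(0, first)
    return enabled


def disabled_requested(requested, response):
    """Regions the user asked for (e.g. via --region) that the account has not opted into."""
    not_opted_in = set(classify_regions(response)["not_opted_in"])
    return [r for r in requested if r in not_opted_in]


def discover_enabled_regions(bootstrap_region="us-east-1"):
    """Live variant: us-east-1 is never opt-in, so it is a safe endpoint for the bootstrap call."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for live discovery")
    ec2 = boto3.client("ec2", region_name=bootstrap_region)
    return scannable_regions(ec2.describe_regions(AllRegions=True), first=bootstrap_region)
```

With AllRegions=False the not-opted-in entries are simply absent from the response, so classify_regions() works on either form of the call.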