Closed Fennerr closed 10 months ago
@Fennerr That's something we had in the past but right now we scan all regions by default or the ones supplied using the --region flag.
We will test your approach because we can pick one region using this logic https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_provider.py#L286-L298, what do you think?
Maybe we can include an is_region_enabled within the generate_regional_clients function.
I would start with us-east-1 because that's where global resources usually are (like billing has to be against us-east-1). Alternately make it an option in the config.yaml with us-east-1 the default.
There are two concepts with regions: regions not in use and regions not enabled.
All the regions after and including ap-east-1 (Hong Kong) are opt-in regions. They can be completely disabled. All the regions before Hong Kong (and Osaka, which was a weird proto-region before promotion to a full region) are always enabled. You may not have anything there, but it's very important for a tool like prowler to go look in those regions. Sure, ControlTower does some gimmicks to create SCPs to prevent users from deploying to those regions, but the endpoints exist, GuardDuty needs to be deployed there, etc.
New feature motivation
Slightly reduce the number of open file descriptors and number of calls due to connections made to endpoints in regions not in use
Solution Proposed
Use the describe_regions method for the ec2 service to determine enabled regions. I'm just not sure which region to make the first call to.
A list of regions can be supplied to prowler, but it would be nice to do this as the default behavior
Describe alternatives you've considered
None
Additional context
No response
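The proposal above (one DescribeRegions call to learn which regions the account has enabled) and the comment distinguishing regions that are not in use from regions that are not enabled can both be shown with a short Python example. This is an added illustration, not Prowler's code: it parses the response shape that `ec2.describe_regions(AllRegions=True)` returns, classifies regions by their `OptInStatus`, and wraps the live call behind a hypothetical `fetch_enabled_regions` helper that takes a boto3 `Session` and bootstraps from `us-east-1` (the seed region suggested in the thread). The sample response is constructed for offline use.

```python
"""Classify AWS regions as enabled or not enabled from an EC2 DescribeRegions response.

Added example, not Prowler's own code. describe_regions(AllRegions=True) returns every
region with an OptInStatus of 'opt-in-not-required' (always-on regions), 'opted-in'
(opt-in region the account has enabled) or 'not-opted-in' (opt-in region still disabled).
"""
from typing import Dict, List

# Constructed sample modelled on the real response shape: two always-enabled regions,
# one opt-in region that was enabled, one opt-in region that was not.
SAMPLE_RESPONSE = {
    "Regions": [
        {"Endpoint": "ec2.us-east-1.amazonaws.com", "RegionName": "us-east-1",
         "OptInStatus": "opt-in-not-required"},
        {"Endpoint": "ec2.eu-west-1.amazonaws.com", "RegionName": "eu-west-1",
         "OptInStatus": "opt-in-not-required"},
        {"Endpoint": "ec2.ap-east-1.amazonaws.com", "RegionName": "ap-east-1",
         "OptInStatus": "opted-in"},
        {"Endpoint": "ec2.me-south-1.amazonaws.com", "RegionName": "me-south-1",
         "OptInStatus": "not-opted-in"},
    ]
}

# Both statuses mean the endpoints are reachable and a scanner must look there,
# even if the account has deployed nothing in the region ("not in use" != "not enabled").
ENABLED_STATUSES = {"opt-in-not-required", "opted-in"}


def classify_regions(response: Dict) -> Dict[str, List[str]]:
    """Split a DescribeRegions response into enabled and not-enabled region names."""
    enabled: List[str] = []
    disabled: List[str] = []
    for region in response.get("Regions", []):
        name = region["RegionName"]
        if region.get("OptInStatus") in ENABLED_STATUSES:
            enabled.append(name)
        else:
            disabled.append(name)
    return {"enabled": sorted(enabled), "disabled": sorted(disabled)}


def is_region_enabled(region_name: str, response: Dict) -> bool:
    """True only for regions the response reports as enabled; unknown names are False."""
    return region_name in classify_regions(response)["enabled"]


def fetch_enabled_regions(session, seed_region: str = "us-east-1") -> List[str]:
    """Live lookup (hypothetical helper): one DescribeRegions call against seed_region.

    `session` is a boto3.Session. The seed region must itself be enabled, which is why
    us-east-1 (never opt-in, home of global services) is a safe default. Needs the
    ec2:DescribeRegions permission.
    """
    ec2 = session.client("ec2", region_name=seed_region)
    return classify_regions(ec2.describe_regions(AllRegions=True))["enabled"]


if __name__ == "__main__":
    result = classify_regions(SAMPLE_RESPONSE)
    print("scan these regions:", result["enabled"])
    print("skip (not opted in):", result["disabled"])
```

Calling `describe_regions()` with the default `AllRegions=False` already returns only enabled regions, so a scanner that only wants the list to iterate can use that directly; asking for all regions and filtering on `OptInStatus` costs the same single call but also lets the tool report which regions were skipped because they are disabled, which is the distinction the discussion is about.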