1. Create an AWS Account and make it part of AWS Org.
2. Configure AWS Region deny for the regions you don't want your organization to use.
3. Try to scan the AWS account.
Logs:
Fails with 'UnauthorizedOperation' exception.
raise error_class(parsed_response, operation_name)\nbotocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeVolumes operation: You are not authorized to perform this operation.\n"
Additional context:
'UnauthorizedOperation' needs to be added to the ERROR_CODES list of the aws_handle_regions function:
ERROR_CODES = [
    'AccessDenied',
    'AccessDeniedException',
    'AuthFailure',
    'InvalidClientTokenId',
    'UnrecognizedClientException',
    'InternalServerErrorException',
]
I'm having this same problem; it seems that execution stops when it finds an explicit deny from an SCP.
A simple solution could be adding an aws-regions parameter in the execution command.
I've run into this same issue. We have implemented AWS Control Tower and so, for compliance reasons, have limited access to 3 possible regions. Cartography did work until we set that up. It would be nice to just limit asset discovery to only specific regions, since we know it's impossible to create resources in all the ones that are denied.
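A sketch of the behaviour requested in the issue, as an added example that is not Cartography's own code: a decorator that treats the listed error codes, with 'UnauthorizedOperation' added, as "skip this region" and re-raises everything else. `skip_denied_regions`, `get_volumes`, `scan`, `SKIPPED` and the region data are hypothetical, and `ClientError` is a constructed stand-in for `botocore.exceptions.ClientError` so the block runs offline.

```python
import functools
import logging

logger = logging.getLogger(__name__)

# The issue's ERROR_CODES list plus the code the reporter asks to add.
ERROR_CODES = frozenset({
    'AccessDenied', 'AccessDeniedException', 'AuthFailure',
    'InvalidClientTokenId', 'UnrecognizedClientException',
    'InternalServerErrorException', 'UnauthorizedOperation',
})
SKIPPED = []  # (function name, error code) pairs, kept so coverage gaps stay visible

class ClientError(Exception):
    """Constructed stand-in with the .response shape of botocore's ClientError."""
    def __init__(self, error_response, operation_name):
        self.response = error_response
        code = error_response['Error']['Code']
        super().__init__(f'({code}) when calling the {operation_name} operation')

def skip_denied_regions(func):
    """Return [] for a region whose API call fails with a code in ERROR_CODES."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except ClientError as e:
            code = e.response.get('Error', {}).get('Code')
            if code not in ERROR_CODES:
                raise  # throttling, validation errors, etc. must still surface
            logger.warning('%s skipped: %s', func.__name__, code)
            SKIPPED.append((func.__name__, code))
            return []
    return wrapper

DENIED_BY_SCP = {'ap-south-1'}  # constructed sample: region blocked at the org level

@skip_denied_regions
def get_volumes(region):
    if region in DENIED_BY_SCP:
        raise ClientError({'Error': {'Code': 'UnauthorizedOperation'}}, 'DescribeVolumes')
    if region == 'eu-west-1':  # constructed sample of an unrelated failure
        raise ClientError({'Error': {'Code': 'Throttling'}}, 'DescribeVolumes')
    return [{'VolumeId': f'vol-{region}'}]

def scan(regions):
    """Collect volumes per region; denied regions yield an empty list."""
    return {region: get_volumes(region) for region in regions}
```

EC2 also returns 'UnauthorizedOperation' when the scanning role is simply missing an IAM permission, so the skipped entries should be logged and reviewed rather than silently dropped.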
Title: cartography fails to scan account that has denied regions at org level