AWS Regions and Partitions
By default, Prowler is able to scan the following AWS partitions:
- Commercial: aws
- China: aws-cn
- GovCloud (US): aws-us-gov
Note
To check the available regions for each partition and service, refer to: aws_regions_by_service.json
Scanning AWS China and GovCloud Partitions in Prowler
When scanning the China (aws-cn) or GovCloud (aws-us-gov) partitions, ensure one of the following:
- Your AWS credentials include a valid region within the desired partition.
- Specify the regions to audit within that partition using the -f/--region flag.
Note
Refer to: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials for more information about the AWS credential configuration.
Scanning Specific Regions
To scan a particular AWS region with Prowler, use:
AWS Credentials Configuration
For details on configuring AWS credentials, refer to the following Botocore file.
Scanning AWS Partitions in Prowler
AWS China
To scan an account in the AWS China partition (aws-cn):
- By using the -f/--region flag:
- By using the region configured in your AWS profile at ~/.aws/credentials or ~/.aws/config:
Note
With this configuration, all partition regions will be scanned without needing the -f/--region flag.
AWS GovCloud (US)
To scan an account in the AWS GovCloud (US) partition (aws-us-gov):
- By using the -f/--region flag:
- By using the region configured in your AWS profile at ~/.aws/credentials or ~/.aws/config:
Note
With this configuration, all partition regions will be scanned without needing the -f/--region flag.
AWS ISO (US & Europe)
The AWS ISO partitions—commonly referred to as "secret partitions"—are air-gapped from the Internet, and Prowler does not have a built-in way to scan them. To audit an AWS ISO partition, manually update aws_regions_by_service.json to include the partition, region, and services. For example:
"iam": {
  "regions": {
    "aws": [
      "eu-west-1",
      "us-east-1"
    ],
    "aws-cn": [
      "cn-north-1",
      "cn-northwest-1"
    ],
    "aws-us-gov": [
      "us-gov-east-1",
      "us-gov-west-1"
    ],
    "aws-iso": [
      "aws-iso-global",
      "us-iso-east-1",
      "us-iso-west-1"
    ],
    "aws-iso-b": [
      "aws-iso-b-global",
      "us-isob-east-1"
    ],
    "aws-iso-e": []
  }
},
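The manual edit described above can be scripted and checked before a scan. This is an added example, not Prowler's own code: it parses the JSON strictly, merges the ISO regions into the named services, and reports services left without the partition or regions listed under two partitions. It assumes a map of service name to entry in the shape of the "iam" entry shown above (the real file's top-level layout is not shown on this page); the helper names and the sample data are hypothetical.

```python
import json

# Constructed sample shaped like the "iam" entry above; helper names are hypothetical.
SAMPLE = """{
  "iam": {"regions": {"aws": ["eu-west-1", "us-east-1"],
                      "aws-us-gov": ["us-gov-east-1", "us-gov-west-1"]}},
  "s3":  {"regions": {"aws": ["eu-west-1", "us-east-1"],
                      "aws-us-gov": ["us-gov-west-1"]}}
}"""


def add_partition(services, partition, regions_by_service):
    """Merge regions for one partition into the named services, in place (idempotent)."""
    for service, regions in regions_by_service.items():
        if service not in services:
            raise KeyError(f"service not in file: {service}")
        per_partition = services[service].setdefault("regions", {})
        merged = set(per_partition.get(partition, [])) | set(regions)
        per_partition[partition] = sorted(merged)
    return services


def problems(services, partition):
    """List issues that would leave the hand-edited file inconsistent."""
    found, owner = [], {}
    for service, entry in sorted(services.items()):
        regions = entry.get("regions", {})
        if not regions.get(partition):
            found.append(f"{service}: no regions for {partition}")
        for part, names in regions.items():
            for name in names:
                # A region name must belong to exactly one partition.
                if owner.setdefault(name, part) != part:
                    found.append(f"{service}: {name} in {owner[name]} and {part}")
    return found


def edit(text, partition, regions_by_service):
    """Parse strictly, merge, validate; return (new_text, problems)."""
    services = json.loads(text)  # raises JSONDecodeError on trailing commas
    add_partition(services, partition, regions_by_service)
    return json.dumps(services, indent=2, sort_keys=True), problems(services, partition)


if __name__ == "__main__":
    iso = {"iam": ["aws-iso-global", "us-iso-east-1", "us-iso-west-1"]}
    new_text, issues = edit(SAMPLE, "aws-iso", iso)
    print(new_text)
    print(issues)
```
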