Skip to main content
By default Prowler is able to scan the following AWS partitions:
  • Commercial: aws
  • China: aws-cn
  • European Sovereign Cloud: aws-eusc
  • GovCloud (US): aws-us-gov
To check the available regions for each partition and service, refer to: aws_regions_by_service.json

Scanning AWS China, European Sovereign Cloud and GovCloud Partitions in Prowler

When scanning the China (aws-cn), European Sovereign Cloud (aws-eusc) or GovCloud (aws-us-gov) partitions, ensure one of the following:
  • Your AWS credentials include a valid region within the desired partition.
  • Specify the regions to audit within that partition using the -f/--region flag.
Refer to: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials for more information about the AWS credential configuration.

Scanning Specific Regions

To scan a particular AWS region with Prowler, use: 
prowler aws -f/--region eu-west-1 us-east-1

Excluding Specific Regions

To scan all supported AWS regions except a specific subset, use the --excluded-region flag: 
prowler aws --excluded-region eu-west-1 me-south-1
You can also configure the exclusion list with the PROWLER_AWS_DISALLOWED_REGIONS environment variable as a comma-separated list: 
export PROWLER_AWS_DISALLOWED_REGIONS="eu-west-1,me-south-1"
prowler aws
Or with the AWS provider configuration in config.yaml: 
aws:
  disallowed_regions:
    - eu-west-1
    - me-south-1
When more than one source is set, precedence is:
  1. --excluded-region
  2. PROWLER_AWS_DISALLOWED_REGIONS
  3. aws.disallowed_regions in config.yaml
For self-hosted App or API-triggered scans, set PROWLER_AWS_DISALLOWED_REGIONS in the runtime environment of the backend scan containers such as api and worker. The ui container does not enforce AWS region selection.

AWS Credentials Configuration

For details on configuring AWS credentials, refer to the following Botocore file.

Scanning AWS Partitions in Prowler

AWS China

To scan an account in the AWS China partition (aws-cn):
  • By using the -f/--region flag: 
    prowler aws --region cn-north-1 cn-northwest-1
  • By using the region configured in your AWS profile at ~/.aws/credentials or ~/.aws/config: 
    [default]
aws_access_key_id = XXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
region = cn-north-1
With this configuration, all partition regions will be scanned without needing the -f/--region flag

AWS GovCloud (US)

To scan an account in the AWS GovCloud (US) partition (aws-us-gov):
  • By using the -f/--region flag: 
    prowler aws --region us-gov-east-1 us-gov-west-1
  • By using the region configured in your AWS profile at ~/.aws/credentials or ~/.aws/config: 
    [default]
aws_access_key_id = XXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
region = us-gov-east-1
With this configuration, all partition regions will be scanned without needing the -f/--region flag

AWS European Sovereign Cloud

To scan an account in the AWS European Sovereign Cloud partition (aws-eusc):
  • By using the -f/--region flag: 
    prowler aws --region eusc-de-east-1
  • By using the region configured in your AWS profile at ~/.aws/credentials or ~/.aws/config: 
    [default]
aws_access_key_id = XXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
region = eusc-de-east-1
With this configuration, all partition regions will be scanned without needing the -f/--region flag

AWS ISO (US & Europe)

The AWS ISO partitions—commonly referred to as “secret partitions”—are air-gapped from the Internet, and Prowler does not have a built-in way to scan them. To audit an AWS ISO partition, manually update aws_regions_by_service.json to include the partition, region, and services. For example: 
"iam": {
    "regions": {
    "aws": [
        "eu-west-1",
        "us-east-1",
    ],
    "aws-cn": [
        "cn-north-1",
        "cn-northwest-1"
    ],
    "aws-eusc": [
        "eusc-de-east-1"
    ],
    "aws-us-gov": [
        "us-gov-east-1",
        "us-gov-west-1"
    ],
    "aws-iso": [
        "aws-iso-global",
        "us-iso-east-1",
        "us-iso-west-1"
    ],
    "aws-iso-b": [
        "aws-iso-b-global",
        "us-isob-east-1"
    ],
    "aws-iso-e": [],
    }
},