> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prowler.com/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.prowler.com/feedback

```json
{
  "path": "/user-guide/providers/aws/regions-and-partitions",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# AWS Regions and Partitions

By default Prowler is able to scan the following AWS partitions:

* Commercial: `aws`
* China: `aws-cn`
* European Sovereign Cloud: `aws-eusc`
* GovCloud (US): `aws-us-gov`

<Note>
  To check the available regions for each partition and service, refer to: [aws\_regions\_by\_service.json](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_regions_by_service.json)
</Note>

## Scanning AWS China, European Sovereign Cloud and GovCloud Partitions in Prowler

When scanning the China (`aws-cn`), European Sovereign Cloud (`aws-eusc`) or GovCloud (`aws-us-gov`) partitions, ensure one of the following:

* Your AWS credentials include a valid region within the desired partition.

* Specify the regions to audit within that partition using the `-f/--region` flag.

<Note>
  Refer to: [https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials) for more information about the AWS credential configuration.
</Note>

### Scanning Specific Regions

To scan a particular AWS region with Prowler, use:

```console theme={null}
prowler aws -f/--region eu-west-1 us-east-1
```

### Excluding Specific Regions

To scan all supported AWS regions except a specific subset, use the `--excluded-region` flag:

```console theme={null}
prowler aws --excluded-region eu-west-1 me-south-1
```

You can also configure the exclusion list with the `PROWLER_AWS_DISALLOWED_REGIONS` environment variable as a comma-separated list:

```console theme={null}
export PROWLER_AWS_DISALLOWED_REGIONS="eu-west-1,me-south-1"
prowler aws
```

Or with the AWS provider configuration in `config.yaml`:

```yaml theme={null}
aws:
  disallowed_regions:
    - eu-west-1
    - me-south-1
```

When more than one source is set, precedence is:

1. `--excluded-region`
2. `PROWLER_AWS_DISALLOWED_REGIONS`
3. `aws.disallowed_regions` in `config.yaml`

<Note>
  For self-hosted App or API-triggered scans, set `PROWLER_AWS_DISALLOWED_REGIONS` in the runtime environment of the backend scan containers such as `api` and `worker`. The `ui` container does not enforce AWS region selection.
</Note>

### AWS Credentials Configuration

For details on configuring AWS credentials, refer to the following [Botocore](https://github.com/boto/botocore) [file](https://github.com/boto/botocore/blob/22a19ea7c4c2c4dd7df4ab8c32733cba0c7597a4/botocore/data/partitions.json).

## Scanning AWS Partitions in Prowler

### AWS China

To scan an account in the AWS China partition (`aws-cn`):

* By using the `-f/--region` flag:

  ```
  prowler aws --region cn-north-1 cn-northwest-1
  ```

* By using the region configured in your AWS profile at `~/.aws/credentials` or `~/.aws/config`:

  ```
  [default]
  aws_access_key_id = XXXXXXXXXXXXXXXXXXX
  aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
  region = cn-north-1
  ```

<Note>
  With this configuration, all partition regions will be scanned without needing the `-f/--region` flag
</Note>

### AWS GovCloud (US)

To scan an account in the AWS GovCloud (US) partition (`aws-us-gov`):

* By using the `-f/--region` flag:

  ```
  prowler aws --region us-gov-east-1 us-gov-west-1
  ```

* By using the region configured in your AWS profile at `~/.aws/credentials` or `~/.aws/config`:

  ```
  [default]
  aws_access_key_id = XXXXXXXXXXXXXXXXXXX
  aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
  region = us-gov-east-1
  ```

<Note>
  With this configuration, all partition regions will be scanned without needing the `-f/--region` flag
</Note>

### AWS European Sovereign Cloud

To scan an account in the AWS European Sovereign Cloud partition (`aws-eusc`):

* By using the `-f/--region` flag:

  ```
  prowler aws --region eusc-de-east-1
  ```

* By using the region configured in your AWS profile at `~/.aws/credentials` or `~/.aws/config`:

  ```
  [default]
  aws_access_key_id = XXXXXXXXXXXXXXXXXXX
  aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
  region = eusc-de-east-1
  ```

<Note>
  With this configuration, all partition regions will be scanned without needing the `-f/--region` flag
</Note>

### AWS ISO (US & Europe)

The AWS ISO partitions—commonly referred to as "secret partitions"—are air-gapped from the Internet, and Prowler does not have a built-in way to scan them. To audit an AWS ISO partition, manually update [aws\_regions\_by\_service.json](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_regions_by_service.json) to include the partition, region, and services. For example:

```json theme={null}
"iam": {
    "regions": {
    "aws": [
        "eu-west-1",
        "us-east-1",
    ],
    "aws-cn": [
        "cn-north-1",
        "cn-northwest-1"
    ],
    "aws-eusc": [
        "eusc-de-east-1"
    ],
    "aws-us-gov": [
        "us-gov-east-1",
        "us-gov-west-1"
    ],
    "aws-iso": [
        "aws-iso-global",
        "us-iso-east-1",
        "us-iso-west-1"
    ],
    "aws-iso-b": [
        "aws-iso-b-global",
        "us-isob-east-1"
    ],
    "aws-iso-e": [],
    }
},
```