set explicit region for aws scanning
Hi, I searched for a flag where I can set a region for scanning. I found in the official docs
https://mondoo.com/docs/cnspec/cli/cnspec_scan_aws/
--region string AWS region to scan.
but cnspec scan aws --help says
--region string Region to use for authentication with the API. Note: this does not limit the discovery to the region
So what's the truth? :)
I believe the second one. So back to the question: is there any way to set the explicit region for scanning? I tried it with the default region in the AWS config and also with the env key "AWS_DEFAULT_REGION", but there was no change in my results.
- OS: linux/macOS
- OS Version: archlinux
- cnspec 9.14.0
Thank you
@arudat Thank you for the report. I think it would be great to add this to cnspec. Until then you can use export AWS_REGION=us-east-1 to set the region.
I have to correct myself. The AWS_REGION is only relevant for the credentials. By default, cnquery & cnspec use all regions. We have the option to set the cnquery shell aws --filters but that does not work as intended for all cases right now.
I am going to turn this into a bug since the region filter does not work right now. Until then you can use:
cnquery shell aws --filters all:region=us-east-2
We need to do the following:
- Update https://github.com/mondoohq/cnquery/blob/main/providers/aws/config/config.go#L96-L101 to include a better example
- Extract the region correctly https://github.com/mondoohq/cnquery/blob/main/providers/aws/provider/provider.go#L88-L100, there are three possible values: cnquery shell aws --filters region=us-east-2, cnquery shell aws --filters all:region=us-east-2 and cnquery shell aws --filters ec2:region=us-east-2
- Double-check why cnquery shell aws --filters ec2:region=us-east-2 does not work.
Is the ec2 one not filtering at all? That's meant to filter the ec2 discovery when doing --discover instances.