[BUG] Enabling EBS Default Encryption in a non default region fails #222

deanillfeld · 2024-05-31T01:28:44Z

Describe the bug

Enabling EBS Default Encryption in a non default region fails due to a V1 STS token being obtained from the global endpoint. (Reference: https://repost.aws/knowledge-center/iam-validate-access-credentials).

Line 80: sts_client: STSClient = session.client("sts", config=BOTO3_CONFIG)

To Reproduce

Steps to reproduce the behavior:

Deploy the ec2_default_ebs_encryption with a non default region enabled in Control Tower (I had the error on ap-southeast-4 specifically)
Review the Lambda logs for errors in sra.process_enable_ebs_encryption_by_default

Expected behavior

EBS Encryption by Default to be enabled in non default regions.

Deployment Environment (please complete the following information)

Control Tower with Cloudformation Deployment

Additional context

I was able to temporarily resolve the issue by hard coding a regional sts endpoint. Understand this isnt scaleable and will only be a quick and dirty solution for my environment.
sts_client: STSClient = session.client("sts", config=BOTO3_CONFIG, region_name=STS_REGION_ENDPOINT, endpoint_url=f"https://sts.{STS_REGION_ENDPOINT}.amazonaws.com")

The text was updated successfully, but these errors were encountered:

deanillfeld added the bug Something isn't working label May 31, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] Enabling EBS Default Encryption in a non default region fails #222

[BUG] Enabling EBS Default Encryption in a non default region fails #222

deanillfeld commented May 31, 2024

[BUG] Enabling EBS Default Encryption in a non default region fails #222

[BUG] Enabling EBS Default Encryption in a non default region fails #222

Comments

deanillfeld commented May 31, 2024

Describe the bug

To Reproduce

Expected behavior

Deployment Environment (please complete the following information)

Additional context