
[BUG] Enabling EBS Default Encryption in a non default region fails #222

Open
deanillfeld opened this issue May 31, 2024 · 2 comments · May be fixed by #284
Labels
bug Something isn't working

Comments

deanillfeld commented May 31, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Describe the bug

Enabling EBS Default Encryption in a non default region fails due to a V1 STS token being obtained from the global endpoint. (Reference: https://repost.aws/knowledge-center/iam-validate-access-credentials).

Line 80: sts_client: STSClient = session.client("sts", config=BOTO3_CONFIG)

To Reproduce

Steps to reproduce the behavior:

  1. Deploy the ec2_default_ebs_encryption with a non default region enabled in Control Tower (I had the error on ap-southeast-4 specifically)
  2. Review the Lambda logs for errors in sra.process_enable_ebs_encryption_by_default

Expected behavior

EBS Encryption by Default to be enabled in non default regions.

Deployment Environment (please complete the following information)

  • Control Tower with Cloudformation Deployment

Additional context

I was able to temporarily resolve the issue by hard coding a regional STS endpoint. I understand this isn't scalable and will only be a quick and dirty solution for my environment.
sts_client: STSClient = session.client("sts", config=BOTO3_CONFIG, region_name=STS_REGION_ENDPOINT, endpoint_url=f"https://sts.{STS_REGION_ENDPOINT}.amazonaws.com")

@deanillfeld deanillfeld added the bug Something isn't working label May 31, 2024
@mlfulleraws mlfulleraws moved this to Suggestions / Considerations (LOOKING FOR CONTRIBUTORS) in Security Reference Architecture (SRA) Jul 25, 2024
boueya (Contributor) commented Jan 22, 2025

Hey @deanillfeld ,
I was unable to duplicate this issue.
Have you encountered this issue for other standard non-default regions?
ap-southeast-4 is an opt-in region and is not enabled by default, which may have something to do with the issue that you're encountering.

deanillfeld (Author) commented:
Hi @boueya, I haven't ended up trying to enable any further non default regions since this one.

I think it's related to this https://repost.aws/knowledge-center/iam-validate-access-credentials. The non default regions don't accept V1 STS tokens and require V2 STS tokens while the global STS endpoint generates V1 tokens.
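The thread above describes the failure mode (the global `sts.amazonaws.com` endpoint returns session tokens that an opt-in region such as ap-southeast-4 rejects) and the reporter's workaround (pinning a regional STS endpoint). The following is an added example that is not the project's own code and not part of this issue; it generalizes the workaround so the endpoint is derived from the target region rather than hard coded, handles the China partition DNS suffix, and offers a check that flags a client still pointed at the global endpoint. The helper names (`regional_sts_endpoint`, `sts_client_kwargs`, `uses_global_sts_endpoint`, `make_sts_client`) are assumptions of this example; `sts_regional_endpoints` is a real botocore `Config` option.

```python
"""Select a regional STS endpoint so the returned session token is valid in
opt-in regions.

Added example (not the SRA project's code). Helper names are assumptions.
The pure-Python helpers run without boto3; make_sts_client needs boto3.
"""
from __future__ import annotations

from urllib.parse import urlparse

try:
    import boto3
    from botocore.config import Config
except ImportError:  # keep the endpoint helpers usable without boto3 installed
    boto3 = None
    Config = None

GLOBAL_STS_HOST = "sts.amazonaws.com"


def dns_suffix_for(region: str) -> str:
    """China partition regions use amazonaws.com.cn; all others use amazonaws.com."""
    return "amazonaws.com.cn" if region.startswith("cn-") else "amazonaws.com"


def regional_sts_endpoint(region: str) -> str:
    """Build the regional STS endpoint URL for the given region."""
    if not region:
        raise ValueError("a region is required to select a regional STS endpoint")
    return f"https://sts.{region}.{dns_suffix_for(region)}"


def sts_client_kwargs(region: str) -> dict:
    """kwargs for session.client('sts', ...) that pin the regional endpoint,
    the same shape as the hard-coded workaround in the issue, but derived."""
    return {"region_name": region, "endpoint_url": regional_sts_endpoint(region)}


def uses_global_sts_endpoint(endpoint_url: str) -> bool:
    """True when a client endpoint still points at the global STS host, which
    would vend tokens that opt-in regions reject."""
    host = urlparse(endpoint_url).hostname or ""
    return host.lower() == GLOBAL_STS_HOST


def make_sts_client(session, region: str, pin_endpoint: bool = True):
    """Create an STS client that uses a regional endpoint.

    With pin_endpoint=True the endpoint_url is set explicitly (portable to
    older botocore). Either way, sts_regional_endpoints='regional' tells
    botocore to resolve the regional endpoint itself.
    """
    if boto3 is None:
        raise RuntimeError("boto3 is required to create a client")
    config = Config(sts_regional_endpoints="regional", retries={"max_attempts": 5})
    kwargs = sts_client_kwargs(region) if pin_endpoint else {"region_name": region}
    client = session.client("sts", config=config, **kwargs)
    # Defensive check: fail loudly if the resolved endpoint is still global.
    if uses_global_sts_endpoint(client.meta.endpoint_url):
        raise RuntimeError(f"STS client for {region} resolved to the global endpoint")
    return client


if __name__ == "__main__":
    # Offline demonstration using the region from the issue report.
    print(sts_client_kwargs("ap-southeast-4"))
    print(uses_global_sts_endpoint("https://sts.amazonaws.com"))
```

When the Lambda's own region is the target, `session.region_name` can be passed as `region`; the explicit `endpoint_url` path is the one that matches the reporter's workaround, while relying on `sts_regional_endpoints="regional"` alone keeps the code free of constructed URLs on botocore versions that support it.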

Projects
Status: Planned for future quarters (Q4'24/Q1'25) / Not Started (Looking for contributors)
2 participants