Excluding S3 multi-region-access check #5711

qadri99-max · 2024-11-11T09:47:23Z

qadri99-max
Nov 11, 2024

When scanning S3, I am getting connection timeout for https://1234.s3-control.us-west-2.amazonaws.com/v20180820/mrap/instances [s3_service.py:601]

I wanted to exclude this check. So I excluded s3_multi_region_access_point_public_access_block

When I ran the scan, the above check is excluded but I am still getting connection timeout error.

Am I excluding the correct check?
(using Prowler 4.5.0)

thanks

Answered by jfagoagas

Nov 14, 2024

Hello @qadri99-max, with your command you are still executing checks that requires the S3 Control service and probably those are the ones timing out. In your AWS environment, are you doing a intensive usage of S3 and S3 control?

The following are the checks that requires the S3 Control service:

s3_access_point_public_access_block
s3_account_level_public_access_blocks
s3_bucket_level_public_access_block
s3_bucket_policy_public_write_access
s3_bucket_public_access
s3_bucket_public_list_acl
s3_bucket_public_write_acl
s3_multi_region_access_point_public_access_block -> This is the one you are excluding now.

View full answer

jfagoagas · 2024-11-11T11:10:02Z

jfagoagas
Nov 11, 2024
Maintainer

Hello @qadri99-max I think you are doing right excluding a check. The issue I think you are facing could be one of the following:

Another S3 check is being executed, thus the Prowler's S3 service is executed too.
A check from a different service requires S3 to do some extra validation and for that reason the S3 service is executed.

Can you share the arguments you are using to run Prowler?

Thanks!

4 replies

qadri99-max Nov 12, 2024
Author

Thanks for looking into it @jfagoagas
This is how I am running:

prowler aws --verbose -z --services s3 --excluded-checks s3_multi_region_access_point_public_access_block --aws-retries-max-attempts 2 --securityhub -f eu-west-2 --output-bucket my_bucket_name --role $ROLE_TO_ASSUME --log-level ERROR
I have done my best to exclude all other S3 checks to see if any other check is causing issue. But I think excluding others still causes timeout issue with the endpoint

jfagoagas Nov 14, 2024
Maintainer

Hello @qadri99-max, with your command you are still executing checks that requires the S3 Control service and probably those are the ones timing out. In your AWS environment, are you doing a intensive usage of S3 and S3 control?

The following are the checks that requires the S3 Control service:

s3_access_point_public_access_block
s3_account_level_public_access_blocks
s3_bucket_level_public_access_block
s3_bucket_policy_public_write_access
s3_bucket_public_access
s3_bucket_public_list_acl
s3_bucket_public_write_acl
s3_multi_region_access_point_public_access_block -> This is the one you are excluding now.

Answer selected by qadri99-max

qadri99-max Nov 14, 2024
Author

You are genius. Thanks very much.
By excluding all the above checks, I dont get error now. cheers

jfagoagas Nov 14, 2024
Maintainer

Thank you for using Prowler 🚀

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Excluding S3 multi-region-access check #5711

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Excluding S3 multi-region-access check #5711

qadri99-max Nov 11, 2024

Replies: 1 comment · 4 replies

jfagoagas Nov 11, 2024 Maintainer

qadri99-max Nov 12, 2024 Author

jfagoagas Nov 14, 2024 Maintainer

qadri99-max Nov 14, 2024 Author

jfagoagas Nov 14, 2024 Maintainer

qadri99-max
Nov 11, 2024

Replies: 1 comment 4 replies

jfagoagas
Nov 11, 2024
Maintainer

qadri99-max Nov 12, 2024
Author

jfagoagas Nov 14, 2024
Maintainer

qadri99-max Nov 14, 2024
Author

jfagoagas Nov 14, 2024
Maintainer