From 150abce4a877a429cfa6adfd8f4a95a161fc7e8b Mon Sep 17 00:00:00 2001
From: Harsh Mishra
Date: Tue, 3 Mar 2026 12:55:59 +0530
Subject: [PATCH] fix(aws): respect `AWS_ENDPOINT_URL` for STS session creation (#10228)
Co-authored-by: Pepe Fagoaga
---
 prowler/CHANGELOG.md | 1 +
 prowler/providers/aws/aws_provider.py | 4 +++-
 tests/providers/aws/aws_provider_test.py | 13 +++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 8f0dcf4b20..ac41676922 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -70,6 +70,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Standardize resource_id values across Azure checks to use actual Azure resource IDs and prevent duplicate resource entries [(#9994)](https://github.com/prowler-cloud/prowler/pull/9994)
 - VPC endpoint service collection filtering third-party services that caused AccessDenied errors on `DescribeVpcEndpointServicePermissions` [(#10152)](https://github.com/prowler-cloud/prowler/pull/10152)
 - Handle serialization errors in OCSF output for non-serializable resource metadata [(#10129)](https://github.com/prowler-cloud/prowler/pull/10129)
+- Respect `AWS_ENDPOINT_URL` environment variable for STS session creation [(#10228)](https://github.com/prowler-cloud/prowler/pull/10228)
 ### 🔐 Security
diff --git a/prowler/providers/aws/aws_provider.py b/prowler/providers/aws/aws_provider.py
index 0fde96f278..556b2f33c3 100644
--- a/prowler/providers/aws/aws_provider.py
+++ b/prowler/providers/aws/aws_provider.py
@@ -1475,7 +1475,9 @@ class AwsProvider(Provider):
 sts_client = create_sts_session(session, 'us-west-2')
 """
 try:
- if aws_region.startswith("cn-"):
+ if os.environ.get("AWS_ENDPOINT_URL"):
+ sts_endpoint_url = os.environ["AWS_ENDPOINT_URL"]
+ elif aws_region.startswith("cn-"):
 sts_endpoint_url = f"https://sts.{aws_region}.amazonaws.com.cn"
 elif aws_region.startswith("eusc-"):
 sts_endpoint_url = f"https://sts.{aws_region}.amazonaws.eu"
diff --git a/tests/providers/aws/aws_provider_test.py b/tests/providers/aws/aws_provider_test.py
index 5162a080f2..81ae5b218c 100644
--- a/tests/providers/aws/aws_provider_test.py
+++ b/tests/providers/aws/aws_provider_test.py
@@ -1521,6 +1521,19 @@ aws:
 sts_session._endpoint.host == f"https://sts.{aws_region}.amazonaws.com.cn"
 )
+ @mock_aws
+ def test_create_sts_session_custom_endpoint_url(self):
+ custom_endpoint = "http://localhost:4566"
+ current_session = session.Session()
+ aws_region = AWS_REGION_US_EAST_1
+ with mock.patch.dict(os.environ, {"AWS_ENDPOINT_URL": custom_endpoint}):
+ sts_session = AwsProvider.create_sts_session(current_session, aws_region)
+ assert sts_session._service_model.service_name == "sts"
+ assert sts_session._client_config.region_name == aws_region
+ assert sts_session._endpoint._endpoint_prefix == "sts"
+ assert sts_session._endpoint.host == custom_endpoint
+
 @mock_aws
 def test_create_sts_session_eusc(self):
 current_session = session.Session()
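Review bot: The new branch honours only the generic `AWS_ENDPOINT_URL`, while botocore gives the service-specific `AWS_ENDPOINT_URL_STS` precedence over it, so an environment that sets both will have this STS client pointed somewhere different from every other client the SDK builds from the same variables. The variable is also read twice (`.get` then `[]`); a single lookup that follows the SDK's precedence keeps both in step: `custom_endpoint = os.environ.get("AWS_ENDPOINT_URL_STS") or os.environ.get("AWS_ENDPOINT_URL")`, `if custom_endpoint:`, `sts_endpoint_url = custom_endpoint`, with the existing `elif aws_region.startswith("cn-"):` chain following unchanged. Because this override moves the credential exchange off the partition's STS endpoint on the strength of one environment variable, logging the resolved `sts_endpoint_url` at debug level would make a stray value inherited from a CI runner or operator shell visible instead of silent. `create_sts_session` starts and ends outside the hunk, so whether a later branch or the client construction already applies an explicit `endpoint_url` could not be checked here.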