diff --git a/docs/tutorials/aws/authentication.md b/docs/tutorials/aws/authentication.md
index 7a01e25909..714872b8c4 100644
--- a/docs/tutorials/aws/authentication.md
+++ b/docs/tutorials/aws/authentication.md
@@ -37,7 +37,3 @@ If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to

 - ARN of your MFA device
 - TOTP (Time-Based One-Time Password)
-
-## STS Endpoint Region
-
-If you are using Prowler in AWS regions that are not enabled by default you need to use the argument `--sts-endpoint-region` to point the AWS STS API calls `assume-role` and `get-caller-identity` to the non-default region, e.g.: `prowler aws --sts-endpoint-region eu-south-2`.
diff --git a/docs/tutorials/aws/role-assumption.md b/docs/tutorials/aws/role-assumption.md
index 977868c1f6..20ab7ad653 100644
--- a/docs/tutorials/aws/role-assumption.md
+++ b/docs/tutorials/aws/role-assumption.md
@@ -23,14 +23,6 @@ prowler aws -R arn:aws:iam:::role/
 prowler aws -T/--session-duration -I/--external-id -R arn:aws:iam:::role/
 ```

-## STS Endpoint Region
-
-If you are using Prowler in AWS regions that are not enabled by default you need to use the argument `--sts-endpoint-region` to point the AWS STS API calls `assume-role` and `get-caller-identity` to the non-default region, e.g.: `prowler aws --sts-endpoint-region eu-south-2`.
-
-> Since v3.11.0, Prowler uses a regional token in STS sessions so it can scan all AWS regions without needing the `--sts-endpoint-region` argument.
-
-> Make sure that you have enabled the AWS Region you want to scan in BOTH AWS Accounts (assumed role account and account from which you assume the role).
-
 ## Role MFA

 If your IAM Role has MFA configured you can use `--mfa` along with `-R`/`--role ` and Prowler will ask you to input the following values to get a new temporary session for the IAM Role provided:
diff --git a/prowler/providers/aws/lib/arguments/arguments.py b/prowler/providers/aws/lib/arguments/arguments.py
index 3abd739d5d..67477aca71 100644
--- a/prowler/providers/aws/lib/arguments/arguments.py
+++ b/prowler/providers/aws/lib/arguments/arguments.py
@@ -26,12 +26,6 @@ def init_parser(self):
 help="ARN of the role to be assumed",
 # Pending ARN validation
 )
- aws_auth_subparser.add_argument(
- "--sts-endpoint-region",
- nargs="?",
- default=None,
- help="Specify the AWS STS endpoint region to use. Read more at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html",
- )
 aws_auth_subparser.add_argument(
 "--mfa",
 action="store_true",
diff --git a/prowler/providers/aws/lib/credentials/credentials.py b/prowler/providers/aws/lib/credentials/credentials.py
index 8d7984d855..f0865d8f5d 100644
--- a/prowler/providers/aws/lib/credentials/credentials.py
+++ b/prowler/providers/aws/lib/credentials/credentials.py
@@ -12,12 +12,8 @@ def validate_aws_credentials(
 session: session, input_regions: list, sts_endpoint_region: str = None
 ) -> dict:
 try:
- # For a valid STS GetCallerIdentity we have to use the right AWS Region
- # Check if the --sts-endpoint-region is set
- if sts_endpoint_region is not None:
- aws_region = sts_endpoint_region
 # If there is no region passed with -f/--region/--filter-region
- elif input_regions is None or len(input_regions) == 0:
+ if input_regions is None or len(input_regions) == 0:
 # If you have a region configured in your AWS config or credentials file
 if session.region_name is not None:
 aws_region = session.region_name
diff --git a/tests/lib/cli/parser_test.py b/tests/lib/cli/parser_test.py
index b0e375c702..a660f7d13d 100644
--- a/tests/lib/cli/parser_test.py
+++ b/tests/lib/cli/parser_test.py
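Review bot: `sts_endpoint_region` is still a parameter of `validate_aws_credentials` (the signature is context at the top of the credentials.py hunk) but the new body never reads it, so the keyword is now dead and any caller still passing it gets no STS endpoint override. Either drop it from the signature together with its callers, or state in the function docstring that it is deprecated and ignored. The first removed comment carried the only rationale for the region-selection logic that the hunk keeps, so it is worth retaining above the new `if`: `# For a valid STS GetCallerIdentity we have to use the right AWS Region`. The argparse option is removed in the arguments.py hunk, yet no hunk here touches the code that reads the parsed option and passes it into this function; if that code still accesses `sts_endpoint_region` on the parsed namespace it will fail at startup, so confirming the caller was updated seems prudent. The body of `validate_aws_credentials` continues past the end of the hunk.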
@@ -998,13 +998,6 @@ class Test_Parser:
 parsed = self.parser.parse(command)
 assert parsed.config_file == config_file

- def test_aws_parser_sts_endpoint_region(self):
- argument = "--sts-endpoint-region"
- sts_endpoint_region = "eu-west-1"
- command = [prowler_command, argument, sts_endpoint_region]
- parsed = self.parser.parse(command)
- assert parsed.sts_endpoint_region == sts_endpoint_region
-
 def test_parser_azure_auth_sp(self):
 argument = "--sp-env-auth"
 command = [prowler_command, "azure", argument]