set explicit region for aws scanning #1047

Open
arudat opened this issue Jan 15, 2024 · 3 comments
arudat commented Jan 15, 2024

Hi, I searched for a flag where I can set a region for scanning. I found in the official docs
https://mondoo.com/docs/cnspec/cli/cnspec_scan_aws/
--region string AWS region to scan.
but cnspec scan aws --help says
--region string Region to use for authentication with the API. Note: this does not limit the discovery to the region

So what's the truth? :)

I believe the second one. So back to the question, is there any way to set the explicit region for scanning? I tried it with default region in aws config and also with the env key "AWS_DEFAULT REGION" but no change in my results

  • OS: linux/macOS
  • OS Version: archlinux
  • cnspec 9.14.0

Thank you

@chris-rock chris-rock added the enhancement New feature or request label Feb 5, 2024
@chris-rock
Member

@arudat Thank you for the report. I think it would be great to add this to cnspec. Until then you can use export AWS_REGION=us-east-1 to set the region.

@chris-rock
Member

I have to correct myself. The AWS_REGION is only relevant for the credentials. By default, cnquery & cnspec use all regions. We have the option to set the cnquery shell aws --filters but that does not work as intended for all cases right now.

I am going to turn this into a bug since the region filter does not work right now. Until then you can use:

cnquery shell aws --filters all:region=us-east-2 

We need to do the following:

  1. Update https://github.com/mondoohq/cnquery/blob/main/providers/aws/config/config.go#L96-L101 to include a better example
  2. Extract the region correctly https://github.com/mondoohq/cnquery/blob/main/providers/aws/provider/provider.go#L88-L100, there are three possible values: cnquery shell aws --filters region=us-east-2, cnquery shell aws --filters all:region=us-east-2 and cnquery shell aws --filters ec2:region=us-east-2
  3. Double-check why cnquery shell aws --filters ec2:region=us-east-2 does not work.
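
The three filter spellings listed in step 2, resolved to a region list per service. This is an added example, not cnquery's own code and not part of the comment above. The function name `regionsFor`, the map form of the parsed `--filters` values, the comma-separated value syntax and the rule that a service-scoped filter overrides the general one are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// regionsFor returns the regions that a --filters map allows for one service.
// It accepts "region", "all:region" and "<service>:region". An empty result
// means no region filter applies, so every region is scanned.
// Assumptions: a service-scoped filter overrides the general one, and a value
// may hold several comma-separated regions.
func regionsFor(service string, filters map[string]string) ([]string, error) {
	var general, scoped []string
	for key, val := range filters {
		scope, name := "all", key // a bare key is treated like "all:"
		if i := strings.Index(key, ":"); i >= 0 {
			scope, name = key[:i], key[i+1:]
		}
		if name != "region" {
			continue // other filter kinds are outside this example
		}
		for _, r := range strings.Split(val, ",") {
			r = strings.TrimSpace(r)
			if r == "" {
				// Fail loudly: a dropped value would widen the scan to all regions.
				return nil, fmt.Errorf("filter %q has an empty region", key)
			}
			if scope == service {
				scoped = append(scoped, r)
			} else if scope == "all" {
				general = append(general, r)
			}
		}
	}
	if len(scoped) > 0 {
		general = scoped
	}
	sort.Strings(general)
	return general, nil
}

func main() {
	// Constructed inputs: the three spellings from the issue.
	for _, key := range []string{"region", "all:region", "ec2:region"} {
		got, err := regionsFor("ec2", map[string]string{key: "us-east-2"})
		fmt.Printf("--filters %s=us-east-2 -> %v (err: %v)\n", key, got, err)
	}
}
```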

@chris-rock chris-rock added bug Something isn't working and removed enhancement New feature or request labels Feb 5, 2024
@vjeffrey
Contributor

vjeffrey commented Feb 5, 2024

is the ec2 one not filtering at all? that's meant to filter the ec2 discovery when doing --discover instances
