Prowler is initiating IAM service while scanning Cloudwatch

[qadri99-max]

While scanning for Cloudwatch service only, I get ConnectionTimeoutError for endpoint iam.amazonaws.com [file: iam_service.py]

I am not sure why Prowler would be using IAM while scanning Cloudwatch?

Is there a way to force Prowler to move on to next scan if it encounters connection issues to an endpoint?

I am using Prowler 4.5.0

(I know the solution is to add IAM to my VPC endpoints but its not feasible yet)

[qadri99-max]

Also, while scanning elb or eventbridge services, I get error for acm endpoint, even though I am not scanning acm

[jfagoagas]

Hello @qadri99-max, actually the CloudWatch service has the check cloudwatch_cross_account_sharing_disabled which reviews if CloudWatch has allowed cross-account sharing, looking for the presence of the IAM Role CloudWatch-CrossAccountSharingRole. That's the reason why CloudWatch needs to setup the IAM client.

Regarding the other services:

• ELB has the check elb_ssl_listeners_use_acm_certificate which requires to call ACM APIs to see if a Certificate is configured.
• Regarding EventBridge I can't see any of the checks calling a different service. Could you review what API calls are being executed in your environment while running Prowler?

Thanks!

[qadri99-max]

Thanks @jfagoagas
1 - Do you think I can use --excluded-checks cloudwatch_cross_account_sharing_disabled elb_ssl_listeners_use_acm_certificate to exclude these checks while scanning cloudwatch and elb?

2 - Is there a way to force Prowler to move on to next scan if it encounters connection issues to an endpoint?

thanks

[jfagoagas]

1. Sure thing, you can exclude those checks if you don't want to scan them.
2. What do you mean by "move on to next scan"? If you are talking about connect timeouts, by default boto3 is configured to retry several times and then it'll continue onto the next operation.