
cartography fails to scan account that has denied regions at org level #1114

Open
VishalAgarW opened this issue Feb 9, 2023 · 5 comments

Labels: AWS (Related to cartography's AWS module), bug (Something isn't working)

Comments

@VishalAgarW (Contributor)

Title: cartography fails to scan account that has denied regions at org level

Description:

If you have an AWS Account as part of an AWS Org and Org is configured to deny region (https://docs.aws.amazon.com/controltower/latest/userguide/region-deny.html ), scanning the account crashes when it tries to enumerate resources in the denied regions.

To Reproduce:

  1. Create an AWS Account and make it part of AWS Org.
  2. Configure AWS Region deny for the regions you don't want your organization to use.
  3. Try to scan the AWS account.

Logs:

Fails with 'UnauthorizedOperation' exception.

raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeVolumes operation: You are not authorized to perform this operation.

Additional context:
'UnauthorizedOperation' needs to be added to the ERROR_CODES list of the aws_handle_regions function:
ERROR_CODES = [
'AccessDenied',
'AccessDeniedException',
'AuthFailure',
'InvalidClientTokenId',
'UnrecognizedClientException',
'InternalServerErrorException',
]
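To make the proposed fix concrete, here is an added, self-contained illustration of the decorator pattern the issue refers to. It is not cartography's own code: `handle_regions` is a hypothetical stand-in for `aws_handle_regions`, `FakeClientError` is a constructed class that only mirrors the `response['Error']['Code']` shape of `botocore.exceptions.ClientError` so the example runs without boto3, and the regions and volume IDs are constructed sample data. It shows why the scan aborts with the original ERROR_CODES list and how adding `'UnauthorizedOperation'` lets the sync log the denied region and continue.

```python
# Added illustration, not cartography's own code. A minimal reimplementation
# of the "skip a region on a known auth error code" decorator pattern that the
# issue describes for aws_handle_regions.
import functools
import logging

logger = logging.getLogger(__name__)


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError: the error
    code lives at exc.response['Error']['Code'], like the real exception."""

    def __init__(self, code: str, operation_name: str) -> None:
        self.response = {"Error": {"Code": code}}
        self.operation_name = operation_name
        super().__init__(
            f"An error occurred ({code}) when calling the {operation_name} operation"
        )


# The list as quoted in the issue, and the list with the proposed addition.
ORIGINAL_ERROR_CODES = [
    'AccessDenied',
    'AccessDeniedException',
    'AuthFailure',
    'InvalidClientTokenId',
    'UnrecognizedClientException',
    'InternalServerErrorException',
]
EXTENDED_ERROR_CODES = ORIGINAL_ERROR_CODES + ['UnauthorizedOperation']


def handle_regions(error_codes):
    """Decorator factory (hypothetical stand-in for aws_handle_regions).
    If the wrapped per-region call fails with one of the listed error codes,
    log a warning and return an empty result so the sync moves on to the
    next region instead of aborting the whole account scan. Any other error
    code is re-raised, because it may indicate a real problem."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            try:
                return func(*args, **kwargs)
            except FakeClientError as e:
                code = e.response["Error"]["Code"]
                if code in error_codes:
                    logger.warning("Skipping region, API call failed: %s", e)
                    return []
                raise
        return wrapper
    return decorator


# Constructed sample: an SCP region-deny makes DescribeVolumes fail with
# UnauthorizedOperation in the denied regions and succeed elsewhere.
DENIED_REGIONS = {"ap-south-1", "eu-west-3"}
SAMPLE_VOLUMES = {
    "us-east-1": ["vol-0a", "vol-0b"],
    "us-west-2": ["vol-0c"],
}


def describe_volumes(region: str):
    """Fake per-region API call standing in for ec2.describe_volumes()."""
    if region in DENIED_REGIONS:
        raise FakeClientError("UnauthorizedOperation", "DescribeVolumes")
    return list(SAMPLE_VOLUMES.get(region, []))


def scan_volumes(regions, error_codes):
    """Enumerate volumes across the given regions using the given skip list.
    Returns {region: volumes}; a denied region shows up with [] when its
    error code is in the skip list, otherwise the exception propagates and
    the scan stops, which is the behaviour reported in the issue."""
    get = handle_regions(error_codes)(describe_volumes)
    return {region: get(region) for region in regions}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    regions = ["us-east-1", "ap-south-1", "us-west-2", "eu-west-3"]
    print(scan_volumes(regions, EXTENDED_ERROR_CODES))
```

Passing an explicit `regions` list into `scan_volumes` also shows the other workaround discussed in this thread: restricting discovery to the regions the organization actually allows avoids the denied regions entirely, while the extended error-code list keeps the sync resilient when the allowed set and the SCP drift apart. Either way the skipped regions are still visible in the warning log, which is what an operator wants when reconciling inventory against the org's region policy.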

@HerRomero commented Feb 17, 2023

I'm having this same problem; it seems that execution stops when it finds an explicit deny from an SCP.
A simple solution could be adding an aws-regions parameter to the execution command.

@HerRomero

#1011

@achantavy added the bug (Something isn't working) label Feb 18, 2023
@CalvinRodo

I've run into this same issue. We have implemented AWS Control Tower and so, for compliance reasons, have limited access to 3 possible regions. Cartography did work until we set that up; it would be nice to just limit asset discovery to only specific regions, since we know it's impossible to create resources in all the ones that are denied.

@HerRomero

Any news on this issue?

@achantavy added the AWS (Related to cartography's AWS module) label Jul 14, 2023
@wanisfahmyDE

+1
