CrowdStrike/cloud-resource-estimator

Skip suspended accounts in AWS when performing discovery against an AWS Organization

musayev-io opened this issue · 0 comments

Issue: When an account is deleted in an AWS Organization, it remains in a suspended state for 90 days before it's permanently removed from the organization. As a result, the script may fail if it attempts to discover and assess an account in suspended state. Therefore, it's important to modify the script to skip any accounts that are in a suspended state during the discovery process.

Background: AWS Organizations places accounts in a suspended state for 90 days after they're deleted from the organization. During this period, the account is inaccessible and cannot be discovered or assessed. If the script attempts to discover and assess a suspended account, it will likely fail and generate errors, which can negatively impact the performance of the script.

Proposed Solution: To address this issue, we recommend modifying the script to skip any accounts that are in a suspended state during the discovery process. This will prevent the script from attempting to assess accounts that cannot be accessed, and avoid generating unnecessary errors.

Example output:

[cloudshell-user@ip-10-6-167-65 cloud-benchmark]$ python3 aws_cspm_benchmark.py
Cannot access adjacent account:  631025991766 An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::115255193357:assumed-role/AWSReservedSSO_AWSAdministratorAccess_b737e96d1e697324/xxxxxxxxxxx@igt.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::631025991766:role/xxxxxxxxxxxxxxxxxxxxxx
Traceback (most recent call last):
  File "aws_cspm_benchmark.py", line 125, in <module>
    for aws in AWSOrgAccess().accounts():
  File "aws_cspm_benchmark.py", line 52, in accounts
    return [self.aws_handle(a) for a in accounts]
  File "aws_cspm_benchmark.py", line 52, in <listcomp>
    return [self.aws_handle(a) for a in accounts]
  File "aws_cspm_benchmark.py", line 60, in aws_handle
    return AWSHandle(aws_session=self.new_session(account['Id']), account_id=account['Id'])
  File "aws_cspm_benchmark.py", line 76, in new_session
    raise exc
  File "aws_cspm_benchmark.py", line 66, in new_session
    RoleSessionName=account_id
  File "/home/cloudshell-user/.local/lib/python3.7/site-packages/botocore/client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cloudshell-user/.local/lib/python3.7/site-packages/botocore/client.py", line 960, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::115255193357:assumed-role/AWSReservedSSO_AWSAdministratorAccess_b737e96d1e697324/xxxxxxxxxxxxxxx@igt.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::631025991766:role/xxxxxxxxxxxxxxxxxxxxx
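One way to implement the skip the issue asks for, as an added example that is not the cloud-resource-estimator project's own code. It enumerates the organization with the `list_accounts` paginator, keeps only accounts whose `Status` is `ACTIVE` (AWS Organizations reports `ACTIVE`, `SUSPENDED` or `PENDING_CLOSURE`), and records the ones it skipped. It also treats a per-account `AccessDenied` on `sts:AssumeRole` as a reportable result rather than a fatal exception, since the traceback above shows the whole run dying on one account. The Organizations and STS clients are passed in; in real use you would hand it `boto3.client("organizations")` and `boto3.client("sts")` from the management account. The role name `DiscoveryRole`, the account IDs and the fake clients at the bottom are constructed so the block runs offline; `ClientError` falls back to a stand-in with botocore's constructor shape only when botocore is not installed.

```python
try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent (offline demo): mirror its ClientError shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            err = error_response["Error"]
            super().__init__(f"An error occurred ({err['Code']}) when calling the "
                             f"{operation_name} operation: {err['Message']}")
            self.response = error_response
            self.operation_name = operation_name

# Organizations account statuses are ACTIVE, SUSPENDED or PENDING_CLOSURE.
# Only ACTIVE accounts can be entered; the others are skipped, not failed.
ASSESSABLE_STATUSES = frozenset({"ACTIVE"})


def list_org_accounts(org_client):
    """Every member account, following list_accounts pagination."""
    accounts = []
    for page in org_client.get_paginator("list_accounts").paginate():
        accounts.extend(page["Accounts"])
    return accounts


def filter_assessable(accounts):
    """Split into (assessable, skipped); skipped is a list of (id, status)."""
    assessable, skipped = [], []
    for acct in accounts:
        if acct.get("Status") in ASSESSABLE_STATUSES:
            assessable.append(acct)
        else:
            skipped.append((acct["Id"], acct.get("Status", "UNKNOWN")))
    return assessable, skipped


def assume_discovery_role(sts_client, account_id, role_name):
    """Credentials for the member account, or None when AssumeRole is denied.

    Other STS errors (throttling, malformed ARN) are re-raised on purpose:
    swallowing them would hide a real misconfiguration.
    """
    try:
        resp = sts_client.assume_role(
            RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
            RoleSessionName=f"discovery-{account_id}")
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "AccessDenied":
            return None
        raise
    return resp["Credentials"]


def discover_accounts(org_client, sts_client, role_name):
    """Enumerate the org; report accounts assessed, skipped (non-ACTIVE) or denied."""
    assessable, skipped = filter_assessable(list_org_accounts(org_client))
    report = {"assessed": [], "skipped": skipped, "denied": []}
    for acct in assessable:
        creds = assume_discovery_role(sts_client, acct["Id"], role_name)
        if creds is None:          # ACTIVE but the role is missing: keep going
            report["denied"].append(acct["Id"])
            continue
        # Real code would build a boto3.Session from creds and inventory the account.
        report["assessed"].append(acct["Id"])
    return report


# ---- constructed sample data and fake clients (offline stand-ins) ----------
SAMPLE_PAGES = [
    {"Accounts": [{"Id": "111111111111", "Name": "prod", "Status": "ACTIVE"},
                  {"Id": "222222222222", "Name": "old-sandbox", "Status": "SUSPENDED"}]},
    {"Accounts": [{"Id": "333333333333", "Name": "closing", "Status": "PENDING_CLOSURE"},
                  {"Id": "444444444444", "Name": "no-role", "Status": "ACTIVE"}]},
]


class _FakePaginator:
    def paginate(self, **kwargs):
        return iter(SAMPLE_PAGES)


class FakeOrganizationsClient:
    """Stand-in for boto3.client("organizations") returning two canned pages."""
    def get_paginator(self, operation_name):
        assert operation_name == "list_accounts"
        return _FakePaginator()


class FakeStsClient:
    """Stand-in for boto3.client("sts") that denies the role in chosen accounts."""
    def __init__(self, denied_ids):
        self._denied = set(denied_ids)

    def assume_role(self, RoleArn, RoleSessionName, **kwargs):
        account_id = RoleArn.split(":")[4]
        if account_id in self._denied:
            raise ClientError({"Error": {"Code": "AccessDenied",
                                         "Message": "not authorized"}}, "AssumeRole")
        return {"Credentials": {"AccessKeyId": "ASIA" + account_id,
                                "SecretAccessKey": "secret", "SessionToken": "token"}}


def run_demo():
    """Run discovery against the constructed org; one active account lacks the role."""
    return discover_accounts(FakeOrganizationsClient(),
                             FakeStsClient({"444444444444"}), "DiscoveryRole")


if __name__ == "__main__":
    print(run_demo())
```

Filtering on `Status` removes the suspended-account failure the issue describes, but note that the traceback's `AccessDenied` can also come from an `ACTIVE` account where the cross-account role was never deployed, which is why the example keeps the per-account `try`/`except` and reports those accounts separately instead of aborting the run.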