ec2:DescribeRegions used even when region is specified #387

Closed
Hermain opened this issue Oct 17, 2024 · 4 comments
Hermain commented Oct 17, 2024

My company denies ec2:DescribeRegions probably in an effort to prevent us from using any other region than the default one.

Now when I run aws-nuke (v3.27.0) with a config like this:

```yaml
regions:
  - eu-cental-1
blocklist:
  - "999999999999"
accounts:
  "1111...": {}
__global__:
  - property: tag:Purpose
    type: "regex"
    value: "^(?!.*(terratest))"
resource-types:
  includes:
    - S3Bucket
```

I get the following error:

```
FATA[0001] failed to get regions: UnauthorizedOperation: You are not authorized to perform this operation. User: ----- is not authorized to perform: ec2:DescribeRegions with an explicit deny in a service control policy
```

Why is describe regions even executed and why ec2 when I only include buckets?
Is there any way around this?

Hermain commented Oct 17, 2024

I found the `--default-region` flag; now it works:

```
aws-nuke run --default-region eu-central-1
```

ekristen (Owner) commented

It's part of the bootstrap and discovery of the account prior to doing the initial run. I've never heard of blocking that call before. That's strange; it won't prevent you from using another region on its own.

It is part of an automatic region discovery feature.

Hermain commented Oct 22, 2024

Since using the `--default-region` flag prevents this blocked call and this seems to be very specific to my organisation, I'm content and will close the issue.

Hermain closed this as completed Oct 22, 2024
ekristen (Owner) commented

That's interesting. @Hermain, it seems that perhaps DescribeRegions is only blocked in specific regions in your accounts, as `--default-region` would have no impact on whether or not DescribeRegions is called, but I'm glad that you have it working.

I do think, though, that I should make it so that we only call that API if `all` is specified in the regions config; otherwise it is an unnecessary call to be making.
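The behaviour proposed in the last comment (call region discovery only when `all` appears in `regions`), sketched in Go as an added example; it is not aws-nuke's code and not part of the thread. `ResolveRegions`, `discover` and `errDenied` are hypothetical names, and `discover` stands in for the ec2:DescribeRegions call, here constructed to fail the way the service control policy in this issue makes it fail.

```go
package main

import (
	"errors"
	"fmt"
)

// errDenied is a constructed stand-in for the UnauthorizedOperation error in the issue.
var errDenied = errors.New("UnauthorizedOperation: ec2:DescribeRegions explicitly denied by SCP")

// ResolveRegions (hypothetical helper) expands the configured region list.
// discover is invoked only when the special value "all" is present, so an
// explicit region list never needs the ec2:DescribeRegions permission.
func ResolveRegions(configured []string, discover func() ([]string, error)) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	add := func(r string) {
		if !seen[r] { // de-duplicate while keeping first-seen order
			seen[r] = true
			out = append(out, r)
		}
	}
	for _, r := range configured {
		if r != "all" {
			add(r)
			continue
		}
		found, err := discover()
		if err != nil {
			// Surface the denial with context instead of a bare bootstrap failure.
			return nil, fmt.Errorf("regions contains \"all\" but discovery failed: %w", err)
		}
		for _, f := range found {
			add(f)
		}
	}
	if len(out) == 0 {
		return nil, errors.New("no regions configured")
	}
	return out, nil
}

func main() {
	denied := func() ([]string, error) { return nil, errDenied }
	regions, err := ResolveRegions([]string{"eu-central-1"}, denied)
	fmt.Println(regions, err) // explicit list: discovery is never attempted
	_, err = ResolveRegions([]string{"all"}, denied)
	fmt.Println(err) // "all": the denied call is reached and reported
}
```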
