Generating regional STS endpoints to allow for default EBS encryption in opt-in regions (#284)

* Moving assume_role method to process_enable_ebs_encryption_by_default so that we can build a regional STS endpoint.

* Using AWS_STS_REGIONAL_ENDPOINTS env variable instead of generating regional endpoint.

* Adding entry to changelog and updating table of contents.

* Resolving linting issue W293

Author: boueya

CHANGELOG.md

@@ -3,6 +3,9 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2025-02-04](#2025-02-04)
+- [2025-01-21](#2025-01-21)
+- [2025-01-08](#2025-01-08)
 - [2024-09-18](#2024-09-18)
 - [2024-08-22](#2024-08-22)
 - [2024-07-17](#2024-07-17)
@@ -64,6 +67,10 @@ All notable changes to this project will be documented in this file.
 
 - Added [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls.  See https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8n)
 
+### Updated<!-- omit in toc -->
+
+- Updated [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) solution with STS environment variable to enable enforcement in opt-in regions.
+
 ## 2025-01-21
 
 ### Updated<!-- omit in toc -->

aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/lambda/src/app.py

@@ -76,6 +76,9 @@ def assume_role(role: str, role_session_name: str, account: str = None, session:
     Returns:
         Session object for the specified AWS account
     """
+    # set regional endpoint environment variable to account for potential opt-in regions
+    os.environ["AWS_STS_REGIONAL_ENDPOINTS"] = "regional"
+
     if not session:
         session = boto3.Session()
     sts_client: STSClient = session.client("sts", config=BOTO3_CONFIG)