aws-samples / service-screener-v2

A tool for customers to evaluate their AWS service configurations based on AWS and community best practices and receive recommendations on potential improvements.
Apache License 2.0

Error when using in All Region #47

Closed nasutionam closed 7 months ago

nasutionam commented 8 months ago

Describe the bug
Error when using the ALL region parameter.

To Reproduce
Steps to reproduce the behavior:

```shell
python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
alias screener="python3 $(pwd)/main.py"
screener --regions ALL
```

Full commands used to reproduce this bug
`screener --regions ALL`

Expected behavior
output.zip

Screenshots

```
COMPLETED -- S3::us-west-2 (11.197s)
multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 51, in starmapstar
    return list(itertools.starmap(args[0], args[1]))
  File "/home/cloudshell-user/service-screener-v2/Screener.py", line 97, in scanByService
    json.dump(contexts[service[0]], f)
  File "/usr/lib64/python3.9/json/__init__.py", line 179, in dump
    for chunk in iterable:
  File "/usr/lib64/python3.9/json/encoder.py", line 431, in _iterencode
    yield from _iterencode_dict(o, _current_indent_level)
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 325, in _iterencode_list
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 438, in _iterencode
    o = _default(o)
  File "/usr/lib64/python3.9/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type datetime is not JSON serializable
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/cloudshell-user/service-screener-v2/main.py", line 195, in <module>
    pool.starmap(Screener.scanByService, input_ranges)
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 372, in starmap
    return self._map_async(func, iterable, starmapstar, chunksize).get()
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
TypeError: Object of type datetime is not JSON serializable
```

AWS CloudShell (please complete the following information):

Execution Environment (PLEASE FILL THIS UP IF YOU ARE NOT RUNNING THIS IN AWS CLOUDSHELL):
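The `TypeError: Object of type datetime is not JSON serializable` in the traceback above is raised by `json.dump` when it reaches a `datetime` inside the scan context: boto3 deserializes every timestamp field in an API response (IAM `CreateDate`, for example) into a timezone-aware `datetime`, which the standard encoder rejects, and because the dump runs inside a `multiprocessing` worker the whole run aborts. The following is an added example, not code from service-screener-v2 or its maintainers: a `json.JSONEncoder` subclass that converts the non-JSON types boto3 returns, applied to a constructed context nested the same way as the frames in the traceback (dict, dict, dict, list, datetime). `AwsResponseEncoder`, `dump_context`, `roundtrip` and `SAMPLE_CONTEXT` are names chosen for this example.

```python
"""Added example (not from the service-screener-v2 code base): a JSON encoder that
tolerates the non-JSON types boto3 places in API responses, so that a scan context
containing a datetime does not abort the whole worker pool."""
import json
from datetime import date, datetime, timezone
from decimal import Decimal


class AwsResponseEncoder(json.JSONEncoder):
    """Serialize the values json.dump() refuses by default.

    datetime/date -> ISO 8601 string (boto3 returns timezone-aware datetimes)
    bytes         -> hex string (KMS and Lambda responses can carry raw bytes)
    Decimal       -> int or float (the DynamoDB resource API returns Decimal)
    set           -> sorted list
    Anything else still raises TypeError, so genuinely unexpected objects are not hidden.
    """

    def default(self, o):
        if isinstance(o, (datetime, date)):
            return o.isoformat()
        if isinstance(o, (bytes, bytearray)):
            return o.hex()
        if isinstance(o, Decimal):
            return int(o) if o == o.to_integral_value() else float(o)
        if isinstance(o, (set, frozenset)):
            return sorted(o)
        return super().default(o)


def dump_context(context):
    """Return the scan context as a JSON string using the tolerant encoder."""
    return json.dumps(context, cls=AwsResponseEncoder, indent=2, sort_keys=True)


def dump_context_to_file(context, path):
    """Same call shape as the failing `json.dump(contexts[service[0]], f)`, with the encoder added."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(context, f, cls=AwsResponseEncoder)


def roundtrip(context):
    """Serialize and parse back, to show what a consumer of the JSON file will see."""
    return json.loads(dump_context(context))


# Constructed sample (not real account data) mimicking the nesting in the traceback:
# dict -> dict -> dict -> list -> datetime, plus the other boto3 types the encoder handles.
SAMPLE_CONTEXT = {
    "IAM": {
        "us-east-1": {
            "users": [
                {
                    "UserName": "myfirstuser",
                    "CreateDate": datetime(2024, 1, 28, 14, 3, tzinfo=timezone.utc),
                    "PasswordLastUsed": None,
                },
            ],
            "accountAliases": {"example-alias"},
        }
    },
    "KMS": {
        "ap-southeast-3": {"keyMaterialSample": b"\x00\x01", "pending": Decimal("7")}
    },
}

if __name__ == "__main__":
    print(dump_context(SAMPLE_CONTEXT))
```

Passing `default=str` to `json.dump` is the one-line alternative, but it turns bytes into `"b'\\x00\\x01'"` and Decimal into a quoted string, which the report generator then has to parse back; an explicit encoder keeps the output typed and predictable.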

kuettai commented 8 months ago

Unable to simulate. Drop an email to @nasutionam to seek clarification / arrange an online session.

awhitespace commented 7 months ago

I'm having a similar issue here.

To reproduce, run as root user at CloudShell:

```shell
python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
alias screener="python3 $(pwd)/main.py"
screener --regions ap-southeast-3
```

Expected: output.zip

What I got: no output.zip file

```
(sscreenerv2) bash-5.2# ls -al
total 160
drwxr-xr-x 13 root root 4096 Jan 28 14:12 .
drwxr-xr-x 6 cloudshell-user cloudshell-user 4096 Jan 28 14:11 ..
drwxr-xr-x 3 root root 4096 Jan 28 14:11 adminlte
-rw-r--r-- 1 root root 309 Jan 28 14:11 CODE_OF_CONDUCT.md
-rw-r--r-- 1 root root 652 Jan 28 14:11 constants.py
-rw-r--r-- 1 root root 3160 Jan 28 14:11 CONTRIBUTING.md
-rw-r--r-- 1 root root 399 Jan 28 14:11 crossAccounts.sample.json
-rw-r--r-- 1 root root 757 Jan 28 14:11 DEVELOPER.md
-rw-r--r-- 1 root root 2653 Jan 28 14:11 DISCLAIMER.md
-rw-r--r-- 1 root root 1907 Jan 28 14:11 DocLinkValidity.py
drwxr-xr-x 2 root root 4096 Jan 28 14:12 fork
drwxr-xr-x 7 root root 4096 Jan 28 14:12 frameworks
drwxr-xr-x 8 root root 4096 Jan 28 14:11 .git
drwxr-xr-x 3 root root 4096 Jan 28 14:11 .github
-rw-r--r-- 1 root root 1128 Jan 28 14:11 .gitignore
-rw-r--r-- 1 root root 191 Jan 28 14:11 info.json
-rw-r--r-- 1 root root 10142 Jan 28 14:11 LICENSE
-rw-r--r-- 1 root root 1260 Jan 28 14:11 licenses.txt
-rw-r--r-- 1 root root 9720 Jan 28 14:11 main.py
-rw-r--r-- 1 root root 1289 Jan 28 14:11 NOTICE
drwxr-xr-x 2 root root 4096 Jan 28 14:12 __pycache__
-rwxr-xr-x 1 root root 5900 Jan 28 14:11 README.md
-rw-r--r-- 1 root root 348 Jan 28 14:11 readme.txt
-rwxr-xr-x 1 root root 5818 Jan 28 14:11 reporter.md
-rw-r--r-- 1 root root 86 Jan 28 14:11 requirements.txt
-rw-r--r-- 1 root root 4044 Jan 28 14:11 RuleCount.py
-rw-r--r-- 1 root root 8022 Jan 28 14:11 Screener.py
drwxr-xr-x 18 root root 4096 Jan 28 14:12 services
drwxr-xr-x 2 root root 4096 Jan 28 14:11 ServiceScreenerV2.egg-info
-rw-r--r-- 1 root root 830 Jan 28 14:11 setup.py
drwxr-xr-x 2 root root 4096 Jan 28 14:11 templates
drwxr-xr-x 3 root root 4096 Jan 28 14:11 usecases
drwxr-xr-x 3 root root 4096 Jan 28 14:12 utils
```

The log:

```
(sscreenerv2) bash-5.2# screener --regions ap-southeast-3
-- Acquiring identify info...

=================================================
Processing the following account id:

[info] Empty CF stacked created successfully, name:ssv2-ff3b0ecca4fc
PREPARING -- RDS::ap-southeast-3
PREPARING -- S3::ap-southeast-3
PREPARING -- IAM::us-east-1
PREPARING -- EC2::ap-southeast-3
... (S3Account) inspecting
Public access configuration not set
... (S3Bucket) inspecting aws-builderday-terraform-state
... (SecretsManager) inspecting passwordsecretmanager
AccessDeniedException
No access to "/aws/" namespace: aws/service/global-infrastructure is not a valid namespace
... (Cost Explorer Recommendations) inspecting
COMPLETED -- RDS::ap-southeast-3 (1.393s)
PREPARING -- EFS::ap-southeast-3
... (S3Bucket) inspecting cf-templates-1xse20i47s0d0-ap-southeast-3
COMPLETED -- EFS::ap-southeast-3 (0.088s)
PREPARING -- LAMBDA::ap-southeast-3
... (Lambda) inspecting SendSecurityHubSummaryEmail
AccessDeniedException
Unable to determine service/operation name to be authorized.
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/lambda_/drivers/LambdaCommon.py", line 112, in _check_code_signing_disabled
    code_sign = self.lambda_client.get_function_code_signing_config(
  File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 964, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetFunctionCodeSigningConfig operation: Unable to determine service/operation name to be authorized.

... (IAM::User) inspecting
... (IAM::User) inspecting myfirstuser
... (S3Bucket) inspecting config-bucket-
... (EC2) inspecting i-0299b884105aaa4ac
... (S3Bucket) inspecting sechubautoemail
Skipped runtime version check due to unable to locate runtime option path
... (IAM::Role) inspecting builder-day-prod-ec2db-instance-role-20240128140303437400000001
... (Lambda) inspecting stack-kirim-email-scehub-CustomInsightsFunction-hjYiq1cgjR2s
AccessDeniedException
Unable to determine service/operation name to be authorized.
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/lambda_/drivers/LambdaCommon.py", line 112, in _check_code_signing_disabled
    code_sign = self.lambda_client.get_function_code_signing_config(
  File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 964, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetFunctionCodeSigningConfig operation: Unable to determine service/operation name to be authorized.

... (S3Bucket) inspecting sechubexps3bucket
... (EC2) inspecting i-0e84bc29c69b49f25
Skipped runtime version check due to unable to locate runtime option path
COMPLETED -- LAMBDA::ap-southeast-3 (3.368s)
PREPARING -- GUARDDUTY::ap-southeast-3
COMPLETED -- GUARDDUTY::ap-southeast-3 (0.098s)
PREPARING -- CLOUDFRONT::us-east-1
... (EBS) inspecting vol-040a382963c09de32
COMPLETED -- CLOUDFRONT::us-east-1 (1.16s)
PREPARING -- CLOUDTRAIL::ap-southeast-3
... (EBS) inspecting vol-0e574c527ca422f02
... (IAM::Role) inspecting builder-day-prod-web-inst-role-20240128140303682100000002
... (CloudTrail:Common) inspecting
COMPLETED -- CLOUDTRAIL::ap-southeast-3 (0.112s)
PREPARING -- ELASTICACHE::ap-southeast-3
... (EBS::Snapshots) inspecting
COMPLETED -- ELASTICACHE::ap-southeast-3 (0.117s)
PREPARING -- EKS::ap-southeast-3
COMPLETED -- EKS::ap-southeast-3 (0.22s)
PREPARING -- DYNAMODB::ap-southeast-3
... (ASG::Auto Scaling Group) inspecting mywebserver-2024012814030780430000000c
... (Dynamodb::Generic) inspecting
... (EC2::Security Group) inspecting sg-00ba1d9a55082af60
... (EC2::Security Group) inspecting sg-0297754826a5aca64
... (EC2::Security Group) inspecting sg-0e18c314fe51d3eb1
... (EC2::Security Group) inspecting sg-058d06c99fdd4940c
... (Dynamodb::aws-builderday-terraform-state) inspecting
... (Elastic IP Recommendations) inspecting 43.218.246.237
COMPLETED -- EC2::ap-southeast-3 (6.787s)
PREPARING -- KMS::ap-southeast-3
... (IAM::Role) inspecting ec2SSM
... (KMS) inspecting 0caaea1b-ff7a-4eff-ae08-8c59f9563055 (arn:aws:kms:ap-southeast-3::key/0caaea1b-ff7a-4eff-ae08-8c59f9563055)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'

... (KMS) inspecting 0ff3821a-a0e2-40c0-b813-ccf50656397d (arn:aws:kms:ap-southeast-3::key/0ff3821a-a0e2-40c0-b813-ccf50656397d)
... (KMS) inspecting 11a1f7b0-64e5-48bd-9ca9-8d21704671a4 (arn:aws:kms:ap-southeast-3::key/11a1f7b0-64e5-48bd-9ca9-8d21704671a4)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'

... (KMS) inspecting 193c43ff-31af-4565-92e0-d1573b197231 (arn:aws:kms:ap-southeast-3::key/193c43ff-31af-4565-92e0-d1573b197231)
COMPLETED -- DYNAMODB::ap-southeast-3 (1.983s)
PREPARING -- OPENSEARCH::ap-southeast-3
COMPLETED -- OPENSEARCH::ap-southeast-3 (0.078s)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'

... (KMS) inspecting 3b8f81e1-567c-47b1-9779-534d2a5a3cb4 (arn:aws:kms:ap-southeast-3::key/3b8f81e1-567c-47b1-9779-534d2a5a3cb4)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'

... (KMS) inspecting 67c2badc-1d84-4932-886f-92a782e4f368 (arn:aws:kms:ap-southeast-3::key/67c2badc-1d84-4932-886f-92a782e4f368)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'

... (KMS) inspecting 7e93496e-c475-487f-ae86-6a74d9cc05c4 (arn:aws:kms:ap-southeast-3::key/7e93496e-c475-487f-ae86-6a74d9cc05c4)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'

COMPLETED -- KMS::ap-southeast-3 (2.262s)
... (IAM::Role) inspecting OrganizationAccountAccessRole
... (IAM::Role) inspecting s3fullacessrole
... (IAM::Role) inspecting Sechub_adminrole
... (IAM::Role) inspecting SNSFailureFeedback
... (IAM::Role) inspecting SNSSuccessFeedback
... (IAM::Role) inspecting stack-kirim-email-scehub-CustomInsightsLambdaExecut-x07nBwWpAGeE
[!! WARNING !!] Could not connect to the endpoint URL: "https://macie2.ap-southeast-3.amazonaws.com/findings"
... (IAM::Role) inspecting stack-kirim-email-scehub-SendEmailLambdaExecutionRo-g8bCZxb3PVUJ
... (IAM:Account) inspecting
NoSuchEntity
COMPLETED -- IAM::us-east-1 (31.004s)
multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 51, in starmapstar
    return list(itertools.starmap(args[0], args[1]))
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/Screener.py", line 102, in scanByService
    json.dump(contexts[service[0]], f)
  File "/usr/lib64/python3.9/json/__init__.py", line 179, in dump
    for chunk in iterable:
  File "/usr/lib64/python3.9/json/encoder.py", line 431, in _iterencode
    yield from _iterencode_dict(o, _current_indent_level)
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 325, in _iterencode_list
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 438, in _iterencode
    o = _default(o)
  File "/usr/lib64/python3.9/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type datetime is not JSON serializable
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/main.py", line 195, in <module>
    pool.starmap(Screener.scanByService, input_ranges)
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 372, in starmap
    return self._map_async(func, iterable, starmapstar, chunksize).get()
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
TypeError: Object of type datetime is not JSON serializable
```
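The repeated `KeyError: 'Sid'` in the KMS section of the log above comes from `Policy.py` indexing `statement['Sid']` directly. In the IAM policy grammar `Sid` is optional, `Principal` may be the string `"*"` or a map of principal types, and `Action`, `NotAction` and `Resource` may each be a single string or a list, so a policy parser has to normalize all of them rather than assume one shape; a parser that crashes on a valid policy also means that key is silently never evaluated. The following is an added example, not the project's `extractPolicyInfo` or `_checkPolicyAdminUser`: a tolerant statement parser and an illustrative check for unconditioned `kms:*` grants, run over a constructed key policy that mixes a statement with a Sid and one without. The function names, `SAMPLE_KEY_POLICY` and the account ID in it are invented for the example.

```python
"""Added example (not from service-screener-v2): parse IAM/KMS policy statements without
assuming optional fields exist. Sid is optional, Principal may be "*" or a map, and
Action/NotAction/Resource may be a string or a list."""
import json


def _as_list(value):
    """Normalize a string-or-list (or single object) policy element into a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _principals(statement):
    """Flatten Principal (or NotPrincipal) into a list of strings.
    "*" -> ["*"]; {"AWS": [...], "Service": "..."} -> AWS ARNs as-is, other types prefixed."""
    key = "Principal" if "Principal" in statement else "NotPrincipal"
    raw = statement.get(key)
    if raw is None:
        return []  # identity-based policies have no Principal element
    if isinstance(raw, str):
        return [raw]
    out = []
    for ptype, values in raw.items():
        for v in _as_list(values):
            out.append(v if ptype == "AWS" else f"{ptype}:{v}")
    return out


def extract_policy_info(policy):
    """Return {'Allow': {sid: info}, 'Deny': {sid: info}} for a policy document.

    `policy` may be a JSON string (the form KMS GetKeyPolicy returns) or a dict.
    Statements without a Sid get the synthetic key 'Statement[<index>]' so that nothing
    is dropped or overwritten, which is what indexing statement['Sid'] cannot do."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    info = {"Allow": {}, "Deny": {}}
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        effect = st.get("Effect", "Deny")  # Effect is mandatory; a missing one is treated as Deny
        if effect not in info:
            continue
        sid = st.get("Sid") or f"Statement[{idx}]"
        while sid in info[effect]:  # IAM rejects duplicate Sids, but stay defensive
            sid = f"{sid}#{idx}"
        info[effect][sid] = {
            "Principal": _principals(st),
            "Action": _as_list(st.get("Action"))
            + [f"Not:{a}" for a in _as_list(st.get("NotAction"))],
            "Resource": _as_list(st.get("Resource")),
            "Condition": st.get("Condition", {}),
        }
    return info


def broad_kms_grants(policy):
    """Sids of Allow statements granting kms:* (or *) with no Condition attached.
    Illustrative check only; not the project's _checkPolicyAdminUser logic."""
    info = extract_policy_info(policy)
    return sorted(
        sid
        for sid, s in info["Allow"].items()
        if any(a in ("kms:*", "*") for a in s["Action"]) and not s["Condition"]
    )


# Constructed sample (fake account ID): the default key policy AWS generates, which has a
# Sid, plus a service-scoped statement with no Sid, as service-created key policies may have.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "logs.ap-southeast-3.amazonaws.com"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
            "Condition": {"ArnLike": {
                "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:ap-southeast-3:123456789012:*"}},
        },
    ],
})

if __name__ == "__main__":
    print(json.dumps(extract_policy_info(SAMPLE_KEY_POLICY), indent=2))
    print("unconditioned kms:* grants:", broad_kms_grants(SAMPLE_KEY_POLICY))
```

Running it lists both statements under `Allow`, the second keyed as `Statement[1]`, and reports only the root-principal statement as an unconditioned `kms:*` grant; a parser that raised on the second statement would have reported nothing for the key at all.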

kuettai commented 7 months ago

Hi, can we connect via email? I would like to work closely on this.

kt.xtrik@gmail.com

awhitespace commented 7 months ago

Sure, I will send you an email shortly after this. What data will you need?

edit: sent @kuettai an email with my browser info and the command I executed to reproduce the issue

kuettai commented 7 months ago

After discussion with @awhitespace, it is likely due to the KMS policy checking... have temporarily disabled KMS from the SS default parameters until we resolve it. Getting some samples from awhitespace.

kuettai commented 7 months ago

Closing this item. Successfully simulated, thanks to @awhitespace.