Closed nasutionam closed 7 months ago
Unable to simulate. Drop an email to @nasutionam to seek clarification / arrange an online session
I'm having a similar issue here.

To reproduce, run as the root user in CloudShell:

```shell
python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
alias screener="python3 $(pwd)/main.py"
screener --regions ap-southeast-3
```

Expected: output.zip

What I got: no output.zip file

```
(sscreenerv2) bash-5.2# ls -al
total 160
drwxr-xr-x 13 root root 4096 Jan 28 14:12 .
drwxr-xr-x  6 cloudshell-user cloudshell-user 4096 Jan 28 14:11 ..
drwxr-xr-x  3 root root 4096 Jan 28 14:11 adminlte
-rw-r--r--  1 root root  309 Jan 28 14:11 CODE_OF_CONDUCT.md
-rw-r--r--  1 root root  652 Jan 28 14:11 constants.py
-rw-r--r--  1 root root 3160 Jan 28 14:11 CONTRIBUTING.md
-rw-r--r--  1 root root  399 Jan 28 14:11 crossAccounts.sample.json
-rw-r--r--  1 root root  757 Jan 28 14:11 DEVELOPER.md
-rw-r--r--  1 root root 2653 Jan 28 14:11 DISCLAIMER.md
-rw-r--r--  1 root root 1907 Jan 28 14:11 DocLinkValidity.py
drwxr-xr-x  2 root root 4096 Jan 28 14:12 fork
drwxr-xr-x  7 root root 4096 Jan 28 14:12 frameworks
drwxr-xr-x  8 root root 4096 Jan 28 14:11 .git
drwxr-xr-x  3 root root 4096 Jan 28 14:11 .github
-rw-r--r--  1 root root 1128 Jan 28 14:11 .gitignore
-rw-r--r--  1 root root  191 Jan 28 14:11 info.json
-rw-r--r--  1 root root 10142 Jan 28 14:11 LICENSE
-rw-r--r--  1 root root 1260 Jan 28 14:11 licenses.txt
-rw-r--r--  1 root root 9720 Jan 28 14:11 main.py
-rw-r--r--  1 root root 1289 Jan 28 14:11 NOTICE
drwxr-xr-x  2 root root 4096 Jan 28 14:12 __pycache__
-rwxr-xr-x  1 root root 5900 Jan 28 14:11 README.md
-rw-r--r--  1 root root  348 Jan 28 14:11 readme.txt
-rwxr-xr-x  1 root root 5818 Jan 28 14:11 reporter.md
-rw-r--r--  1 root root   86 Jan 28 14:11 requirements.txt
-rw-r--r--  1 root root 4044 Jan 28 14:11 RuleCount.py
-rw-r--r--  1 root root 8022 Jan 28 14:11 Screener.py
drwxr-xr-x 18 root root 4096 Jan 28 14:12 services
drwxr-xr-x  2 root root 4096 Jan 28 14:11 ServiceScreenerV2.egg-info
-rw-r--r--  1 root root  830 Jan 28 14:11 setup.py
drwxr-xr-x  2 root root 4096 Jan 28 14:11 templates
drwxr-xr-x  3 root root 4096 Jan 28 14:11 usecases
drwxr-xr-x  3 root root 4096 Jan 28 14:12 utils
```

The log:
```
(sscreenerv2) bash-5.2# screener --regions ap-southeast-3
-- Acquiring identify info...
=================================================
Processing the following account id:
[info] Empty CF stacked created successfully, name:ssv2-ff3b0ecca4fc
PREPARING -- RDS::ap-southeast-3
PREPARING -- S3::ap-southeast-3
PREPARING -- IAM::us-east-1
PREPARING -- EC2::ap-southeast-3
... (S3Account) inspecting
Public access configuration not set
... (S3Bucket) inspecting aws-builderday-terraform-state
... (SecretsManager) inspecting passwordsecretmanager
AccessDeniedException No access to "/aws/" namespace: aws/service/global-infrastructure is not a valid namespace
... (Cost Explorer Recommendations) inspecting
COMPLETED -- RDS::ap-southeast-3 (1.393s)
PREPARING -- EFS::ap-southeast-3
... (S3Bucket) inspecting cf-templates-1xse20i47s0d0-ap-southeast-3
COMPLETED -- EFS::ap-southeast-3 (0.088s)
PREPARING -- LAMBDA::ap-southeast-3
... (Lambda) inspecting SendSecurityHubSummaryEmail
AccessDeniedException Unable to determine service/operation name to be authorized.
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/lambda_/drivers/LambdaCommon.py", line 112, in _check_code_signing_disabled
    code_sign = self.lambda_client.get_function_code_signing_config(
  File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 964, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetFunctionCodeSigningConfig operation: Unable to determine service/operation name to be authorized.
... (IAM::User) inspecting
... (IAM::User) inspecting myfirstuser
... (S3Bucket) inspecting config-bucket-
... (EC2) inspecting i-0299b884105aaa4ac
... (S3Bucket) inspecting sechubautoemail
Skipped runtime version check due to unable to locate runtime option path
... (IAM::Role) inspecting builder-day-prod-ec2db-instance-role-20240128140303437400000001
... (Lambda) inspecting stack-kirim-email-scehub-CustomInsightsFunction-hjYiq1cgjR2s
AccessDeniedException Unable to determine service/operation name to be authorized.
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/lambda_/drivers/LambdaCommon.py", line 112, in _check_code_signing_disabled
    code_sign = self.lambda_client.get_function_code_signing_config(
  File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 964, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetFunctionCodeSigningConfig operation: Unable to determine service/operation name to be authorized.
... (S3Bucket) inspecting sechubexps3bucket
... (EC2) inspecting i-0e84bc29c69b49f25
Skipped runtime version check due to unable to locate runtime option path
COMPLETED -- LAMBDA::ap-southeast-3 (3.368s)
PREPARING -- GUARDDUTY::ap-southeast-3
COMPLETED -- GUARDDUTY::ap-southeast-3 (0.098s)
PREPARING -- CLOUDFRONT::us-east-1
... (EBS) inspecting vol-040a382963c09de32
COMPLETED -- CLOUDFRONT::us-east-1 (1.16s)
PREPARING -- CLOUDTRAIL::ap-southeast-3
... (EBS) inspecting vol-0e574c527ca422f02
... (IAM::Role) inspecting builder-day-prod-web-inst-role-20240128140303682100000002
... (CloudTrail:Common) inspecting
COMPLETED -- CLOUDTRAIL::ap-southeast-3 (0.112s)
PREPARING -- ELASTICACHE::ap-southeast-3
... (EBS::Snapshots) inspecting
COMPLETED -- ELASTICACHE::ap-southeast-3 (0.117s)
PREPARING -- EKS::ap-southeast-3
COMPLETED -- EKS::ap-southeast-3 (0.22s)
PREPARING -- DYNAMODB::ap-southeast-3
... (ASG::Auto Scaling Group) inspecting mywebserver-2024012814030780430000000c
... (Dynamodb::Generic) inspecting
... (EC2::Security Group) inspecting sg-00ba1d9a55082af60
... (EC2::Security Group) inspecting sg-0297754826a5aca64
... (EC2::Security Group) inspecting sg-0e18c314fe51d3eb1
... (EC2::Security Group) inspecting sg-058d06c99fdd4940c
... (Dynamodb::aws-builderday-terraform-state) inspecting
... (Elastic IP Recommendations) inspecting 43.218.246.237
COMPLETED -- EC2::ap-southeast-3 (6.787s)
PREPARING -- KMS::ap-southeast-3
... (IAM::Role) inspecting ec2SSM
... (KMS) inspecting 0caaea1b-ff7a-4eff-ae08-8c59f9563055 (arn:aws:kms:ap-southeast-3: :key/0caaea1b-ff7a-4eff-ae08-8c59f9563055)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'
... (KMS) inspecting 0ff3821a-a0e2-40c0-b813-ccf50656397d (arn:aws:kms:ap-southeast-3: :key/0ff3821a-a0e2-40c0-b813-ccf50656397d)
... (KMS) inspecting 11a1f7b0-64e5-48bd-9ca9-8d21704671a4 (arn:aws:kms:ap-southeast-3: :key/11a1f7b0-64e5-48bd-9ca9-8d21704671a4)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'
... (KMS) inspecting 193c43ff-31af-4565-92e0-d1573b197231 (arn:aws:kms:ap-southeast-3: :key/193c43ff-31af-4565-92e0-d1573b197231)
COMPLETED -- DYNAMODB::ap-southeast-3 (1.983s)
PREPARING -- OPENSEARCH::ap-southeast-3
COMPLETED -- OPENSEARCH::ap-southeast-3 (0.078s)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'
... (KMS) inspecting 3b8f81e1-567c-47b1-9779-534d2a5a3cb4 (arn:aws:kms:ap-southeast-3: :key/3b8f81e1-567c-47b1-9779-534d2a5a3cb4)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'
... (KMS) inspecting 67c2badc-1d84-4932-886f-92a782e4f368 (arn:aws:kms:ap-southeast-3: :key/67c2badc-1d84-4932-886f-92a782e4f368)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'
... (KMS) inspecting 7e93496e-c475-487f-ae86-6a74d9cc05c4 (arn:aws:kms:ap-southeast-3: :key/7e93496e-c475-487f-ae86-6a74d9cc05c4)
Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
    getattr(self, method)()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/kms/drivers/KmsCommon.py", line 42, in _checkPolicyAdminUser
    parseInfo = pObj.extractPolicyInfo()
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/utils/Policy.py", line 88, in extractPolicyInfo
    policy[effect][statement['Sid']] = {'Principal': statement['Principal'], 'Action': statement['Action']}
KeyError: 'Sid'
COMPLETED -- KMS::ap-southeast-3 (2.262s)
... (IAM::Role) inspecting OrganizationAccountAccessRole
... (IAM::Role) inspecting s3fullacessrole
... (IAM::Role) inspecting Sechub_adminrole
... (IAM::Role) inspecting SNSFailureFeedback
... (IAM::Role) inspecting SNSSuccessFeedback
... (IAM::Role) inspecting stack-kirim-email-scehub-CustomInsightsLambdaExecut-x07nBwWpAGeE
[!! WARNING !!] Could not connect to the endpoint URL: "https://macie2.ap-southeast-3.amazonaws.com/findings"
... (IAM::Role) inspecting stack-kirim-email-scehub-SendEmailLambdaExecutionRo-g8bCZxb3PVUJ
... (IAM:Account) inspecting
NoSuchEntity
COMPLETED -- IAM::us-east-1 (31.004s)
multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 51, in starmapstar
    return list(itertools.starmap(args[0], args[1]))
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/Screener.py", line 102, in scanByService
    json.dump(contexts[service[0]], f)
  File "/usr/lib64/python3.9/json/__init__.py", line 179, in dump
    for chunk in iterable:
  File "/usr/lib64/python3.9/json/encoder.py", line 431, in _iterencode
    yield from _iterencode_dict(o, _current_indent_level)
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 325, in _iterencode_list
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 438, in _iterencode
    o = _default(o)
  File "/usr/lib64/python3.9/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type datetime is not JSON serializable
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/cloudshell-user/sscreenerv2/service-screener-v2/main.py", line 195, in <module>
    pool.starmap(Screener.scanByService, input_ranges)
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 372, in starmap
    return self._map_async(func, iterable, starmapstar, chunksize).get()
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
TypeError: Object of type datetime is not JSON serializable
```
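Two of the failures in the log above are generic pitfalls rather than anything specific to this account: the `KeyError: 'Sid'` in `utils/Policy.py` (the IAM policy grammar makes `Sid` optional, and KMS key policies very often omit it), and the `TypeError: Object of type datetime is not JSON serializable` in `Screener.scanByService` (boto3 returns `datetime` objects for fields such as key and instance creation dates, and `json.dump` has no default encoder for them). The following is an added example, not code from the service-screener-v2 project; the function names, the sample key policy and the account id `111122223333` are constructed for illustration. It shows a statement parser that tolerates a missing `Sid`, the "who holds `kms:*`" check that such a parser feeds, and a `default=` hook that lets the context be serialized.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a KMS key policy whose first statement carries no "Sid".
# "Sid" is optional in the IAM policy grammar, so a parser that indexes by
# statement['Sid'] raises KeyError exactly as in the traceback above.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # constructed account id
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:role/app-role"]},
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a bare string or a list of strings; always return a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def extract_policy_info(policy):
    """Index statements by Effect, then by Sid, synthesizing a Sid when absent.

    Hypothetical replacement for the shape of Policy.extractPolicyInfo: same
    {effect: {sid: {'Principal': ..., 'Action': ...}}} layout, but tolerant of
    missing keys and of string-or-list values.
    """
    info = {"Allow": {}, "Deny": {}}
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        effect = stmt.get("Effect", "Deny")
        sid = stmt.get("Sid") or f"Statement{idx}"   # positional fallback keeps it unique
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):               # {"AWS": ...}, {"Service": ...}
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:                                         # bare "*" or a single ARN
            principals = _as_list(principal)
        info.setdefault(effect, {})[sid] = {
            "Principal": principals,
            "Action": _as_list(stmt.get("Action")),
        }
    return info


def admin_principals(policy):
    """Principals granted kms:* (or *) by an Allow statement: the key-admin check."""
    admins = set()
    for entry in extract_policy_info(policy)["Allow"].values():
        if any(action in ("kms:*", "*") for action in entry["Action"]):
            admins.update(entry["Principal"])
    return sorted(admins)


def json_default(obj):
    """Fallback for types json cannot encode natively; datetimes become ISO 8601."""
    if isinstance(obj, datetime):
        return obj.isoformat()
    raise TypeError(f"Object of type {type(obj).__name__} is not JSON serializable")


def dump_context(context):
    """Serialize a scan context that may contain datetime values from boto3."""
    return json.dumps(context, default=json_default, sort_keys=True)


# Constructed context resembling what a per-service scan collects.
SAMPLE_CONTEXT = {
    "KMS": {"Keys": [{"KeyId": "00000000-0000-0000-0000-000000000000",  # placeholder id
                      "CreationDate": datetime(2024, 1, 28, 14, 3, tzinfo=timezone.utc)}]}
}

if __name__ == "__main__":
    print(json.dumps(extract_policy_info(SAMPLE_KEY_POLICY), indent=2))
    print(admin_principals(SAMPLE_KEY_POLICY))
    print(dump_context(SAMPLE_CONTEXT))
```

The synthesized `StatementN` key is only a stable handle for reporting; it never changes how the policy is evaluated. Passing `default=json_default` to `json.dump` is the minimal change that would let the worker finish writing the context file instead of propagating the `TypeError` through the multiprocessing pool.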
Hi, can we connect via email? I would like to work closely on this.
kt.xtrik@gmail.com
Sure, will send you an email shortly after this. What data will you need?

edit: sent @kuettai an email with my browser info and the command I executed to reproduce the issue

After discussion with @awhitespace, it is likely due to KMS policy checking... have temporarily disabled KMS from the SS default parameters until we resolve it. Getting some samples from awhitespace.

Closing this item. Successfully simulated thanks to @awhitespace
Describe the bug: Error when using the ALL region parameter

To Reproduce (steps to reproduce the behavior):

```shell
python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
alias screener="python3 $(pwd)/main.py"
screener --regions ALL
```

Full command used to reproduce this bug: `screener --regions ALL`

Expected behavior: output.zip

Screenshots:

```
COMPLETED -- S3::us-west-2 (11.197s)
multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 51, in starmapstar
    return list(itertools.starmap(args[0], args[1]))
  File "/home/cloudshell-user/service-screener-v2/Screener.py", line 97, in scanByService
    json.dump(contexts[service[0]], f)
  File "/usr/lib64/python3.9/json/__init__.py", line 179, in dump
    for chunk in iterable:
  File "/usr/lib64/python3.9/json/encoder.py", line 431, in _iterencode
    yield from _iterencode_dict(o, _current_indent_level)
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 325, in _iterencode_list
    yield from chunks
  File "/usr/lib64/python3.9/json/encoder.py", line 438, in _iterencode
    o = _default(o)
  File "/usr/lib64/python3.9/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type datetime is not JSON serializable
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/cloudshell-user/service-screener-v2/main.py", line 195, in <module>
    pool.starmap(Screener.scanByService, input_ranges)
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 372, in starmap
    return self._map_async(func, iterable, starmapstar, chunksize).get()
  File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
TypeError: Object of type datetime is not JSON serializable
```
AWS CloudShell (please complete the following information):
Execution Environment (PLEASE FILL THIS UP IF YOU ARE NOT RUNNING THIS IN AWS CLOUDSHELL):