Closed apeshimam closed 2 years ago
Hey @apeshimam!
This is the traceback, but it seems the actual error is missing. Is it `KeyError`?
Yes, sorry, it is a `KeyError`.

```text
-> % airiam recommend_groups
[AirIAM ASCII-art logo]
v0.1.57
AirIAM - Least privilege AWS IAM Terraformer
To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
IAM FILE NAME ./aircache/829297642418/iam_data.json
Data account id 829297642418
Reusing local data
INFO:root:Analyzing data for account 829297642418
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.9/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 49, in policy_is_write_access
    actions = PolicyAnalyzer._get_policy_actions(policy_document)
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 25, in _get_policy_actions
    actions_list.extend(PolicyAnalyzer.convert_to_list(statement['Action']))
KeyError: 'Action'
```
Hey @apeshimam!
This means the action is not part of this doc: https://raw.githubusercontent.com/salesforce/policy_sentry/master/policy_sentry/shared/data/iam-definition.json
I wonder which action it is... Are you up for debugging?
Sorry, I just saw this. Yeah, up for it.
LMK how I can do this?
Hey @nimrodkor, happy to help. What do you need from me?
@nimrodkor, just wanted to check in and see if I could help push this along. Thanks.
Hey @apeshimam, I looked into it and it seems this is an unexpected configuration: an `Allow` statement with no `Action` attribute. Possibly this statement has a `NotAction` attribute, which is not a good practice.
It is not a good practice to have `Allow` with `NotAction` because it might lead to implicitly giving permissions.
Added a warning log, let me know if it solved your issue!
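As an added illustration of the statement shape discussed in this thread (example code, not AirIAM's own implementation): a policy walker that collects actions without raising `KeyError` on `NotAction`-only statements, and that surfaces `Allow` + `NotAction` statements for review, since they grant every action except the ones listed. The sample policy is constructed for the example and is not the reporter's data.

```python
# Added example (not AirIAM's own code): collect the actions from an IAM policy
# document while tolerating statements that use NotAction instead of Action,
# and flag Allow + NotAction statements, the shape that produced the KeyError.
import logging

logger = logging.getLogger(__name__)


def _as_list(value):
    # IAM accepts either a string or a list for Statement/Action/NotAction.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def get_policy_actions(policy_document):
    """Actions named by Action keys; NotAction-only statements add nothing
    (their permission set is "everything except"), so no KeyError is raised."""
    actions = []
    for statement in _as_list(policy_document.get("Statement")):
        if "Action" in statement:
            actions.extend(_as_list(statement["Action"]))
        elif "NotAction" in statement:
            if statement.get("Effect") == "Allow":
                logger.warning("Allow statement uses NotAction %s: it grants every "
                               "action not listed; review it", statement["NotAction"])
        else:
            logger.warning("Statement has neither Action nor NotAction: %s", statement)
    return actions


def find_allow_not_action_statements(policy_document):
    """Return the Allow statements that rely on NotAction (the risky shape)."""
    return [s for s in _as_list(policy_document.get("Statement"))
            if s.get("Effect") == "Allow" and "NotAction" in s and "Action" not in s]


# Constructed sample policy (not taken from the issue): one ordinary Allow
# statement plus one Allow/NotAction statement of the kind that crashed airiam.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(get_policy_actions(SAMPLE_POLICY))                      # ['s3:GetObject', 's3:ListBucket']
    print(len(find_allow_not_action_statements(SAMPLE_POLICY)))   # 1
```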
Reproduction steps
airiam terraform or airiam recommend_groups
Expected behavior
Command completes successfully.
Actual Behavior
Error with the following logs
Operating system
MacOS
Your Environment
No response
Python Version
python 3.9.9
checkov-version
Didn't use checkov.
Share output with the environment variable LOG_LEVEL set to DEBUG
Have you spent some time to check if this issue has been raised before?