bridgecrewio / AirIAM

Least privilege AWS IAM Terraformer
https://airiam.io
Apache License 2.0

šŸ› Bug Report: Unable to run recommend_groups or terraform #100

Closed apeshimam closed 2 years ago

apeshimam commented 2 years ago

👟 Reproduction steps

airiam terraform or airiam recommend_groups

šŸ‘ Expected behavior

command completes successfully

👎 Actual Behavior

Error with the following logs

Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.9/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 49, in policy_is_write_access
    actions = PolicyAnalyzer._get_policy_actions(policy_document)
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 25, in _get_policy_actions
    actions_list.extend(PolicyAnalyzer.convert_to_list(statement['Action']))

💻 Operating system

MacOS

🧱 Your Environment

No response

Python Version

python 3.9.9

checkov-version

Didn't use checkov.

Share output with the environment variable LOG_LEVEL set to DEBUG

Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.9/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 49, in policy_is_write_access
    actions = PolicyAnalyzer._get_policy_actions(policy_document)
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 25, in _get_policy_actions
    actions_list.extend(PolicyAnalyzer.convert_to_list(statement['Action']))

👀 Have you spent some time to check if this issue has been raised before?

nimrodkor commented 2 years ago

Hey @apeshimam !

This is the traceback, but it seems the actual error is missing. Is it KeyError?

apeshimam commented 2 years ago

yes sorry it is a KeyError.

apeshimam commented 2 years ago

-> % airiam recommend_groups

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.57

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
IAM FILE NAME ./aircache/829297642418/iam_data.json
Data account  id 829297642418
Reusing local data
INFO:root:Analyzing data for account 829297642418
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.9/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 49, in policy_is_write_access
    actions = PolicyAnalyzer._get_policy_actions(policy_document)
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 25, in _get_policy_actions
    actions_list.extend(PolicyAnalyzer.convert_to_list(statement['Action']))
KeyError: 'Action'

nimrodkor commented 2 years ago

Hey @apeshimam !

This means the action is not part of this doc: https://raw.githubusercontent.com/salesforce/policy_sentry/master/policy_sentry/shared/data/iam-definition.json I wonder which action it is... Are you up for debugging?

apeshimam commented 2 years ago

Sorry, I just saw this. Yeah, up for it.

apeshimam commented 2 years ago

LMK how I can do this?

apeshimam commented 2 years ago

Hey @nimrodkor, happy to help. What do you need from me?

apeshimam commented 2 years ago

@nimrodkor, just wanted to check in and see if I could help push this along. Thanks.

nimrodkor commented 2 years ago

Hey @apeshimam , I looked into it and it seems this is an unexpected configuration - an Allow statement with no Action attribute - possibly this statement has a NotAction attribute, which is not a good practice. It is not a good practice to have Allow with NotAction because it might lead to implicitly giving permissions. Added a warning log, let me know if it solved your issue!
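The statement shape described in the comment above (Effect: Allow with a NotAction attribute and no Action key) is exactly what the traceback's `statement['Action']` lookup cannot handle. The following is an added example, not AirIAM's own code: it walks a policy document defensively (Action/NotAction may be a string or a list, and Statement may be a single object or a list), collects the explicit actions without raising KeyError, and reports any Allow+NotAction statement for review, since such a statement grants every action except the listed ones, including actions that did not exist when the policy was written. The helper names (`to_list`, `iter_statements`, `get_policy_actions`, `find_allow_notaction`) and the sample policy are constructed for this example.

```python
"""Added example (not AirIAM's code): parse an IAM policy document without
assuming every statement has an 'Action' key, and flag Allow+NotAction."""
import json

# Constructed sample policy: a normal Allow, an Allow that uses NotAction
# (the shape behind KeyError: 'Action' in the thread), and a Deny/NotAction
# statement, which is the conventional use of NotAction.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
        {"Effect": "Deny", "NotAction": "s3:GetObject", "Resource": "*"},
    ],
})


def to_list(value):
    """IAM accepts either a single string or a list in Action/NotAction/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def load_document(policy_document):
    """Accept the policy as a JSON string or an already-parsed dict."""
    if isinstance(policy_document, str):
        return json.loads(policy_document)
    return policy_document


def iter_statements(doc):
    """'Statement' may be a single object or a list of objects."""
    statements = doc.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def get_policy_actions(policy_document):
    """Collect explicit actions. Statements with no 'Action' key (e.g. NotAction
    statements) are skipped instead of raising KeyError."""
    actions = []
    for statement in iter_statements(load_document(policy_document)):
        actions.extend(to_list(statement.get("Action")))
    return actions


def find_allow_notaction(policy_document):
    """Return the index and NotAction list of every Allow statement that uses
    NotAction, so a reviewer can decide whether the broad grant is intended."""
    findings = []
    for index, statement in enumerate(iter_statements(load_document(policy_document))):
        if statement.get("Effect") == "Allow" and "NotAction" in statement:
            findings.append({"index": index, "not_action": to_list(statement["NotAction"])})
    return findings


if __name__ == "__main__":
    print("explicit actions:", get_policy_actions(SAMPLE_POLICY))
    for finding in find_allow_notaction(SAMPLE_POLICY):
        print(f"review statement {finding['index']}: Allow with NotAction {finding['not_action']}")
```

Run against a policy from `aws iam get-policy-version` output (the `Document` field), the first function gives the action list a tool like the one in the traceback expects, and the second gives the warning the maintainer added in place of the crash.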