matanolabs / matano

Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
https://matano.dev
Apache License 2.0
1.44k stars 97 forks

matano init error: A PolicyStatement used in an identity-based policy must specify at least one resource. #103

Closed nickchap closed 1 year ago

nickchap commented 1 year ago

I received the following error after running the matano init command on a new install. Looks like validation of an IAM policy is failing because it contains no resources. This is on Mac 10.15.7.

Welcome to the Matano init wizard. This will get you started with Matano.
Follow the prompts to get started. You can always change these values later.

✔ Which AWS Region to deploy to? · us-east-2
✔ What is the AWS Account ID to deploy to? · my_aws_account_id
✔ Do you have an existing matano directory? (y/N) · false
  I will generate a Matano directory in the current directory.
✔ What is the name of the directory to generate?(use . for current directory) · .
✔ Generated Matano directory at /Users/my_user/matano.
⠇ Initializing AWS environment... (2/3)
[14:16:23] CDK toolkit version: 2.54.0 (build 9f41881)
[14:16:23] Command line arguments: {
  _: [ 'bootstrap' ],
  app: '/usr/local/matano-cli/matano-cdk',
  a: '/usr/local/matano-cli/matano-cdk',
  output: '/var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/matanocdkout7s9sla',
  o: '/var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/matanocdkout7s9sla',
  context: [
    'matanoUserDirectory=/Users/my_user/matano',
    'matanoAwsAccountId=my_aws_account_id',
    'matanoAwsRegion=us-east-2',
    'matanoContext={}'
  ],
  c: [
    'matanoUserDirectory=/Users/my_user/matano',
    'matanoAwsAccountId=my_aws_account_id',
    'matanoAwsRegion=us-east-2',
    'matanoContext={}'
  ],
  v: 3,
  verbose: 3,
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  ci: false,
  'bootstrap-bucket-name': undefined,
  b: undefined,
  'toolkit-bucket-name': undefined,
  toolkitBucketName: undefined,
  bootstrapBucketName: undefined,
  'bootstrap-kms-key-id': undefined,
  bootstrapKmsKeyId: undefined,
  'example-permissions-boundary': undefined,
  epb: undefined,
  examplePermissionsBoundary: undefined,
  'custom-permissions-boundary': undefined,
  cpb: undefined,
  customPermissionsBoundary: undefined,
  'bootstrap-customer-key': undefined,
  bootstrapCustomerKey: undefined,
  qualifier: undefined,
  'public-access-block-configuration': undefined,
  publicAccessBlockConfiguration: undefined,
  tags: [],
  t: [],
  execute: true,
  trust: [],
  'trust-for-lookup': [],
  trustForLookup: [],
  'cloudformation-execution-policies': [],
  cloudformationExecutionPolicies: [],
  force: false,
  f: false,
  'termination-protection': undefined,
  terminationProtection: undefined,
  'show-template': false,
  showTemplate: false,
  '$0': '/usr/local/matano-cli/cdk',
  ENVIRONMENTS: [ 'aws://my_aws_account_id/us-east-2' ],
  'E-n-v-i-r-o-n-m-e-n-t-s': [ 'aws://my_aws_account_id/us-east-2' ]
}
[14:16:23] CLI argument context: matanoUserDirectory=/Users/my_user/matano
[14:16:23] CLI argument context: matanoAwsAccountId=my_aws_account_id
[14:16:23] CLI argument context: matanoAwsRegion=us-east-2
[14:16:23] CLI argument context: matanoContext={}
[14:16:23] merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: '/var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/matanocdkout7s9sla',
  app: '/usr/local/matano-cli/matano-cdk',
  context: {
    matanoUserDirectory: '/Users/my_user/matano',
    matanoAwsAccountId: 'my_aws_account_id',
    matanoAwsRegion: 'us-east-2',
    matanoContext: '{}'
  },
  debug: false,
  assetMetadata: true,
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [],
  lookups: true
}
[14:16:23] [trace] SdkProvider#withAwsCliCompatibleDefaults()
[14:16:23] Determining if we're on an EC2 instance.
[14:16:23] Does not look like an EC2 instance.
[14:16:23] Reading cached notices from /Users/my_user/.cdk/cache/notices.json
[14:16:23] Toolkit stack: CDKToolkit
[14:16:23] Setting "CDK_DEFAULT_REGION" environment variable to us-east-2
[14:16:23] [trace] SdkProvider#defaultAccount()
[14:16:23] [trace]   SdkProvider#defaultCredentials()
[14:16:23] Resolving default credentials
[14:16:23] [trace]   SDK#currentAccount()
[14:16:23] [trace]     SDK#forceCredentialRetrieval()
[14:16:23] Retrieved account ID my_aws_account_id from disk cache
[14:16:23] Setting "CDK_DEFAULT_ACCOUNT" environment variable to my_aws_account_id
[14:16:23] context: {
  matanoUserDirectory: '/Users/my_user/matano',
  matanoAwsAccountId: 'my_aws_account_id',
  matanoAwsRegion: 'us-east-2',
  matanoContext: '{}',
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': []
}
[14:16:23] outdir: /var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/matanocdkout7s9sla
[14:16:23] env: {
  CDK_DEFAULT_REGION: 'us-east-2',
  CDK_DEFAULT_ACCOUNT: 'my_aws_account_id',
  CDK_OUTDIR: '/var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/matanocdkout7s9sla',
  CDK_CLI_ASM_VERSION: '22.0.0',
  CDK_CLI_VERSION: '2.54.0'
}
⠹ Initializing AWS environment... (2/3)
Created temporary directory for configuration files: /var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/mtnconfigYG9pBY/config
⠇ Initializing AWS environment... (2/3)
/snapshot/matano/infra/node_modules/aws-cdk-lib/core/lib/private/synthesis.js:2
  `);throw new Error(`Validation failed with the following errors:
           ^
Error: Validation failed with the following errors:
  [DPMainStack/Transformer/Function/ServiceRole/DefaultPolicy] A PolicyStatement used in an identity-based policy must specify at least one resource.
    at validateTree (/snapshot/matano/infra/node_modules/aws-cdk-lib/core/lib/private/synthesis.js:2:12)
    at Object.synthesize (/snapshot/matano/infra/node_modules/aws-cdk-lib/core/lib/private/synthesis.js:1:647)
    at App.synth (/snapshot/matano/infra/node_modules/aws-cdk-lib/core/lib/stage.js:1:1922)
    at process.<anonymous> (/snapshot/matano/infra/node_modules/aws-cdk-lib/core/lib/app.js:1:1157)
    at Object.onceWrapper (events.js:520:26)
    at process.emit (events.js:412:35)
    at process.emit (/snapshot/matano/infra/node_modules/source-map-support/source-map-support.js:516:21)
[14:16:26] Reading cached notices from /Users/my_user/.cdk/cache/notices.json
[14:16:26] Failed to get tree.json file: Error: /var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/matanocdkout7s9sla/tree.json: ENOENT: no such file or directory, open '/var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/matanocdkout7s9sla/tree.json'. Proceeding with empty tree.

Subprocess exited with error 1
[14:16:26] Error: Subprocess exited with error 1
    at ChildProcess.<anonymous> (/snapshot/node_modules/aws-cdk/lib/api/cxapp/exec.ts:153:23)
    at ChildProcess.emit (events.js:400:28)
    at ChildProcess.emit (domain.js:475:12)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:282:12)
⠏ Initializing AWS environment... (2/3)
 ›   Error: An error occurred: Command failed with exit code 1: /usr/local/matano-cli/cdk bootstrap aws://my_aws_account_id/us-east-2 --app /usr/local/matano-cli/matano-cdk --output /var/folders/8j/9dry0jvs43v3czwkrxr6wsfw0000gn/T/matanocdkout7s9sla --context matanoUserDirectory=/Users/my_user/matano --context matanoAwsAccountId=my_aws_account_id --context matanoAwsRegion=us-east-2 --context matanoContext={} -vvv
Samrose-Ahmed commented 1 year ago

There was a bug where we were adding an empty resource to the IAM policy statement. I've pushed out a change in https://github.com/matanolabs/matano/commit/878543723fd1b8d1256ec7d1353cbe95e9363706 and will kick off a build to release (link).
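The following is an added example and is not code from matano or from aws-cdk-lib. It is in TypeScript because the failing stack is CDK (the trace above runs inside `infra/node_modules/aws-cdk-lib`), but it does not import aws-cdk-lib, so it runs without that dependency: it re-implements the synth-time rule quoted in the error (a statement in an identity-based policy must list at least one `Resource` or `NotResource`), reproduces the failure with a builder that can hand CDK an empty resource list when an ARN came from an optional construct, and contrasts it with a builder that drops blank or missing ARNs and omits the statement instead. The construct path is copied from the error; the policy shape, the ARNs, the optional-table scenario and the function names (`naiveStatement`, `guardedStatement`, `transformerDefaultPolicy`) are assumptions made for illustration.

```typescript
// Added example, not code from matano or aws-cdk-lib. It re-implements the
// synth-time rule named in the stack trace above (an identity-based policy
// statement must list at least one Resource or NotResource) and contrasts a
// statement builder that can emit an empty resource list with one that cannot.
// Policy shape, ARNs and the optional-table scenario are constructed here.

type Effect = "Allow" | "Deny";

interface StatementJson {
  Effect: Effect;
  Action: string[];
  Resource?: string[];
  NotResource?: string[];
}

// Construct path copied from the error in the issue; used only as a label.
const DEFAULT_POLICY_PATH =
  "DPMainStack/Transformer/Function/ServiceRole/DefaultPolicy";

/** Same condition CDK tests for a statement in an identity-based policy:
 *  an empty Resource list with no NotResource entries is an error. */
function validateIdentityStatement(stmt: StatementJson, path: string): string[] {
  const resources = stmt.Resource ?? [];
  const notResources = stmt.NotResource ?? [];
  if (resources.length === 0 && notResources.length === 0) {
    return [
      `[${path}] A PolicyStatement used in an identity-based policy must specify at least one resource.`,
    ];
  }
  return [];
}

/** Checks every statement of a policy document and collects all errors,
 *  the way CDK's validateTree reports them together at App.synth(). */
function validateIdentityPolicy(statements: StatementJson[], path: string): string[] {
  const errors: string[] = [];
  statements.forEach((stmt, i) => {
    errors.push(...validateIdentityStatement(stmt, `${path}/Statement[${i}]`));
  });
  return errors;
}

/** Naive builder: forwards whatever ARNs it is handed. When the caller's
 *  ARN came from an optional construct and is undefined, the statement
 *  reaches synth with Resource: [] and the validation above rejects it. */
function naiveStatement(
  actions: string[],
  resources: Array<string | undefined>,
): StatementJson {
  const arns: string[] = [];
  for (const r of resources) if (r !== undefined) arns.push(r);
  return { Effect: "Allow", Action: actions, Resource: arns };
}

/** Guarded builder: also drops blank ARNs (a blank string is a non-empty
 *  list entry, so the CDK check above would not catch it) and returns
 *  undefined when nothing is left, so the caller omits the statement.
 *  It deliberately does not fall back to "*": a missing target must not
 *  widen the grant to every resource in the account. */
function guardedStatement(
  actions: string[],
  resources: Array<string | undefined>,
): StatementJson | undefined {
  const arns: string[] = [];
  for (const r of resources) if (r !== undefined && r.trim() !== "") arns.push(r);
  if (arns.length === 0) return undefined;
  return { Effect: "Allow", Action: actions, Resource: arns };
}

type Builder = (
  actions: string[],
  resources: Array<string | undefined>,
) => StatementJson | undefined;

/** Hypothetical scenario: the transformer function's default policy grants
 *  read on a fixed bucket and write on a table that may not exist in this
 *  deployment, so its ARN may be undefined. */
function transformerDefaultPolicy(tableArn: string | undefined, build: Builder): StatementJson[] {
  const statements: StatementJson[] = [];
  const candidates = [
    build(["s3:GetObject"], ["arn:aws:s3:::example-raw-logs/*"]),
    build(["dynamodb:PutItem"], [tableArn]),
  ];
  for (const s of candidates) if (s !== undefined) statements.push(s);
  return statements;
}

// With the table absent, the naive builder reproduces the synth error ...
const brokenPolicy = transformerDefaultPolicy(undefined, naiveStatement);
const brokenErrors = validateIdentityPolicy(brokenPolicy, DEFAULT_POLICY_PATH);

// ... and the guarded builder emits only the statement that has a resource.
const fixedPolicy = transformerDefaultPolicy(undefined, guardedStatement);
const fixedErrors = validateIdentityPolicy(fixedPolicy, DEFAULT_POLICY_PATH);

console.log(brokenErrors.join("\n")); // one error, for .../Statement[1]
console.log(fixedErrors.length, fixedPolicy.length); // 0 1
```

The check only fires on an empty list, which is why `guardedStatement` also trims blank strings: a statement with `Resource: [""]` passes this validation and is only rejected later, at deploy time, by IAM. Omitting the statement rather than substituting `"*"` keeps the role least-privilege when the optional target is absent.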