nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool
GNU General Public License v2.0
6.76k stars 1.07k forks

Error awslambda.py L31 #1320

Open cgaudit opened 3 years ago

cgaudit commented 3 years ago

Hi, I got the current error while scanning an AWS env. which contains the Lambda service.

2021-06-15 11:49:07 kali scout[1561] ERROR awslambda.py L31: Failed to get role from managed policies: An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name XXX-dev-getAllTransactionsRole-XXX cannot be found.

What can be the reasons for not finding the Entity?

BR

lowSoA commented 3 years ago

Could you please provide the --debug output?

x4v13r64 commented 3 years ago

We've seen such errors a few times and my theory is that a role was configured on the Lambda which was then deleted. Would have to test to confirm.

cgaudit commented 3 years ago

{ "additional_details": null, "exception": "Failed to get role from managed policies: An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name xxx-dev-getAllTransactionsRole-xxx cannot be found.", "file": "awslambda.py", "line": 31, "traceback": "Traceback (most recent call last):\n File \"/usr/local/lib/python3.9/dist-packages/ScoutSuite/providers/aws/facade/awslambda.py\", line 31, in get_role_with_managed_policies\n role = client.get_role(RoleName=role_name)['Role']\n File \"/usr/local/lib/python3.9/dist-packages/botocore/client.py\", line 386, in _api_call\n return self._make_api_call(operation_name, kwargs)\n File \"/usr/local/lib/python3.9/dist-packages/botocore/client.py\", line 705, in _make_api_call\n raise error_class(parsed_response, operation_name)\nbotocore.errorfactory.NoSuchEntityException: An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name xxx-dev-getAllTransactionsRole-xxx cannot be found.\n" }

cgaudit commented 3 years ago

Hi @lowSoA,

Do those logs give us any insights?

@x4v13r64 does that mean that each time a role has been deleted it will trigger an error?

For which tests is the SecurityAudit permission necessary?

BR

lowSoA commented 3 years ago

I can confirm this is the behavior in the case explained by @x4v13r64 above.

Tzaoh commented 3 years ago

A check similar to the existing one below was done. https://github.com/nccgroup/ScoutSuite/blob/b9b8e201a45bd63835f611eec67fe3bb7c892a0a/ScoutSuite/providers/aws/facade/awslambda.py#L24-L26

For this use case: https://github.com/nccgroup/ScoutSuite/blob/bc9f32eea1388dd102e97244c6b484ba5e0ddfce/ScoutSuite/providers/aws/facade/awslambda.py#L46-L48

Although, we might want to consider refactoring this class a bit (and maybe others where similar things could be happening) in order to use the standard Boto3 exceptions. For this specific use case botocore.errorfactory.NoSuchEntityException could be used. Maybe exposing it from the awslambda.py facade could also be a good approach.
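One way to tolerate a deleted execution role in the facade, along the lines suggested above: this is an added example, not ScoutSuite's code. It keys on the NoSuchEntity error code that botocore's ClientError (and its NoSuchEntityException subclass) carries in .response, lets every other error propagate, and records the Lambda as having a dangling role reference instead of aborting the scan. The fake IAM client, the sample role names and the helper names are constructed for offline use and stand in for a real boto3 client.

```python
class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError (NoSuchEntityException
    is a subclass of it); both expose the AWS error code via .response."""
    def __init__(self, code, message, operation="GetRole"):
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}

class FakeIamClient:
    """Constructed IAM client: roles maps role name -> attached managed policies."""
    def __init__(self, roles, denied=()):
        self._roles, self._denied = roles, set(denied)
    def get_role(self, RoleName):
        if RoleName in self._denied:
            raise FakeClientError("AccessDenied", "not authorized to perform iam:GetRole")
        if RoleName not in self._roles:
            raise FakeClientError("NoSuchEntity", f"The role with name {RoleName} cannot be found.")
        return {"Role": {"RoleName": RoleName, "Arn": f"arn:aws:iam::123456789012:role/{RoleName}"}}
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": list(self._roles[RoleName])}

def error_code(exc):
    """AWS error code from a ClientError-shaped exception, else None."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")

def get_role_with_managed_policies(client, role_name):
    """Role dict plus its managed policies, or None when the role no longer
    exists (the deleted-role case from this issue). Other errors propagate."""
    try:
        role = client.get_role(RoleName=role_name)["Role"]
    except Exception as exc:
        if error_code(exc) == "NoSuchEntity":
            return None
        raise
    role["policies"] = client.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    return role

def audit_lambda_roles(client, functions):
    """Map Lambda name -> its role, or 'dangling' when the role was deleted."""
    result = {}
    for fn_name, role_arn in functions.items():
        role = get_role_with_managed_policies(client, role_arn.rsplit("/", 1)[-1])
        result[fn_name] = "dangling" if role is None else role
    return result

# Constructed sample: one Lambda whose role still exists, one whose role was deleted.
SAMPLE_CLIENT = FakeIamClient({"listUsersRole": [{"PolicyName": "AWSLambdaBasicExecutionRole"}]})
SAMPLE_FUNCTIONS = {
    "listUsers": "arn:aws:iam::123456789012:role/listUsersRole",
    "getAllTransactions": "arn:aws:iam::123456789012:role/getAllTransactionsRole",
}
```

A function whose role is gone cannot assume it and fails at invocation, so the 'dangling' marker is worth surfacing as its own finding rather than being logged as an exception.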