This looks to be a duplicate of https://github.com/nccgroup/ScoutSuite/issues/381.
To confirm, run without specifying the `ap-east-1` region.
Hi, I tried a scan without specifying the ap-east-1 region; the (UnrecognizedClientException) and (InvalidClientTokenId) issues are resolved.
But now I am getting the following errors:
```
Task exception was never retrieved
future: <Task finished coro=<IAMFacade._get_and_set_user_groups() done, defined at /home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/iam.py:122> exception=ClientError('An error occurred (Throttling) when calling the ListGroupsForUser operation (reached max retries: 4): Rate exceeded')>
Traceback (most recent call last):
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/iam.py", line 124, in _get_and_set_user_groups
    'iam', None, self.session, 'list_groups_for_user', 'Groups', UserName=user['UserName'])
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/utils.py", line 28, in get_all_pages
    service, region, session, paginator_name, [entity], *paginator_args)
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/utils.py", line 58, in get_multiple_entities_from_all_pages
    return await run_concurrently(lambda: AWSFacadeUtils._get_all_pages_from_paginator(paginator, entities))
  File "/usr/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(self.args, **self.kwargs)
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/utils.py", line 58, in
```
Please help me with this.
Looks like you're being rate limited by AWS, try running with a lower count of `--max-workers` (e.g. 5).
Hi, sorry, my bad, I was on another branch. The issues we were facing were with 5.1.0; now that we have switched to the master branch, the paginator issues are resolved, but we are facing IAM-related issues.
```
2019-07-12 09:49:55 kali scout[2678] ERROR s3.py L144: Failed to get bucket policy for test-bucket: An error occurred (AccessDenied) when calling the GetBucketPolicy operation: Access Denied
2019-07-12 09:49:55 kali scout[2678] ERROR s3.py L86: Failed to get web hosting configuration for test-bucket-2: An error occurred (AccessDenied) when calling the GetBucketWebsite operation: Access Denied
Task exception was never retrieved
future: <Task finished coro=<Groups.fetch_all() done, defined at /home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/resources/iam/groups.py:5> exception=KeyError('Users')>
Traceback (most recent call last):
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/resources/iam/groups.py", line 8, in fetch_all
    name, resource = self._parse_group(raw_group)
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/resources/iam/groups.py", line 18, in _parse_group
    raw_group['users'] = raw_group.pop('Users')
KeyError: 'Users'
2019-07-12 09:49:55 kali scout[2678] ERROR services.py L53: Could not fetch iam configuration: None
```
Please advise as appropriate.
Looks to me like you aren't running Scout with the appropriate permissions?
These buckets are private, for which access is denied. Can it (private bucket) be a reason for these errors?
Shouldn't be, just means the principal you're running Scout with doesn't have sufficient privileges on that bucket.
I am seeing a similar issue with S3 buckets. I do have the permissions as specified here on S3 buckets - https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Privileges-Policy
Have you confirmed that these buckets don't have resource-policies that disallow those actions? The policy you linked explicitly includes the actions disallowed in your output.
Issues are resolved: I listed regions with aws-cli and mentioned only those regions while performing the scan.
Hello Team, we have followed the steps mentioned in the document https://github.com/nccgroup/ScoutSuite/wiki/Amazon-Web-Services and created a new user with ReadOnlyAccess and SecurityAudit policies attached to it. ScoutSuite is installed on Kali Linux. We have tried using both of the commands below:
Still getting multiple errors during the ScoutSuite scan, as follows:
```
2019-07-11 10:48:34 kali scout[4703] ERROR config.py L20: Failed to get Config recorders: An error occurred (UnrecognizedClientException) when calling the DescribeConfigurationRecorders operation: The security token included in the request is invalid.
2019-07-11 10:48:34 kali scout[4703] ERROR config.py L11: Failed to get Config rules: An error occurred (UnrecognizedClientException) when calling the DescribeConfigRules operation: The security token included in the request is invalid.
2019-07-11 10:48:35 kali scout[4703] ERROR elasticache.py L48: Failed to get ElastiCache security groups: An error occurred (InvalidClientTokenId) when calling the DescribeCacheSecurityGroups operation: The security token included in the request is invalid.
2019-07-11 10:48:35 kali scout[4703] ERROR ec2.py L65: Failed to describe EC2 VPC: An error occurred (AuthFailure) when calling the DescribeVpcs operation: AWS was not able to validate the provided access credentials
2019-07-11 10:48:35 kali scout[4703] ERROR elasticache.py L80: Failed to describe cache parameter groups: An error occurred (InvalidClientTokenId) when calling the DescribeCacheParameterGroups operation: The security token included in the request is invalid.
2019-07-11 10:48:38 kali scout[4703] ERROR awslambda.py L9: Failed to get Lambda functions: An error occurred (UnrecognizedClientException) when calling the ListFunctions operation: The security token included in the request is invalid.
2019-07-11 10:48:38 kali scout[4703] ERROR ec2.py L65: Failed to describe EC2 VPC: An error occurred (AuthFailure) when calling the DescribeVpcs operation: AWS was not able to validate the provided access credentials.
2019-07-11 10:48:39 kali scout[4703] ERROR elb.py L52: Failed to describe ELB policies: An error occurred (InvalidClientTokenId) when calling the DescribeLoadBalancers operation: The security token included in the request is invalid.
2019-07-11 10:48:40 kali scout[4703] ERROR cloudtrail.py L13: Failed to describe CloudTrail trail: An error occurred (UnrecognizedClientException) when calling the DescribeTrails operation: The security token included in the request is invalid.
2019-07-11 10:48:41 kali scout[4703] ERROR cloudwatch.py L10: Failed to get CloudWatch alarms: An error occurred (InvalidClientTokenId) when calling the DescribeAlarms operation: The security token included in the request is invalid.
```
Reports are being generated but findings for some services are not opening. Please advise as appropriate.
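An added example, not part of the original thread or of ScoutSuite's code: a small triage script that sorts the three kinds of failure reported above (invalid-token errors, IAM throttling, S3 AccessDenied) by likely cause and maps each to the remedy given in the replies. The `CAUSE` and `REMEDY` tables, the `triage` function and the sample text are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# AWS error code -> likely cause, following the replies in this thread.
CAUSE = {
    "UnrecognizedClientException": "region-not-enabled",
    "InvalidClientTokenId": "region-not-enabled",
    "AuthFailure": "region-not-enabled",  # assumption: EC2's wording of the same failure
    "Throttling": "rate-limited",
    "AccessDenied": "insufficient-permissions",
}
REMEDY = {
    "region-not-enabled": "scan only the regions enabled for the account",
    "rate-limited": "re-run with a lower --max-workers (e.g. 5)",
    "insufficient-permissions": "check the principal's policy and the bucket's resource policy",
}
# botocore ClientError text: "An error occurred (<Code>) when calling the <Op> operation"
CLIENT_ERROR = re.compile(r"An error occurred \((\w+)\) when calling the (\w+) operation")

def triage(log_text):
    """Group failed AWS operations by likely cause; unknown codes land in 'other'.

    findall() scans the whole text, so it also works when log lines have been
    run together or the error sits inside a traceback's exception=... field.
    """
    causes = defaultdict(set)
    for code, operation in CLIENT_ERROR.findall(log_text):
        causes[CAUSE.get(code, "other")].add(operation)
    return {cause: sorted(ops) for cause, ops in causes.items()}

# Constructed sample: lines shortened from the output quoted in this thread.
SAMPLE = """\
ERROR config.py L20: Failed to get Config recorders: An error occurred (UnrecognizedClientException) when calling the DescribeConfigurationRecorders operation: The security token included in the request is invalid.
ERROR ec2.py L65: Failed to describe EC2 VPC: An error occurred (AuthFailure) when calling the DescribeVpcs operation: AWS was not able to validate the provided access credentials
exception=ClientError('An error occurred (Throttling) when calling the ListGroupsForUser operation (reached max retries: 4): Rate exceeded')
ERROR s3.py L144: Failed to get bucket policy for test-bucket: An error occurred (AccessDenied) when calling the GetBucketPolicy operation: Access Denied ERROR s3.py L86: Failed to get web hosting configuration for test-bucket-2: An error occurred (AccessDenied) when calling the GetBucketWebsite operation: Access Denied
"""

if __name__ == "__main__":
    for cause, ops in triage(SAMPLE).items():
        print(f"{cause}: {', '.join(ops)} -> {REMEDY.get(cause, 'inspect manually')}")
```

Operations that land under `insufficient-permissions` are the ones whose report sections will be incomplete, so they are the first to re-check before trusting a finding that a service is clean.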