search

prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0
10.8k stars 1.54k forks source link

[Bug]: extra760 results in success despite errors #1014

Closed lorchda closed 2 years ago

lorchda commented 2 years ago

What happened?

In check extra760, the lambda:GetFunction returns a permission denied error, but the function returns a PASS. See logs below (Account ID masked, but otherwise log output captured as-is).

This is a follow-up to #940. The fix mentioned there only considers lambda:ListFunction, but not the lambda:GetFunction, which is the actual culprit.

Error message

7.60 [extra760] Find secrets in Lambda functions code  - lambda [Critical]
An error occurred (AccessDeniedException) when calling the GetFunction operation: User: arn:aws:sts::1234567890:assumed-role/ProwlerXA-CBRole/ProwlerAssessmentSession is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:eu-central-1:1234567890:function:CustomControlTowerDeploymentLambda because no identity-based policy allows the lambda:GetFunction action
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
unzip:  cannot find or open ./prowler/secrets-1234567890/extra760-CustomControlTowerDeploymentLambda-eu-central-1/CustomControlTowerDeploymentLambda-code.zip, ./prowler/secrets-1234567890/extra760-CustomControlTowerDeploymentLambda-eu-central-1/CustomControlTowerDeploymentLambda-code.zip.zip or ./prowler/secrets-1234567890/extra760-CustomControlTowerDeploymentLambda-eu-central-1/CustomControlTowerDeploymentLambda-code.zip.ZIP.
       PASS! eu-central-1: No secrets found in Lambda function CustomControlTowerDeploymentLambda code

How to reproduce it

Run prowler with check extra760 on an environment with Control Tower.

Expected behavior
A clear and concise description of what you expected to happen.

FAIL! instead of PASS!, and also less noise on the output (curl errors etc.)

Screenshots or Logs
If applicable, add screenshots to help explain your problem. Also, you can add logs (anonymize them first!). Here a command that may help to share a log bash -x ./prowler -options > debug.log 2>&1 then attach here debug.log

From where are you running Prowler?
Please, complete the following information:

Additional context Add any other context about the problem here.

lazize commented 2 years ago

Could you check if your role ProwlerXA-CBRole has the same permissions according to the file below?

As you can see, action lambda:GetFunction was added on 2.7 version. https://github.com/prowler-cloud/prowler/blob/dcd55dbb8f8451fe05489a048183c9c61312c2f7/iam/create_role_to_assume_cfn.yaml#L63

lazize commented 2 years ago

This check has a grep for AccessDenied as below

    if [[ $(echo "$LIST_OF_FUNCTIONS" | grep AccessDenied) ]]; then
      textInfo "$regx: Access Denied trying to list Lambda functions" "$regx" "$lambdafunction"
      continue
    fi

But other checks has a grep with more options, like below

    if [[ $(echo "$SSM_DOCS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
        textInfo "$regx: Access Denied trying to list documents" "$regx"
        continue
    fi

Should all grep checks for AccessDenied looks like the second one?

lazize commented 2 years ago

This check uses curl -s.
Should it be like curl -s --show-error as suggested on curl documentation? In case of error on curl it will not be suppressed.

   -s, --silent
          Silent or quiet mode. Don't show progress meter or error messages.  Makes Curl mute. It will still output the data you ask for, potentially even to the terminal/stdout unless you redirect
          it.

          Use -S, --show-error in addition to this option to disable progress meter but still show error messages.
lorchda commented 2 years ago

@lazize thank you for the pointer, I confirm the lambda:GetFunction is missing in my role. I initially was thinking that an SCP could be the culprit and didn't check the permissions myself - thank you.

It appears that the role descriptions are not in sync. I am using prowler/util/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml which did not get the update. See these files:

lazize commented 2 years ago

Those files you mention has much more permissions than others. Even though they are not in sync.

Keep all those files in sync is a very hard job to do it manually. I believe it will need a better mechanism to handle this situation. Just rely on people is not good enough.

lazize commented 2 years ago

@toniblyx How about the questions above about curl and check for AccessDenied?

toniblyx commented 2 years ago

@lazize @lorchda sorry for the late response, yes, we have to fine tune that check and parse the curl error in a better way. Let's see if that can be addressed before 2.8 is release.

toniblyx commented 2 years ago

Thanks @lazize we will review and merge it next week.

jfagoagas commented 2 years ago

Pull Request https://github.com/prowler-cloud/prowler/pull/1055 has been merged, thank you @lorchda @lazize for this awesome work!!