prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

Prowler gets stuck / fails when running Lambda check against account with LZA #4209

Closed js37 closed 2 weeks ago

js37 commented 2 months ago

Steps to Reproduce

When running this awslambda check on an account that has Landing Zone Accelerator deployed, Prowler gets stuck.

`prowler aws -c awslambda_function_no_secrets_in_code`

When running in log-level INFO mode, this is the output

```
Executing 1 check, please wait...
2024-06-07 13:52:53,152 [File: service.py:85]   [Module: service]    INFO: LAMBDA - Starting threads for 'List Functions' function across 17 regions...
2024-06-07 13:52:53,152 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,152 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,152 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,153 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,153 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,153 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,153 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,153 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,154 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,154 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,667 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: ca-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:53,667 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,837 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,906 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: eu-west-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:53,906 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,908 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: eu-west-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:53,913 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: ap-southeast-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:53,913 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,914 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,919 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: eu-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:53,919 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,936 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: ap-northeast-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:53,936 [File: awslambda_service.py:29]     [Module: awslambda_service]  INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,979 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: sa-east-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:53,991 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: eu-north-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:54,034 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: us-west-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:54,175 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: eu-west-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:54,221 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: ap-south-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:54,427 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: ap-southeast-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:54,488 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: ap-northeast-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:54,630 [File: awslambda_service.py:59]     [Module: awslambda_service]  ERROR: ap-northeast-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:54,630 [File: awslambda_service.py:158]    [Module: awslambda_service]  INFO: Lambda - List Tags...
2024-06-07 13:52:59,531 [File: service.py:85]   [Module: service]    INFO: LAMBDA - Starting threads for 'Get Policy' function across 17 regions...
2024-06-07 13:52:59,535 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,536 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,535 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,537 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,535 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,535 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,539 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,539 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,540 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,535 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,536 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,537 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,537 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,537 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,535 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,537 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:52:59,536 [File: awslambda_service.py:106]    [Module: awslambda_service]  INFO: Lambda - Getting Policy...
2024-06-07 13:53:01,307 [File: service.py:85]   [Module: service]    INFO: LAMBDA - Starting threads for 'Get Function Url Config' function across 17 regions...
2024-06-07 13:53:01,307 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,307 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,309 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,309 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,308 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,313 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,314 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:01,314 [File: awslambda_service.py:129]    [Module: awslambda_service]  INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:05,012 [File: awslambda_service.py:66]     [Module: awslambda_service]  INFO: Lambda - Getting Function Code...
```

When running in log-level debug, the last thing that would print out is DEBUG: https://awslambda-us-west-2-tasks.s3.us-west-2.amazonaws.com:443 "GET /snapshots/<account ID>/<function name>

I have tested this check, and it works on other accounts.

Expected behavior

I expect the scan to complete. The ClientErrors due to having service control policies are fine. I expect the scan to finish with no results if it is due to a permission problem.

Actual Result with Screenshots or Logs

In description above.

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Prowler 4.2.4 (You are running the latest version, yay!)

OS used

MacOS

Prowler version

4.2.4

Pip version

24

Context

No response

jfagoagas commented 2 months ago

Hi @js37 it seems that Prowler is just executing that check. It can take a lot of time if you have a lot of lambdas with a great codebase since Prowler analyzes all the source code in memory while running the check.

How many AWS Lambda Functions do you have in that account?

Thanks for using Prowler 🚀
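The behaviour the reporter asks for (skip SCP-denied regions and still finish) and the behaviour the maintainer describes (the check pulls each function's deployment package and analyses the source in memory) can be modelled offline. The following is an added example written for this page; it is not Prowler's code and does not reproduce its implementation. `ClientError` is a hypothetical stand-in for the botocore exception, the two regex rules and the 50 MB cap are constructed choices, and the sample bundle, region names and function names are made up for the demo. The per-download timeout is the practitioner caveat: a bundle fetch that never returns should be reported as a timeout rather than stalling the whole run.

```python
"""Added example, not Prowler's code: a model of the secrets-in-code workflow
that records an SCP AccessDeniedException per region and moves on, bounds each
bundle download with a hard timeout, and scans the zip in memory under a size
cap.  ClientError, the regex rules and the sample bundle are constructed."""
import io
import re
import time
import zipfile
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


class ClientError(Exception):
    """Hypothetical stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


# Constructed rule set; a real scanner carries far more patterns.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "generic_secret": re.compile(r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]{8,}['\"]"),
}
MAX_BUNDLE_BYTES = 50 * 1024 * 1024  # refuse to hold arbitrarily large bundles in memory


def scan_bundle(zip_bytes):
    """Scan a deployment zip in memory; return (member, rule, line_no) hits."""
    if len(zip_bytes) > MAX_BUNDLE_BYTES:
        return [("<bundle>", "skipped_too_large", 0)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith("/"):
                continue
            try:
                text = zf.read(member).decode("utf-8")
            except UnicodeDecodeError:
                continue  # compiled or binary artifact, not source
            for line_no, line in enumerate(text.splitlines(), 1):
                for rule, pattern in SECRET_PATTERNS.items():
                    if pattern.search(line):
                        findings.append((member, rule, line_no))
    return findings


def scan_regions(regions, list_functions, fetch_code, fetch_timeout=30.0):
    """list_functions(region) -> names (may raise ClientError);
    fetch_code(region, name) -> zip bytes.  Returns a per-region report."""
    report = {}
    pool = ThreadPoolExecutor(max_workers=4)
    for region in regions:
        try:
            names = list_functions(region)
        except ClientError as err:
            if err.code == "AccessDeniedException":  # e.g. explicit deny in an SCP
                report[region] = {"status": "skipped_access_denied", "findings": {}}
                continue
            raise
        findings = {}
        for name in names:
            future = pool.submit(fetch_code, region, name)
            try:
                findings[name] = scan_bundle(future.result(timeout=fetch_timeout))
            except FutureTimeout:
                findings[name] = "timeout"  # stalled download: record it, keep going
        report[region] = {"status": "scanned", "findings": findings}
    pool.shutdown(wait=False)
    return report


def build_sample_bundle():
    """Constructed sample bundle; the key is AWS's documented example value."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("handler.py", "import os\nAWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
                                  "def handler(event, ctx):\n    return 'ok'\n")
        zf.writestr("config.py", "DB_PASSWORD = 'correct-horse-battery'\n")
        zf.writestr("lib/blob.bin", b"\x00\x01\x02\xff")
    return buf.getvalue()


def demo():
    """Three constructed regions: one normal, one SCP-denied, one stalled download."""
    bundle = build_sample_bundle()

    def list_functions(region):
        if region == "ca-central-1":
            raise ClientError("AccessDeniedException",
                              "explicit deny in a service control policy")
        return ["app-handler"] if region == "us-east-1" else ["slow-fn"]

    def fetch_code(region, name):
        if name == "slow-fn":
            time.sleep(1.0)  # simulate a snapshot GET that does not return in time
        return bundle

    return scan_regions(["us-east-1", "ca-central-1", "us-west-2"],
                        list_functions, fetch_code, fetch_timeout=0.2)


if __name__ == "__main__":
    for region, result in demo().items():
        print(region, result)
```

Running it prints one line per region: `us-east-1` with two hits in the sample bundle, `ca-central-1` marked `skipped_access_denied`, and `us-west-2` with `slow-fn` recorded as `timeout`. The `raise` for any other `ClientError` code is deliberate: only the SCP deny is an expected, non-fatal condition in a Landing Zone Accelerator account.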

jfagoagas commented 2 weeks ago

I will close this issue since there is no reply since June. Please @js37 feel free to reopen it if you have any update on the issue or the above comment. If you can, please try that out again with Prowler v4.3.3 and let us know.

Thanks for using Prowler 🚀