trendmicro / cloudone-filestorage-deployment-templates

Apache License 2.0

Converted Lambda's Inline Policies to Managed Policies #74

Closed adv4000 closed 2 years ago

adv4000 commented 2 years ago

Hi, we are using the Scanner Stack with your official CloudFormation template from here: https://github.com/trendmicro/cloudone-filestorage-deployment-templates/blob/master/aws/FSS-Scanner-Stack.template

All your Lambda functions' IAM roles have inline IAM policies. We have the NIST compliance pack deployed, and the iam-no-inline-policy-check check is failing due to inline policies in IAM roles. I have converted all inline policies of the Lambdas to managed IAM policies using the CloudFormation resource type AWS::IAM::ManagedPolicy.

Let me know if you need any other info. https://docs.aws.amazon.com/config/latest/developerguide/iam-no-inline-policy-check.html
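The conversion described above, as an added Python illustration (not code from the repository or this PR): it moves each inline `Policies` entry on a role into an `AWS::IAM::ManagedPolicy` attached back through `Roles`, then compares the actions a role is granted before and after, which is the check that would surface a permission such as lambda:GetFunctionConfiguration going missing. The sample template, role and policy names are constructed, not taken from the scanner stack template.

```python
"""Convert inline IAM role policies in a CloudFormation template into
AWS::IAM::ManagedPolicy resources, then verify no permission was lost."""
import copy

# Constructed sample, not the scanner stack template: one role with an inline
# policy granting the action the failing deployment in this PR lacked.
SAMPLE_TEMPLATE = {"Resources": {"CreateLambdaAliasExecutionRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": "lambda.amazonaws.com"}}]},
        "Policies": [{"PolicyName": "lambda-alias", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Action": ["lambda:CreateAlias", "lambda:GetFunctionConfiguration"],
                "Resource": {"Fn::GetAtt": ["ScannerDeadLetterLambda", "Arn"]}}]}}],
    }}}}

def inline_policy_roles(template):
    """Roles still carrying inline policies (what iam-no-inline-policy-check flags)."""
    return sorted(n for n, r in template["Resources"].items()
                  if r.get("Type") == "AWS::IAM::Role"
                  and r.get("Properties", {}).get("Policies"))

def convert_inline_to_managed(template):
    """Copy of template with each inline policy moved to an AWS::IAM::ManagedPolicy
    resource attached back to its role via Roles: [{"Ref": role}]."""
    out = copy.deepcopy(template)
    res = out["Resources"]
    for role in inline_policy_roles(template):
        for pol in res[role]["Properties"].pop("Policies"):
            logical_id = role + pol["PolicyName"].title().replace("-", "") + "Policy"
            res[logical_id] = {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
                "PolicyDocument": pol["PolicyDocument"], "Roles": [{"Ref": role}]}}
    return out

def allowed_actions(template, role):
    """Actions the role gets from inline policies plus managed policies naming it
    in Roles; compare before and after so nothing silently disappears."""
    res = template["Resources"]
    docs = [p["PolicyDocument"] for p in res[role]["Properties"].get("Policies", [])]
    docs += [r["Properties"]["PolicyDocument"] for r in res.values()
             if r.get("Type") == "AWS::IAM::ManagedPolicy"
             and {"Ref": role} in r["Properties"].get("Roles", [])]
    actions = set()
    for st in (s for d in docs for s in d["Statement"] if s.get("Effect") == "Allow"):
        a = st.get("Action", [])
        actions.update([a] if isinstance(a, str) else a)
    return actions
```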

felipecosta09 commented 2 years ago

Hey @adv4000, sorry it took so long to get started on this!

I've analyzed your feature update to the template and I couldn't make it work; here is the error that I got:

These are the resources that failed to be created: [ScannerDLQ, ScannerDeadLetterLambdaAlias]

Here's from CloudWatch:

Unhandled exception: An error occurred (AccessDeniedException) when calling the GetFunctionConfiguration operation: User: arn:aws:sts::{redacted}:assumed-role/owdjqokwmd-CreateLambdaAliasExecutionRole-17HAFROBW4PE1/owdjqokwmd-CreateLambdaAliasLambda-9bNgR71xwJQh is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:us-east-1:{redacted}:function:owdjqokwmd-ScannerDeadLetterLambda-QbPPQi0N5ibC because no identity-based policy allows the lambda:GetFunctionConfiguration action

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetFunctionConfiguration operation: User: arn:aws:sts::{redacted}:assumed-role/owdjqokwmd-CreateLambdaAliasExecutionRole-17HAFROBW4PE1/owdjqokwmd-CreateLambdaAliasLambda-9bNgR71xwJQh is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:us-east-1:{redacted}:function:owdjqokwmd-ScannerDeadLetterLambda-QbPPQi0N5ibC because no identity-based policy allows the lambda:GetFunctionConfiguration action

The first thing that came to my mind is that since May we have added features to FSS, which resulted in additional lines in the template, so I went back in time to commit 4ff389b and tried to deploy that template, just to check that there are no backend version issues or anything like that, and it did work.

Sounds like a silly question, but did you manage to deploy this template at the time? And if yes, can you still?

adv4000 commented 2 years ago

Yes, I had deployed it before submitting the PR. I don't have the opportunity to deploy it again after 3 months. Sorry.