Closed defec8edc0de closed 2 years ago
@defec8edc0de Wow!! Love to hear you like Steampipe 💯 Very interesting to see such a detailed approach; appreciate your interest.
While we are checking it in detail, in the first place I just want to inform you that some of the tables need the required column to be passed, as per the API requirement.
e.g. aws_appautoscaling_target: Warning: executeQueries: query 1 of 1 failed: ERROR: rpc error: code = Internal desc = 'List' call is missing required quals: column:'service_namespace' operator: = (SQLSTATE HV000)
The above query can be modeled as (example):
select * from aws_appautoscaling_target where service_namespace = 'dynamodb';
(here service_namespace is the required field for the list call of aws_appautoscaling_target)
I guess most of the tables mentioned have similar issues. I am still checking whether all the tables fall into the same set of requirements.
The following tables being investigated may require a fix; will keep you posted.
- aws_wellarchitected_workload: took too long, likely errors happen in the background
- aws_workspaces_workspace: Warning: executeQueries: query 1 of 1 failed: ERROR: rpc error: code = Unknown desc = RequestError: send request failed caused by: Post "https://workspaces.eu-west-3.amazonaws.com/": dial tcp: lookup workspaces.eu-west-3.amazonaws.com on 192.168.234.1:53: read udp 192.168.234.129:52243->192.168.234.1:53: read: connection refused (SQLSTATE HV000)
The ones mentioned under "Special authorization required" are a combination of required-column and permission requirements, which I need to investigate or wait for somebody to respond on. These are initial observations:
aws_config_conformance_pack: Warning: executeQueries: query 1 of 1 failed: ERROR: rpc error: code = Unknown desc = AccessDeniedException: status code: 400, request id: 8e95747f-baff-41c0-9996-3fe825bfb33f (SQLSTATE HV000)
>> Investigating
aws_ssoadmin_instance: Warning: executeQueries: query 1 of 1 failed: ERROR: rpc error: code = Unknown desc = AccessDeniedException: User: arn:aws:iam::[redacted]:user/[redacted] is not authorized to perform: sso:ListInstances (SQLSTATE HV000)
>> This is related to an IAM permission issue for the SSO service.
aws_organizations_account: 403 because usually you don't have authorization to access the org account in an audit...
>> IAM permission issue to access org level info.
aws_ssoadmin_managed_policy_attachment: Warning: executeQueries: query 1 of 1 failed: ERROR: rpc error: code = Internal desc = 'List' call is missing required quals: column:'permission_set_arn' operator: = (SQLSTATE HV000)
>> The required column should be specified. Refer here.
aws_ssoadmin_permission_set: Warning: executeQueries: query 1 of 1 failed: ERROR: rpc error: code = Unknown desc = AccessDeniedException: User: arn:aws:iam::[redacted]:user/[redacted] is not authorized to perform: sso:ListInstances (SQLSTATE HV000)
>> Permission-related issue; checking if we can provide more info around it.
A better approach from our side would have been to provide more information around it in the docs. We will definitely work on providing this information. Let us know
On further investigation, interestingly we found that Conformance Packs are not supported in Osaka (ap-northeast-3); hence if the aws.spc file has * in the region, it breaks with the below exception.
aws_config_conformance_pack: Warning: executeQueries: query 1 of 1 failed: ERROR: rpc error: code = Unknown desc = AccessDeniedException: status code: 400, request id: 8e95747f-baff-41c0-9996-3fe825bfb33f (SQLSTATE HV000)
@bigdatasourav any other finding feel free to add here.
@defec8edc0de Thanks for waiting on this; the above has resulted in 2 bugs for which we have the PR ready to go this week.
Describe the bug
When running a bash loop over ALL AWS tables with a multi-region connection (select * awsaccountxyzwithmfaadminaccess.aws_*) using the latest Steampipe and AWS plugin version, I discovered the following warnings/exceptions that impede my progress in automating security audits with Steampipe (yes, I am aware of the CIS mod, it's just not enough for me). Please note, surely some of the bugs are covered by other existing issues in the GitHub repo already, but I am too lazy to filter those out.
Steampipe version (steampipe -v): v0.11.2 (under latest Arch Linux Rolling)
Plugin version (steampipe plugin list): v0.44.0
To reproduce
Run the following bash snippet of my automation script, with the following ~/.steampipe/config/aws.spc that defines an aws CLI connection over all regions with MFA-enabled credentials (profile awsaccountxyzwithmfaadminaccessprofile has aws_session_token in ~/.aws/credentials) and access to the target AWS account with "AdministratorAccess" group permissions:
Please note, not all of the queried AWS resources are actually used in my target AWS account (e.g. iam_credential_report etc.); perhaps this could also be a reason for some of the errors listed below in the additional context.
Expected behavior
Graceful handling of errors and return of empty results for non-existing resource information. Authorization errors could/should be raised in --dry-run?
Update: I was informed that some Steampipe tables REQUIRE a where clause, which is expected behaviour. Please ignore errors below where this is the case. Have to do more research.
Additional context
Here are the collected errors (as of 17.01.2022):
Thank you, happy fixing, and please let me know if you have further questions (I love Steampipe)
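As an added example (not code from this issue or from the Steampipe project), a POSIX shell helper that classifies the warnings quoted in this thread so an audit loop like the one described can skip tables whose list call needs a where clause and record permission or network failures instead of aborting; the category names and the STEAMPIPE_CMD override are assumptions.

```shell
# classify_steampipe_error: map one Steampipe "executeQueries ... failed" warning
# to a category an audit loop can act on. The category names are constructed for
# this example:
#   required_qual - the table's List call needs a WHERE on a specific column
#   access_denied - the IAM principal lacks permission for the underlying API call
#   network       - the regional endpoint could not be reached
#   unknown       - anything else; surface it for manual review
classify_steampipe_error() {
  case "$1" in
    *"missing required quals"*) echo required_qual ;;
    *AccessDeniedException*|*"is not authorized to perform"*) echo access_denied ;;
    *"dial tcp"*|*"connection refused"*) echo network ;;
    *) echo unknown ;;
  esac
}

# required_qual_column: pull the column name out of a required-quals warning,
# e.g. service_namespace from "column:'service_namespace' operator: =".
required_qual_column() {
  printf '%s\n' "$1" | sed -n "s/.*column:'\([^']*\)'.*/\1/p"
}

# audit_tables: read one table name per line on stdin, run "select * from <table>"
# through the Steampipe CLI (STEAMPIPE_CMD is an assumed override, default
# "steampipe") and print "<table> <outcome>" so the loop continues past failures.
audit_tables() {
  while read -r table; do
    out=$("${STEAMPIPE_CMD:-steampipe}" query "select * from $table" 2>&1)
    if printf '%s\n' "$out" | grep -q 'executeQueries'; then
      cls=$(classify_steampipe_error "$out")
      if [ "$cls" = required_qual ]; then
        echo "$table skipped: add where $(required_qual_column "$out") = ..."
      else
        echo "$table $cls"
      fi
    else
      echo "$table ok"
    fi
  done
}
```

Feed it the table list, e.g. `steampipe query "select table_name from information_schema.tables where table_schema = 'aws'" --output csv | tail -n +2 | audit_tables`, and review the access_denied and network lines separately from the tables that only need a qualifier.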