ERROR status when using permissions boundary with scan lambda IAM role

[kukushking]

Might be related to #531 but not quite sure.

If IAM role used by scanning lambda function has any permissions boundary attached, even if it's allow all, the scan fails with an error:

[ERROR] Exception: 
{
    "source": "serverless-clamscan",
    "input_bucket": "<REMOVED>",
    "input_key": "<REMOVED>",
    "status": "ERROR",
    "message": "Forbidden"
}

Traceback (most recent call last):
  File "/var/lang/lib/python3.8/site-packages/aws_lambda_powertools/metrics/metrics.py", line 184, in decorate
    response = lambda_handler(event, context)
  File "/var/lang/lib/python3.8/site-packages/aws_lambda_powertools/logging/logger.py", line 354, in decorate
    return lambda_handler(event, context, *args, **kwargs)
  File "/var/task/lambda.py", line 78, in lambda_handler
    download_object(input_bucket, input_key, payload_path)
  File "/var/task/lambda.py", line 149, in download_object
    report_failure(
  File "/var/task/lambda.py", line 299, in report_failure
    raise Exception(json.dumps(exception_json))

Steps to reproduce

1. Add the following permissions boundary to the IAM role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

2. Upload the object to the bucket

To add to this, if I remove the deny bucket policy added by ClamAV, this fixes the error as well, even if permissions boundary is still in place. I suspect that has something to do with the identity of the IAM roles that have permission boundaries attached.

Expected behaviour

I expect ClamAV scan to support IAM permission boundaries. Permission boundaries enforced on the stack level is the common security best practice.

[dontirun]

My initial suspicion is that it has something to do with the assumed role principal that is required on the Not Principals line on the bucket policy.

We might need to manually edit the scan lambda function here to see fi we can get more details from the error message

[rickyrich]

I encountered a similar problem. To fix it, I changed the bucket ACL to "Bucket owner enforced".

I have a cross account set-up and the scanning works fine if I upload the files directly to the S3 console. However, it gives an error when the file is uploaded from a lambda function that runs under another account. Upon checking the CloudWatch for the Clamscan function, I saw the the message is "Forbidden".

Then, I realized that the S3 bucket was created with the file owner set to the account used to upload. This breaks the permissions granted via the bucket policy. Everything worked fine after I changed the bucket ACL to "Bucket owner enforced", which is actually the recommended value.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

[vmarinescu]

I am running into the same issue. Applying the 'bucket owner enforced' suggestion did not help in my case.

I added more logs here and I get the following:

An error occurred (403) when calling the HeadObject operation: Forbidden

The execution role assumed by the lambda function has the following permissions (via policy):
<bucket>

• Allow: s3:GetObject*
• Allow: s3:GetBucket*
• Allow: s3:List*

<bucket>/*

• Allow: s3:GetObject*
• Allow: s3:GetBucket*
• Allow: s3:List*

Removing the bucket policy allows for the object to be downloaded and scanned...so I guess something has to be wrong with the 'Principal' part of the statement.
https://github.com/awslabs/cdk-serverless-clamscan/blob/main/src/index.ts#L519

[rickyrich]

vmarinescu, did you try it also on newly uploaded files? Files that have been uploaded prior to the ACL change will remain inaccessible as the updated permissions apply only to new files.

[vmarinescu]

@rickyrich yes, I did. I recreated the CF stack multiple times.

[vmarinescu]

I opened #635 to document what was my issue and how I fixed it.

[dontirun]

This is resolved in v2.4.72, thanks @vmarinescu !