ERROR status when using permissions boundary with scan lambda IAM role #532
Might be related to #531 but not quite sure.
If the IAM role used by the scanning lambda function has any permissions boundary attached, even if it is allow-all, the scan fails with an error:
Steps to reproduce
To add to this, if I remove the deny bucket policy added by ClamAV, this fixes the error as well, even if the permissions boundary is still in place. I suspect that has something to do with the identity of the IAM roles that have permission boundaries attached.
Expected behaviour
I expect the ClamAV scan to support IAM permission boundaries. Permission boundaries enforced at the stack level are a common security best practice.

Comments

My initial suspicion is that it has something to do with the assumed role principal that is required on the
We might need to manually edit the scan lambda function here to see if we can get more details from the error message.

I encountered a similar problem. To fix it, I changed the bucket ACL to "Bucket owner enforced". I have a cross-account set-up and the scanning works fine if I upload the files directly in the S3 console. However, it gives an error when the file is uploaded from a lambda function that runs under another account. Upon checking CloudWatch for the Clamscan function, I saw that the message is "Forbidden". Then I realized that the S3 bucket was created with the file owner set to the account used to upload. This breaks the permissions granted via the bucket policy. Everything worked fine after I changed the bucket ACL to "Bucket owner enforced", which is actually the recommended value. https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

I am running into the same issue. Applying the 'bucket owner enforced' suggestion did not help in my case. I added more logs here and I get the following:
The execution role assumed by the lambda function has the following permissions (via policy):
Removing the bucket policy allows the object to be downloaded and scanned... so I guess something has to be wrong with the 'Principal' part of the statement.

vmarinescu, did you try it also on newly uploaded files? Files that were uploaded prior to the ACL change will remain inaccessible, as the updated permissions apply only to new files.

@rickyrich yes, I did. I recreated the CF stack multiple times.

I opened #635 to document what my issue was and how I fixed it.

This is resolved in