Access Denied due to embedded iam policy cause policies to fail #9455

Open
PratMis opened this issue Apr 22, 2024 · 2 comments
PratMis commented Apr 22, 2024

Describe the bug

Application teams configure IAM resource policies for resources such as S3 Buckets, SNS Topics, SQS Queues, Lambda Functions, and S3 Glacier Vaults. For example, resource owners can block Cloud Custodian from scanning a resource or set it to deny all.
Custodian execution failures lead to compliance evaluation gaps and stale/incomplete data in downstream compliance reporting tools.

What did you expect to happen?

Expectation is to skip the resource that blocks access and proceed with evaluation of other resources

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

No response

Policy

No response

Relevant log/traceback output

botocore.errorfactory.AuthorizationErrorException: An error occurred (AuthorizationError) when calling the GetTopicAttributes operation: User: arn:aws:sts::123456789000:assumed-role/CloudCustodian/CloudCustodian is not authorized to perform: SNS:GetTopicAttributes on resource: arn:aws:sns:us-east-1:123456789000:test-resource with an explicit deny in a resource-based policy

Extra information or context

No response

@PratMis PratMis changed the title Access Denied due to embedded iam policy causes policies to fail Access Denied due to embedded iam policy cause policies to fail Apr 22, 2024
PratMis commented Apr 23, 2024

Error pattern for other resource types. Ugh, there are different error types for each resource.

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetRepositoryPolicy operation: User: CloudCustodian is not authorized to perform: ecr:GetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:123456789012:repository/x with an explicit deny in a resource-based policy

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetKeyPolicy operation: User: CloudCustodian is not authorized to perform: kms:GetKeyPolicy on resource: arn:aws:kms:us-east-1:219282823942:key/X because no resource-based policy allows the kms:GetKeyPolicy action

PratMis commented Apr 23, 2024

I did some digging and found that, out of the 3 total failures listed above, only one is caused within detail_spec. The other 2 failures shown below are coming from ecr_augment and kms_get_policy_augment and should be tackled separately imo.
I also think that since ecr tags and kms embedded policies are additional metadata we capture via additional API calls, we should let those fail and raise errors vs catching them, because they could cause a policy to be executed without fetching the right metadata.

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetRepositoryPolicy operation: User: CloudCustodian is not authorized to perform: ecr:GetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:123456789012:repository/x with an explicit deny in a resource-based policy

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetKeyPolicy operation: User: CloudCustodian is not authorized to perform: kms:GetKeyPolicy on resource: arn:aws:kms:us-east-1:219282823942:key/X because no resource-based policy allows the kms:GetKeyPolicy action
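An added example, not Cloud Custodian's code, showing the behaviour the report asks for at the describe stage: a resource whose owner denies access is skipped and recorded as a coverage gap, while every other botocore error (throttling, a missing grant in Custodian's own role) still fails loudly. It keys on the error codes and the "resource-based policy" wording from the three tracebacks quoted in this issue; the SNS `AuthorizationErrorException` is a modeled subclass of `ClientError`, so one handler covers it. The `ClientError` stand-in, the `AccessDenied` code for S3/SQS and the sample topics are constructed assumptions.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

try:
    from botocore.exceptions import ClientError
except ImportError:  # stand-in with the same shape, so the example also runs without botocore installed
    class ClientError(Exception):  # type: ignore[no-redef]
        def __init__(self, error_response: dict, operation_name: str) -> None:
            self.response, self.operation_name = error_response, operation_name
            err = error_response["Error"]
            super().__init__(f"An error occurred ({err['Code']}) when calling the {operation_name} operation: {err.get('Message', '')}")

# Codes from the tracebacks quoted in this issue (SNS, ECR, KMS); "AccessDenied" is assumed for S3/SQS.
DENIAL_CODES = {"AuthorizationError", "AccessDeniedException", "AccessDenied"}
ARN_RE = re.compile(r"on resource: (arn:\S+)")

def resource_policy_denial(err: ClientError) -> Optional[str]:
    """Denied ARN if `err` is a resource-based-policy denial; None otherwise.
    A denial by the caller's own identity-based policy is a Custodian misconfiguration, never skipped."""
    error = err.response.get("Error", {})
    message = error.get("Message", "")
    if error.get("Code") not in DENIAL_CODES or "resource-based policy" not in message:
        return None
    match = ARN_RE.search(message)
    return match.group(1) if match else "<arn not reported>"

def describe_with_skips(arns: List[str], fetch: Callable[[str], dict]) -> Tuple[Dict[str, dict], List[dict]]:
    """Describe each resource; skip ones whose owner denies access, re-raise everything else."""
    described: Dict[str, dict] = {}
    skipped: List[dict] = []  # recorded so downstream compliance reports show the gap explicitly
    for arn in arns:
        try:
            described[arn] = fetch(arn)
        except ClientError as exc:
            denied_arn = resource_policy_denial(exc)
            if denied_arn is None:
                raise  # throttling, missing IAM grants, etc. must still fail the policy run
            skipped.append({"arn": denied_arn, "operation": exc.operation_name,
                            "code": exc.response["Error"]["Code"]})
    return described, skipped

# Constructed sample: one topic whose owner added an explicit deny (message text taken from the issue).
DENIED_TOPIC = "arn:aws:sns:us-east-1:123456789000:test-resource"
OPEN_TOPIC = "arn:aws:sns:us-east-1:123456789000:open-topic"
def fake_get_topic_attributes(arn: str) -> dict:
    if arn == DENIED_TOPIC:
        msg = ("User: arn:aws:sts::123456789000:assumed-role/CloudCustodian/CloudCustodian is not authorized "
               f"to perform: SNS:GetTopicAttributes on resource: {arn} with an explicit deny in a resource-based policy")
        raise ClientError({"Error": {"Code": "AuthorizationError", "Message": msg}}, "GetTopicAttributes")
    return {"TopicArn": arn, "Attributes": {"KmsMasterKeyId": "alias/aws/sns"}}
```

The `skipped` list is the part worth surfacing: emitting it alongside the policy output is what keeps the downstream report from silently treating a blocked resource as compliant.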
