
AccessDeniedException for kms:GetKeyPolicy #671

Closed
andrewkrug opened this issue Mar 2, 2020 · 2 comments · Fixed by #673
Labels
bug Something isn't working

Comments

@andrewkrug
Contributor

Please mention the following:

  • What command was run?
    The collect command

  • Are you working out of a pipenv environment, Docker, or something else?
    Working out of the continuous auditor in Docker + Fargate using cross account roles.

For some accounts with restricted keys the following is logged as an error:

kms.get_key_policy({'KeyId': 'xxx', 'PolicyName': 'default'}): An error occurred (AccessDeniedException) when calling the GetKeyPolicy operation: User: arn:aws:sts::xxx:assumed-role/CloudMapper/botocore-session-xxx is not authorized to perform: kms:GetKeyPolicy on resource: arn:aws:kms:us-west-2:xxx:key/xxx

I think it should likely be added to the list of KMS AccessDenied exceptions here: https://github.com/duo-labs/cloudmapper/blob/master/commands/collect.py#L150 handled for restricted keys. If this is true I will PR a fix.

@andrewkrug
Contributor Author

The same could likely be said for: kms.list_grants
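The two comments above ask for `AccessDeniedException` on `kms:GetKeyPolicy` and `kms:ListGrants` to be treated as an expected condition for restricted keys rather than an error. The following is an added example of that handling pattern; it is not CloudMapper's own `collect.py` code. It uses botocore's real `ClientError` when installed and otherwise a constructed stand-in with the same `.response` shape, a constructed `FakeKmsClient` in place of a boto3 client, and a constructed key policy and ARN. Only the two named operations are downgraded to a logged skip; any other error code, and a denial on any other call, still propagates.

```python
import logging

try:
    from botocore.exceptions import ClientError  # the real class when botocore is installed
except ImportError:
    # Constructed stand-in with the same .response shape, so the example runs offline.
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            self.response = error_response
            self.operation_name = operation_name
            err = error_response["Error"]
            super().__init__(
                "An error occurred (%s) when calling the %s operation: %s"
                % (err["Code"], operation_name, err.get("Message", ""))
            )

log = logging.getLogger("collect")

# Per-key KMS operations that are expected to fail with AccessDeniedException for
# keys whose key policy does not grant the collector's role access (the two calls
# named in this issue). Only these are downgraded to a skip.
TOLERATED_KMS_OPERATIONS = {"GetKeyPolicy", "ListGrants"}


def call_tolerating_restricted_key(operation_name, func, **params):
    """Run one KMS API call. Returns (response, None) on success and
    (None, "AccessDenied") when a tolerated operation is denied on a restricted
    key; every other ClientError is re-raised unchanged."""
    try:
        return func(**params), None
    except ClientError as e:
        code = e.response.get("Error", {}).get("Code")
        if code == "AccessDeniedException" and operation_name in TOLERATED_KMS_OPERATIONS:
            log.warning("Skipping kms:%s for key %s: %s", operation_name, params.get("KeyId"), e)
            return None, "AccessDenied"
        raise  # NotFound, throttling, or a denial on an unexpected call: surface it


def collect_key_details(kms, key_ids):
    """Collect the key policy and grants for each key, recording which calls were
    skipped because of a restricted key policy instead of aborting the run."""
    results = {}
    for key_id in key_ids:
        policy, p_skip = call_tolerating_restricted_key(
            "GetKeyPolicy", kms.get_key_policy, KeyId=key_id, PolicyName="default")
        grants, g_skip = call_tolerating_restricted_key(
            "ListGrants", kms.list_grants, KeyId=key_id)
        results[key_id] = {
            "policy": policy["Policy"] if policy else None,
            "grants": grants["Grants"] if grants else None,
            "skipped": [op for op, skipped in (("GetKeyPolicy", p_skip), ("ListGrants", g_skip))
                        if skipped],
        }
    return results


class FakeKmsClient:
    """Constructed stand-in for a boto3 KMS client: restricted keys deny the two
    per-key calls, missing keys raise NotFoundException, the rest answer normally."""

    def __init__(self, restricted_keys=(), missing_keys=()):
        self.restricted = set(restricted_keys)
        self.missing = set(missing_keys)

    def _deny(self, op, key_id):
        # Constructed message mirroring the shape of the one quoted in the issue.
        msg = ("User: arn:aws:sts::111111111111:assumed-role/CloudMapper/example-session "
               "is not authorized to perform: kms:%s on resource: %s" % (op, key_id))
        raise ClientError({"Error": {"Code": "AccessDeniedException", "Message": msg}}, op)

    def get_key_policy(self, KeyId, PolicyName):
        if KeyId in self.restricted:
            self._deny("GetKeyPolicy", KeyId)
        if KeyId in self.missing:
            raise ClientError({"Error": {"Code": "NotFoundException", "Message": "Key not found"}},
                              "GetKeyPolicy")
        return {"Policy": '{"Version": "2012-10-17", "Statement": []}'}  # constructed policy

    def list_grants(self, KeyId):
        if KeyId in self.restricted:
            self._deny("ListGrants", KeyId)
        return {"Grants": []}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    kms = FakeKmsClient(restricted_keys={"restricted-key"})
    for key_id, details in collect_key_details(kms, ["open-key", "restricted-key"]).items():
        print(key_id, details)
```

The point of keeping the tolerated set explicit is that a collector running under a cross-account role should not silently swallow every AccessDenied: a denial on `DescribeKey` or `ListKeys` usually means the role itself is misconfigured, whereas a denial on the two per-key calls is the normal outcome for a key whose policy scopes access to its owners.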

@0xdabbad00 0xdabbad00 added the bug Something isn't working label Mar 2, 2020
@0xdabbad00
Collaborator

It'd be great to get a PR for this. Thank you.

andrewkrug added a commit to andrewkrug/cloudmapper that referenced this issue Mar 2, 2020
0xdabbad00 added a commit that referenced this issue Mar 3, 2020
fix #671 by handling kms exceptions on collect
2 participants