Error awslambda.py L31

[cgaudit]

Hi
I got the current error while scanning AWS env. which contains Lambda service.
2021-06-15 11:49:07 kali scout[1561] ERROR awslambda.py L31: Failed to get role from managed policies: An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name XXX-dev-getAllTransactionsRole-XXX cannot be found.

What can be the reasons for not founding the Entity?

BR

[lowSoA]

Could you please provide the --debug output?

[x4v13r64]

We've seen such errors a few times and my theory is that a role was configured on the Lambda which was then deleted. Would have to test to confirm.

[cgaudit]

{ "additional_details": null, "exception": "Failed to get role from managed policies: An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name xxx-dev-getAllTransactionsRole-xxx cannot be found.", "file": "awslambda.py", "line": 31, "traceback": "Traceback (most recent call last):\n File \"/usr/local/lib/python3.9/dist-packages/ScoutSuite/providers/aws/facade/awslambda.py\", line 31, in get_role_with_managed_policies\n role = client.get_role(RoleName=role_name)['Role']\n File \"/usr/local/lib/python3.9/dist-packages/botocore/client.py\", line 386, in _api_call\n return self._make_api_call(operation_name, kwargs)\n File \"/usr/local/lib/python3.9/dist-packages/botocore/client.py\", line 705, in _make_api_call\n raise error_class(parsed_response, operation_name)\nbotocore.errorfactory.NoSuchEntityException: An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name xxx-dev-getAllTransactionsRole-xxx cannot be found.\n" }

[cgaudit]

Hi @lowSoA,

Does that logs enrich us with any insights?

@x4v13r64 is that means that each time a role was deleted will trigger an error?

For which tests does SecurityAudit permission is necessary for?

BR

[lowSoA]

I can confirm this is the behavior in the case explained by @x4v13r64 above.

[Tzaoh]

A similar check to below existing one was done.

ScoutSuite/ScoutSuite/providers/aws/facade/awslambda.py

Lines 24 to 26 in b9b8e20

	if "ResourceNotFoundException" not in str(e):
	print_exception('Failed to get Lambda access policy: {}'.format(e))
	return None

For this use case:

ScoutSuite/ScoutSuite/providers/aws/facade/awslambda.py

Lines 46 to 48 in bc9f32e

	if "NoSuchEntityException" not in str(e.__class__):
	print_exception('Failed to get role from managed policies: {}'.format(e))
	return None

Although, we might want to consider to refactor a bit this class (and maybe others were similar things could be happening) in order to use the standard Boto3 exceptions. For this specific use case botocore.errorfactory.NoSuchEntityException could be used. Maybe exposing it from the awslambda.py facade could also be a good approach.