v1.0.0-dev Lambda Client Error #24

Closed
danieladams456 opened this issue Aug 7, 2019 · 7 comments
Labels: bug Something isn't working

@danieladams456
Describe the bug
UnrecognizedClientException during Lambda checks

To Reproduce
Steps to reproduce the behavior, please include information on suspected users/roles that are the source of the issue when possible:

  1. Checkout branch v1.0.0-dev
  2. Use Python 3 (all my dependencies are installed here, so tried to use it instead of 2. Works on master branch)
  3. Run the script
    • python3 pmapper.py --profile personal graph --create
    • python3 pmapper.py graph --create
  4. Majority of the script works, but then I get an invalid security token on the Lambda checks
    • I tried copying my specific profile information to the default profile to detect if it is losing the profile name at some point, but it seems to have the same behavior

Expected behavior
Lambda to succeed as other services did.

Error Stack

```text
running edge check for service: iam
running edge check for service: lambda
Searching through Lambda-supported regions for existing functions.
Traceback (most recent call last):
  File "pmapper.py", line 12, in <module>
    sys.exit(main())
  File "/REDACTED_HOMEDIR/code/PMapper/principalmapper/main.py", line 168, in main
    handle_graph(parsed_args)
  File "/REDACTED_HOMEDIR/code/PMapper/principalmapper/main.py", line 188, in handle_graph
    graph = principalmapper.graphing.graph_actions.create_new_graph(session, checker_map.keys(), parsed_args.debug)
  File "/REDACTED_HOMEDIR/code/PMapper/principalmapper/graphing/graph_actions.py", line 35, in create_new_graph
    return gathering.create_graph(session, metadata, service_list, sys.stdout, debug)
  File "/REDACTED_HOMEDIR/code/PMapper/principalmapper/graphing/gathering.py", line 40, in create_graph
    edges_result = edge_identification.obtain_edges(session, service_list, nodes_result, output, debug)
  File "/REDACTED_HOMEDIR/code/PMapper/principalmapper/graphing/edge_identification.py", line 43, in obtain_edges
    result.extend(checker_obj.return_edges(nodes, output, debug))
  File "/REDACTED_HOMEDIR/code/PMapper/principalmapper/graphing/lambda_edges.py", line 35, in return_edges
    for page in paginator.paginate(PaginationConfig={'PageSize': 25}):
  File "/REDACTED_HOMEDIR/Library/Python/3.7/lib/python/site-packages/botocore/paginate.py", line 255, in __iter__
    response = self._make_request(current_kwargs)
  File "/REDACTED_HOMEDIR/Library/Python/3.7/lib/python/site-packages/botocore/paginate.py", line 332, in _make_request
    return self._method(**current_kwargs)
  File "/REDACTED_HOMEDIR/Library/Python/3.7/lib/python/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/REDACTED_HOMEDIR/Library/Python/3.7/lib/python/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the ListFunctions operation: The security token included in the request is invalid.
```

@ncc-erik-steringer
Collaborator

Oooh, this smells like the issue in ScoutSuite/botocore surrounding the ap-east-1 region and regions that are disabled. I'll dig in more tonight.

@danieladams456
Author

Could be! I haven't enabled any of the new regions on this account.

@danieladams456
Author

I was able to reproduce with the following test script what is happening in lambda_edges.py.

```python
import botocore.session

# Same call lambda_edges.py makes, but pinned to a region this account has not enabled
session = botocore.session.Session(profile='personal')
client = session.create_client('lambda', region_name='ap-east-1')
client.list_functions()
```

Error stack:

```text
  File "<stdin>", line 1, in <module>
  File "/REDACTED_HOMEDIR/Library/Python/3.7/lib/python/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/REDACTED_HOMEDIR/Library/Python/3.7/lib/python/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the ListFunctions operation: The security token included in the request is invalid.
```

@ncc-erik-steringer ncc-erik-steringer self-assigned this Aug 9, 2019
@ncc-erik-steringer ncc-erik-steringer added the bug Something isn't working label Aug 9, 2019
@ncc-erik-steringer
Collaborator

The v1.0.0-dev branch pulls a list of regions to check with the following line of code (/principalmapper/graphing/lambda_edges.py).

```python
lambda_regions = self.session.get_available_regions('lambda')
```

I expected that the returned list would exclude disabled regions. I'll have to add an extra few lines of code instead. Should be fixed by 1.0.0 release.

The master branch has a hardcoded list of regions (which is not a good solution, but it prevented this issue ironically).

@danieladams456
Author

One more comment... A bit ago I was POCing an AWS Organizations SCP that would deny any API call outside of US regions. That wouldn't explicitly disable them (which only seems to work on regions launched after March 20, 2019), but API calls would still fail.
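The two failure modes raised in this thread (a region that `get_available_regions()` lists but the account has not enabled, which surfaces as `UnrecognizedClientException`, and a region blocked by an SCP, which fails with an access-denied error instead) can be handled the same way: probe each candidate region once, keep the ones that answer, record why the others were skipped, and re-raise anything that is not a known per-region failure so a genuinely bad credential is not silently swallowed. The code below is an added example, not PMapper's own fix from commit 6046c00 and not code posted by anyone in this thread. It assumes botocore's `ClientError` shape (`exc.response['Error']['Code']`), falls back to a local stand-in with the same shape so it runs without botocore installed, and uses a constructed fake probe in place of a real `list_functions()` call; the region names and the `AccessDeniedException` code for the SCP case are assumptions for illustration.

```python
"""Probe candidate regions and keep only the ones this account can actually call.

Added example; not part of PMapper. Uses botocore's ClientError when available.
"""
try:
    from botocore.exceptions import ClientError
except ImportError:  # stand-in with botocore's constructor/attributes so this runs offline
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(
                "An error occurred (%s) when calling the %s operation: %s"
                % (error_response["Error"]["Code"], operation_name,
                   error_response["Error"]["Message"]))
            self.response = error_response
            self.operation_name = operation_name

# Error codes that mean "this region is not usable for this account" rather than
# "your credentials are wrong". UnrecognizedClientException is what the traceback
# in this issue shows for a disabled/opt-in region; AccessDeniedException is the
# assumed code for a region an SCP blocks.
SKIPPABLE_CODES = {
    "UnrecognizedClientException": "region disabled / not opted in",
    "AccessDeniedException": "call denied by policy (e.g. SCP)",
}


def probe_enabled_regions(regions, probe):
    """Call probe(region) for each region; return (usable, skipped).

    skipped is a list of (region, reason). Any ClientError whose code is not in
    SKIPPABLE_CODES is re-raised so real credential problems stay visible.
    """
    usable, skipped = [], []
    for region in regions:
        try:
            probe(region)
        except ClientError as exc:
            code = exc.response["Error"]["Code"]
            if code in SKIPPABLE_CODES:
                skipped.append((region, SKIPPABLE_CODES[code]))
                continue
            raise
        usable.append(region)
    return usable, skipped


def make_fake_probe(disabled, scp_blocked):
    """Constructed stand-in for a real per-region lambda list_functions() call."""
    def probe(region):
        if region in disabled:
            raise ClientError({"Error": {
                "Code": "UnrecognizedClientException",
                "Message": "The security token included in the request is invalid."}},
                "ListFunctions")
        if region in scp_blocked:
            raise ClientError({"Error": {
                "Code": "AccessDeniedException",
                "Message": "explicit deny in a service control policy"}},
                "ListFunctions")
        return {"Functions": []}
    return probe


def example():
    # Constructed sample: what get_available_regions('lambda') might hand back,
    # with two regions the account never enabled and one an SCP blocks.
    candidates = ["us-east-1", "us-west-2", "eu-west-1", "ap-east-1", "me-south-1"]
    probe = make_fake_probe(disabled={"ap-east-1", "me-south-1"},
                            scp_blocked={"eu-west-1"})
    return probe_enabled_regions(candidates, probe)


if __name__ == "__main__":
    usable, skipped = example()
    print("usable:", usable)
    for region, reason in skipped:
        print("skipped %s: %s" % (region, reason))
```

Against a real account the probe would be something like `lambda r: session.create_client('lambda', region_name=r).list_functions(MaxItems=1)`, run over `session.get_available_regions('lambda')`. A cheaper alternative for the opt-in case (not the SCP case) is one `ec2` `describe_regions(AllRegions=True)` call, whose `OptInStatus` field tells you which regions are `not-opted-in` before you touch them.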

@ncc-erik-steringer
Collaborator

Just pushed 6046c00 to fix this in v1.0.0-dev.

@danieladams456
Author

Works great - thank you!

wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this issue Sep 5, 2022
…_section

Removed privilege escalation section. Moved into Exploitation