
Permission Issues Resolving Previous Findings in Security Hub #711

Closed
gyrospectre opened this issue Dec 17, 2020 · 11 comments

@gyrospectre

I'm running Prowler via an ECS task in Fargate, using an assumed task role with all the right permissions. New findings are getting added to Security Hub fine, via the native SH support (i.e. -S), but existing findings that have since been resolved are failing to update with a permissions error:

```
An error occurred (AccessDeniedException) when calling the BatchImportFindings operation: User: <redacted> is not authorized to perform: securityhub:BatchImportFindings on resource: arn:aws:securityhub:ap-southeast-2::product/prowler/prowler
```

Even though that role definitely has that permission. After some debugging, it looks like the resolveSecurityHubPreviousFails() function in include/securityhub_integration is using batch-import-findings, rather than the batch-update-findings I would expect. The permissions error seems to be a red herring, and the issue is that you cannot update existing findings in this way, using the batch import. I'm not sure if this recently changed with AWS?

Has anyone else experienced this issue? I'm playing with a patch to move this function over to batch-update-findings, so if this is not just something silly I'm doing and is actually a bug, happy to cut a PR for the fix.

@toniblyx
Member

Not sure if it is related to this same issue here #705 that I'm working on. But also, since a month or so, Prowler is an official integrated product in Security Hub, so you have to enable it first in each account and region you need. See the updated documentation here https://github.com/toniblyx/prowler#security-hub-integration. Do you think your issue is related to that?

@gyrospectre
Author

Thanks for the response! I did have a look at #705, but my issue is with a single account, so I don't believe it's related. Security Hub appears to be set up properly; I can get findings into SH from Prowler without issue, it just won't update (Archive) existing issues if they are fixed after initially being raised. After patching the code per my original post, everything is working fine (using batch-update-findings instead). I'm out of the woods now, but if others are also experiencing the same issues I wanted to share my fixes in case it helps.

@toniblyx
Member

Do you mean changing the call here https://github.com/toniblyx/prowler/blob/master/include/securityhub_integration#L60 from import to update?

@toniblyx
Member

For some reason it seems like the Fargate execution role is not being assigned properly and it can't do BatchImportFindings. Can you debug that in CloudTrail to see what it is trying to do? It is suspicious to get that AccessDeniedException.

@gyrospectre
Author

> Do you mean changing the call here https://github.com/toniblyx/prowler/blob/master/include/securityhub_integration#L60 from import to update?

Yes, exactly. I created #712 to explain in code. It may not be perfect, but it is working for me in my environment. I agree the access denied error is suspicious, but I've not been able to work out why using CloudTrail etc., though I have put a fair bit of time into trying to understand why it's happening. I did try opening permissions for that role right up, to allow all Security Hub actions, but that didn't help, which seems to suggest that there is not a missing perm that I could just add to fix it. Weird.

@joerg

joerg commented Aug 25, 2021

Hi,

I think we stumbled upon the same error when running Prowler. We run it in CodeBuild, which is deployed via Terraform, and in some accounts the build fails while in others it runs perfectly well.
We thus contacted AWS and got a very interesting answer. I am not allowed to share the full answer, but the outline is this:

> This permission error (xx is not authorized to perform: securityhub:BatchImportFindings on resource yy) happens to occur when there is some invalid value in the finding. This invalid value could be a wrong region, account ID or ARNs. So even with administrative access, one could get a similar error.

So an input formatting error is reported as a permission error. Is there some way to print the finding JSON in prowler upon import? Maybe it really is malformed in certain edge cases.
I will try to get more information, but I don't have access to the accounts where this happens, so I am currently not sure how to debug it.
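Two things in this thread suggest a pre-flight step before Prowler's integration talks to Security Hub: gyrospectre's point that previously failed findings should be closed through BatchUpdateFindings rather than re-imported, and the AWS answer joerg relays that a wrong account ID, region or ARN inside a finding surfaces as AccessDeniedException on BatchImportFindings. The script below is an added example, not Prowler code or the fix in #712: it validates ASFF findings against the account and region the run is executing in, and builds the BatchUpdateFindings request bodies that would mark resolved findings. The sample findings, the 111111111111/222222222222 account IDs, the RESOLVED workflow status and the note text are constructed for this example; no AWS call is made, so it runs offline with only the standard library.

```python
"""Pre-flight checks for Prowler ASFF findings before they reach Security Hub.

Added example (not Prowler's own code). Uses only the standard library and
makes no AWS API calls; the request bodies it builds would be passed to
securityhub:BatchUpdateFindings by the caller.
"""
import json
import re

# Constructed sample values for the account/region the import runs in.
RUN_ACCOUNT = "111111111111"
RUN_REGION = "ap-southeast-2"

# Generic ARN shape: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):([a-z0-9-]+):([a-z0-9-]*):(\d{12})?:(.+)$")


def validate_finding(finding, account_id, region):
    """Return a list of inconsistencies between the finding and the account and
    region the import runs in. An empty list rules out the bad-value cause that
    AWS support described as surfacing as AccessDeniedException."""
    problems = []
    if not finding.get("Id"):
        problems.append("missing Id")
    if finding.get("AwsAccountId") != account_id:
        problems.append(f"AwsAccountId {finding.get('AwsAccountId')!r} != {account_id}")
    expected_arn = f"arn:aws:securityhub:{region}::product/prowler/prowler"
    if finding.get("ProductArn") != expected_arn:
        problems.append(f"ProductArn {finding.get('ProductArn')!r} != {expected_arn}")
    for res in finding.get("Resources", []):
        if res.get("Region") and res["Region"] != region:
            problems.append(f"resource {res.get('Id')!r} declares region {res['Region']}")
        rid = res.get("Id", "")
        if not rid.startswith("arn:"):
            continue  # non-ARN resource ids are not checked further
        m = ARN_RE.match(rid)
        if not m:
            problems.append(f"malformed resource ARN {rid!r}")
            continue
        arn_region, arn_account = m.group(3), m.group(4)
        # Global services (IAM, S3) leave region and/or account empty in the
        # ARN; only a present, differing value counts as a mismatch.
        if arn_account and arn_account != account_id:
            problems.append(f"resource {rid!r} belongs to account {arn_account}")
        if arn_region and arn_region != region:
            problems.append(f"resource {rid!r} is in region {arn_region}")
    return problems


def partition_findings(findings, account_id, region):
    """Split findings into (importable, rejected); rejected pairs each
    finding's Id with the problems found."""
    importable, rejected = [], []
    for f in findings:
        problems = validate_finding(f, account_id, region)
        if problems:
            rejected.append((f.get("Id"), problems))
        else:
            importable.append(f)
    return importable, rejected


def build_archive_requests(resolved_findings, updated_by="prowler"):
    """Build BatchUpdateFindings request bodies for findings whose check now
    passes. The API takes finding identifiers (Id + ProductArn), not whole
    findings, and accepts at most 100 identifiers per call, so the list is
    chunked. The RESOLVED status and note text are this example's choice."""
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in resolved_findings]
    return [
        {
            "FindingIdentifiers": ids[i:i + 100],
            "Workflow": {"Status": "RESOLVED"},
            "Note": {"Text": "Check passed on the latest Prowler run", "UpdatedBy": updated_by},
        }
        for i in range(0, len(ids), 100)
    ]


def _sample_finding(account, region, finding_id, resource_id):
    """Constructed minimal ASFF finding; not a real Prowler output."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,
        "ProductArn": f"arn:aws:securityhub:{region}::product/prowler/prowler",
        "AwsAccountId": account,
        "Resources": [{"Type": "Other", "Id": resource_id, "Region": region}],
    }


SAMPLE_FINDINGS = [
    _sample_finding(RUN_ACCOUNT, RUN_REGION, "example-check1-111111111111", "arn:aws:iam::111111111111:user/alice"),
    _sample_finding(RUN_ACCOUNT, RUN_REGION, "example-check2-111111111111", "arn:aws:s3:::example-bucket"),
    # Collected in a member account but submitted from the management account.
    _sample_finding("222222222222", RUN_REGION, "example-check1-222222222222", "arn:aws:iam::222222222222:user/bob"),
    # ProductArn and resource point at a region other than the import region.
    _sample_finding(RUN_ACCOUNT, "us-east-1", "example-check3-111111111111", "arn:aws:ec2:us-east-1:111111111111:instance/i-0example"),
]


def main():
    importable, rejected = partition_findings(SAMPLE_FINDINGS, RUN_ACCOUNT, RUN_REGION)
    for fid, problems in rejected:
        print(f"rejected {fid}: {'; '.join(problems)}")
    for req in build_archive_requests(importable):
        print(json.dumps(req, indent=2))


if __name__ == "__main__":
    main()
```

Running it rejects the two inconsistent sample findings with a reason each, which is the information the AccessDeniedException hides, and prints one BatchUpdateFindings body for the two consistent ones. Note that BatchUpdateFindings cannot set RecordState, so a finding closed this way is marked through its Workflow status rather than archived in the RecordState sense.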

@toniblyx
Member

Thanks @joerg, can you confirm the same issue with the latest version? And if you can, share the finding JSON that is failing in order to figure out what is wrong.

@joerg

joerg commented Aug 31, 2021

I ran the whole thing again with version 2.5 but the error remains. I also did a lot of debugging and tried finding out what could be the error here but so far the input JSON seems correct all the time. We will keep rolling out Prowler to our production accounts and see if more errors pop up and maybe I will be able to see a pattern.
One reason I could think of is that we also run Prowler in the central SecurityHub account that all other accounts in the organization deliver their findings to and there the error pops up the most. In the end, the fact that the SecurityHub API seems to produce unreasonable error messages is not really helping.

@joerg

joerg commented Sep 14, 2021

@toniblyx I was able to find the underlying error/bug and it seems that it is not related to the issue. I opened a new issue to work on it #867 .

@toniblyx
Member

Just to make this public in order to help @gyrospectre as well.

One way to debug this is running it manually from the same account and region to replicate your CodeBuild/Fargate etc. with something like:

```
bash -x ./prowler -A accountid -R roletoassume -r region -f region -M csv,json,html,json-asff > prowler.log 2>&1
```

That won't send anything to Security Hub but will generate a large log file with everything it does, plus the json-asff output, to see what it would be trying to send to Security Hub.

xeroxnir added a commit to xeroxnir/prowler that referenced this issue Sep 16, 2021
* Filter by AWS account Id to avoid importing findings from other accounts.
toniblyx added a commit that referenced this issue Sep 21, 2021
Fix Security Hub conflict with duplicated findings in the management account #711 @xeroxnir
@toniblyx
Member

toniblyx commented Nov 4, 2021

This one was fixed here, 254cb0c, and it is available in branch 2.5.1.

@toniblyx toniblyx closed this as completed Nov 4, 2021