Handle access denied exceptions on resources #666
This was referenced Jun 21, 2021: Blocked by deep mode refactoring
I have a similar use case. One of my top-secret S3 buckets has a strict access policy that will prevent driftctl from scanning it (and return a very expected 403). Here's the policy:

```json
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::yaddabucket0130",
        "arn:aws:s3:::yaddabucket0130/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "1.2.3.4/32"
        }
      }
    }
  ]
}
```
LGTM

Context: 1 S3 bucket in the account has an explicit ban for my IP ("yaddabucket0130").

Using 0.13:

```text
❯ LOG_LEVEL=error driftctl scan
Scanned states (1)
AccessDenied: Access Denied
	status code: 403, request id: PC50JPFPQJSP0735, host id: /GGji2ootu3WqRQNX7hEQxdAmXJSP5B1uYo3Dpo8unwmCXjLQJUF1fLsnTACjg70PMuN+VK8LvU=
```

Using 0.14-pre:

```text
❯ LOG_LEVEL=error driftctl-pre scan
Scanned states (1)
Found resources not covered by IaC:
  aws_s3_bucket:
    - a-bucket-filled-with-files
    - [...]
    -
Ignoring aws_s3_bucket.yaddabucket0130 from drift calculation: Listing aws_s3_bucket is forbidden.
It seems that we got access denied exceptions while listing resources.
The latest minimal read-only IAM policy for driftctl is always available here, please update yours: https://docs.driftctl.com/aws/policy
```
Description

We want to handle access denied exceptions when reading resources details.

Environment

How to reproduce

#665 (comment)

Possible Solution

- We need to do string matching on error strings coming from `ReadResource`.
- We can reproduce an error behavior by enabling listing but denying every detail fetcher call (remove `lambda:GetFunction` from policy).
- We can retrieve the error string with `err.Error()`.
- Error should be handled in `scanner.go` when we iterate on details fetcher, like we did above for enumeration errors.
- We should test behavior for every kind of resource since AWS does not return the same error code.
- If we match an access denied exception, we should send an alert and skip the resource.
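The skip-and-alert behaviour proposed above, as an added example that is not driftctl's own code: `Resource`, `DetailsFetcher` and `ScanDetails` are hypothetical stand-ins for the scanner's types, and the matched substrings cover the differing codes AWS services return for the same permission failure.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Resource stands in for the (type, id) pair driftctl enumerates (hypothetical type, not driftctl's).
type Resource struct{ Type, ID string }

// Substrings seen in err.Error() for AWS permission failures; services do not agree on one
// code (S3 "AccessDenied", Lambda "AccessDeniedException", EC2 "UnauthorizedOperation", or only the 403 status).
var accessDeniedMarkers = []string{"AccessDenied", "UnauthorizedOperation", "status code: 403"}

// IsAccessDenied reports whether err, or any error it wraps, is an AWS access denied
// failure, matching on err.Error() as the issue proposes.
func IsAccessDenied(err error) bool {
	for ; err != nil; err = errors.Unwrap(err) {
		for _, m := range accessDeniedMarkers {
			if strings.Contains(err.Error(), m) {
				return true
			}
		}
	}
	return false
}

// DetailsFetcher reads one resource's details (hypothetical signature, not driftctl's).
type DetailsFetcher func(r Resource) (map[string]string, error)

// ScanDetails runs the details fetcher over enumerated resources. Access denied raises an
// alert and skips the resource; any other error aborts the scan, as enumeration errors do.
func ScanDetails(resources []Resource, fetch DetailsFetcher) (map[string]map[string]string, []string, error) {
	details := map[string]map[string]string{}
	var alerts []string
	for _, r := range resources {
		d, err := fetch(r)
		if err != nil {
			if IsAccessDenied(err) {
				alerts = append(alerts, fmt.Sprintf("Ignoring %s.%s from drift calculation: reading %s details is forbidden.", r.Type, r.ID, r.Type))
				continue
			}
			return nil, nil, fmt.Errorf("reading %s.%s: %w", r.Type, r.ID, err)
		}
		details[r.Type+"."+r.ID] = d
	}
	return details, alerts, nil
}
```

A non-permission error (a timeout, a missing resource) still aborts the scan, so only genuine access denied responses are downgraded to alerts.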