Allow continuing on scanning errors/support low privilege scanning #126

Closed
lllama opened this issue Jul 9, 2021 · 12 comments
lllama commented Jul 9, 2021

I am currently scanning an account in which I have close to full access but, due to compliance and security settings, I am unable to enumerate various settings. (SAML provider information and user access keys, as examples).

It would be useful if the scanning was allowed to continue when access errors are encountered, as I am only interested in the resources that I have access to. This would also help with being able to audit a user's access and ensure they do not have too many privileges.

(One potential way to achieve this could be a settings value that allowed you to exclude certain resources from scanning but that seems a little inelegant, plus could require repeated runs until no errors are generated.)

lllama (Author) commented Jul 12, 2021

One issue with a blanket "continue on error" approach would be that ResourceLinkFields could error if their target wasn't scanned. They would need to be converted into TransientResourceLinkFields in some way.

jbmchuck self-assigned this Jul 12, 2021

jbmchuck (Contributor) commented Jul 12, 2021

As you mention, there are definitely some challenges to implementing that behavior, though I agree it would be useful. I like the idea of having the ability to specify a resource include/exclude list; it is something I've wanted to implement for some time but have not, due to the ResourceLink issue you mention. I think that may not be too terribly complex to handle, though. I'll take a look and update this issue in the not too distant future.

lllama (Author) commented Jan 20, 2022

I've just bumped into this again. Thinking out loud: would it be possible to set something in the config that indicates a low-privilege account is being used? Then have ResourceLink etc use that config to decide on how strict they want to be.

jbmchuck (Contributor) commented
Hey @lllama , I've started implementing the ability to ignore specific resources in branch disable-resources. See

https://github.com/tableau/altimeter/blob/disable-resources/conf/current_single_account_skip_iam_policies.toml#L24-L26

This is a work in progress - this disables the scan of the resource but does not yet disable the validation portion for resource links. It is also only implemented in 'local' mode. I'll try to find some time soon to look into updating the validation code to ignore resource links.

jbmchuck (Contributor) commented

Hi @lllama,

Could you try the disable-resources branch as of 20cfdcb? I think this will work for your use case...

lllama (Author) commented Feb 26, 2022

Awesome. I'm on leave for a few weeks but will try and look asap when I get back.

dmoore247 commented
Sorry, I'm here for the "me too" with this error No regions found for resource support/severity-level. I can't see a path forward to my eval.

oleksandr-yatsuk commented
Hey @dmoore247,

I've got the same error, did you manage to fix the "No regions found" error?

jbmchuck (Contributor) commented Nov 8, 2023

@oleksandr-yatsuk assuming you are also experiencing the support/severity-level error, could you try 6.4.18 using a config similar to the one here (https://github.com/tableau/altimeter/blob/master/conf/current_single_account_skip_support.toml)?

This configuration uses the ignored_resources setting which allows ignoring specific resource types, in this case the support:severity-level resource which I believe is causing your issue.
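To make concrete the two behaviours discussed in this thread (lllama's concern that ResourceLinkFields fail when their target type was never scanned, and the ignored_resources setting jbmchuck describes above), here is a small illustrative scanner added to this page. It is not altimeter's own code: the names Resource, ScanResult, scan, validate_links, the REGION_MAP/FAKE_API tables and the AWS account number are all invented for the example. A resource type listed in ignored_resources is skipped outright; with continue_on_error the scan records AccessDenied and "no regions" failures instead of aborting; and link validation is strict only for target types that were actually scanned, downgrading links into skipped types to transient (unresolved) links rather than failing the run.

```python
"""Toy account scanner: skip ignored resource types, keep going on access
errors, and validate ResourceLink-style references so that links into types
that were never scanned become transient instead of failing the whole scan.
Illustrative code written for this thread, not altimeter's own code."""
from dataclasses import dataclass, field


class NoRegionsFoundForResource(Exception):
    """Raised when a resource type is served in no region (constructed)."""


class AccessDenied(Exception):
    """Stand-in for a boto3 AccessDenied ClientError."""


class LinkValidationError(Exception):
    """A link targets a type that was scanned, but the target is missing."""


@dataclass
class Resource:
    rtype: str
    arn: str
    links: list = field(default_factory=list)  # (target_type, target_arn) pairs


@dataclass
class ScanResult:
    resources: dict = field(default_factory=dict)        # arn -> Resource
    scanned_types: set = field(default_factory=set)      # types fully enumerated
    skipped: dict = field(default_factory=dict)          # rtype -> reason string
    transient_links: list = field(default_factory=list)  # (src_arn, tgt_type, tgt_arn)


ACCT = "123456789012"  # constructed account id

# Constructed region map: resource type -> regions in which it can be listed.
REGION_MAP = {
    "iam:policy": ["us-east-1"],
    "iam:user": ["us-east-1"],
    "iam:group": ["us-east-1"],
    "support:severity-level": [],  # no regions, like the error quoted in this thread
}

# Constructed fake API: (rtype, region) -> resources, or an exception to raise.
FAKE_API = {
    ("iam:policy", "us-east-1"): [Resource("iam:policy", f"arn:aws:iam::{ACCT}:policy/Admin")],
    ("iam:user", "us-east-1"): AccessDenied("iam:ListUsers denied by SCP"),
    ("iam:group", "us-east-1"): [Resource(
        "iam:group", f"arn:aws:iam::{ACCT}:group/admins",
        links=[("iam:user", f"arn:aws:iam::{ACCT}:user/alice"),       # user type may be unscannable
               ("iam:policy", f"arn:aws:iam::{ACCT}:policy/Admin")])],  # resolves normally
}


def get_regions(rtype):
    regions = REGION_MAP.get(rtype)
    if not regions:
        raise NoRegionsFoundForResource(f"No regions found for resource {rtype}")
    return regions


def list_resources(api, rtype, region):
    data = api.get((rtype, region), [])
    if isinstance(data, Exception):
        raise data
    return data


def scan(resource_types, api=FAKE_API, ignored_resources=(), continue_on_error=False):
    """Enumerate each type; with continue_on_error, record failures and move on."""
    result = ScanResult()
    for rtype in resource_types:
        if rtype in ignored_resources:
            result.skipped[rtype] = "ignored_resources"
            continue
        try:
            for region in get_regions(rtype):
                for res in list_resources(api, rtype, region):
                    result.resources[res.arn] = res
            # Only a type that listed in every region counts as fully scanned.
            result.scanned_types.add(rtype)
        except (NoRegionsFoundForResource, AccessDenied) as exc:
            if not continue_on_error:
                raise
            result.skipped[rtype] = f"{type(exc).__name__}: {exc}"
    validate_links(result)
    return result


def validate_links(result):
    """Strict for targets whose type was scanned; transient for types that were not."""
    dangling = []
    for res in result.resources.values():
        for tgt_type, tgt_arn in res.links:
            if tgt_arn in result.resources:
                continue
            if tgt_type in result.scanned_types:
                dangling.append((res.arn, tgt_type, tgt_arn))
            else:
                result.transient_links.append((res.arn, tgt_type, tgt_arn))
    if dangling:
        raise LinkValidationError(f"unresolved links to scanned types: {dangling}")
```

With the constructed data, a strict scan aborts at iam:user (the low-privilege case from the opening comment); passing ignored_resources={"support:severity-level"} together with continue_on_error=True yields the policy and group, records why iam:user and support:severity-level were skipped, and leaves the group's member link to alice as a transient link because iam:user never made it into scanned_types. A link to a policy ARN that does not exist, while iam:policy was scanned, still fails validation, which is the distinction a "low-privilege mode" flag would need to preserve.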

oleksandr-yatsuk commented

The new setting works, @jbmchuck.
One question though: I see that in the version released yesterday there are some dependency inconsistencies between the requirements.txt and setup.py files. Is there a reason for that?

jbmchuck (Contributor) commented Nov 9, 2023

Thanks for the catch - that was accidental - fixed in 6.4.19 which is now on pypi.

jbmchuck closed this as completed Nov 9, 2023

redo-oss commented

Hello, I am facing the same error while using a SageMaker Jupyter notebook and Neptune.
I installed altimeter using the pip command pip install altimeter.

When I run the command below I got this error:
!python ~/anaconda3/envs/JupyterSystemEnv/bin/aws2neptune.py lpg
The error message:

File "/home/ec2-user/anaconda3/envs/JupyterSystemEnv/lib/python3.10/site-packages/altimeter/aws/scan/account_scanner.py", line 133, in scan
resource_regions = self.account_scan_plan.aws_resource_region_mapping_repo.get_regions(
File "/home/ec2-user/anaconda3/envs/JupyterSystemEnv/lib/python3.10/site-packages/altimeter/aws/resource_service_region_mapping.py", line 55, in get_regions
raise NoRegionsFoundForResource(
altimeter.aws.resource_service_region_mapping.NoRegionsFoundForResource: No regions found for resource support/severity-level
