[Bug]: Prowler gets stuck / fails when running Lambda check against account with LZA #4209

Open
js37 opened this issue Jun 7, 2024 · 1 comment
Labels: provider/aws, question

js37 commented Jun 7, 2024

Steps to Reproduce

When running this awslambda check on an account that has Landing Zone Accelerator deployed, Prowler gets stuck.

prowler aws -c awslambda_function_no_secrets_in_code

When running in log-level INFO mode, this is the output

Executing 1 check, please wait...

2024-06-07 13:52:53,152 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'List Functions' function across 17 regions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,154 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,154 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,667 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ca-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,667 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,837 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,906 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,906 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,908 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,913 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-southeast-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,913 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,914 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,919 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,919 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,936 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,936 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,979 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: sa-east-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,991 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-north-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,034 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: us-west-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,175 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,221 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-south-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,427 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-southeast-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,488 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,630 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,630 [File: awslambda_service.py:158] 	[Module: awslambda_service]	 INFO: Lambda - List Tags...

2024-06-07 13:52:59,531 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'Get Policy' function across 17 regions...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,539 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,539 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,540 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:53:01,307 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'Get Function Url Config' function across 17 regions...

2024-06-07 13:53:01,307 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,307 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,309 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,309 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,313 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,314 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,314 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:05,012 [File: awslambda_service.py:66] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function Code...

When running in log-level debug, the last thing that would print out is
DEBUG: https://awslambda-us-west-2-tasks.s3.us-west-2.amazonaws.com:443 "GET /snapshots/<account ID>/<function name>

I have tested this check, and it works on other accounts.

Expected behavior

I expect the scan to complete. The ClientErrors due to having service control policies are fine. I expect the scan to finish with no results if it is due to a permission problem.

Actual Result with Screenshots or Logs

In description above.

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Prowler 4.2.4 (You are running the latest version, yay!)

OS used

MacOS

Prowler version

4.2.4

Pip version

24

Context

No response

@js37 js37 added bug status/needs-triage Issue pending triage labels Jun 7, 2024
@jfagoagas jfagoagas added question and removed bug status/needs-triage Issue pending triage labels Jun 11, 2024
@jfagoagas jfagoagas self-assigned this Jun 11, 2024
@jfagoagas (Member)

Hi @js37 it seems that Prowler is just executing that check. It can take a lot of time if you have a lot of lambdas with a great codebase since Prowler analyzes all the source code in memory while running the check.

How many AWS Lambda Functions do you have in that account?

Thanks for using Prowler 🚀

@jfagoagas jfagoagas added the provider/aws Issues/PRs related with the AWS provider label Jun 11, 2024
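A triage helper for the INFO log in this report, added here as an example (it is not Prowler code and not from either participant): it separates the SCP denials from the stage the run last reached, which is what distinguishes a permission failure from a scan that is still working. The sample log is constructed and shortened, and treating a region with no logged denial as "not denied" is an assumption.

```python
import re
from collections import defaultdict

# One record: timestamp, [File: ...], [Module: ...], level, message.
LINE = re.compile(r"^\S+ \S+ \[File: [^\]]+\]\s+\[Module: \w+\]\s+(\w+): (.*)$")
THREADS = re.compile(r"Starting threads for '[^']+' function across (\d+) regions")
DENIED = re.compile(
    r"^(\S+) -- ClientError\[\d+\]: .*\(AccessDeniedException\) when calling the "
    r"(\w+) operation.*explicit deny in a service control policy"
)

# Constructed, shortened sample in the format of the log above (<ARN> is the page's placeholder).
_DENY = ("An error occurred (AccessDeniedException) when calling the ListFunctions operation: "
         "User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * "
         "with an explicit deny in a service control policy")
_SVC = "[File: awslambda_service.py:{}] \t[Module: awslambda_service]\t "
SAMPLE_LOG = "\n".join([
    "2024-06-07 13:52:53,152 [File: service.py:85] \t[Module: service]\t INFO: LAMBDA - "
    "Starting threads for 'List Functions' function across 17 regions...",
    "",
    "2024-06-07 13:52:53,667 " + _SVC.format(59) + "ERROR: ca-central-1 -- ClientError[32]: " + _DENY,
    "",
    "2024-06-07 13:52:53,906 " + _SVC.format(59) + "ERROR: eu-west-3 -- ClientError[32]: " + _DENY,
    "",
    "2024-06-07 13:53:05,012 " + _SVC.format(66) + "INFO: Lambda - Getting Function Code...",
])

def triage(log_text):
    """Return SCP-denied regions per API call, regions without a denial, and the last INFO stage."""
    total_regions, last_info = None, None
    denied = defaultdict(set)
    for raw in log_text.splitlines():
        record = LINE.match(raw.strip())
        if not record:
            continue  # blank separator lines and anything that is not a log record
        level, message = record.groups()
        started = THREADS.search(message)
        if started:
            total_regions = int(started.group(1))
        blocked = DENIED.match(message)
        if level == "ERROR" and blocked:
            denied[blocked.group(2)].add(blocked.group(1))
        elif level == "INFO":
            last_info = message
    listed = len(denied.get("ListFunctions", ()))
    not_denied = None if total_regions is None else total_regions - listed
    return {"total_regions": total_regions, "not_denied": not_denied, "last_stage": last_info,
            "scp_denied": {op: sorted(regions) for op, regions in denied.items()}}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero `not_denied` together with a `last_stage` of `Lambda - Getting Function Code...` means the run got past the denials and was last seen fetching function code in the regions it could list.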