
lambdaguard's Introduction

LambdaGuard

AWS Lambda is an event-driven, serverless computing platform provided by Amazon Web Services. It is a computing service that runs code in response to events and automatically manages the computing resources required by that code.

LambdaGuard is an AWS Lambda auditing tool designed to create asset visibility and provide actionable results. It provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective.

Requirements

  • Python 3.6+
  • Java 11 (optional for SonarQube)

Install

From PyPI

pip3 install lambdaguard

From Github

git clone https://github.com/Skyscanner/lambdaguard
cd lambdaguard
sudo make install

AWS Access

You will need a set of AWS access keys and permissions to run LambdaGuard.

make aws

Create a profile in ~/.aws/credentials with the newly created keys.

[LambdaGuardProfile]
aws_access_key_id = ...
aws_secret_access_key = ...

Alternatively, you can pass the keys directly as CLI arguments with --keys. This is not recommended: command-line arguments are saved in shell history and CI logs, and are visible in the process list to every other user on the host while the scan runs.

Run

  • lambdaguard --help
  • lambdaguard --function arn:aws:lambda:function
  • lambdaguard --input function-arns.txt
  • lambdaguard --output /tmp/lambdaguard
  • lambdaguard --profile LambdaGuardProfile
  • lambdaguard --keys ACCESS_KEY_ID SECRET_ACCESS_KEY
  • lambdaguard --region eu-west-1
  • lambdaguard --verbose

SonarQube: Static Code Analysis

Download sonar-scanner-cli

Build SonarQube

  • make sonarqube

Use SonarQube

  • lambdaguard --sonarqube config.json

Config should have the following format:

{
    "command": "sonar-scanner -X",
    "url": "http://localhost:9000",
    "login": "admin",
    "password": "admin"
}

Development

make -B clean
make dev
. dev/bin/activate
make install-dev
make test

lambdaguard's People

Contributors

adeptex, alisonatwork, lagebaue, nimrodkor


lambdaguard's Issues

Error Running Lambda Guard

We're running LambdaGuard using your library, but it stopped working in late December 2021.

We run it from a Github Action (below), which was running successfully each week.

name: Lambda Guard
on:
  workflow_dispatch:
  schedule:
  - cron: "0 0 * * SUN" # every Sunday at midnight

jobs:
  lambda-guard:
    name: Run LambdaGuard
    runs-on: ubuntu-latest
    steps:
      - name: Checkout LambdaGuard
        uses: actions/checkout@v2
        with:
          repository: skyscanner/lambdaguard
      - name: Python Version
        run: |
            python --version
      - name: Build LambdaGuard
        run: |
            sudo make install
      - name: Run LambdaGuard
        run: |
            lambdaguard --verbose --keys  ${{ secrets.AWS_ACCESS_KEY_ID }} ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: Archive results
        uses: actions/upload-artifact@v2
        with:
          name: LambdaGuard Report
          path: lambdaguard_output/report.html

We now see an error in step Run LambdaGuard with the following output

Run lambdaguard --verbose --keys  *** ***
  lambdaguard --verbose --keys  *** ***
  shell: /usr/bin/bash -e {0}
Traceback (most recent call last):
  File "/usr/bin/lambdaguard", line 33, in <module>
    sys.exit(load_entry_point('LambdaGuard', 'console_scripts', 'lambdaguard')())
  File "/usr/bin/lambdaguard", line 22, in importlib_load_entry_point
    for entry_point in distribution(dist_name).entry_points
  File "/usr/lib/python3.8/importlib/metadata.py", line 503, in distribution
    return Distribution.from_name(distribution_name)
  File "/usr/lib/python3.8/importlib/metadata.py", line 177, in from_name
    raise PackageNotFoundError(name)
importlib.metadata.PackageNotFoundError: LambdaGuard
Error: Process completed with exit code 1.

Outputs of other steps are as follows

Build LambdaGuard

Run sudo make install
  sudo make install
  shell: /usr/bin/bash -e {0}
pip3 install -e .
Obtaining file:///home/runner/work/siberia-aws-middleware/siberia-aws-middleware
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Installing backend dependencies: started
  Installing backend dependencies: finished with status 'done'
    Preparing wheel metadata: started
    Preparing wheel metadata: finished with status 'done'
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from LambdaGuard==2.4.3) (2.22.0)
Collecting boto3
  Downloading boto3-1.20.26-py3-none-any.whl (131 kB)
Collecting argparse
  Downloading argparse-1.4.0-py2.py3-none-any.whl (23 kB)
Collecting botocore<1.24.0,>=1.23.26
  Downloading botocore-1.23.26-py3-none-any.whl (8.5 MB)
Collecting jmespath<1.0.0,>=0.7.1
  Downloading jmespath-0.10.0-py2.py3-none-any.whl (24 kB)
Collecting s3transfer<0.6.0,>=0.5.0
  Downloading s3transfer-0.5.0-py3-none-any.whl (79 kB)
Collecting python-dateutil<3.0.0,>=2.1
  Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
Requirement already satisfied: urllib3<1.27,>=1.25.4 in /usr/lib/python3/dist-packages (from botocore<1.24.0,>=1.23.26->boto3->LambdaGuard==2.4.3) (1.25.8)
Requirement already satisfied: six>=1.5 in /usr/lib/python3/dist-packages (from python-dateutil<3.0.0,>=2.1->botocore<1.24.0,>=1.23.26->boto3->LambdaGuard==2.4.3) (1.14.0)
Installing collected packages: python-dateutil, jmespath, botocore, s3transfer, boto3, argparse, LambdaGuard
  Running setup.py develop for LambdaGuard
Successfully installed LambdaGuard argparse-1.4.0 boto3-1.20.26 botocore-1.23.26 jmespath-0.10.0 python-dateutil-2.8.2 s3transfer-0.5.0

Python Version

Run python --version
  python --version
  shell: /usr/bin/bash -e {0}
Python 3.8.10

Thank you for any help you can provide

cannot print help message

When running --help this is the error that is returned:

./lambdaguard --help
Traceback (most recent call last):
  File "./lambdaguard", line 17, in <module>
    lambdaguard.run()
  File "/usr/local/lib/python3.6/dist-packages/lambdaguard/__init__.py", line 64, in run
    args = parse_args(arguments)
  File "/usr/local/lib/python3.6/dist-packages/lambdaguard/utils/cli.py", line 62, in parse_args
    args = argsParser.parse_known_args()[0]
  File "/usr/lib/python3.6/argparse.py", line 1775, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib/python3.6/argparse.py", line 1981, in _parse_known_args
    start_index = consume_optional(start_index)
  File "/usr/lib/python3.6/argparse.py", line 1921, in consume_optional
    take_action(action, args, option_string)
  File "/usr/lib/python3.6/argparse.py", line 1849, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/lib/python3.6/argparse.py", line 1033, in __call__
    parser.print_help()
  File "/usr/lib/python3.6/argparse.py", line 2375, in print_help
    self._print_message(self.format_help(), file)
  File "/usr/lib/python3.6/argparse.py", line 2381, in _print_message
    file.write(message)
UnicodeEncodeError: 'ascii' codec can't encode character '\xeb' in position 483: ordinal not in range(128)

Command not found

I have tried to install Lambdaguard locally on my Mac running Catalina 10.15.7. The download from worked fine, but I get "zsh: command not found: lambdaguard" every time I try to run it. I attempted to install using the "sudo make install" command from the Github repo, but still the command is not found in my terminal. Am I missing something here?

Bug running SonarQube via Lambdaguard?

hi :) - thanks for the tool. I'm looking to start using this for our dev teams and was playing with it.

Lambdaguard without SQ seems to run okay so far but I run into an error while integrating it with SonarQube. So here's where I stand:

  • SonarQube server is running on port 9000

  • SonarQube scanner is configured correctly and runs (java -jar sonar-scanner etc etc) and the output shows up in the SonarQube server

  • config.json is created and configured as discussed in the README. Here is the file:

{
    "command": "java -jar /Users/arvind/Downloads/sonar-scanner-4.4.0.2170-macosx/lib/sonar-scanner-cli-4.4.0.2170.jar -X -Dsonar.projectKey=test -Dsonar.sources=. -Dsonar.host.url=http://localhost:9000 -Dsonar.login=<KEY>",
    "url": "http://localhost:9000",
    "login": "admin",
    "password": "*****"
}
  • Running lambdaguard gives me an error though as follows.
(lambdaguard) arvind@Arvinds-MacBook-Pro lambdaguard % more lambdaguard_output/lambdaguard.log 
[2020-07-07 12:10] [arn:aws:lambda:us-west-2:ACCTID:function:GetAccessKeys]
Traceback (most recent call last):
  File "/Users/arvind/.local/share/virtualenvs/lambdaguard-EVx5Vuzh/lib/python3.7/site-packages/lambdaguard/core/Lambda.py", line 193, in get_security
    self.args
  File "/Users/arvind/.local/share/virtualenvs/lambdaguard-EVx5Vuzh/lib/python3.7/site-packages/lambdaguard/security/Scan.py", line 48, in __init__
    self.scan()
  File "/Users/arvind/.local/share/virtualenvs/lambdaguard-EVx5Vuzh/lib/python3.7/site-packages/lambdaguard/security/Scan.py", line 205, in scan
    self.report['runtime']
  File "/Users/arvind/.local/share/virtualenvs/lambdaguard-EVx5Vuzh/lib/python3.7/site-packages/lambdaguard/security/Scan.py", line 230, in scan_sonarqube
    for _ in self.sonarqube.scan(codeURL, runtime):
  File "/Users/arvind/.local/share/virtualenvs/lambdaguard-EVx5Vuzh/lib/python3.7/site-packages/lambdaguard/security/SonarQube.py", line 88, in scan
    sh(shsplit(self.config['command']), stdout=DEVNULL, stderr=DEVNULL)
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 347, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['java', '-jar', '/Users/arvind/Downloads/sonar-scanner-4.4.0.2170-macosx/lib/sonar-scanner-cli-4.4.0.2170.jar', '-X', '-Dsonar.projectKey=test', '-Dsonar.sources=.', '-Dsonar.host.url=http://localhost:9000', '-Dsonar.login=<KEY>']' returned non-zero exit status 1.

[2020-07-07 12:10] [arn:aws:lambda:us-west-2:ACCTID:function:GetAccessKeys]
Traceback (most recent call last):
  File "/Users/arvind/.local/share/virtualenvs/lambdaguard-EVx5Vuzh/lib/python3.7/site-packages/lambdaguard/__init__.py", line 159, in run
    statistics.parse(lmbd.report())
  File "/Users/arvind/.local/share/virtualenvs/lambdaguard-EVx5Vuzh/lib/python3.7/site-packages/lambdaguard/visibility/Statistics.py", line 68, in parse
    self.save(verbose=verbose)
  File "/Users/arvind/.local/share/virtualenvs/lambdaguard-EVx5Vuzh/lib/python3.7/site-packages/lambdaguard/visibility/Statistics.py", line 72, in save
    with self.path.joinpath('statistics.json').open('w') as f:
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/pathlib.py", line 1193, in open
    opener=self._opener)
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/pathlib.py", line 1046, in _opener
    return self._accessor.open(self, flags, mode)
FileNotFoundError: [Errno 2] No such file or directory: 'lambdaguard_output/statistics.json'

Thoughts on what I am doing wrong, if anything, or if this is a bug? If it's the latter, I'm happy to try and fix it, but a pointer would be nice :). Thanks.

Static code analysis -> only with SonarQube ?

Hello Artëm Tsvetkov,
Firstly, thanks a lot for your well-done article on:
https://medium.com/@SkyscannerEng/introducing-lambdaguard-a-security-scanner-for-aws-lambda-f5c6e23f8345

After reading your presentation about LambdaGuard and looking at this Git repo,
I was wondering if it would be possible to use a static code analyzer other than SonarQube with LambdaGuard? Or is it built in parallel with SonarQube and dependent on it...

I really hope you can help me to know a bit more about this!

Level:high warning on api gateway despite alternative auth settings

Thanks for publishing a great tool! We've been using it and have a question/feedback:

We have some functions invoked by api-gateway. In one case, a method has Authorization: IAM enabled. In another case, the method has API Key: Required.

Both of these functions incur the HIGH | Service is publicly accessible due to missing Resource-based policy warning.

However, an APIGW with a resource policy such as the one below, does not incur the same warning.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:root"
            },
            "Action": "execute-api:Invoke"
        }
    ]
}

Is there a difference between a broad-scoped resource policy on the APIGW like this and using Authorization: AWS_IAM at the method level?

`make aws` fails with 'aws/iam-user.json'

Hi, I get the following error when I run make aws:

An error occurred (ValidationError) when calling the CreateChangeSet operation: Template format error: Outputs name 'aws_access_key_id' is non alphanumeric.

I have valid keys defined in ~/.aws/credentials

thanks

AttributeError: 'NoneType' object has no attribute 'arn'

I've reviewed #27 but it appears that I'm having the same issue.

Here are my steps to reproduce.

First, I'm using Docker version 19.03.8 on macOS:

jeremyturner: docker --version
Docker version 19.03.8, build afacb8b

I started the following container:

docker run -it --entrypoint /bin/ash hashicorp/terraform:latest

Changed to the home folder:

/ # cd ~/
~ # pwd
/root

Installed pip3:

echo "**** install Python ****" && \
    apk add --no-cache python3 && \
    if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \
    \
    echo "**** install pip ****" && \
    python3 -m ensurepip && \
    rm -r /usr/lib/python*/ensurepip && \
    pip3 install --no-cache --upgrade pip setuptools wheel && \
    if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi

Installed lambdaguard:

~ # pip3 install lambdaguard

~ # lambdaguard -V
2.4.1

In my case, I'm using JumpCloud as the IdP to my AWS account so I'm using a tool called SAML2AWS:

CURRENT_VERSION=2.25.0
wget https://github.com/Versent/saml2aws/releases/download/v${CURRENT_VERSION}/saml2aws_${CURRENT_VERSION}_linux_amd64.tar.gz
tar -xzvf saml2aws_${CURRENT_VERSION}_linux_amd64.tar.gz -C /bin/
chmod u+x /bin/saml2aws

Here is what the configuration looks like (small typo with the profile name):

~ # saml2aws configure -a LambdaGuardProfile
? Please choose a provider: JumpCloud
? AWS Profile LamdaGuardProfile
? URL https://sso.jumpcloud.com/saml2/aws-test-admin
? Username [email protected]

account {
  URL: https://sso.jumpcloud.com/saml2/aws-test-admin
  Username: [email protected]
  Provider: JumpCloud
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 3600
  Profile: LamdaGuardProfile
  RoleARN: 
}

Configuration saved for IDP account: LambdaGuardProfile

Now I login to the IdP to configure my .aws/credentials file:

~ # saml2aws login -a LambdaGuardProfile
Using IDP Account LambdaGuardProfile to access JumpCloud https://sso.jumpcloud.com/saml2/aws-test-admin
To use saved password just hit enter.
? Username [email protected]
? Password ************

Authenticating as [email protected] ...
? MFA Token 000000
Selected role: arn:aws:iam::XXXXXXXXXXXX:role/Admin
Requesting AWS credentials using SAML assertion
Logged in as: arn:aws:sts::XXXXXXXXXXXX:assumed-role/Admin/[email protected]

Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2020-04-09 15:10:47 +0000 UTC
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile LamdaGuardProfile ec2 describe-instances).

Here we can confirm that the credentials are stored:

~ # cat .aws/credentials 
[LamdaGuardProfile]
aws_access_key_id        = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key    = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token        = BLAHBLAHETCETC
aws_security_token       = BLAHBLAHETCETC
x_principal_arn          = arn:aws:sts::XXXXXXXXXXXX:assumed-role/Admin/[email protected]
x_security_token_expires = 2020-04-09T15:10:47Z

When I run lambdaguard it seems to work:

~ # lambdaguard -v -p LamdaGuardProfile

         `.::////::.`
      ./osssssoossssso/.
    -osss/-`      .-/ssso-
  `osso-  .++++:      -osso`
 `oss/    .//oss-       /sss`
 +ss+        -sss.       /sso
.sss`       .sssso`      `sss.   LambdaGuard v2.4.1
-sso       :ssooss+       oss-
.sss`     /ss+``oss/     `sss.
 +ss+   `oss/   .sss///  /sso
 `oss/`.oso-     -ssso+./sso`
  `+sso:          .`  -oss+`
    -osss+-.`    `.-+ssso-
      ./osssssssssssso/.
         `.-:////:-.`

Loading regions (ap-east-1)
Loading regions (ap-northeast-1)
Loading regions (ap-northeast-2)
Loading regions (ap-south-1)
Loading regions (ap-southeast-1)
Loading regions (ap-southeast-2)
<snip>
Loading identity
          UserId......... AKIAIOSFODNN7EXAMPLE:[email protected]
          Account........ XXXXXXXXXXX
          Arn............ arn:aws:sts::XXXXXXXXXXX:assumed-role/Admin/[email protected]
[ 1/20 ] somethingsomethingFunction01
[ 1/20 ] somethingsomethingFunction02
         <snip>
         <snip>
          Security....... 0
          Triggers....... 0
          Resources...... 0
          Layers......... 0
          Runtimes....... 0
          Regions........ 0

          Report......... lambdaguard_output/report.html
          Log............ lambdaguard_output/lambdaguard.log

However, when I view the lambdaguard.log I get:

[2020-04-09 14:12] [arn:aws:lambda:ap-northeast-1:XXXXXXXXXXX:function:somethingsomethingFunction01]
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 63, in get_function
    if self.identity.acl.allowed("lambda:GetFunction"):
  File "/usr/lib/python3.8/site-packages/lambdaguard/utils/acl.py", line 97, in allowed
    simulation_results = self.client.simulate_custom_policy(
  File "/usr/lib/python3.8/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python3.8/site-packages/botocore/client.py", line 612, in _make_api_call
    http, parsed_response = self._make_request(
  File "/usr/lib/python3.8/site-packages/botocore/client.py", line 632, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 115, in create_request
    self._event_emitter.emit(event_name, request=request,
  File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/usr/lib/python3.8/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/usr/lib/python3.8/site-packages/botocore/signers.py", line 160, in sign
    auth.add_auth(request)
  File "/usr/lib/python3.8/site-packages/botocore/auth.py", line 357, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials

[2020-04-09 14:12] [arn:aws:lambda:ap-northeast-1:XXXXXXXXXXXX:function:somethingsomethingFunction01]
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 192, in get_security
    self.report(),
  File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 216, in report
    'role': self.role.arn.full,
AttributeError: 'NoneType' object has no attribute 'arn'

So I tried again but this time by creating an AWS IAM user with an Access and Secret Key:

~ # lambdaguard -v -p LamdaGuardProfile

         `.::////::.`
      ./osssssoossssso/.
    -osss/-`      .-/ssso-
  `osso-  .++++:      -osso`
 `oss/    .//oss-       /sss`
 +ss+        -sss.       /sso
.sss`       .sssso`      `sss.   LambdaGuard v2.4.1
-sso       :ssooss+       oss-
.sss`     /ss+``oss/     `sss.
 +ss+   `oss/   .sss///  /sso
 `oss/`.oso-     -ssso+./sso`
  `+sso:          .`  -oss+`
    -osss+-.`    `.-+ssso-
      ./osssssssssssso/.
         `.-:////:-.`

Loading regions (ap-east-1)
Loading regions (ap-northeast-1)
Loading regions (ap-northeast-2)
<snip>
<snip>
Loading identity
          UserId......... AIDATQ2EXAMPLEBLAHETC
          Account........ XXXXXXXXXXXX
          Arn............ arn:aws:iam::XXXXXXXXXXXX:user/lambdaguard

[ 1/20 ] somethingsomethingFunction01
[ 1/20 ] somethingsomethingFunction02
<snip>
          Lambdas........ 0
          Security....... 0
          Triggers....... 0
          Resources...... 0
          Layers......... 0
          Runtimes....... 0
          Regions........ 0

          Report......... lambdaguard_output/report.html
          Log............ lambdaguard_output/lambdaguard.log

I'm getting the same error in the logs:

[2020-04-09 14:54] [arn:aws:lambda:ap-northeast-1:XXXXXXXXXXX:function:somethingsomethingFunction01]
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 63, in get_function
    if self.identity.acl.allowed("lambda:GetFunction"):
  File "/usr/lib/python3.8/site-packages/lambdaguard/utils/acl.py", line 97, in allowed  
    simulation_results = self.client.simulate_custom_policy(
  File "/usr/lib/python3.8/site-packages/botocore/client.py", line 316, in _api_call     
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python3.8/site-packages/botocore/client.py", line 612, in _make_api_call
    http, parsed_response = self._make_request(
  File "/usr/lib/python3.8/site-packages/botocore/client.py", line 632, in _make_request 
    return self._endpoint.make_request(operation_model, request_dict)
  File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 115, in create_request
    self._event_emitter.emit(event_name, request=request,
  File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/usr/lib/python3.8/site-packages/botocore/signers.py", line 90, in handler       
    return self.sign(operation_name, request)
  File "/usr/lib/python3.8/site-packages/botocore/signers.py", line 160, in sign
    auth.add_auth(request)
  File "/usr/lib/python3.8/site-packages/botocore/auth.py", line 357, in add_auth        
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
         
[2020-04-09 14:54] [arn:aws:lambda:ap-northeast-1:XXXXXXXXXXXX:function:somethingsomethingFunction01]
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 192, in get_security
    self.report(),
  File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 216, in report
    'role': self.role.arn.full,
AttributeError: 'NoneType' object has no attribute 'arn'

I thought maybe the problem was that I didn't have the AWS CLI installed so I tried that:

~ # pip install awscli
Collecting awscli
<snip>
~ # aws --version
aws-cli/1.18.39 Python/3.8.2 Linux/4.19.76-linuxkit botocore/1.15.39

However, the results are the same.

Perhaps I'm missing something simple?

Note that for the first assume role profile my IAM policy is full administrator and for the second IAM user with Access Key and Secret, the IAM policy was the AWS managed ReadOnlyAccess IAM policy.

apigateway management APIs failing due to no resourceMethods

When using a policy to access apigateway management APIs, we receive an error when we are accessing resources that are outside of a specific API (apikeys, usageplan). These resources have no resourceMethods in them, because they are not associated with any specific API that contains resourceMethods.
https://github.com/Skyscanner/LambdaGuard/blob/master/lambdaguard/security/Public.py
The above class is posting an error when we are trying to use these resources, when it should really just return if self.item.resources is empty, unless you have some other reason it should fail?
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigatewaymanagement.html#amazonapigatewaymanagement
Using these resources the lambda is failing, as these resources are outside of a specific api in apigateway service.

  • arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}/keys
  • arn:${Partition}:apigateway:${Region}::/apikeys
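The two API Gateway issues above ("Level:high warning on api gateway despite alternative auth settings" and this one) share a root cause for a scanner: deciding whether a REST API method is reachable without credentials requires looking at both the method-level authorizationType / apiKeyRequired settings and the API's resource policy, and tolerating resources that simply have no resourceMethods key. The following is an added example, not LambdaGuard's Public.py or any other project code. It consumes the shapes returned by get_resources(..., embed=["methods"]) and get_rest_api's policy (the caller decodes that escaped JSON string to a dict first) but runs here on constructed sample data; the verdict strings and the rule that an API key is metering rather than authorization are the editor's own choices.

```python
"""Classify API Gateway REST API methods by how they can be invoked (added example)."""
import json
from typing import Dict, List, Optional, Union

# Method authorization types that require the caller to prove an identity.
AUTHENTICATED_TYPES = {"AWS_IAM", "CUSTOM", "COGNITO_USER_POOLS"}


def as_list(value) -> list:
    """IAM policy fields may hold a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_allows_anyone(policy: Union[None, str, dict]) -> Optional[bool]:
    """None if the API has no resource policy, True if it contains an
    unconditional Allow to principal "*", False otherwise.
    Accepts a dict or a JSON string."""
    if not policy:
        return None
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and "*" in as_list(principal.get("AWS")):
            return True
    return False


def classify_methods(resources: List[dict], policy: Union[None, str, dict]) -> Dict[str, str]:
    """Return {"VERB /path": verdict} for every method on the API.

    `resources` is the "items" list from get_resources(..., embed=["methods"]).
    Resources that carry no methods (the root before any method exists,
    intermediate path parts, etc.) simply lack "resourceMethods" and are
    skipped rather than treated as an error."""
    anyone = policy_allows_anyone(policy)
    verdicts: Dict[str, str] = {}
    for resource in resources:
        for verb, method in resource.get("resourceMethods", {}).items():
            auth = method.get("authorizationType", "NONE")
            if auth in AUTHENTICATED_TYPES:
                verdict = f"authenticated: {auth}"
                if anyone:
                    verdict += " (resource policy open to any AWS principal)"
            elif anyone is False:
                # A policy that names specific principals blocks anonymous callers.
                verdict = "restricted by resource policy only"
            elif method.get("apiKeyRequired"):
                verdict = "public: API key only (metering, not authorization)"
            else:
                verdict = "public: no authorization"
            verdicts[f"{verb} {resource.get('path', '/')}"] = verdict
    return verdicts


# Constructed sample data in the shape of the real API responses.
SAMPLE_RESOURCES = [
    {"id": "r0", "path": "/"},  # no resourceMethods key at all
    {"id": "r1", "path": "/orders", "resourceMethods": {
        "GET": {"httpMethod": "GET", "authorizationType": "AWS_IAM", "apiKeyRequired": False},
        "POST": {"httpMethod": "POST", "authorizationType": "NONE", "apiKeyRequired": True},
    }},
    {"id": "r2", "path": "/health", "resourceMethods": {
        "GET": {"httpMethod": "GET", "authorizationType": "NONE", "apiKeyRequired": False},
    }},
]

# The policy quoted in the question above: only the account's own principals may invoke.
ACCOUNT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::1234567890:root"},
                   "Action": "execute-api:Invoke"}],
}

if __name__ == "__main__":
    for scenario, policy in (("no policy", None), ("account-only policy", ACCOUNT_ONLY_POLICY)):
        print(scenario)
        for key, verdict in classify_methods(SAMPLE_RESOURCES, policy).items():
            print(f"  {key:14} {verdict}")
```

Run stand-alone it prints both scenarios; with no policy, GET /orders is reported as authenticated (AWS_IAM) rather than public, while GET /health is public and POST /orders is flagged because an API key alone identifies a plan, not a caller.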

Using get_function_configuration instead of get_function

Hi!

I'm looking through this project - it is super cool!
However, I experienced some permissions issues. When diving deeper, I found out it's using the method get_function - when my permissions are for get_function_configuration only. I checked - and most of the value can still be received from calling the less intrusive get_function_configuration.

If you'd like, I can open a PR for it. I think it would be useful to other audits / scans of the account.

WDYT?

LambdaGuard doesn't support running in multi-region

Currently, region is one of the input parameters, with the default being eu-west-1. I think a better approach is if region isn't specified - scan all available regions.
I think a list which covers most of the cases can be created statically, and a dynamic list can probably be queried somehow.
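As an added example of the multi-region scan requested above (not LambdaGuard's own code), the region loop and ListFunctions pagination below are separated from the AWS client so the logic runs offline against the constructed stub; boto3 is imported only inside the helper that builds real clients. Session.get_available_regions("lambda") lists the regions known to the SDK's endpoint data, which includes opt-in regions the account may not have enabled, so a region that rejects the first call is recorded as an error instead of aborting the scan.

```python
"""List Lambda functions in every region instead of one default region (added example)."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def list_functions_all_regions(
    regions: Iterable[str], make_client: Callable[[str], object]
) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Walk every region with the ListFunctions paginator.

    Returns ({region: [function ARNs]}, {region: error text}). A region the
    account has not opted in to fails on its first API call and lands in the
    second dict, so one bad region does not stop the others from being scanned."""
    found: Dict[str, List[str]] = {}
    errors: Dict[str, str] = {}
    for region in regions:
        try:
            paginator = make_client(region).get_paginator("list_functions")
            found[region] = [
                fn["FunctionArn"]
                for page in paginator.paginate()
                for fn in page.get("Functions", [])
            ]
        except Exception as exc:  # botocore raises ClientError / EndpointConnectionError here
            errors[region] = str(exc)
    return found, errors


def boto3_regions_and_factory(profile: Optional[str] = None):
    """Real inputs: SDK-known Lambda regions plus a per-region client factory."""
    import boto3  # imported lazily so the stub path below works without boto3

    session = boto3.Session(profile_name=profile)
    return session.get_available_regions("lambda"), (
        lambda region: session.client("lambda", region_name=region)
    )


class _StubPaginator:
    def __init__(self, pages):
        self._pages = pages

    def paginate(self, **kwargs):
        return iter(self._pages)


class StubLambdaClient:
    """Constructed stand-in for boto3's Lambda client: two pages in eu-west-1,
    nothing in us-east-1, and every other region behaves like a non-enabled
    opt-in region that rejects the call."""

    PAGES = {
        "eu-west-1": [
            {"Functions": [{"FunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:orders"}]},
            {"Functions": [{"FunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:billing"}]},
        ],
        "us-east-1": [{"Functions": []}],
    }

    def __init__(self, region: str):
        self.region = region

    def get_paginator(self, name: str) -> _StubPaginator:
        assert name == "list_functions"
        if self.region not in self.PAGES:
            raise RuntimeError(f"{self.region}: region not enabled for this account (constructed)")
        return _StubPaginator(self.PAGES[self.region])


if __name__ == "__main__":
    found, errors = list_functions_all_regions(["eu-west-1", "us-east-1", "ap-east-1"], StubLambdaClient)
    for region, arns in found.items():
        print(region, len(arns), "function(s)")
    for region, text in errors.items():
        print(region, "skipped:", text)
    # Against a real account: regions, factory = boto3_regions_and_factory("LambdaGuardProfile")
```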

AttributeError: 'NoneType' object has no attribute 'arn'

Hi,

I'm getting the following issue: AttributeError: 'NoneType' object has no attribute 'arn'
This is what the arn looks like:
arn:aws:lambda:eu-central-1:1234:function:myfunction

or even
./lambdaguard --function arn:aws:lambda:eu-central-1:1234:function:*

provides the same error.

Any idea what I'm missing?

Cheers!

IAM permissions

Hi,

I'd like to run this on its own instance as part of my security tooling.

It would be really useful to know which IAM permissions LambdaGuard needs to run, so I can create the relevant instance profile.

Thanks :)

Lambdaguard fails for policy if statement is an object

We have a lambda with the following policy:

{
  "Document": {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords"
      ],
      "Resource": ["*"]
    }
  },
  "VersionId": "v1",
  "IsDefaultVersion": true
}

This causes the following error:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.7/bin/lambdaguard", line 11, in <module>
    load_entry_point('LambdaGuard', 'console_scripts', 'lambdaguard')()
  File "/Users/nimrod/development/lambdaguard/lambdaguard/__init__.py", line 74, in run
    writes = LambdaWrite(args)
  File "/Users/nimrod/development/lambdaguard/lambdaguard/security/LambdaWrite.py", line 66, in __init__
    self.get_writes()
  File "/Users/nimrod/development/lambdaguard/lambdaguard/security/LambdaWrite.py", line 70, in get_writes
    for lambda_arn, actions in self.parse(policy):
  File "/Users/nimrod/development/lambdaguard/lambdaguard/security/LambdaWrite.py", line 105, in parse
    if statement['Effect'] != 'Allow':
TypeError: string indices must be integers
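The traceback above comes from indexing a string because the policy's "Statement" is a single object rather than a list. IAM policy grammar allows "Statement", "Action", "NotAction", "Resource" and "NotResource" to be either one value or a list, so a parser has to normalise each before iterating. The following is an added example, not LambdaGuard's LambdaWrite.parse: it walks a policy document with that normalisation and collects the Lambda write actions each Allow statement grants per resource. The set of actions treated as "writes", the constructed deploy policy, and the simplification of not subtracting Deny statements are the editor's own choices; the X-Ray policy is the one quoted in the issue.

```python
"""Walk an IAM policy document without assuming list-shaped fields (added example)."""
import fnmatch
from typing import Dict, Iterator, Set

# Actions that change what a function runs or who can invoke it
# (assumption: the set a reviewer would treat as Lambda "writes").
LAMBDA_WRITE_ACTIONS = (
    "lambda:AddPermission",
    "lambda:CreateFunction",
    "lambda:DeleteFunction",
    "lambda:PutFunctionConcurrency",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
)


def as_list(value) -> list:
    """Normalise a scalar-or-list policy field to a list so nothing indexes a string."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iter_statements(document: dict) -> Iterator[dict]:
    """Yield statements whether "Statement" is one object or a list of them."""
    for stmt in as_list(document.get("Statement")):
        if not isinstance(stmt, dict):
            raise ValueError(f"malformed statement: {stmt!r}")
        yield stmt


def _matches(action: str, patterns) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def lambda_writes(document: dict) -> Dict[str, Set[str]]:
    """Map each Resource pattern to the Lambda write actions that Allow
    statements grant on it. Explicit Deny statements are not subtracted
    (simplification; a full evaluator must apply them)."""
    writes: Dict[str, Set[str]] = {}
    for stmt in iter_statements(document):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            granted = {a for a in LAMBDA_WRITE_ACTIONS if not _matches(a, as_list(stmt["NotAction"]))}
        else:
            granted = {a for a in LAMBDA_WRITE_ACTIONS if _matches(a, as_list(stmt.get("Action")))}
        if not granted:
            continue
        # NotResource is treated as "*" (anything outside the listed resources).
        resources = ["*"] if "NotResource" in stmt else as_list(stmt.get("Resource", "*"))
        for resource in resources:
            writes.setdefault(resource, set()).update(granted)
    return writes


# The policy from the issue above: "Statement" is a single object, not a list.
XRAY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["xray:PutTraceSegments", "xray:PutTelemetryRecords"],
        "Resource": ["*"],
    },
}

# Constructed deploy policy mixing scalar and list fields, a wildcard and a Deny.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:update*",
         "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:deploy-*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "lambda:GetFunction"], "Resource": "*"},
        {"Effect": "Deny", "Action": "lambda:DeleteFunction", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("xray", XRAY_POLICY), ("deploy", DEPLOY_POLICY)):
        print(name, lambda_writes(policy) or "no Lambda write actions")
```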

Run LambdaGuard in Lambda

Goal

Deploy LambdaGuard as a Lambda across all regions using CloudFormation StackSets.

Issue

After reading through the code, unless I am mistaken, it seems that the project depends on AWS credentials being present.

Contribution

If my understanding is indeed correct, would you accept a PR that decouples the need for credentials, and allow for use of IAM permissions from within the Lambda Runtime?

Thanks!

Thank you for this tool, and for your consideration.

Security stats not showing on HTML report using --input

Hi,

Installed via pip3 --user install lambdaguard.

Running lambdaguard --function <function_arn> --verbose works fine.

However, putting a bunch of functions in a text file, and running lambdaguard --input arns.txt --verbose does not generate the proper HTML report. The security.json file is fine and has all the information expected, however.

The security info does not show in the top level stats, nor when drilling through in the individual function. It is blank.

Multi account reports

Hi,
Not an issue, more a question. Looking for some information.
I'm running this against multiple accounts, output saved into separate directories.
I was wondering if it would be possible to have lambdaguard not only write to the output directory, but also update a central location, where we would have a report for all accounts in one.
I guess it should be possible, is this something you are planning on maybe?

Thank you!

An error occurred (InvalidClientTokenId) when calling the SimulateCustomPolicy operation: The security token included in the request is invalid

I don't know if you've stumbled upon this before, but I keep getting this error.
Setup: Running in AWS Cloud9.
Running:
lambdaguard --keys aws_access_key_id aws_secret_access_key --region eu-west-3

An example:

[2020-08-19 16:44] [arn:aws:lambda:eu-west-3:365579225032:function:vf-backend-test-test-readUserSettings]
Traceback (most recent call last):
  File "/home/ec2-user/.local/lib/python3.6/site-packages/lambdaguard/core/Lambda.py", line 63, in get_function
    if self.identity.acl.allowed("lambda:GetFunction"):
  File "/home/ec2-user/.local/lib/python3.6/site-packages/lambdaguard/utils/acl.py", line 99, in allowed
    ActionNames=[action]
  File "/home/ec2-user/.local/lib/python3.6/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/ec2-user/.local/lib/python3.6/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the SimulateCustomPolicy operation: The security token included in the request is invalid

Lambdaguard permissions

Hi,
Which AWS permissions are required to run the program, and what is required to run it besides the installation?
Thanks in advance

Getting error using CLI: object has no attribute 'arn'

When I run lambdaguard --function 'myarfunction' --profile myprofile --region region --verbose I get these errors:

/lambdaguard/core/Lambda.py", line 184, in report
    'role': self.role.arn.full,
AttributeError: 'NoneType' object has no attribute 'arn'

Should I install some dependency?

AttributeError: 'STS' object has no attribute 'list_policies_granting_service_access'

We have been facing the following issue since the release of version 2.3.9.

It's running in Jenkins, which uses the withAws() plugin to assume a role in a different AWS account.
This is using a Python Virtual environment on Python 3.7.4.

+ pip3 install lambdaguard
Collecting lambdaguard
  Using cached https://files.pythonhosted.org/packages/1f/03/0cd88b8597c3f6aee213ab084f8cd39ac0f95f6922f6678bc8ee33f3b419/LambdaGuard-2.3.9-py3-none-any.whl
Collecting argparse (from lambdaguard)
  Using cached https://files.pythonhosted.org/packages/f2/94/3af39d34be01a24a6e65433d19e107099374224905f1e0cc6bbe1fd22a2f/argparse-1.4.0-py2.py3-none-any.whl
Collecting requests (from lambdaguard)
  Using cached https://files.pythonhosted.org/packages/51/bd/23c926cd341ea6b7dd0b2a00aba99ae0f828be89d72b2190f27c11d4b7fb/requests-2.22.0-py2.py3-none-any.whl
Collecting boto3 (from lambdaguard)
  Using cached https://files.pythonhosted.org/packages/ea/4f/a75bf88d30b79e08dd7930d9643aded0a79c9f696b307f353bb33f62cc5b/boto3-1.11.7-py2.py3-none-any.whl
Collecting chardet<3.1.0,>=3.0.2 (from requests->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl
Collecting urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 (from requests->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/e8/74/6e4f91745020f967d09332bb2b8b9b10090957334692eb88ea4afe91b77f/urllib3-1.25.8-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/b9/63/df50cac98ea0d5b006c55a399c3bf1db9da7b5a24de7890bc9cfd5dd9e99/certifi-2019.11.28-py2.py3-none-any.whl
Collecting idna<2.9,>=2.5 (from requests->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/14/2c/cd551d81dbe15200be1cf41cd03869a46fe7226e7450af7a6545bfc474c9/idna-2.8-py2.py3-none-any.whl
Collecting jmespath<1.0.0,>=0.7.1 (from boto3->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/83/94/7179c3832a6d45b266ddb2aac329e101367fbdb11f425f13771d27f225bb/jmespath-0.9.4-py2.py3-none-any.whl
Collecting s3transfer<0.4.0,>=0.3.0 (from boto3->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/de/6d/27abf73e66a05726dd52fb3a6645417b5dc86d90488b59589296dafbf054/s3transfer-0.3.1-py2.py3-none-any.whl
Collecting botocore<1.15.0,>=1.14.7 (from boto3->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/10/d7/da416c5d6a8c61796dbc37875c886955798ca88385882725049af49d417a/botocore-1.14.7-py2.py3-none-any.whl
Collecting python-dateutil<3.0.0,>=2.1 (from botocore<1.15.0,>=1.14.7->boto3->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/d4/70/d60450c3dd48ef87586924207ae8907090de0b306af2bce5d134d78615cb/python_dateutil-2.8.1-py2.py3-none-any.whl
Collecting docutils<0.16,>=0.10 (from botocore<1.15.0,>=1.14.7->boto3->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/22/cd/a6aa959dca619918ccb55023b4cb151949c64d4d5d55b3f4ffd7eee0c6e8/docutils-0.15.2-py3-none-any.whl
Collecting six>=1.5 (from python-dateutil<3.0.0,>=2.1->botocore<1.15.0,>=1.14.7->boto3->lambdaguard)
  Using cached https://files.pythonhosted.org/packages/65/eb/1f97cb97bfc2390a276969c6fae16075da282f5058082d4cb10c6c5c1dba/six-1.14.0-py2.py3-none-any.whl
Installing collected packages: argparse, chardet, urllib3, certifi, idna, requests, jmespath, six, python-dateutil, docutils, botocore, s3transfer, boto3, lambdaguard
Successfully installed argparse-1.4.0 boto3-1.11.7 botocore-1.14.7 certifi-2019.11.28 chardet-3.0.4 docutils-0.15.2 idna-2.8 jmespath-0.9.4 lambdaguard-2.3.9 python-dateutil-2.8.1 requests-2.22.0 s3transfer-0.3.1 six-1.14.0 urllib3-1.25.8
[Pipeline] sh
+ lambdaguard --input lambda_functions.txt --verbose
Traceback (most recent call last):
  File "/home/jenkins/workspace/project/Job/.pyenv-usr-bin-python3/bin/lambdaguard", line 10, in <module>
    sys.exit(run())
  File "/home/jenkins/workspace/project/Job/.pyenv-usr-bin-python3/lib64/python3.7/site-packages/lambdaguard/__init__.py", line 65, in run
    identity = STS(f'arn:aws:sts:{args.region}', args.profile, args.keys[0], args.keys[1])
  File "/home/jenkins/workspace/project/Job/.pyenv-usr-bin-python3/lib64/python3.7/site-packages/lambdaguard/core/STS.py", line 26, in __init__
    self.acl = ACL(self.caller['Arn'])
  File "/home/jenkins/workspace/project/Job/.pyenv-usr-bin-python3/lib64/python3.7/site-packages/lambdaguard/utils/acl.py", line 24, in __init__
    self.get_permissions()
  File "/home/jenkins/workspace/project/Job/.pyenv-usr-bin-python3/lib64/python3.7/site-packages/lambdaguard/utils/acl.py", line 27, in get_permissions
    service_access_policies = self.client.list_policies_granting_service_access(
  File "/home/jenkins/workspace/project/Job/.pyenv-usr-bin-python3/lib64/python3.7/site-packages/botocore/client.py", line 526, in __getattr__
    self.__class__.__name__, item)
AttributeError: 'STS' object has no attribute 'list_policies_granting_service_access'

It still works when using 2.3.8.

wildcard actions not handled properly

This tool does not handle wildcards in IAM policy actions properly, because it only does literal string matches. For example, the PrivilegeEscalation class will not detect any issue if my policy grants "iam:Create*". All the IAM policy checking logic needs to be rewritten to treat wildcards as actual wildcards (perhaps via regex) instead of only doing literal string matches.
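To illustrate what the report above asks for, here is an added example (not LambdaGuard's own code) of wildcard-aware IAM action matching. AWS evaluates the Action element case-insensitively, with `*` matching any run of characters and `?` matching exactly one character, so `iam:Create*` covers `iam:CreateUser`. The sample policy and the list of actions the auditor looks for are constructed for the demonstration; the `literal=True` switch reproduces the plain string comparison the issue describes, so the two results can be compared side by side. Resource, Condition and NotAction are deliberately ignored (an assumption of this example, making it an over-approximation of what is granted).

```python
"""Wildcard-aware matching of IAM policy actions (added example, not project code)."""
import re
from typing import Iterable, List, Pattern, Set


def compile_action_pattern(pattern: str) -> Pattern:
    """Translate an IAM Action pattern into an anchored, case-insensitive regex.

    '*' -> any characters, '?' -> exactly one character, everything else literal.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.compile("^" + regex + "$", re.IGNORECASE)


def action_matches(pattern: str, action: str) -> bool:
    """True if the concrete action is covered by the policy's action pattern."""
    return compile_action_pattern(pattern).match(action) is not None


def _as_list(value) -> List[str]:
    """The Action element may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def granted_actions(policy: dict, actions_of_interest: Iterable[str],
                    literal: bool = False) -> Set[str]:
    """Return the subset of actions_of_interest that the policy allows.

    Allow statements grant and an explicit Deny overrides, as in AWS policy
    evaluation. Assumption of this example: Resource, Condition and NotAction
    are ignored. With literal=True the comparison is a plain string equality,
    which is the behaviour the issue reports as incorrect.
    """
    actions = list(actions_of_interest)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]

    def covered(pattern: str, action: str) -> bool:
        return pattern == action if literal else action_matches(pattern, action)

    allowed: Set[str] = set()
    denied: Set[str] = set()
    for stmt in statements:
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for action in actions:
                if covered(pattern, action):
                    target.add(action)
    return allowed - denied


# Constructed sample policy for the demonstration; not taken from any real account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Create*", "iam:attachrolepolicy"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:Get?bject", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}

# Constructed list of actions an auditor might check; the tool's real list is its own.
ACTIONS_OF_INTEREST = [
    "iam:CreateUser", "iam:CreateAccessKey", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "s3:GetObject",
]


def compare_matching():
    """Wildcard-aware result beside the literal-match result for the same policy."""
    return (granted_actions(SAMPLE_POLICY, ACTIONS_OF_INTEREST),
            granted_actions(SAMPLE_POLICY, ACTIONS_OF_INTEREST, literal=True))


if __name__ == "__main__":
    wildcard, literal = compare_matching()
    print("wildcard-aware:", sorted(wildcard))  # iam:AttachRolePolicy, iam:CreateUser, s3:GetObject
    print("literal only:  ", sorted(literal))   # nothing, because no pattern equals an action
```

The literal comparison reports nothing granted even though the policy covers three of the five checked actions; the explicit Deny on `iam:CreateAccessKey` is honoured only in the wildcard-aware path because the literal path never sees it granted in the first place.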
