[Bug]: extra760 results in success despite errors

[lorchda]

What happened?

In check extra760, the lambda:GetFunction returns a permission denied error, but the function returns a PASS. See logs below (Account ID masked, but otherwise log output captured as-is).

This is a follow-up to #940. The fix mentioned there only considers lambda:ListFunction, but not the lambda:GetFunction, which is the actual culprit.

Error message

7.60 [extra760] Find secrets in Lambda functions code  - lambda [Critical]
An error occurred (AccessDeniedException) when calling the GetFunction operation: User: arn:aws:sts::1234567890:assumed-role/ProwlerXA-CBRole/ProwlerAssessmentSession is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:eu-central-1:1234567890:function:CustomControlTowerDeploymentLambda because no identity-based policy allows the lambda:GetFunction action
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
unzip:  cannot find or open ./prowler/secrets-1234567890/extra760-CustomControlTowerDeploymentLambda-eu-central-1/CustomControlTowerDeploymentLambda-code.zip, ./prowler/secrets-1234567890/extra760-CustomControlTowerDeploymentLambda-eu-central-1/CustomControlTowerDeploymentLambda-code.zip.zip or ./prowler/secrets-1234567890/extra760-CustomControlTowerDeploymentLambda-eu-central-1/CustomControlTowerDeploymentLambda-code.zip.ZIP.
       PASS! eu-central-1: No secrets found in Lambda function CustomControlTowerDeploymentLambda code

How to reproduce it

Run prowler with check extra760 on an environment with Control Tower.

Expected behavior
A clear and concise description of what you expected to happen.

FAIL! instead of PASS!, and also less noise on the output (curl errors etc.)

Screenshots or Logs
If applicable, add screenshots to help explain your problem.
Also, you can add logs (anonymize them first!). Here a command that may help to share a log
bash -x ./prowler -options > debug.log 2>&1 then attach here debug.log

From where are you running Prowler?
Please, complete the following information:

• Resource: CodeBuild task
• OS: Amazon Linux 2
• AWS-CLI Version [aws --version]:
• Prowler Version [./prowler -V]: Prowler 2.7.0-24January2022
• Shell and version:
• Others:

Additional context
Add any other context about the problem here.

[lazize]

Could you check if your role ProwlerXA-CBRole has the same permissions according to the file below?

As you can see, action lambda:GetFunction was added on 2.7 version.

prowler/iam/create_role_to_assume_cfn.yaml

Line 63 in dcd55db

- 'lambda:GetFunction'

[lazize]

This check has a grep for AccessDenied as below

    if [[ $(echo "$LIST_OF_FUNCTIONS" | grep AccessDenied) ]]; then
      textInfo "$regx: Access Denied trying to list Lambda functions" "$regx" "$lambdafunction"
      continue
    fi

But other checks has a grep with more options, like below

    if [[ $(echo "$SSM_DOCS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
        textInfo "$regx: Access Denied trying to list documents" "$regx"
        continue
    fi

Should all grep checks for AccessDenied looks like the second one?

[lazize]

This check uses curl -s.
Should it be like curl -s --show-error as suggested on curl documentation? In case of error on curl it will not be suppressed.

   -s, --silent
          Silent or quiet mode. Don't show progress meter or error messages.  Makes Curl mute. It will still output the data you ask for, potentially even to the terminal/stdout unless you redirect
          it.

          Use -S, --show-error in addition to this option to disable progress meter but still show error messages.

[lorchda]

@lazize thank you for the pointer, I confirm the lambda:GetFunction is missing in my role. I initially was thinking that an SCP could be the culprit and didn't check the permissions myself - thank you.

It appears that the role descriptions are not in sync. I am using prowler/util/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml which did not get the update. See these files:

• https://github.com/prowler-cloud/prowler/blob/master/util/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml
• https://github.com/prowler-cloud/prowler/blob/master/util/org-multi-account/ProwlerRole.yaml

[lazize]

Those files you mention has much more permissions than others. Even though they are not in sync.

Keep all those files in sync is a very hard job to do it manually. I believe it will need a better mechanism to handle this situation. Just rely on people is not good enough.

[lazize]

@toniblyx How about the questions above about curl and check for AccessDenied?

[toniblyx]

@lazize @lorchda sorry for the late response, yes, we have to fine tune that check and parse the curl error in a better way. Let's see if that can be addressed before 2.8 is release.

[toniblyx]

Thanks @lazize we will review and merge it next week.

[jfagoagas]

Pull Request #1055 has been merged, thank you @lorchda @lazize for this awesome work!!