vmware-samples / secureclouds-remediation-jobs
Secure State team and its customers can contribute with remediation rules and build a community around it
License: Other
When enabling access logging, the target bucket is updated with log delivery ACL permissions, even though they might already be present.
This leads to duplicate Grants being added to the target bucket ACL, which, once it reaches 99, starts giving a Bad Request error on calls to put_bucket_acl.
One such example:
```
{'Owner': {'DisplayName': 'awsmasteremail+*******a-022', 'ID': 'b101f924005dbb04273************d43ad46757f21f65c40d48d75368c3'},
 'Grants': [{'Grantee': {'DisplayName': 'awsmasteremail+*******-022', 'ID': 'b101f924005dbb04273************d43ad46757f21f65c40d48d75368c3', 'Type': 'CanonicalUser'}, 'Permission': 'FULL_CONTROL'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'WRITE'},
            {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}]}
```
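An added example, not the project's or the reporter's code, of the idempotent update that avoids the duplicate grants above: it collapses any grant that already appears in the ACL and adds the LogDelivery READ_ACP and WRITE grants only when they are missing, returning an AccessControlPolicy shaped for put_bucket_acl plus a flag saying whether a call is needed at all. The owner ID and the sample grant list are constructed placeholders; the function and constant names are this example's own.

```python
# Added example (not the project's code): make the LogDelivery ACL update idempotent.
import copy

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
# Permissions the Log Delivery group needs on a target bucket for ACL-based log delivery.
REQUIRED_LOG_DELIVERY_PERMISSIONS = ("READ_ACP", "WRITE")


def _grant_key(grant):
    """Reduce a grant to a hashable (type, identity, permission) key so duplicates compare equal."""
    grantee = grant["Grantee"]
    if grantee["Type"] == "Group":
        ident = grantee["URI"]
    elif grantee["Type"] == "CanonicalUser":
        ident = grantee["ID"]  # the canonical ID, not the mutable DisplayName
    else:  # AmazonCustomerByEmail
        ident = grantee.get("EmailAddress")
    return (grantee["Type"], ident, grant["Permission"])


def log_delivery_acl(current_acl):
    """Return (new_acl, changed).

    current_acl is the dict returned by get_bucket_acl(). new_acl carries every
    distinct existing grant once, plus the LogDelivery grants, and is shaped for
    put_bucket_acl(AccessControlPolicy=new_acl). changed is False when the bucket
    already has exactly this grant list, so the caller can skip the PUT.
    """
    seen = set()
    grants = []
    for grant in current_acl.get("Grants", []):
        key = _grant_key(grant)
        if key in seen:
            continue  # a duplicate produced by an earlier non-idempotent run
        seen.add(key)
        grants.append(copy.deepcopy(grant))
    for perm in REQUIRED_LOG_DELIVERY_PERMISSIONS:
        key = ("Group", LOG_DELIVERY_URI, perm)
        if key not in seen:
            seen.add(key)
            grants.append({"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": perm})
    new_acl = {"Owner": current_acl["Owner"], "Grants": grants}
    changed = grants != current_acl.get("Grants", [])
    return new_acl, changed


# Constructed sample shaped like get_bucket_acl() output: the owner grant plus three
# copies of the same READ_ACP grant and no WRITE grant. The ID is a placeholder.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0" * 64},
    "Grants": [
        {"Grantee": {"DisplayName": "example-owner", "ID": "0" * 64, "Type": "CanonicalUser"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
    ],
}


def demo():
    """Compute the cleaned ACL for the sample; a real job would then call
    s3.put_bucket_acl(Bucket=target_bucket, AccessControlPolicy=new_acl) only if changed."""
    return log_delivery_acl(SAMPLE_ACL)


if __name__ == "__main__":
    acl, changed = demo()
    print(changed, [g["Permission"] for g in acl["Grants"]])
```

Because put_bucket_acl replaces the whole ACL, sending the deduplicated list both adds the missing WRITE grant and removes the accumulated duplicates in one call, and a second run of the job sees changed == False and makes no call.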
```
time=2020-11-30T17:10:17.383094Z caller=logger.go:165 level=info message="Starting running job code"
time=2020-11-30T17:10:18.2442037Z caller=logger.go:173 level=info message="INFO:botocore.credentials:Found credentials in environment variables."
time=2020-11-30T17:10:18.3579985Z caller=logger.go:173 level=info message="INFO:root:revoking ivp4 permissions"
time=2020-11-30T17:10:18.411337Z caller=logger.go:173 level=info message="INFO:root:revoke_security_group_ingress(CidrIp='0.0.0.0/0' FromPort=22 GroupId='sg-07a383feba0364070' IpProtocol='tcp' ToPort=22)"
time=2020-11-30T17:10:19.1057878Z caller=logger.go:173 level=info message="INFO:root:revoking ivp6 permissions"
time=2020-11-30T17:10:19.1474943Z caller=logger.go:173 level=info message="INFO:root:revoke_security_group_ingress(GroupId='sg-07a383feba0364070' IpPermissions=[{'FromPort': 22, 'IpProtocol': 'tcp', 'Ipv6Ranges': [{'CidrIpv6': '::/0'}], 'ToPort': 22}])"
time=2020-11-30T17:10:19.3514667Z caller=logger.go:173 level=info message="Traceback (most recent call last):"
time=2020-11-30T17:10:19.3985511Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/security_group_close_port_22.py\", line 107, in <module>"
time=2020-11-30T17:10:19.4348853Z caller=logger.go:173 level=info message="Process completed with exit code 1"
time=2020-11-30T17:10:19.460516Z caller=logger.go:173 level=info message=sys.exit(SecurityGroupClosePort22().run(sys.argv))
time=2020-11-30T17:10:19.5121224Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/security_group_close_port_22.py\", line 103, in run"
time=2020-11-30T17:10:19.5375377Z caller=logger.go:171 level=error LEVEL=ERROR message="error while executing work" error="exit status 1"
time=2020-11-30T17:10:19.5564106Z caller=logger.go:173 level=info message="return self.remediate(client, params[\"security_group_id\"])"
time=2020-11-30T17:10:19.6047974Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/security_group_close_port_22.py\", line 79, in remediate"
time=2020-11-30T17:10:19.6370223Z caller=logger.go:171 level=error LEVEL=ERROR message="failed processing message" message_id=0xc00029cf88 error="exit status 1"
time=2020-11-30T17:10:19.6461869Z caller=logger.go:173 level=info message=logcall(
time=2020-11-30T17:10:19.7257327Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/security_group_close_port_22.py\", line 30, in logcall"
time=2020-11-30T17:10:19.7858389Z caller=logger.go:173 level=info message="logging.info(f(*args, **kwargs))"
time=2020-11-30T17:10:19.8253081Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/.packages/botocore/client.py\", line 316, in _api_call"
time=2020-11-30T17:10:19.861883Z caller=logger.go:173 level=info message="return self._make_api_call(operation_name, kwargs)"
time=2020-11-30T17:10:19.9028428Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/.packages/botocore/client.py\", line 635, in _make_api_call"
time=2020-11-30T17:10:19.9448462Z caller=logger.go:173 level=info message="raise error_class(parsed_response, operation_name)"
time=2020-11-30T17:10:19.9860895Z caller=logger.go:173 level=info message="botocore.exceptions.ClientError: An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group."
```
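An added example, not the project's code, of the check the traceback above is missing: the job revokes the ::/0 rule right after the 0.0.0.0/0 one without confirming it exists, and RevokeSecurityGroupIngress answers InvalidPermission.NotFound when the group has no such rule. The example describes the group first, builds one revocation containing only the world-open 22/tcp rules actually present, sets aside rules that cover port 22 inside a wider range (EC2 revokes whole rules only, so a 22/22 revoke against a 0-1024 rule is also NotFound), and treats a NotFound raised by the revoke itself as already remediated. The security group, the stand-in EC2 client and all names are this example's own constructions so it runs offline.

```python
# Added example (not the project's code): revoke only the port-22 rules that exist.
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"


def world_open_tcp_rules(security_group, port=22):
    """Split the group's world-open TCP rules that cover `port` into (exact, wider).

    security_group is one element of describe_security_groups()["SecurityGroups"].
    `exact` holds port/port rules shaped for revoke_security_group_ingress(IpPermissions=...),
    only with the world-open CIDRs (other CIDRs on the same rule are left alone).
    `wider` holds rules covering the port inside a larger range; those need a human
    decision, since revoking them closes more than the port and a port/port revoke
    against them would raise InvalidPermission.NotFound.
    """
    exact, wider = [], []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") != "tcp":
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None or not lo <= port <= hi:
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_V6]
        if not v4 and not v6:
            continue  # only specific CIDRs: nothing to remediate on this rule
        rule = {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi}
        if v4:
            rule["IpRanges"] = [{"CidrIp": OPEN_V4}]
        if v6:
            rule["Ipv6Ranges"] = [{"CidrIpv6": OPEN_V6}]
        (exact if (lo, hi) == (port, port) else wider).append(rule)
    return exact, wider


def revoke_world_open_port(ec2, group_id, port=22):
    """Describe, then revoke in one call only what is present. Returns a summary dict."""
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    exact, wider = world_open_tcp_rules(sg, port)
    revoked = []
    if exact:  # both address families in one request; no request at all when nothing matches
        try:
            ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=exact)
            revoked = exact
        except Exception as exc:  # botocore ClientError, matched by code to avoid the import
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "InvalidPermission.NotFound":
                raise
            # Rule vanished between describe and revoke: treat as already remediated.
    return {"revoked": revoked, "needs_manual_review": wider}


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client so the example runs offline."""

    def __init__(self, group, revoke_error_code=None):
        self.group, self.revoke_error_code = group, revoke_error_code
        self.revoke_calls = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.group]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoke_calls.append(IpPermissions)
        if self.revoke_error_code:
            exc = Exception(self.revoke_error_code)
            exc.response = {"Error": {"Code": self.revoke_error_code}}  # mimics ClientError.response
            raise exc
        return {"Return": True}


# Constructed group mirroring the log above: 22/tcp open to IPv4 only (no ::/0 rule),
# plus a wide 0-1024/tcp rule open to IPv6 and an unrelated UDP rule.
SAMPLE_SG = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": OPEN_V4}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": OPEN_V6}]},
        {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": OPEN_V4}]},
    ],
}


def demo():
    client = FakeEC2(SAMPLE_SG)
    return revoke_world_open_port(client, "sg-example"), client.revoke_calls


if __name__ == "__main__":
    print(demo())
```

Against the sample the single revoke carries only the IPv4 22/tcp rule, the 0-1024 IPv6 rule is reported instead of touched, and the 10.0.0.0/8 entry survives; a group with no matching rule produces no API call at all, which is the case the job in the log mishandles.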
When running the s3_enable_access_logging job without the s3:ListBucket permission I'm getting this error: botocore.exceptions.ClientError: An error occurred (403) when calling the HeadBucket operation: Forbidden.
The job has two issues that need to be addressed:
s3:ListBucket
Thanks