Prowler gets stuck / fails when running Lambda check against account with LZA #4209

Closed
js37 opened this issue Jun 7, 2024 · 3 comments

js37 commented Jun 7, 2024

Steps to Reproduce

When running this awslambda check on an account that has Landing Zone Accelerator deployed, Prowler gets stuck.

prowler aws -c awslambda_function_no_secrets_in_code

When running in log-level INFO mode, this is the output

Executing 1 check, please wait...

2024-06-07 13:52:53,152 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'List Functions' function across 17 regions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,154 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,154 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,667 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ca-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,667 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,837 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,906 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,906 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,908 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,913 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-southeast-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,913 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,914 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,919 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,919 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,936 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,936 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,979 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: sa-east-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,991 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-north-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,034 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: us-west-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,175 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,221 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-south-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,427 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-southeast-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,488 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,630 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,630 [File: awslambda_service.py:158] 	[Module: awslambda_service]	 INFO: Lambda - List Tags...

2024-06-07 13:52:59,531 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'Get Policy' function across 17 regions...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,539 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,539 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,540 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:53:01,307 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'Get Function Url Config' function across 17 regions...

2024-06-07 13:53:01,307 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,307 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,309 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,309 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,313 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,314 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,314 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:05,012 [File: awslambda_service.py:66] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function Code...

When running in log-level debug, the last thing that would print out is
DEBUG: https://awslambda-us-west-2-tasks.s3.us-west-2.amazonaws.com:443 "GET /snapshots/<account ID>/<function name>

I have tested this check, and it works on other accounts.

Expected behavior

I expect the scan to complete. The ClientErrors due to having service control policies are fine. I expect the scan to finish with no results if it is due to a permission problem.

Actual Result with Screenshots or Logs

In description above.

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Prowler 4.2.4 (You are running the latest version, yay!)

OS used

MacOS

Prowler version

4.2.4

Pip version

24

Context

No response
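One way to triage an INFO log like the one in this report, as an added example that is not part of the original issue or of Prowler's code: it separates per-region service control policy denials from other errors and reports the last stage logged before output stopped. The `triage` function, both regexes and the shortened sample log are assumptions built from the line format quoted above.

```python
import re

# Prowler log line: "<date> <time> [File: f.py:N] [Module: m] LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[File: (?P<file>[\w.]+):(?P<line>\d+)\]\s+"
    r"\[Module: (?P<module>\w+)\]\s+(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Error message produced when an SCP explicitly denies the API call in a region
SCP_RE = re.compile(
    r"^(?P<region>[a-z0-9-]+) -- ClientError\[\d+\]: .*"
    r"when calling the (?P<op>\w+) operation: .*"
    r"explicit deny in a service control policy"
)

# Constructed sample: a shortened excerpt in the format of the log quoted in the issue
SAMPLE_LOG = """\
2024-06-07 13:52:53,152 [File: service.py:85] [Module: service] INFO: LAMBDA - Starting threads for 'List Functions' function across 17 regions...
2024-06-07 13:52:53,152 [File: awslambda_service.py:29] [Module: awslambda_service] INFO: Lambda - Listing Functions...
2024-06-07 13:52:53,667 [File: awslambda_service.py:59] [Module: awslambda_service] ERROR: ca-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:53,906 [File: awslambda_service.py:59] [Module: awslambda_service] ERROR: eu-west-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy
2024-06-07 13:52:54,630 [File: awslambda_service.py:158] [Module: awslambda_service] INFO: Lambda - List Tags...
2024-06-07 13:52:59,535 [File: awslambda_service.py:106] [Module: awslambda_service] INFO: Lambda - Getting Policy...
2024-06-07 13:53:01,307 [File: awslambda_service.py:129] [Module: awslambda_service] INFO: Lambda - Getting Function URL Config...
2024-06-07 13:53:05,012 [File: awslambda_service.py:66] [Module: awslambda_service] INFO: Lambda - Getting Function Code...
"""

def triage(log_text):
    """Group SCP-denied regions by API operation and find the last stage logged."""
    denied, other_errors, last_stage = {}, [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        if m["level"] == "INFO":
            last_stage = m["msg"]  # stage reached before the output stopped
        elif m["level"] in ("ERROR", "CRITICAL"):
            scp = SCP_RE.match(m["msg"])
            if scp:
                denied.setdefault(scp["op"], set()).add(scp["region"])
            else:
                other_errors.append(m["msg"])
    return {
        "scp_denied": {op: sorted(regions) for op, regions in denied.items()},
        "other_errors": other_errors,
        "last_stage": last_stage,
    }
```

On the sample, the denials are confined to `ListFunctions` in the SCP-restricted regions and the last stage is the function code download, which is where the scan in this report stopped producing output.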

@js37 js37 added bug status/needs-triage Issue pending triage labels Jun 7, 2024
@jfagoagas jfagoagas added question and removed bug status/needs-triage Issue pending triage labels Jun 11, 2024
@jfagoagas jfagoagas self-assigned this Jun 11, 2024
@jfagoagas
Member

Hi @js37, it seems that Prowler is just executing that check. It can take a lot of time if you have a lot of lambdas with a great codebase since Prowler analyzes all the source code in memory while running the check.

How many AWS Lambda Functions do you have in that account?

Thanks for using Prowler 🚀

@jfagoagas jfagoagas added the provider/aws Issues/PRs related with the AWS provider label Jun 11, 2024
@jfagoagas jfagoagas changed the title [Bug]: Prowler gets stuck / fails when running Lambda check against account with LZA Prowler gets stuck / fails when running Lambda check against account with LZA Jul 17, 2024
@jfagoagas
Member

I will close this issue since there has been no reply since June. Please @js37 feel free to reopen it if you have any update on the issue or the above comment. If you can, please try that out again with Prowler v4.3.3 and let us know.

Thanks for using Prowler 🚀

razhamma commented Sep 6, 2024

  • Facing the same issue.
  • Prowler scan gets stuck on this check awslambda_function_no_secrets_in_code and later on the Prowler process gets stopped.

Additional Information:

  • Number of Lambda Functions in the account = 2249
  • Prowler running on EC2 instance of type r6i.2xlarge (4 vCPUs and 32GiB RAM)
  • Prowler command is as follows:
    /usr/local/bin/prowler aws -R arn:$AWSPARTITION:iam::$ACCOUNTID:role/$IAM_CROSS_ACCOUNT_ROLE --compliance aws_well_architected_framework_security_pillar_aws aws_account_security_onboarding_aws aws_audit_manager_control_tower_guardrails_aws aws_foundational_security_best_practices_aws aws_foundational_technical_review_aws aws_well_architected_framework_reliability_pillar_aws cis_3.0_aws -M csv json-ocsf html -f $REGION_LIST ${FINDING_OUTPUT:-} -T 43200 --verbose | tee output/stdout-$ACCOUNTID.txt 1>/dev/null
    
  • Execution Cycle: 1 Account 3 Regions

Troubleshooting:

  • If I supply the following arguments, Prowler errors out with unidentified arguments DEBUG,INFO,WARNING,ERROR,CRITICAL
    --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL} --log-file <file_name>.json
    
  • Have tried supplying retries-max-attempts 5 to rule out API throttling but with no success.
