
Prowler gets stuck / fails when running Lambda check against account with LZA

Open js37 opened this issue 8 months ago • 1 comments

Steps to Reproduce

When running this awslambda check on an account that has Landing Zone Accelerator deployed, Prowler gets stuck.

prowler aws -c awslambda_function_no_secrets_in_code

When running in log-level INFO mode, this is the output

Executing 1 check, please wait...

2024-06-07 13:52:53,152 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'List Functions' function across 17 regions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,152 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,153 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,154 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,154 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,667 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ca-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,667 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,837 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,906 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,906 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,908 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,913 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-southeast-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,913 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,914 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,919 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-central-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,919 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,936 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,936 [File: awslambda_service.py:29] 	[Module: awslambda_service]	 INFO: Lambda - Listing Functions...

2024-06-07 13:52:53,979 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: sa-east-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:53,991 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-north-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,034 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: us-west-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,175 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: eu-west-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,221 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-south-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,427 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-southeast-1 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,488 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-3 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,630 [File: awslambda_service.py:59] 	[Module: awslambda_service]	 ERROR: ap-northeast-2 -- ClientError[32]: An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: <ARN> is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny in a service control policy

2024-06-07 13:52:54,630 [File: awslambda_service.py:158] 	[Module: awslambda_service]	 INFO: Lambda - List Tags...

2024-06-07 13:52:59,531 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'Get Policy' function across 17 regions...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,539 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,539 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,540 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,535 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,537 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:52:59,536 [File: awslambda_service.py:106] 	[Module: awslambda_service]	 INFO: Lambda - Getting Policy...

2024-06-07 13:53:01,307 [File: service.py:85] 	[Module: service]	 INFO: LAMBDA - Starting threads for 'Get Function Url Config' function across 17 regions...

2024-06-07 13:53:01,307 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,307 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,309 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,309 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,308 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,313 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,314 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:01,314 [File: awslambda_service.py:129] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function URL Config...

2024-06-07 13:53:05,012 [File: awslambda_service.py:66] 	[Module: awslambda_service]	 INFO: Lambda - Getting Function Code...

When running in log-level debug, the last thing that would print out is DEBUG: https://awslambda-us-west-2-tasks.s3.us-west-2.amazonaws.com:443 "GET /snapshots/<account ID>/<function name>

I have tested this check, and it works on other accounts.

Expected behavior

I expect the scan to complete. The ClientErrors due to having service control policies are fine. I expect the scan to finish with no results if it is due to a permission problem.

Actual Result with Screenshots or Logs

In description above.

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Prowler 4.2.4 (You are running the latest version, yay!)

OS used

MacOS

Prowler version

4.2.4

Pip version

24

Context

No response

js37, Jun 07 '24 21:06
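A triage helper for the INFO log in the report above, added here as an example (it is not part of the original issue or of Prowler's code): it parses the log format shown, groups the service-control-policy denials by API operation and region, and reports the last stage logged before the run stalled. The name `triage` and the abridged sample lines are constructed for illustration.

```python
import re

# Constructed sample: abridged lines in the shape of the log in the report
# (<ARN> is the report's own redaction placeholder).
_DENY = ("{ts} [File: awslambda_service.py:59] \t[Module: awslambda_service]\t ERROR: "
         "{region} -- ClientError[32]: An error occurred (AccessDeniedException) when "
         "calling the ListFunctions operation: User: <ARN> is not authorized to perform: "
         "lambda:ListFunctions on resource: * with an explicit deny in a service control policy")
SAMPLE_LOG = "\n".join([
    "2024-06-07 13:52:53,152 [File: service.py:85] \t[Module: service]\t INFO: LAMBDA - "
    "Starting threads for 'List Functions' function across 17 regions...",
    _DENY.format(ts="2024-06-07 13:52:53,667", region="ca-central-1"),
    _DENY.format(ts="2024-06-07 13:52:53,906", region="eu-west-3"),
    "2024-06-07 13:53:05,012 [File: awslambda_service.py:66] \t[Module: awslambda_service]\t "
    "INFO: Lambda - Getting Function Code...",
])

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[File: (?P<file>[^:\]]+):(?P<lineno>\d+)\]\s+"
    r"\[Module: (?P<module>[^\]]+)\]\s+(?P<level>[A-Z]+): (?P<msg>.*)$")
ERR_RE = re.compile(
    r"^(?P<region>[a-z0-9-]+) -- ClientError\[\d+\]: .*?when calling the (?P<op>\w+) operation")
SCP_MARK = "explicit deny in a service control policy"

def triage(log_text):
    """Summarise a run: SCP-denied regions per operation and the last stage logged."""
    summary = {"regions_total": None, "scp_denied": {}, "other_errors": [], "last_stage": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, banner text, anything not in the log format
        msg = m["msg"]
        if m["level"] == "INFO":
            summary["last_stage"] = msg  # the final value is where the run stopped logging
            n = re.search(r"across (\d+) regions", msg)
            if n and summary["regions_total"] is None:
                summary["regions_total"] = int(n.group(1))
        elif m["level"] == "ERROR":
            e = ERR_RE.match(msg)
            if e and SCP_MARK in msg:
                summary["scp_denied"].setdefault(e["op"], set()).add(e["region"])
            else:
                summary["other_errors"].append(msg)  # errors that are not SCP denials
    return summary
```

Subtracting the denied regions from `regions_total` leaves the regions the SCP still allows, which narrows where the stalled step can be running.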