steampipe-mod-aws-perimeter crashing in ECS #684

Open
adnankoroth opened this issue Jan 20, 2025 · 0 comments
Labels
bug Something isn't working

adnankoroth commented Jan 20, 2025

Describe the bug
When running the steampipe-plugin-aws for perimeter security checks on AWS ECS, the following issues were observed:
1. Unexpected AWS permission errors:
• Despite granting AdministratorAccess to both the ECS task role and the target account role, errors such as RepositoryPolicyNotFoundException still occur.
• Running the same queries locally with AWS SSO does not face these issues, raising the question of whether additional resource-based policies are required for ECS that aren’t needed locally.
• Even resources that are not in use are incorrectly flagged with errors.
2. JSON export failure:
• When the AWS permission errors occur, exporting results to JSON crashes with the following error:
Error: invalid character ',' looking for beginning of value
• This suggests that the AWS permission error responses are not being properly handled, leading to corrupted JSON output.
• The issue closely resembles the problem mentioned in a related Powerpipe [issue #665](#665).

Powerpipe version (powerpipe -v)
• Steampipe version: 1.0.1
• Powerpipe version: 1.0.1
• AWS plugin version: 1.5.0
• Mod-perimeter version: 1.0.1

To reproduce
1. Deploy Steampipe on an AWS ECS task.
2. Attempt to export the query results to JSON.

Expected behavior
• The AWS perimeter security checks should execute successfully without encountering permission errors when administrator permissions are granted.
• JSON export should not crash due to AWS permission errors but instead handle them gracefully.

Additional context
• Not an IAM issue: Administrator access was provided, and some data is successfully retrieved before the error occurs.
• Not a memory issue: The ECS task was run with sufficient resources (4vCPU 8GB RAM), ruling out resource constraints.
• Queries run successfully in a local environment using AWS SSO credentials, but fail on ECS with the same permissions.
• The errors are affecting all resources, even those that are not actively in use.
• ECS task is running in a private subnet with outbound access via a NAT gateway.
• JSON export crashes when permission errors occur, potentially due to improper handling of AWS API responses.

@adnankoroth adnankoroth added the bug Something isn't working label Jan 20, 2025