Skip to content
This repository has been archived by the owner on Nov 19, 2023. It is now read-only.

revoke IAM function is broken #207

Open
deepakdimri-ce opened this issue Apr 20, 2021 · 2 comments
Open

revoke IAM function is broken #207

deepakdimri-ce opened this issue Apr 20, 2021 · 2 comments

Comments

@deepakdimri-ce
Copy link

revoke IAM function is not removing anomalous IAM grant and failing with the error. The sequence of event is. Editor Role is added to the user -> ETD detect the anomalous IAM grant ->notification is sent to pub/sub topic -> router function is triggered and it ends with below error:

  "textPayload": "Function error: rule \"primitive_roles_used\" not found\n",
  "insertId": "000000-04a48b94-c35c-46c6-992a-3d69008063ac",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "project_id": "contextawaredemo",
      "region": "us-central1",
      "function_name": "Router"
    }
  },
  "timestamp": "2021-04-20T16:52:01.517Z",
  "severity": "ERROR",
  "labels": {
    "execution_id": "3wveqhtzcx7u"
  },
  "logName": "projects/contextawaredemo/logs/cloudfunctions.googleapis.com%2Fcloud-functions",
  "trace": "projects/contextawaredemo/traces/595dd3806b3d87fc755af0d321519a7d",
  "receiveTimestamp": "2021-04-20T16:52:10.760507042Z"
}{
  "textPayload": "Function execution took 795 ms, finished with status: 'error'",
  "insertId": "000000-9bc7c7f2-94b9-4223-b5a6-152edc834e56",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "region": "us-central1",
      "function_name": "Router",
      "project_id": "contextawaredemo"
    }
  },
  "timestamp": "2021-04-20T16:52:01.518602264Z",
  "severity": "DEBUG",
  "labels": {
    "execution_id": "3wveqhtzcx7u"
  },
  "logName": "projects/contextawaredemo/logs/cloudfunctions.googleapis.com%2Fcloud-functions",
  "trace": "projects/contextawaredemo/traces/595dd3806b3d87fc755af0d321519a7d",
  "receiveTimestamp": "2021-04-20T16:52:10.760507042Z"
} {
  "textPayload": "2021/04/20 16:52:02 /workspace/serverless_function_source_code/clients/logger.go:60: failed to publish: \"failed to check if project \\\"\\\" is within the target or is excluded: failed to get project ancestry path: googleapi: got HTTP response code 404 with body: <!DOCTYPE html>\\n<html lang=en>\\n  <meta charset=utf-8>\\n  <meta name=viewport content=\\\"initial-scale=1, minimum-scale=1, width=device-width\\\">\\n  <title>Error 404 (Not Found)!!1</title>\\n  <style>\\n    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}\\n  </style>\\n  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>\\n  <p><b>404.</b> <ins>That’s an error.</ins>\\n  <p>The requested URL <code>/v1/projects/:getAncestry?alt=json&amp;prettyPrint=false</code> was not found on this server.  <ins>That’s all we know.</ins>\\n\"",
  "insertId": "000000-c022de2e-061b-4313-877d-2c11626c09b3",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "region": "us-central1",
      "project_id": "contextawaredemo",
      "function_name": "Router"
    }
  },
  "timestamp": "2021-04-20T16:52:02.359Z",
  "labels": {
    "execution_id": "5ec566o4hprl"
  },
  "logName": "projects/contextawaredemo/logs/cloudfunctions.googleapis.com%2Fcloud-functions",
  "trace": "projects/contextawaredemo/traces/974a900f1a0cf9f0c44f78e81cd36a94",
  "receiveTimestamp": "2021-04-20T16:52:11.218877036Z"
}```
@deepakdimri-ce
Copy link
Author

hi @daniel-cit, can you help with issue #207?

@daniel-cit
Copy link
Contributor

Hi @deepakdimri-ce.
By your description, your example is triggering a SHA finding, not an ETD finding:

 "textPayload": "Function error: rule \"primitive_roles_used\" not found\n",

which is the SHA finding PRIMITIVE_ROLES_USED

A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer. 
These roles are too permissive and shouldn't be used. 
Instead, they should be assigned per project only.

which is not a SHA finding supported by security-response-automation

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@daniel-cit @deepakdimri-ce