
Securityhub upload finding - Botocore ParamValidationError for aws.lambda with encrypted env variables #7977

Closed
jare19 opened this issue Nov 8, 2022 · 2 comments

jare19 commented Nov 8, 2022

Describe the bug

When the policy is attempting to upload the finding to securityhub, the policy run fails and ends execution.

This is the error below:
botocore.exceptions.ParamValidationError: Parameter validation failed: Unknown parameter in Findings[0].Resources[0].Details.AwsLambdaFunction: "KMSKeyArn", must be one of: Code, CodeSha256, DeadLetterConfig, Environment, FunctionName, Handler, KmsKeyArn, LastModified, Layers, MasterArn, MemorySize, RevisionId, Role, Runtime, Timeout, TracingConfig, VpcConfig, Version[ERROR] ParamValidationError: Parameter validation failed:

What did you expect to happen?

I expected to have the policy run complete successfully and upload the finding to securityhub.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

Worth noting here that I am requiring c7n 9.20, but it looks like the last release did not bump the c7n version from 9.19, even though a spot check on a file shows that the updates from the 9.20 release made it in.
https://github.com/cloud-custodian/cloud-custodian/blob/0.9.20.0/c7n/version.py

Requirements.txt
c7n==0.9.20
c7n-org==0.6.19
Please copy/paste the following info along with any bug reports:

Custodian:   0.9.19
Python:      3.9.4 (default, Apr  5 2021, 01:50:46) 
             [Clang 12.0.0 (clang-1200.0.32.29)]
Platform:    posix.uname_result(sysname='Darwin', nodename='MCHIFVFXV1WW', release='21.6.0', version='Darwin Kernel Version 21.6.0: Mon Aug 22 20:17:10 PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64', machine='x86_64')
Using venv:  True
Docker: False
Installed: 

argcomplete==2.0.0
attrs==22.1.0
boto3==1.24.88
botocore==1.27.88
docutils==0.17.1
importlib-metadata==4.13.0
importlib-resources==5.9.0
jmespath==1.0.1
jsonschema==4.16.0
pkgutil-resolve-name==1.3.10
pyrsistent==0.18.1
python-dateutil==2.8.2
pyyaml==6.0
s3transfer==0.6.0
six==1.16.0
tabulate==0.8.10
typing-extensions==4.3.0
urllib3==1.26.12
zipp==3.8.1

Policy

- name: lambda-testing
  comments: REDACTED
  resource: aws.lambda
  conditions:
  - type: value
    key: region
    op: eq
    value: us-east-1
  filters:
  - type: value
    key: FunctionName
    op: eq
    value: a-test-function-with-encrypted-envvars
  actions:
  - type: post-finding
    severity_label: MEDIUM
    recommendation: REDACTED
    compliance_status: FAILED
    types:
    - Software and Configuration Checks
    recommendation_url: REDACTED

  mode:
    execution-options:
      output_dir: s3://{output_bucket}/logs/{account_id}/{region}
      assume_role: REDACTED
    role: REDACTED
    schedule: rate(1 hour)
    dead_letter_config:
      TargetArn: REDACTED
    tags:
        REDACTED
    type: periodic

Relevant log/traceback output

error during policy execution
Traceback (most recent call last):
  File "/var/task/c7n/handler.py", line 165, in dispatch_event
    p.push(event, context)
  File "/var/task/c7n/policy.py", line 1288, in push
    return mode.run(event, lambda_ctx)
  File "/var/task/c7n/policy.py", line 583, in run
    return PullMode.run(self)
  File "/var/task/c7n/policy.py", line 364, in run
    results = a.process(resources)
  File "/var/task/c7n/resources/securityhub.py", line 444, in process
    import_response = self.manager.retry(
  File "/var/task/c7n/utils.py", line 446, in _retry
    return func(*args, **kw)
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 691, in _make_api_call
    request_dict = self._convert_to_request_dict(
  File "/var/runtime/botocore/client.py", line 739, in _convert_to_request_dict
    request_dict = self._serializer.serialize_to_request(
  File "/var/runtime/botocore/validate.py", line 360, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())
botocore.exceptions.ParamValidationError: Parameter validation failed:
Unknown parameter in Findings[0].Resources[0].Details.AwsLambdaFunction: "KMSKeyArn", must be one of: Code, CodeSha256, DeadLetterConfig, Environment, FunctionName, Handler, KmsKeyArn, LastModified, Layers, MasterArn, MemorySize, RevisionId, Role, Runtime, Timeout, TracingConfig, VpcConfig, Version[ERROR] ParamValidationError: Parameter validation failed:

Extra information or context

I believe the issue is that c7n is sending KMSKeyArn to Security Hub when it should be KmsKeyArn.
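The mismatch in the traceback is a key-spelling difference between two AWS APIs: Lambda's GetFunctionConfiguration response uses `KMSKeyArn`, while the Security Hub ASFF `AwsLambdaFunction` details object only accepts `KmsKeyArn`, so passing the Lambda field through untouched makes botocore reject the whole BatchImportFindings call. The following is an added example (not Cloud Custodian code) of a local pre-flight that renames the differing key, keeps only the members botocore listed as accepted, and reports leftover unknown keys before any Security Hub call is made. The accepted-member list is copied from the error message in this issue; the function configuration, ARNs and helper names (`lambda_config_to_asff_details`, `build_finding_resource`) are constructed for the example.

```python
"""Pre-flight check for Security Hub Lambda findings.

Added example, not Cloud Custodian code. The accepted-member list is copied
from the botocore error in this issue; the sample function configuration is
constructed and its ARNs/values are placeholders.
"""

# Member names botocore reported as valid for
# Findings[].Resources[].Details.AwsLambdaFunction (from the error message).
ALLOWED_LAMBDA_DETAIL_KEYS = frozenset({
    "Code", "CodeSha256", "DeadLetterConfig", "Environment", "FunctionName",
    "Handler", "KmsKeyArn", "LastModified", "Layers", "MasterArn",
    "MemorySize", "RevisionId", "Role", "Runtime", "Timeout",
    "TracingConfig", "VpcConfig", "Version",
})

# Lambda API key -> ASFF key, for the members whose spelling differs.
LAMBDA_TO_ASFF_RENAMES = {"KMSKeyArn": "KmsKeyArn"}


class InvalidLambdaDetails(ValueError):
    """Raised when a details dict holds keys Security Hub would reject."""


def unknown_lambda_detail_keys(details):
    """Return, sorted, the keys of ``details`` that are not accepted ASFF members."""
    return sorted(set(details) - ALLOWED_LAMBDA_DETAIL_KEYS)


def validate_lambda_details(details):
    """Raise InvalidLambdaDetails if ``details`` would fail botocore validation."""
    unknown = unknown_lambda_detail_keys(details)
    if unknown:
        raise InvalidLambdaDetails(
            "Unknown parameter(s) in Details.AwsLambdaFunction: "
            + ", ".join(unknown)
        )
    return details


def lambda_config_to_asff_details(config):
    """Map a GetFunctionConfiguration dict onto AwsLambdaFunction details.

    Keys with a different ASFF spelling are renamed; keys that are not ASFF
    members at all (for example ``FunctionArn``) are dropped rather than sent.
    """
    details = {}
    for key, value in config.items():
        asff_key = LAMBDA_TO_ASFF_RENAMES.get(key, key)
        if asff_key in ALLOWED_LAMBDA_DETAIL_KEYS:
            details[asff_key] = value
    return validate_lambda_details(details)


def build_finding_resource(config):
    """Build the ASFF ``Resources[]`` entry for one Lambda function."""
    return {
        "Type": "AwsLambdaFunction",
        "Id": config["FunctionArn"],
        "Details": {"AwsLambdaFunction": lambda_config_to_asff_details(config)},
    }


# Constructed sample shaped like a GetFunctionConfiguration response for a
# function with KMS-encrypted environment variables (all values placeholders).
SAMPLE_FUNCTION_CONFIG = {
    "FunctionName": "a-test-function-with-encrypted-envvars",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:"
                   "a-test-function-with-encrypted-envvars",
    "Runtime": "python3.9",
    "Role": "arn:aws:iam::123456789012:role/example-role",
    "Handler": "handler.main",
    "CodeSha256": "EXAMPLE-SHA256-PLACEHOLDER",
    "Version": "$LATEST",
    "MemorySize": 128,
    "Timeout": 3,
    "LastModified": "2022-11-08T00:00:00.000+0000",
    "Environment": {"Variables": {"DB_PASSWORD": "AQICAHh-ciphertext-placeholder"}},
    "KMSKeyArn": "arn:aws:kms:us-east-1:123456789012:key/"
                 "00000000-0000-0000-0000-000000000000",
    "RevisionId": "00000000-0000-0000-0000-000000000001",
}


if __name__ == "__main__":
    # The raw Lambda response trips the local check the same way botocore did...
    print(unknown_lambda_detail_keys(SAMPLE_FUNCTION_CONFIG))  # ['FunctionArn', 'KMSKeyArn']
    # ...while the translated resource carries KmsKeyArn and passes validation.
    resource = build_finding_resource(SAMPLE_FUNCTION_CONFIG)
    print(sorted(resource["Details"]["AwsLambdaFunction"]))
```

Running the local check before the upload turns a failed policy execution (which leaves the finding unreported) into an explicit, attributable error naming the offending key, and the rename table is the single place to extend if another Lambda field ever differs from its ASFF spelling.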


jare19 commented Nov 10, 2022

Please note my additional details here for the related/same issue #7960.

@ajkerrigan

Closed via #7998
