
Community Auditor Scan issues #97

Closed
adoraiswamy opened this issue Mar 16, 2020 · 3 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@adoraiswamy

I did a test using one of our common policies. The library call I make is as follows -

  • If I do parliament.analyze_policy_string(POLICY_ARN, include_community_auditors=True) it does the additional scan against community rules.
  • If not, it does not scan by default using the community rules.

Now that's fine and I'm happy to add the argument.

But then, say I scan for community rules and there is an invalid ARN, the code crashes. In my opinion, it should report the invalid ARN and continue scanning. If I do not scan for community rules, the code does not crash.

@0xdabbad00
Collaborator

Please include a sample policy and an example of the crash. This is not enough information for me to understand the problem.

To your first issue, not using the community auditors is the expected functionality. If you do not set include_community_auditors=True, the community auditors will not be used.

@adoraiswamy
Author

adoraiswamy commented Mar 17, 2020

Apologies for not providing enough detail. Here's a sample policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "test",
                "Effect": "Allow",
                "Action": "cloudformation:*",
                "Resource": "arn:aws:cloudformation:us-west-2:*"
            }
        ]
    }

Here's what I am running: parliament --file test.json --include-community-auditors

Here's the crash:

    Traceback (most recent call last):
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/bin/parliament", line 8, in <module>
        sys.exit(main())
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/cli.py", line 301, in main
        include_community_auditors=args.include_community_auditors,
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/__init__.py", line 69, in analyze_policy_string
        include_community_auditors,
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/policy.py", line 317, in analyze
        community_auditors[m].audit(self)
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/community_auditors/credentials_exposure.py", line 35, in audit
        actions = policy.get_allowed_actions()
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/policy.py", line 97, in get_allowed_actions
        allowed_resources = self.get_allowed_resources(parts[0], parts[1])
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/policy.py", line 133, in get_allowed_resources
        all_references = self.get_references(privilege_prefix, privilege_name)
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/policy.py", line 70, in get_references
        privilege_prefix, privilege_name
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/statement.py", line 361, in get_resources_for_privilege
        if is_arn_match(resource_type, arn_format, resource):
      File "/Users/arvind/.local/share/virtualenvs/aws_config_audit-iVknFGOg/lib/python3.7/site-packages/parliament/__init__.py", line 124, in is_arn_match
        raise Exception("Unexpected format for resource: {}".format(resource))
    Exception: Unexpected format for resource: arn:aws:cloudformation:us-west-2:*

@0xdabbad00
Collaborator

I think this is best resolved by just wrapping the community auditors in code to check for exceptions here:

logging.info(f"*** Checking with community auditor: {m}")

By doing:

            # Run them
            for m in community_auditors:
                logging.info(f"*** Checking with community auditor: {m}")
                try:
                    community_auditors[m].audit(self)
                except Exception as e:
                    self.add_finding("EXCEPTION", detail=str(e), location={"community_auditor": m})

The problem is that some findings will hide other findings by basically causing an exception to ignore further investigations because parliament doesn't know how to proceed. This was called out in #101. I think until #101 is given more thought, I cannot do something smarter here.
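The pattern proposed in the comment above, isolating each community auditor so that an exception in one becomes a reported finding instead of aborting the whole scan, as an added stand-alone example. This is not parliament's code: `split_arn`, the two auditors and `run_community_auditors` are hypothetical stand-ins, and the sample policy is the one from this issue (its Resource ARN has only five colon-separated fields, which is what made the real `is_arn_match` raise).

```python
import logging
from typing import Callable, Dict, List

# Sample policy from the issue (constructed here as a dict). The Resource ARN
# "arn:aws:cloudformation:us-west-2:*" is missing the sixth (resource) field.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "arn:aws:cloudformation:us-west-2:*",
        }
    ],
}


def split_arn(arn: str) -> List[str]:
    """Hypothetical stand-in for parliament's ARN parsing.

    A well-formed ARN has six colon-separated fields:
    arn:partition:service:region:account-id:resource (the resource field may
    itself contain colons). Anything shorter is rejected with an exception,
    mirroring the "Unexpected format for resource" error in the traceback.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise Exception(f"Unexpected format for resource: {arn}")
    return parts


def statements(policy: dict) -> List[dict]:
    """Normalise Statement to a list (a single statement may be a bare dict)."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


# --- two hypothetical community auditors (not parliament's real ones) ---

def audit_resource_arns(policy: dict, findings: List[dict]) -> None:
    """Parses every Resource ARN; raises on malformed input, like the real crash."""
    for stmt in statements(policy):
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for res in resources:
            if res != "*":
                split_arn(res)  # raises for the five-field ARN above


def audit_wildcard_actions(policy: dict, findings: List[dict]) -> None:
    """Flags Allow statements that grant a whole service via 'service:*'."""
    for stmt in statements(policy):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for action in actions:
            if stmt.get("Effect") == "Allow" and action.endswith(":*"):
                findings.append({"issue": "WILDCARD_ACTION", "detail": action,
                                 "location": {"sid": stmt.get("Sid")}})


COMMUNITY_AUDITORS: Dict[str, Callable[[dict, List[dict]], None]] = {
    "resource_arns": audit_resource_arns,
    "wildcard_actions": audit_wildcard_actions,
}


def run_community_auditors(policy: dict, auditors=COMMUNITY_AUDITORS) -> List[dict]:
    """Run every auditor. A crash inside one auditor is recorded as an
    EXCEPTION finding and the remaining auditors still run, which is the
    behaviour proposed in the issue instead of a hard crash."""
    findings: List[dict] = []
    for name, auditor in auditors.items():
        logging.info("*** Checking with community auditor: %s", name)
        try:
            auditor(policy, findings)
        except Exception as e:  # isolate the auditor; keep scanning
            findings.append({"issue": "EXCEPTION", "detail": str(e),
                             "location": {"community_auditor": name}})
    return findings


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for finding in run_community_auditors(SAMPLE_POLICY):
        print(finding)
```

Running this prints one EXCEPTION finding for the malformed ARN, attributed to the auditor that raised, followed by the WILDCARD_ACTION finding from the second auditor, which still ran. The caveat from the comment still applies: the auditor that raised stops at the first bad statement, so anything it would have reported afterwards is hidden behind that single EXCEPTION finding.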

@0xdabbad00 0xdabbad00 added bug Something isn't working good first issue Good for newcomers labels Apr 15, 2020