mondoohq / cnquery

open source, cloud-native, graph-based asset inventory

Home Page:https://cnquery.io

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

AWS: permission Field Missing in S3 Bucket Grant Structure && Resolve PermanentRedirect Error for S3 GetBucketLogging in CloudTrail Queries

HRouhani opened this issue · comments

(Update 28th Feb)

AWS has enhanced the user experience for the S3 service, particularly concerning server access logging. Now, when we enable server access logging via the S3 console, AWS automates the bucket policy update, granting the necessary permissions to the S3 log delivery group. This enhancement simplifies the setup by removing the need to manually change the bucket policy to permit log file delivery.

So we can come back to this issue when necessary.

Related to: S3 bucket access logging is enabled on the CloudTrail S3 bucket (no longer relevant)

Issue 1:

Description

When attempting to compile a query that filters AWS CloudTrail trails based on S3 bucket ACL permissions, I encountered a compilation error stating that the field 'permission' cannot be found.


I could not find any function in cnquery except the following in aws.lr:

```
// List of access control grants associated with the bucket
acl() []aws.s3.bucket.grant
```

Issue 2:

Description
When executing a query to check for non-empty TargetBucket in S3 bucket logging configurations across AWS CloudTrail trails, a PermanentRedirect error is encountered, indicating that the S3 bucket access is being attempted via an incorrect endpoint.

Steps to Reproduce
Run the query to filter AWS CloudTrail trails based on the condition that their associated S3 bucket logging TargetBucket is not empty:

```
aws.cloudtrail.trails {s3bucket.logging.TargetBucket != empty}
```


The operation fails with a PermanentRedirect error, suggesting that the bucket access attempt is made to an incorrect endpoint. The error includes a status code of 301, along with a request ID and a detailed host ID, advising to send future requests to a specified endpoint.

Error:

```text
operation error S3: GetBucketLogging, https response error StatusCode: 301, RequestID: 3Q34697NF4EEVFMH, HostID: pArwilhQhadXCVEu6RJP4DVRYvO2ld32bJt1FDlrZVX/hLPp6GoF87ta16VLrWHoV7cbUHTiBgAPJneFEp9CGg==, api error PermanentRedirect: The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.
```

Possible Solutions

Endpoint Correction: Ensure that the AWS SDK is configured to use the correct regional endpoint corresponding to the S3 bucket's location.

SDK/Client Configuration: Review and adjust the AWS SDK or client configuration to automatically handle or correct endpoint redirection based on the bucket region.

Error Handling Improvement: Implement enhanced error handling to catch PermanentRedirect errors and automatically retry the request with the correct endpoint as suggested by the error message.
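Added example (not cnquery's own code) of the region lookup behind the "Endpoint Correction" suggestion: a HEAD request to the bucket returns 301 PermanentRedirect when sent to the wrong region, but S3 still includes the bucket's home region in the `x-amz-bucket-region` header, which is enough to build the right endpoint before calling GetBucketLogging. `ResolveBucketRegion`, `bucketHost` and the offline `fakeS3` transport are hypothetical helpers using only the standard library; in cnquery the resolved region would be passed to the SDK's S3 client instead.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// bucketHost is the virtual-hosted-style S3 host for a bucket in a region.
func bucketHost(bucket, region string) string {
	if region == "us-east-1" {
		return bucket + ".s3.amazonaws.com"
	}
	return bucket + ".s3." + region + ".amazonaws.com"
}
// ResolveBucketRegion sends HEAD to the bucket via the caller's current region. S3 answers
// 301 PermanentRedirect when that region is wrong but still sets x-amz-bucket-region.
func ResolveBucketRegion(rt http.RoundTripper, bucket, currentRegion string) (string, error) {
	noFollow := func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := (&http.Client{Transport: rt, CheckRedirect: noFollow}).Head("https://" + bucketHost(bucket, currentRegion) + "/")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	if region := resp.Header.Get("x-amz-bucket-region"); region != "" {
		return region, nil // read regardless of the status code (200, 301 or 403)
	}
	return "", fmt.Errorf("HEAD %s: status %d without x-amz-bucket-region", bucket, resp.StatusCode)
}

// fakeS3 is a constructed stand-in for S3 so the example runs offline: it
// answers 200 when the request host matches the bucket's home region, else 301.
type fakeS3 map[string]string // bucket name -> home region
func (f fakeS3) RoundTrip(req *http.Request) (*http.Response, error) {
	bucket := strings.SplitN(req.URL.Host, ".", 2)[0]
	home, ok := f[bucket]
	if !ok { // unknown bucket: no region header, like S3's NoSuchBucket
		return &http.Response{StatusCode: 404, Header: http.Header{}, Body: http.NoBody}, nil
	}
	status := 200
	if req.URL.Host != bucketHost(bucket, home) {
		status = 301 // the PermanentRedirect from the issue's GetBucketLogging call
	}
	return &http.Response{StatusCode: status, Header: http.Header{"X-Amz-Bucket-Region": {home}}, Body: http.NoBody}, nil
}

func main() { // constructed sample: the bucket lives in eu-central-1, the client starts in us-east-1
	region, err := ResolveBucketRegion(fakeS3{"ct-logs-sample": "eu-central-1"}, "ct-logs-sample", "us-east-1")
	if err != nil {
		panic(err)
	}
	fmt.Println("GetBucketLogging must be sent to", bucketHost("ct-logs-sample", region))
}
```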