
post-finding security hub has issues with isoformat on ec2, asg and failing the lambda

See original GitHub issue

Describe the bug

The lambda generated to post a finding to Security Hub is failing on isoformat:

[ERROR] 2020-09-30T14:13:04.828Z 6f0773e7-732f-4784-b4a1-182702d42ba6 error during policy execution
Traceback (most recent call last):
  File "/var/task/c7n/handler.py", line 166, in dispatch_event
    p.push(event, context)
  File "/var/task/c7n/policy.py", line 1134, in push
    return mode.run(event, lambda_ctx)
  File "/var/task/c7n/policy.py", line 850, in run
    resources = super(ConfigRuleMode, self).run(event, lambda_context)
  File "/var/task/c7n/policy.py", line 450, in run
    return self.run_resource_set(event, resources)
  File "/var/task/c7n/policy.py", line 480, in run_resource_set
    results = action.process(resources)
  File "/var/task/c7n/resources/securityhub.py", line 409, in process
    finding = self.get_finding(
  File "/var/task/c7n/resources/securityhub.py", line 531, in get_finding
    finding_resources.append(self.format_resource(r))
  File "/var/task/c7n/resources/asg.py", line 739, in format_resource
    details['CreatedTime'] = details['CreatedTime'].isoformat()
AttributeError: 'int' object has no attribute 'isoformat'


To Reproduce

Used the following anchor for post-finding:

 post-finding-failed: &post-finding-failed  
    type: post-finding
    description: |
        mandatory tags are required on S3.
    title: "custodian-s3-mandatory-tags-missing"
    severity_normalized: 70
    types:
      - "Software and Configuration Checks/AWS Security Best Practices"
    recommendation: "Add data confidentiality tag to S3 buckets"
    recommendation_url: "https://wikiurk"
    compliance_status: FAILED
    severity_label: HIGH

Policy

 - name: ec2-mandatory-tag-check
   resource: ec2
   description: |
     The policy checks the ec2 required tags
   mode: *config-mode
   filters:
     - and: *filters-absent
     - "tag:aws:autoscaling:groupName": absent
   actions:
     - <<: *post-finding-failed
       title: "custodian-ec2-mandatory-tags-missing"
       description: "Mandatory tags are required on ec2"
     # - type: mark-for-op
     #   op: stop
     #   days: 7
     - <<: *notify
       violation_desc: "Mandatory Tags are missing on EC2"

ASG

 - name: asg-ec2-mandatory-tag-check
   resource: asg
   description: |
     The policy checks the asg required tags
   mode: *config-mode
   filters:
     - and: *filters-absent
   actions:
     - <<: *post-finding-failed
       title: "custodian-asg-ec2-mandatory-tags-missing"
       description: "Mandatory tags are required on asg"
     # - type: mark-for-op
     #   op: suspend
     #   days: 7
     - <<: *notify
       violation_desc: "Mandatory Tags are missing on ASG"

Expected behavior

Lambda should publish to Security Hub.

Background (please complete the following information):

  • Python Version: [e.g. python 3.8.1]
  • Custodian Version: [e.g. 0.9.4]
  • Tool Version: [if applicable]
  • Cloud Provider: [e.g. gcp, aws, azure]
  • Policy: [please exclude any account/sensitive information]

    policies:
      - name: check-buckets
        resource: aws.s3

  • Traceback: [if applicable, please exclude sensitive/account information]
  • custodian version --debug output

Additional context

Add any other context about the problem here.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (5 by maintainers)

Top GitHub Comments

1 reaction
kapilt commented, Oct 6, 2020

This issue is specific to config rule mode afaics, and we'll need to normalize the behavior when converting from Config's idiosyncratic formatting.

0 reactions
amitsehgal commented, Oct 1, 2020

EC2 and EBS return str, and ASG returns epoch time, and all three break with isoformat … obviously removing that works … I also tried the dateutil parser … works for EBS and EC2 … fails for ASG.
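The comments above describe three different shapes for the same `CreatedTime` field (a datetime from the describe API, an ISO string from AWS Config for EC2/EBS, and an epoch number for ASG in config-rule mode), which is exactly the normalization the maintainer says is needed. The block below is an added example, not Cloud Custodian's own code: `to_iso8601` is a hypothetical helper, `format_resource` is a simplified stand-in for the ASG step in the traceback, the sample `details` dicts are constructed, and the milliseconds heuristic is an assumption about what Config may emit.

```python
from datetime import datetime, timezone

# Constructed sample 'details' dicts mirroring the three shapes reported in the
# issue comments; the timestamps all denote 2020-09-30T14:13:04Z.
SAMPLE_DETAILS = {
    "api-datetime": {"CreatedTime": datetime(2020, 9, 30, 14, 13, 4, tzinfo=timezone.utc)},
    "config-ec2-str": {"CreatedTime": "2020-09-30T14:13:04.000Z"},
    "config-asg-epoch-s": {"CreatedTime": 1601475184},
    "config-asg-epoch-ms": {"CreatedTime": 1601475184000},  # assumption: ms variant
}


def to_iso8601(value):
    """Hypothetical helper: return an ISO 8601 UTC string for any CreatedTime shape.

    Accepts datetime (API), int/float epoch (ASG via Config) and ISO strings
    (EC2/EBS via Config); anything else is rejected rather than passed through.
    """
    if isinstance(value, datetime):
        if value.tzinfo is None:
            value = value.replace(tzinfo=timezone.utc)
        return value.astimezone(timezone.utc).isoformat()
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        # Assumption: an epoch larger than ~1e11 is milliseconds, not seconds.
        if value > 1e11:
            value = value / 1000.0
        return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    if isinstance(value, str):
        # Config emits a trailing 'Z'; fromisoformat() before Python 3.11 rejects it.
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc).isoformat()
    raise TypeError(f"unsupported CreatedTime type: {type(value).__name__}")


def format_resource(details):
    """Simplified stand-in for the ASG format_resource step from the traceback."""
    details = dict(details)  # do not mutate the caller's resource dict
    if "CreatedTime" in details:
        details["CreatedTime"] = to_iso8601(details["CreatedTime"])
    return details


if __name__ == "__main__":
    for label, details in SAMPLE_DETAILS.items():
        print(label, "->", format_resource(details)["CreatedTime"])
```

With this in place the same policy works in both pull mode and config-rule mode, because every shape collapses to one canonical UTC string before the finding is built.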
