Describe the bug
When running the steampipe-plugin-aws for perimeter security checks on AWS ECS, the following issues were observed:
1. Unexpected AWS permission errors:
• Despite granting AdministratorAccess to both the ECS task role and the target account role, errors such as RepositoryPolicyNotFoundException still occur.
• Running the same queries locally with AWS SSO does not face these issues, raising the question of whether additional resource-based policies are required for ECS that aren’t needed locally.
• Even resources that are not in use are incorrectly flagged with errors.
2. JSON export failure:
• When the AWS permission errors occur, exporting results to JSON crashes with the following error:
Error: invalid character ',' looking for beginning of value
• This suggests that the AWS permission error responses are not being properly handled, leading to corrupted JSON output.
• The issue closely resembles the problem mentioned in a related Powerpipe [issue #665](#665).
Powerpipe version (`powerpipe -v`)
• Steampipe version: 1.0.1
• Powerpipe version: 1.0.1
• AWS plugin version: 1.5.0
• Mod-perimeter version: 1.0.1
To reproduce
Deploy Steampipe on an AWS ECS task
Attempt to export the query results to JSON.
Expected behavior
• The AWS perimeter security checks should execute successfully without encountering permission errors when administrator permissions are granted.
• JSON export should not crash due to AWS permission errors but instead handle them gracefully.
Additional context
• Not an IAM issue: Administrator access was provided, and some data is successfully retrieved before the error occurs.
• Not a memory issue: The ECS task was run with sufficient resources (4 vCPU, 8 GB RAM), ruling out resource constraints.
• Queries run successfully in a local environment using AWS SSO credentials, but fail on ECS with the same permissions.
• The errors are affecting all resources, even those that are not actively in use.
• ECS task is running in a private subnet with outbound access via a NAT gateway.
• JSON export crashes when permission errors occur, potentially due to improper handling of AWS API responses.
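As an added illustration (not Powerpipe's or Steampipe's actual export code), the Go snippet below shows one way a row-by-row JSON export can produce exactly the `invalid character ',' looking for beginning of value` error reported above: a row whose AWS call failed is skipped after the array separator has already been written, leaving `,,` in the output. Beside it is a variant that records the failure as an explicit error object so the document stays valid and the permission error remains visible; `Row`, `exportNaive`, `exportSafe` and `checkExport` are assumed names, and the sample rows are constructed.

```go
package main

import "encoding/json"
import "strings"

// Row is one query result; Err is set when its AWS call failed (constructed type).
type Row struct{ Resource string; Err error }

// exportNaive emits the separator before checking the row, so a failed row leaves ",," behind.
func exportNaive(rows []Row) string {
	var sb strings.Builder
	sb.WriteString("[")
	for i, r := range rows {
		if i > 0 {
			sb.WriteString(",")
		}
		if r.Err != nil {
			continue // nothing written for this row, but the comma already is
		}
		b, _ := json.Marshal(map[string]string{"resource": r.Resource})
		sb.Write(b)
	}
	sb.WriteString("]")
	return sb.String()
}

// exportSafe keeps failed rows as explicit error objects: the document stays
// valid JSON and the permission error is visible instead of silently dropped.
func exportSafe(rows []Row) string {
	out := make([]map[string]string, 0, len(rows))
	for _, r := range rows {
		m := map[string]string{"resource": r.Resource}
		if r.Err != nil {
			m["error"] = r.Err.Error()
		}
		out = append(out, m)
	}
	b, _ := json.Marshal(out)
	return string(b)
}

// checkExport returns the decoder's message and byte offset for a bad export.
func checkExport(doc string) (string, int64, bool) {
	var v interface{}
	err := json.Unmarshal([]byte(doc), &v)
	if se, ok := err.(*json.SyntaxError); ok {
		return se.Error(), se.Offset, false
	}
	return "", 0, err == nil
}
```

Running `checkExport` over an exported file is a quick way to confirm whether the crash is a malformed document and where the first bad byte sits.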