
Virus Definition Update Lambda Fails with error #1255

Open
surecloud-Awalia opened this issue Jul 15, 2024 · 3 comments

@surecloud-Awalia

Hello,

I am facing an issue with the Lambda which updates the virus definition bucket with the latest definitions. It is failing with the following error.
The virus definition bucket and the Lambda are created by the construct and we have no control over the bucket policy, so it's difficult to debug the issue and find the root cause. We are on the latest version of the clamscan construct and AWS CDK.

```
LAMBDA_WARNING: Unhandled exception. The most likely cause is an issue in the function code. However, in rare cases, a Lambda runtime update can cause unexpected function behavior. For functions using managed runtimes, runtime updates can be triggered by a function change, or can be applied automatically. To determine if the runtime has been updated, check the runtime version in the INIT_START log entry. If this error correlates with a change in the runtime version, you may be able to mitigate this error by temporarily rolling back to the previous runtime version. For more information, see https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html
[ERROR] S3UploadFailedError: Failed to upload /tmp/bytecode.cvd to dev-uk-datastore-devukdatastorevirusscanvirusscanv-k5xj2nsvajkp/bytecode.cvd: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
Traceback (most recent call last):
  File "/var/lang/lib/python3.12/site-packages/aws_lambda_powertools/logging/logger.py", line 450, in decorate
    return lambda_handler(event, context, *args, **kwargs)
  File "/var/task/lambda.py", line 39, in lambda_handler
    upload_s3_defs(download_path, defs_bucket)
  File "/var/task/lambda.py", line 66, in upload_s3_defs
    defs_bucket.upload_file(os.path.join(root, file), file)
  File "/var/lang/lib/python3.12/site-packages/boto3/s3/inject.py", line 235, in bucket_upload_file
    return self.meta.client.upload_file(
  File "/var/lang/lib/python3.12/site-packages/boto3/s3/inject.py", line 145, in upload_file
    return transfer.upload_file(
  File "/var/lang/lib/python3.12/site-packages/boto3/s3/transfer.py", line 377, in upload_file
    raise S3UploadFailedError(
```

Any help or suggestion would be appreciated. Let me know if more information is needed from my side.

@dontirun
Contributor

What are the bucket policy and lambda IAM role permissions? Did anything change between deployments?

@surecloud-Awalia
Author

surecloud-Awalia commented Jul 15, 2024

It is working fine when I am removing the last statement from the bucket policy.

```json
{
  "Effect": "Deny",
  "NotPrincipal": {
    "AWS": [
      "arn:aws:sts::{account_id}:assumed-role/dev-uk-datastore-devukdatastorevirusscanvirusscanDo-0w7SDX1bjPKj/dev-uk-datastore-devukdatastorevirusscanvirusscanD-PJSO3NUQPRsv",
      "arn:aws:iam::{account_id}:role/dev-uk-datastore-devukdatastorevirusscanvirusscanDo-0w7SDX1bjPKj"
    ]
  },
  "Action": "s3:PutObject*",
  "Resource": "arn:aws:s3:::dev-uk-datastore-devukdatastorevirusscanvirusscanv-k5xj2nsvajkp/*"
}
```

- `dev-uk-datastore-devukdatastorevirusscanvirusscanD-PJSO3NUQPRsv` - Lambda
- `arn:aws:s3:::dev-uk-datastore-devukdatastorevirusscanvirusscanv-k5xj2nsvajkp` - def bucket
- `arn:aws:iam::{account_id}:role/dev-uk-datastore-devukdatastorevirusscanvirusscanDo-0w7SDX1bjPKj` - Lambda role

@surecloud-Awalia
Author

Looks like the last statement does not need `*` for all objects for PutObject; it is working fine when I remove `/*` from the resource ARN, so it's just the bucket ARN.
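An added example, not code from the issue or from the construct itself: a small Python model of how a `Deny` / `NotPrincipal` statement of the shape quoted above is matched against a `PutObject` request, with constructed placeholder ARNs in place of the real ones. Beyond the thread's own case it also shows two things a reviewer of such a policy would check: a session of the same role under a different session name is not exempted (NotPrincipal is an exact ARN list), and with `Resource` set to the bucket ARN alone an object-level `PutObject` never matches the statement at all, so the Deny then restricts nobody. The matching rules here are a deliberately simplified model of IAM evaluation, not a reimplementation of it.

```python
import fnmatch

# Constructed placeholder ARNs (the real ones are in the issue text above).
ACCOUNT = "123456789012"
BUCKET_ARN = "arn:aws:s3:::example-virus-defs-bucket"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ExampleDefsUpdateRole"
# Lambda assumes its execution role with the function name as the session name.
LAMBDA_SESSION_ARN = (
    f"arn:aws:sts::{ACCOUNT}:assumed-role/ExampleDefsUpdateRole/ExampleDefsUpdateFunction"
)


def deny_except_lambda(resource: str) -> dict:
    """Same shape as the last statement of the bucket policy quoted in the issue."""
    return {
        "Effect": "Deny",
        "NotPrincipal": {"AWS": [LAMBDA_SESSION_ARN, LAMBDA_ROLE_ARN]},
        "Action": "s3:PutObject*",
        "Resource": resource,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value: str) -> bool:
    # IAM Action and Resource elements support '*' and '?' wildcards; '*' also
    # spans '/' inside an object key, which fnmatchcase reproduces.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_denies(stmt: dict, principal_arn: str, action: str, resource_arn: str) -> bool:
    """Simplified model of one Deny statement: it applies when Action and Resource
    match the request and the caller is NOT listed in NotPrincipal. NotPrincipal is
    treated as an exact ARN list, so a role session must be listed with its session name."""
    if stmt.get("Effect") != "Deny":
        return False
    if not _wildcard_match(stmt["Action"], action):
        return False
    if not _wildcard_match(stmt["Resource"], resource_arn):
        return False
    exempt = _as_list(stmt.get("NotPrincipal", {}).get("AWS", []))
    return principal_arn not in exempt


def put_denied(policy_resource: str, principal_arn: str) -> bool:
    """Would an upload of bytecode.cvd by principal_arn be blocked by the statement?"""
    stmt = deny_except_lambda(policy_resource)
    return statement_denies(stmt, principal_arn, "s3:PutObject", f"{BUCKET_ARN}/bytecode.cvd")
```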
