How to get the object and operation from an AWS access denied exception in JavaScript?


Any AWS service can throw an AccessDenied exception, which is logged like this:

// Log the rejection and hand the error back to the Lambda callback
somePromise.catch((err) => {
    console.error(`Failed to store logs into CloudWatch`, err);
    callback(err);
})

CloudWatch Logs shows:

{
    "errorMessage": "Access Denied",
    "errorType": "AccessDenied",
    "stackTrace": [
        "Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:577:35)",
        "Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)",
        "Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)",
        "Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)",
        "Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)",
        "AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)",
        "/var/task/node_modules/aws-sdk/lib/state_machine.js:26:10",
        "Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)",
        "Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)",
        "Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)"
    ]
}

First of all, where is the stack trace? :)

Second, is there a way to determine what resource and operation were requested? (There are several chained promises, and it is unclear which one is wrong.)
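One way to find out which call in a chain was denied is to tag every SDK request with its operation and parameters before the promise rejects. The following is an added example, not code from the question; it assumes the AWS SDK for JavaScript v2 shape in which a service method such as `s3.getObject(params)` returns an `AWS.Request` exposing `operation`, `params` and `promise()`, and in which the rejection is an `AWSError` carrying `code` and `statusCode`. The `withCallContext` and `describeFailure` helpers and the `fakeDeniedRequest` stand-in are constructed here so the block runs offline.

```javascript
// Added example (not from the question): attach the operation and the request
// parameters to an SDK v2 rejection so the catch handler can say which call
// in a promise chain was denied. Helper names are hypothetical.

function withCallContext(req) {
  // req is expected to look like an SDK v2 AWS.Request: .operation, .params, .promise()
  return req.promise().catch((err) => {
    // SDK v2 AWSError already carries code/statusCode/requestId; err.code is the
    // "AccessDenied" that appears as errorType in the CloudWatch entry above.
    err.operation = req.operation;
    err.params = req.params;
    throw err; // keep propagating so callback(err) still fires downstream
  });
}

function describeFailure(err) {
  const target = err.params
    ? Object.entries(err.params).map(([k, v]) => `${k}=${v}`).join(', ')
    : 'unknown params';
  return `${err.code || err.name} during ${err.operation || 'unknown operation'} (${target})`;
}

// Constructed stand-in for a request that IAM denies; in real code the
// argument to withCallContext would be the AWS.Request returned by the SDK.
function fakeDeniedRequest(operation, params) {
  return {
    operation,
    params,
    promise: () => {
      const err = new Error('Access Denied');
      err.code = 'AccessDenied';
      err.statusCode = 403;
      return Promise.reject(err);
    },
  };
}

async function runChain() {
  try {
    // Several chained calls would each be wrapped the same way; only the
    // failing one contributes its operation and params to the error.
    await withCallContext(fakeDeniedRequest('getObject', { Bucket: 'example-bucket', Key: 'logs/app.log' }));
    return 'ok';
  } catch (err) {
    return describeFailure(err);
  }
}

// Usage: runChain().then(console.log)
// → AccessDenied during getObject (Bucket=example-bucket, Key=logs/app.log)
```

The wrapper does not answer the question of why the call was denied (that needs the IAM policy evaluation on the AWS side), but it removes the ambiguity about which operation and which bucket or key the code was touching when the 403 came back.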

Jamie Starke

You're unlikely to get much more detail out of the JavaScript stack trace from my experience. A more helpful route I've found is to look at what AWS services the libraries that I'm using (and getting somePromise from) are accessing.

One other way that you could possibly glean some of this information is from the AWS side, using CloudTrail and CloudWatch Logs. You would first need to create a CloudTrail in your AWS Account. Next you would need to send CloudTrail events to CloudWatch Logs.

Once you have your CloudTrail events going to CloudWatch Logs, you can use CloudWatch Logs to query for "Access Denied" and "Unauthorized Operation" messages. To do this, go to CloudWatch in the AWS Console, and go to the Logs section. Next, look for your CloudTrail log group. Normally the default log group is called CloudTrail/Default. Once you go into that log group, press the Search Logs button at the top. This will bring up all of the logs in the log streams for this log group. You can then enter a query that will get only the Access Denied and Unauthorized Operation events. To do this, enter the query { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

I found this to be onerous and very time consuming, so I wrote a utility to send these Access Denied and Unauthorized Operation messages to Slack for me automatically. You can check it out at https://github.com/Giftbit/activity-aware-ids-aws/blob/master/infrastructure/cloudformation.yaml. It also includes a helpful CloudFormation template to stand this up for you, provided that you have already created your CloudTrail and have the events sent to CloudWatch Logs.
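The CloudTrail route in the answer works because each CloudTrail record names the service (`eventSource`), the operation (`eventName`), the caller (`userIdentity.arn`) and the request parameters, which is exactly the information missing from the SDK error. The block below is an added example, not code from the answer or from the linked utility: it applies the answer's filter pattern `{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }` to CloudTrail records locally, treating `*` as the filter-pattern wildcard, and pulls the operation and resource out of every match. The records, account ID and ARNs are constructed sample data.

```javascript
// Added example (not from the answer): evaluate the answer's CloudWatch Logs
// filter pattern over CloudTrail records and report operation, service, caller
// and request parameters for each denied call. Sample records are constructed.

// Turn a filter-pattern term with "*" wildcards (e.g. "AccessDenied*") into an
// anchored regular expression; all other characters are matched literally.
function wildcardToRegex(pattern) {
  const escaped = pattern
    .split('*')
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`);
}

// The two terms from the answer's query, OR-ed together.
const DENIED_PATTERNS = ['*UnauthorizedOperation', 'AccessDenied*'].map(wildcardToRegex);

function isAccessDeniedEvent(record) {
  const code = record.errorCode;
  return typeof code === 'string' && DENIED_PATTERNS.some((re) => re.test(code));
}

// Reduce each matching record to the fields an investigator needs: who called
// which operation on which service, with what parameters, and what the error was.
function summarizeDenied(records) {
  return records.filter(isAccessDeniedEvent).map((r) => ({
    time: r.eventTime,
    principal: (r.userIdentity && r.userIdentity.arn) || 'unknown',
    service: r.eventSource,
    operation: r.eventName,
    resource: r.requestParameters || {},
    errorCode: r.errorCode,
  }));
}

// Constructed CloudTrail records (real field names, made-up values): one denied
// S3 read, one successful CloudWatch Logs write, one denied EC2 launch.
const SAMPLE_RECORDS = [
  {
    eventTime: '2019-01-01T10:00:00Z',
    eventSource: 's3.amazonaws.com',
    eventName: 'GetObject',
    errorCode: 'AccessDenied',
    errorMessage: 'Access Denied',
    userIdentity: { arn: 'arn:aws:sts::111111111111:assumed-role/lambda-role/log-shipper' },
    requestParameters: { bucketName: 'example-bucket', key: 'logs/app.log' },
  },
  {
    eventTime: '2019-01-01T10:00:05Z',
    eventSource: 'logs.amazonaws.com',
    eventName: 'PutLogEvents',
    userIdentity: { arn: 'arn:aws:sts::111111111111:assumed-role/lambda-role/log-shipper' },
    requestParameters: { logGroupName: '/aws/lambda/log-shipper' },
  },
  {
    eventTime: '2019-01-01T10:01:00Z',
    eventSource: 'ec2.amazonaws.com',
    eventName: 'RunInstances',
    errorCode: 'Client.UnauthorizedOperation',
    userIdentity: { arn: 'arn:aws:iam::111111111111:user/dev' },
    requestParameters: { instanceType: 't3.micro' },
  },
];

// Usage: console.table(summarizeDenied(SAMPLE_RECORDS))
// → two rows: GetObject on example-bucket (AccessDenied) and RunInstances (Client.UnauthorizedOperation)
```

Running the same two wildcard terms locally also shows why the pattern is written that way: S3 reports plain `AccessDenied`, EC2 reports `Client.UnauthorizedOperation`, and other services use codes such as `AccessDeniedException`, so the leading and trailing `*` are what make a single filter catch all of them.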