How to resolve "Client error: an error occured when calling the UpdateItem operation" in Panther detection

Issue

When testing my Panther rule, I'm getting an error like the following:

ClientError: An error occurred (AccessDeniedException) when calling the UpdateItem operation: User: <my-IAM-role> is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:<panther-region>:<panther-account-id>:table/panther-kv-store because no identity-based policy allows the dynamodb:UpdateItem action

Resolution

This is usually caused by a detection which uses one of Panther's caching functions, and has a unit test which doesn't properly implement a mock(s) for those functions.

1. Verify that your detection uses one of Panther's caching functions.
2. Evaluate your unit tests for this detection - ensure that for each unit test, any caching functions that your detection uses have mock functions implemented.
3. If any caching functions are not properly mocked, define the appropriate mock functions.  You can read more about how to implement mocks for caching functions here.

If you've successfully managed to complete all three steps, but continue to see errors, please contact our support team. Include a sample of the error message, your detection code, and your unit tests.

Cause

This error is raised by AWS when it cannot access a specific DynamoDB table due to insufficient permissions. Panther only provides the correct IAM permission to your detections when running them against real-time log data from within the detections engine - during unit testing, the DynamoDB table is inaccessible.

By providing mock functions, you bypass the calls to DynamoDB and instead provide pre-determined return values for your rule to use instead. Since no calls are made to Dynamo, this error doesn't occur.