False positive failure for S3 versioning and encryption (AVD-AWS-0088, AVD-AWS-0090) #4736

gberenice · 2023-06-29T10:00:56Z

gberenice
Jun 29, 2023

Description

Hey!
We use terraform module cloudposseterraform-aws-s3-bucket v3.1.2 in our configuration, but Trivy scan (that is run as a Trunk check) fails with the error we don't expect to see:

 0:0  high  S3 Buckets should be encrypted to protect the data that is stored within them if access   trivy/AVD-AWS-0088
            is compromised.                                                                                             
...                                                                                      
 0:0  high   ↵ Versioning in Amazon S3 is a means of keeping multiple variants of an object in the    trivy/AVD-AWS-0090
            same bucket.  ↵ You can use the S3 Versioning feature to preserve, retrieve, an...                          
            .trunk/out/erP.txt

Both encryption and versioning are enabled and configured.

S3 bucket encryption is managed via the resource aws_s3_bucket_server_side_encryption_configuration.
This is our state:

resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
    bucket = "test-logs"
    id     = "test-logs"

    rule {
        bucket_key_enabled = false

        apply_server_side_encryption_by_default {
            kms_master_key_id = "arn:aws:kms:us-east-1:111111111111:key/11111111-1111-1111-1111-111111111111"
            sse_algorithm     = "aws:kms"
        }
    }
}

Similar for versioning, in the state our resource aws_s3_bucket_versioning looks like:

resource "aws_s3_bucket_versioning" "default" {
    bucket = "test-logs"
    id     = "test-logs"

    versioning_configuration {
        status = "Enabled"
    }
}

Desired Behavior

Scan trivy config main.tf is successfully passed.

Actual Behavior

Scan fails.

Reproduction Steps

1. Add a child module with the following arguments:

module "logs_bucket" {
  source  = "cloudposse/s3-bucket/aws"
  version = "3.1.2"

  acl                = "private"
  sse_algorithm      = "aws:kms"
  kms_master_key_arn = module.kms_key.key_arn

  # Feature enablement
  user_enabled       = false
  versioning_enabled = true

2. Enable Trivy via Trunk in `trunk.yaml`:
```yaml
version: 0.1
cli:
  version: 1.11.1
plugins:
  sources:
    - id: trunk
      ref: v0.0.19
      uri: https://github.com/trunk-io/plugins
lint:
  enabled:
    - [email protected]

Run the check.



### Target

None

### Scanner

None

### Output Format

JSON

### Mode

Standalone

### Debug Output

```bash
{
  "SchemaVersion": 2,
  "ArtifactName": "main.tf",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": ".",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 1,
        "Failures": 0,
        "Exceptions": 0
      }
    },
    {
      "Target": "git::https:/github.com/masterpointio/terraform-aws-tailscale.git?ref=tags/0.2.0/masterpointio/ssm-agent/aws/cloudposse/kms-key/aws/main.tf",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 1,
        "Failures": 0,
        "Exceptions": 0
      }
    },
    {
      "Target": "git::https:/github.com/masterpointio/terraform-aws-tailscale.git?ref=tags/0.2.0/masterpointio/ssm-agent/aws/cloudposse/s3-bucket/aws/cloudposse/iam-s3-user/aws/cloudposse/iam-system-user/aws/main.tf",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 1,
        "Failures": 0,
        "Exceptions": 0
      }
    },
    {
      "Target": "git::https:/github.com/masterpointio/terraform-aws-tailscale.git?ref=tags/0.2.0/masterpointio/ssm-agent/aws/cloudposse/s3-bucket/aws/main.tf",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 1,
        "Failures": 9,
        "Exceptions": 0
      },
      "Misconfigurations": [
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0086",
          "AVDID": "AVD-AWS-0086",
          "Title": "S3 Access block should block public ACL",
          "Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
          "Message": "No public access block so not blocking public acls",
          "Query": "data..",
          "Resolution": "Enable blocking any PUT calls with a public ACL specified",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0086"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0087",
          "AVDID": "AVD-AWS-0087",
          "Title": "S3 Access block should block public policy",
          "Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
          "Message": "No public access block so not blocking public policies",
          "Query": "data..",
          "Resolution": "Prevent policies that allow public access being PUT",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0087"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0088",
          "AVDID": "AVD-AWS-0088",
          "Title": "Unencrypted S3 bucket.",
          "Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
          "Message": "Bucket does not have encryption enabled",
          "Query": "data..",
          "Resolution": "Configure bucket encryption",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0088"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0089",
          "AVDID": "AVD-AWS-0089",
          "Title": "S3 Bucket does not have logging enabled.",
          "Description": "Buckets should have logging enabled so that access can be audited.",
          "Message": "Bucket does not have logging enabled",
          "Query": "data..",
          "Resolution": "Add a logging block to the resource to enable access logging",
          "Severity": "MEDIUM",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0089"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0090",
          "AVDID": "AVD-AWS-0090",
          "Title": "S3 Data should be versioned",
          "Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
          "Message": "Bucket does not have versioning enabled",
          "Query": "data..",
          "Resolution": "Enable versioning to protect against accidental/malicious removal or modification",
          "Severity": "MEDIUM",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0090"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0091",
          "AVDID": "AVD-AWS-0091",
          "Title": "S3 Access Block should Ignore Public Acl",
          "Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
          "Message": "No public access block so not ignoring public acls",
          "Query": "data..",
          "Resolution": "Enable ignoring the application of public ACLs in PUT calls",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0091"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0093",
          "AVDID": "AVD-AWS-0093",
          "Title": "S3 Access block should restrict public bucket to limit access",
          "Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
          "Message": "No public access block so not restricting public buckets",
          "Query": "data..",
          "Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0093"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0094",
          "AVDID": "AVD-AWS-0094",
          "Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
          "Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
          "Message": "Bucket does not have a corresponding public access block.",
          "Query": "data..",
          "Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
          "Severity": "LOW",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0094"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0132",
          "AVDID": "AVD-AWS-0132",
          "Title": "S3 encryption should use Customer Managed Keys",
          "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
          "Message": "Bucket does not encrypt data with a customer managed key.",
          "Query": "data..",
          "Resolution": "Enable encryption using customer managed keys",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 29,
            "EndLine": 43,
            "Code": {
              "Lines": [
                {
                  "Number": 29,
                  "Content": "resource \"aws_s3_bucket\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 30,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 31,
                  "Content": "  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 32,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 33,
                  "Content": "  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because that is now enforced automatically by AWS",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 34,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not agree that this is required",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 35,
                  "Content": "  #bridgecrew:skip=BC_AWS_GENERAL_72:We do not agree that cross-region replication must be enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 36,
                  "Content": "  count         = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 37,
                  "Content": "  bucket        = local.bucket_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 38,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        }
      ]
    },
    {
      "Target": "git::https:/github.com/masterpointio/terraform-aws-tailscale.git?ref=tags/0.2.0/masterpointio/ssm-agent/aws/main.tf",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 4,
        "Failures": 7,
        "Exceptions": 0
      },
      "Misconfigurations": [
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0057",
          "AVDID": "AVD-AWS-0057",
          "Title": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege",
          "Description": "You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.",
          "Message": "IAM policy document uses sensitive action 'kms:GenerateDataKey' on wildcarded resource '*'",
          "Query": "data..",
          "Resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0057",
          "References": [
            "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0057"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "iam",
            "StartLine": 89,
            "EndLine": 89,
            "Code": {
              "Lines": [
                {
                  "Number": 50,
                  "Content": "data \"aws_iam_policy_document\" \"session_logging\" {",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 51,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 89,
                  "Content": "    resources = [\"*\"]",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": true
                },
                {
                  "Number": 90,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 91,
                  "Content": "}",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0057",
          "AVDID": "AVD-AWS-0057",
          "Title": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege",
          "Description": "You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.",
          "Message": "IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*'",
          "Query": "data..",
          "Resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0057",
          "References": [
            "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0057"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "iam",
            "StartLine": 71,
            "EndLine": 71,
            "Code": {
              "Lines": [
                {
                  "Number": 50,
                  "Content": "data \"aws_iam_policy_document\" \"session_logging\" {",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 51,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 71,
                  "Content": "    resources = [\"*\"]",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": true
                },
                {
                  "Number": 90,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 91,
                  "Content": "}",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0057",
          "AVDID": "AVD-AWS-0057",
          "Title": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege",
          "Description": "You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.",
          "Message": "IAM policy document uses sensitive action 's3:GetEncryptionConfiguration' on wildcarded resource '*'",
          "Query": "data..",
          "Resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0057",
          "References": [
            "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0057"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "iam",
            "StartLine": 80,
            "EndLine": 80,
            "Code": {
              "Lines": [
                {
                  "Number": 50,
                  "Content": "data \"aws_iam_policy_document\" \"session_logging\" {",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 51,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 80,
                  "Content": "    resources = [\"*\"]",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": true
                },
                {
                  "Number": 90,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 91,
                  "Content": "}",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0057",
          "AVDID": "AVD-AWS-0057",
          "Title": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege",
          "Description": "You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.",
          "Message": "IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '5938eed5-e57c-4c08-97cd-7abd5e3ab748/*'",
          "Query": "data..",
          "Resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0057",
          "References": [
            "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0057"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "iam",
            "StartLine": 59,
            "EndLine": 59,
            "Code": {
              "Lines": [
                {
                  "Number": 50,
                  "Content": "data \"aws_iam_policy_document\" \"session_logging\" {",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 51,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 59,
                  "Content": "    resources = [\"${join(\"\", data.aws_s3_bucket.logs_bucket.*.arn)}/*\"]",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": true
                },
                {
                  "Number": 90,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 91,
                  "Content": "}",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0104",
          "AVDID": "AVD-AWS-0104",
          "Title": "An egress security group rule allows traffic to /0.",
          "Description": "Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.",
          "Message": "Security group rule allows egress to multiple public internet addresses.",
          "Query": "data..",
          "Resolution": "Set a more restrictive cidr range",
          "Severity": "CRITICAL",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0104",
          "References": [
            "https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0104"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "ec2",
            "StartLine": 134,
            "EndLine": 134,
            "Code": {
              "Lines": [
                {
                  "Number": 129,
                  "Content": "resource \"aws_security_group_rule\" \"allow_all_egress\" {",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 130,
                  "Content": "  type              = \"egress\"",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 131,
                  "Content": "  from_port         = 0",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 132,
                  "Content": "  to_port           = 0",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 133,
                  "Content": "  protocol          = \"-1\"",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 134,
                  "Content": "  cidr_blocks       = [\"0.0.0.0/0\"]",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": true
                },
                {
                  "Number": 135,
                  "Content": "  security_group_id = aws_security_group.default.id",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 136,
                  "Content": "}",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0124",
          "AVDID": "AVD-AWS-0124",
          "Title": "Missing description for security group rule.",
          "Description": "Security group rules should include a description for auditing purposes.\n\nSimplifies auditing, debugging, and managing security groups.",
          "Message": "Security group rule does not have a description.",
          "Query": "data..",
          "Resolution": "Add descriptions for all security groups rules",
          "Severity": "LOW",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0124",
          "References": [
            "https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0124"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "ec2",
            "StartLine": 129,
            "EndLine": 136,
            "Code": {
              "Lines": [
                {
                  "Number": 129,
                  "Content": "resource \"aws_security_group_rule\" \"allow_all_egress\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 130,
                  "Content": "  type              = \"egress\"",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 131,
                  "Content": "  from_port         = 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 132,
                  "Content": "  to_port           = 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 133,
                  "Content": "  protocol          = \"-1\"",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 134,
                  "Content": "  cidr_blocks       = [\"0.0.0.0/0\"]",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 135,
                  "Content": "  security_group_id = aws_security_group.default.id",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 136,
                  "Content": "}",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                }
              ]
            }
          }
        },
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0130",
          "AVDID": "AVD-AWS-0130",
          "Title": "aws_instance should activate session tokens for Instance Metadata Service.",
          "Description": "\nIMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.\nBy default \u003ccode\u003eaws_instance\u003c/code\u003e resource sets IMDS session auth tokens to be optional. \nTo fully protect IMDS you need to enable session tokens by using \u003ccode\u003emetadata_options\u003c/code\u003e block and its \u003ccode\u003ehttp_tokens\u003c/code\u003e variable set to \u003ccode\u003erequired\u003c/code\u003e.\n",
          "Message": "Launch template does not require IMDS access to require a token",
          "Query": "data..",
          "Resolution": "Enable HTTP token requirement for IMDS",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0130",
          "References": [
            "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service",
            "https://avd.aquasec.com/misconfig/avd-aws-0130"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.tailscale_subnet_router",
            "Provider": "AWS",
            "Service": "ec2",
            "StartLine": 271,
            "EndLine": 305,
            "Code": {
              "Lines": [
                {
                  "Number": 271,
                  "Content": "resource \"aws_launch_template\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 272,
                  "Content": "  name_prefix   = module.this.id",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 273,
                  "Content": "  image_id      = length(var.ami) \u003e 0 ? var.ami : data.aws_ami.amazon_linux_2.id",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 274,
                  "Content": "  instance_type = var.instance_type",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 275,
                  "Content": "  key_name      = var.key_pair_name",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 276,
                  "Content": "  user_data     = base64encode(var.user_data)",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 277,
                  "Content": "",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 278,
                  "Content": "  monitoring {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 279,
                  "Content": "    enabled = true",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 280,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            }
          }
        }
      ]
    }
  ]
}

Operating System

macOS Ventura

Version

Version: 0.42.1

Checklist

Run trivy --reset
Read the troubleshooting

simar7 · 2023-06-30T18:03:37Z

simar7
Jun 30, 2023
Maintainer

Thanks for reporting, I'll look into it.

0 replies

simar7 · 2023-07-04T01:35:30Z

simar7
Jul 4, 2023
Maintainer

@nikpivkin - could you take a look at this?

1 reply

nikpivkin Jul 4, 2023
Maintainer

Yes, of course

nikpivkin · 2023-07-04T10:25:32Z

nikpivkin
Jul 4, 2023
Maintainer

@simar7 A false positive result occurs due to the fact that the bucket name cannot be evaluated. If the default value for the variable is set to null, then here returns cty.NilVal, instead of DynamicPseudoType.

Execution of an expression with a ternary operator, where one of the operands of the result is null (var.bucket_name is null by default) ends with the following error: `The true and false result expression must have consistent types'.

Example:

variable "bucket_name" {
  default     = null
  description = "Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context"
}

resource "aws_s3_bucket" "example" {
  bucket = var.bucket_name != null ? var.bucket_name : "default"
}

9 replies

simar7 Jul 5, 2023
Maintainer

Issue to track #4780

gberenice Jul 6, 2023
Author

@simar7 @nikpivkin @knqyf263 thanks a lot for the quick fix! 🚀
Are there any estimates of when it will be included in the Trivy release?

knqyf263 Jul 6, 2023
Maintainer

@simar7 Can we include it in v0.43.1, which will be released tomorrow?

simar7 Jul 7, 2023
Maintainer

@knqyf263 yes I'm working on preparing a new release for defsec today. Should be in that shortly.

gberenice Jul 7, 2023
Author

@simar7 thank you!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

False positive failure for S3 versioning and encryption (AVD-AWS-0088, AVD-AWS-0090) #4736

{{title}}

Replies: 3 comments 10 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

False positive failure for S3 versioning and encryption (AVD-AWS-0088, AVD-AWS-0090) #4736

gberenice Jun 29, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Operating System

Version

Checklist

Replies: 3 comments · 10 replies

simar7 Jun 30, 2023 Maintainer

simar7 Jul 4, 2023 Maintainer

nikpivkin Jul 4, 2023 Maintainer

nikpivkin Jul 4, 2023 Maintainer

simar7 Jul 5, 2023 Maintainer

gberenice Jul 6, 2023 Author

knqyf263 Jul 6, 2023 Maintainer

simar7 Jul 7, 2023 Maintainer

gberenice Jul 7, 2023 Author

gberenice
Jun 29, 2023

Replies: 3 comments 10 replies

simar7
Jun 30, 2023
Maintainer

simar7
Jul 4, 2023
Maintainer

nikpivkin Jul 4, 2023
Maintainer

nikpivkin
Jul 4, 2023
Maintainer

simar7 Jul 5, 2023
Maintainer

gberenice Jul 6, 2023
Author

knqyf263 Jul 6, 2023
Maintainer

simar7 Jul 7, 2023
Maintainer

gberenice Jul 7, 2023
Author