Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(terraform): cloudwatch log without kms key with plan file #7193

Open
zip-chanko opened this issue Jul 10, 2024 · 0 comments
Open

bug(terraform): cloudwatch log without kms key with plan file #7193

zip-chanko opened this issue Jul 10, 2024 · 0 comments
Labels
aws PR related with AWS Cloud bug Something isn't working community Community contribution docker Docker query query New query feature terraform Terraform query

Comments

@zip-chanko
Copy link

  • The query doesn't work when scanning to the plan file if the kms_key_id is referencing from the resource.
  • The query works as expected if it scans to tf file instead of the plan file.

Expected Behavior

Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 0
INFO: 4
TOTAL: 5

Actual Behavior

CloudWatch Log Group Without KMS, Severity: MEDIUM, Results: 1
Description: AWS CloudWatch Log groups should be encrypted using KMS
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879

        [1]: tfplan.json:8

                007:         {
                008:           "address": "aws_cloudwatch_log_group.log",
                009:           "mode": "managed",



Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 1
LOW: 0
INFO: 4
TOTAL: 5

Steps to Reproduce the Problem

  1. Download the plan file tfplan.json
  2. Run the scan as below.
docker run --rm -v $PWD:/path -w /path -t checkmarx/kics scan -p tfplan.json --disable-secrets --cloud-provider aws

To generate the tfplan.json again:

  1. Use the below tf code.
  2. terraform init
  3. terraform plan -out=tfplan
  4. terraform show -json tfplan > tfplan.json
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "key" {
  description             = "chan key policy test"
  enable_key_rotation     = true
  deletion_window_in_days = 10

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        Action = [
          "kms:ReplicateKey",
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:Generate*",
          "kms:Verify",
          "kms:ImportKeyMaterial",
          "kms:Encrypt",
          "kms:ReEncrypt*",
          "kms:Decrypt",
          "kms:ConnectCustomKeyStore",
          "kms:Sign",
          "kms:DisableKey",
          "kms:UntagResource",
          "kms:SynchronizeMultiRegionKey",
          "kms:TagResource",
          "kms:ScheduleKeyDeletion",
          "kms:RetireGrant",
          "kms:RevokeGrant",
          "kms:DisconnectCustomKeyStore",
          "kms:CancelKeyDeletion"
        ],
        Resource = "*"
      }
    ]
  })
}

resource "aws_cloudwatch_log_group" "log" {
  name              = "encrypted-log-group"
  retention_in_days = 30
  kms_key_id        = aws_kms_key.key.arn
}

Specifications

  • Version: v2.1.1
  • Platform: macOS
  • Subsystem: Darwin Kernel Version 23.5.0 arm64

tfplan.json
@zip-chanko zip-chanko added bug Something isn't working community Community contribution labels Jul 10, 2024
@github-actions github-actions bot added query New query feature docker Docker query terraform Terraform query aws PR related with AWS Cloud labels Jul 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
aws PR related with AWS Cloud bug Something isn't working community Community contribution docker Docker query query New query feature terraform Terraform query
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@zip-chanko