bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

False positive in CKV_AWS_145 #6264

Closed pingoleon108 closed 2 months ago

pingoleon108 commented 2 months ago

Describe the issue
If it is related to an existing check, please note the relevant check ID. Also, explain the logic for this addition / change.

According to AWS, "Default server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) is not supported." for logging buckets. CKV_AWS_145 fails if we don't encrypt logging buckets using KMS: https://github.com/bridgecrewio/checkov/blob/64d266dc1b6f99988b7c283801f87a68323f9ab9/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml#L2

Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

The following code should pass:

resource "aws_s3_bucket" "s3_access_logging_bucket" {
  bucket        = var.name
  force_destroy = var.force_destroy
  tags = merge(
    var.platform_mandatory_tags,
    {
      "certified_by" = "team"
      "created_via"  = "Terraform"
    }
  )

  policy = data.aws_iam_policy_document.final_bucket_policy.json

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

Version (please complete the following information):

Additional context Add any other context about the problem here.

naveednawazkhan commented 2 months ago

Hi @pingoleon108, thank you for reaching out. server_side_encryption_configuration is deprecated. I have shared the docs for your ref: s3_bucket_server_side_encryption_configuration.

aws_s3_bucket and aws_s3_bucket_logging are different resources.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging

If you use a logging bucket resource, CKV_AWS_145 policy will not fail and has no effect.

Terraform

resource "aws_s3_bucket_logging" "some-name" {
  bucket = aws_s3_bucket.my_bucket.id

  target_bucket = "log_destination_bucket"
  target_prefix = aws_s3_bucket.my_bucket.id
}

Terraform

Resource: aws_s3_bucket

Arguments: apply_server_side_encryption_by_default.kms_master_key_id

resource "aws_s3_bucket" "bucket_name" {
  bucket = "bucket_good"
}

+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+   bucket = aws_s3_bucket.bucket_name.bucket
+
+   rule {
+     apply_server_side_encryption_by_default {
+       kms_master_key_id = aws_kms_key.mykey.arn
+       sse_algorithm     = "aws:kms"
+     }
+   }
+ }

Ref: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
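The split-resource pattern described in the comment above, written out end to end as an added example (this is not code from the issue, the Checkov project or the Prisma Cloud docs): a data bucket encrypted with SSE-KMS through aws_s3_bucket_server_side_encryption_configuration, a separate access-logging bucket that stays on SSE-S3 (AES256) because logging destinations do not support default SSE-KMS, and aws_s3_bucket_logging wiring the two together. The bucket names, KMS key, region and log prefix are assumptions for illustration.

```hcl
# Added example, not part of the issue or the Checkov project.
# All names, the region and the KMS key are assumed values.

provider "aws" {
  region = "us-east-1"
}

# Customer-managed key for the data bucket (assumed).
resource "aws_kms_key" "data" {
  description         = "Key for the example data bucket"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "data" {
  bucket = "example-data-bucket"
}

# Data bucket: default SSE-KMS, the configuration CKV_AWS_145 looks for.
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.data.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket" "access_logs" {
  bucket = "example-access-logs-bucket"
}

# Logging destination: default SSE-KMS is not supported for server access
# logging targets, so this bucket uses SSE-S3 (AES256) instead.
resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Allow the S3 logging service to write access logs into the log bucket,
# scoped to logs originating from the data bucket.
data "aws_iam_policy_document" "access_logs" {
  statement {
    sid     = "S3ServerAccessLogsPolicy"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.access_logs.arn}/log/*"]

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.data.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  policy = data.aws_iam_policy_document.access_logs.json
}

# Separate logging resource, as the comment recommends, instead of the
# deprecated inline logging / server_side_encryption_configuration blocks.
resource "aws_s3_bucket_logging" "data" {
  bucket        = aws_s3_bucket.data.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "log/"
}
```

Run `terraform init` and `terraform validate` in the directory holding this file to confirm the HCL is well-formed, then `checkov -d . --check CKV_AWS_145` to see exactly which of the two buckets the check reports in your Checkov version; that output is the evidence to attach if the AES256 logging bucket is still flagged.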

pingoleon108 commented 2 months ago

Thank you!