False detection for S3 encryption (AVD-AWS-0088)

[nathanbowang]

IDs

AVD-AWS-0088

Description

Hi, We use terraform KMS module terraform-aws-modules/kms/aws v2.0.1 and S3 module terraform-aws-modules/s3-bucket/aws v3.15.1 in our configuration, but Trivy scan fails with the error we don't expect to see

Reproduction Steps

module "artifactory_key" {
  source  = "terraform-aws-modules/kms/aws"
  version = "2.0.1"

  deletion_window_in_days = 7
  enable_key_rotation     = true
  enable_default_policy   = true
}

module "artifactory_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.15.1"

  bucket = "artifactory-sdfsgemekg"

  versioning    = {
    status     = true
    mfa_delete = false
  }
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = module.artifactory_key.key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

Target

Filesystem

Scanner

Misconfiguration

Target OS

5.4.254-1-MANJARO

Debug Output

2023-09-27T21:05:28.825Z	DEBUG	Severities: ["CRITICAL" "HIGH" "MEDIUM"]
2023-09-27T21:05:28.826Z	DEBUG	Ignore statuses	{"statuses": null}
2023-09-27T21:05:28.832Z	DEBUG	cache dir:  /root/.cache/trivy
2023-09-27T21:05:28.832Z	INFO	Misconfiguration scanning is enabled
2023-09-27T21:05:28.832Z	DEBUG	Policies successfully loaded from disk
2023-09-27T21:05:28.870Z	DEBUG	Walk the file tree rooted at '.' in parallel
2023-09-27T21:05:28.871Z	DEBUG	Skipping directory: .terraform
2023-09-27T21:05:28.871Z	DEBUG	Scanning Terraform files for misconfigurations...
2023-09-27T21:05:41.587Z	DEBUG	OS is not detected.
2023-09-27T21:05:41.587Z	INFO	Detected config files: 10
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: iam-github.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/apigateway-v2/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/ecr/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/kms/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/lambda/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/s3-bucket/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/sns/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: .
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-cloudwatch?ref=v4.3.0/modules/log-group/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.30.0/modules/iam-user/main.tf

terraform-aws-modules/s3-bucket/aws/main.tf (terraform)

Tests: 15 (SUCCESSES: 13, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:155-177
   via s3-artifact.tf:102-133 (module.artifactory)
────────────────────────────────────────────────────────────────────────────────
 155 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 156 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 157 │ 
 158 │   bucket                = aws_s3_bucket.this[0].id
 159 │   expected_bucket_owner = var.expected_bucket_owner
 160 │ 
 161 │   dynamic "rule" {
 162 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 163 └ 
 ...   
────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:155-177
   via s3-artifact.tf:102-133 (module.artifactory)
────────────────────────────────────────────────────────────────────────────────
 155 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 156 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 157 │ 
 158 │   bucket                = aws_s3_bucket.this[0].id
 159 │   expected_bucket_owner = var.expected_bucket_owner
 160 │ 
 161 │   dynamic "rule" {
 162 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 163 └ 
 ...   
────────────────────────────────────────────────────────────────────────────────

Version

0.45.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

The issue seems to lie in the downloaded modules that you are using. In the next release of Trivy we've improved the output a little so it's easier to tell that.

If you want to ignore downloaded modules, you can pass --tf-exclude-downloaded-modules flag.

$  trivy config --tf-exclude-downloaded-modules . 
2023-09-27T16:05:39.253-0600    INFO    Misconfiguration scanning is enabled
2023-09-27T16:05:39.710-0600    INFO    Detected config files: 3

[nathanbowang]

Hi, thanks for the quick reply.
I skipped the .terraform folder which contains the downloaded modules. Besides, I'm using other modules as well and don't have this kind of issue.
When I replace the KMS module with the terraform resource, Trivy will not complain. like this:

resource "aws_kms_key" "objects" {
  deletion_window_in_days = 7
  enable_key_rotation     = true
}

Both ways create a bucket encrypted with a custom managed key in AWS, I checked in the console.
I want to use the module because I need other configurations for the key.

[nikpivkin]

Hi @natebowang !

I created issue #6274