Trivy not detecting wildcards in policy

[hirra-farooq]

I am migrating from tfsec to trivy. I have noticed that there are some issues that trivy is not detecting that tfsec usually would.
One example that i think is especially important, given the security principles of least privilege is:

data "aws_iam_policy_document" "test_policy" {
  statement {
    sid    = "Allowall"
    effect = "Allow"

    actions = ["s3*"]

    resources = ["*"]
  }
}

tfsec would raise:
https://aquasecurity.github.io/tfsec/v1.28.6/checks/aws/iam/no-policy-wildcards/

• HIGH IAM policy document uses wildcarded action 's3*'
• HIGH IAM policy document uses sensitive action 's3*' on wildcarded resource '*'

But doing:
trivy config ./myfolder does not raise any issues.

I would have thought the trivy misconfiguration: https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/ would be raised?
Is this behaviour intended or a bug?

[nikpivkin]

Hi @hirra-farooq !

Check AVD-AWS-0057 is now deprecated.

[ken5scal]

Hi @nikpivkin
let me add other questions.

• trivy 0.58.0 with --include-deprecated-checks option didn't detect the same config. Is this behavior intended or a bug? or does it only work with "Rego" rules
• This page doesn't show the status of the rule. Is it safe to assume the page does not show the status or it's just preparing to update the status. https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/

Thanks in advance!

% trivy version
Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-11 12:17:09.376381063 +0000 UTC
  NextUpdate: 2024-12-12 12:17:09.376380663 +0000 UTC
  DownloadedAt: 2024-12-11 14:18:47.690554 +0000 UTC
Check Bundle:
  Digest: sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059
  DownloadedAt: 2024-12-12 01:00:41.712391 +0000 UTC
% trivy config --include-deprecated-checks .
2024-12-12T10:41:42+09:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-12-12T10:41:47+09:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-12-12T10:41:47+09:00       INFO    [terraform scanner] Scanning root module        file_path="tmp"
2024-12-12T10:41:48+09:00       INFO    Detected config files   num=2

[ken5scal]

Adding more information, it seems trivy 0.56.0 with --include-deprecated-checks detect "avd-aws-0057"

% docker run --rm -v $PWD:/cfn aquasec/trivy:0.56.0 conf /cfn --include-deprecated-checks

Unable to find image 'aquasec/trivy:0.56.0' locally
0.56.0: Pulling from aquasec/trivy
cf04c63912e1: Already exists 
e0bb7b1f10c6: Pull complete 
8ae5d7faa388: Pull complete 
61648e7cdbb8: Pull complete 
Digest: sha256:e682a9f8db9db6f09731fe2f63e4234d240ec67a811d90974b5af3d40497f843
Status: Downloaded newer image for aquasec/trivy:0.56.0
2024-12-12T01:49:07Z    INFO    [misconfig] Misconfiguration scanning is enabled
2024-12-12T01:49:07Z    INFO    [misconfig] Need to update the built-in checks
2024-12-12T01:49:07Z    INFO    [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 200ms2024-12-12T01:49:15Z        INFO    [terraform scanner] Scanning root module    file_path="."
2024-12-12T01:49:15Z    INFO    Detected config files   num=2

sample_resource.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: IAM policy document uses sensitive action '*' on wildcarded resource '*'
════════════════════════════════════════
You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.

See https://avd.aquasec.com/misconfig/avd-aws-0057
────────────────────────────────────────
 sample_resource.tf:33
   via sample_resource.tf:33 (aws_iam_role_policy.sample.policy)
    via sample_resource.tf:32-41 (aws_iam_role_policy.sample.policy)
     via sample_resource.tf:29-42 (aws_iam_role_policy.sample)
────────────────────────────────────────
  29   resource "aws_iam_role_policy" "sample" {
  ..   
  33 [     Version = "2012-10-17",
  ..   
  42   }
────────────────────────────────────────


HIGH: IAM policy document uses wildcarded action '*'
════════════════════════════════════════
You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.

See https://avd.aquasec.com/misconfig/avd-aws-0057
────────────────────────────────────────
 sample_resource.tf:33
   via sample_resource.tf:33 (aws_iam_role_policy.sample.policy)
    via sample_resource.tf:32-41 (aws_iam_role_policy.sample.policy)
     via sample_resource.tf:29-42 (aws_iam_role_policy.sample)
────────────────────────────────────────
  29   resource "aws_iam_role_policy" "sample" {
  ..   
  33 [     Version = "2012-10-17",
  ..   
  42   }
────────────────────────────────────────

[knqyf263]

Some context here.
aquasecurity/trivy-checks#245

@nikpivkin We should improve AVD to display information about deprecations.
https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/

[nikpivkin]

@itaysk We can add information that the check is deprecated to the header in the check list. For example:

And also in the table with the check metadata:

WDYT?

[knqyf263]

LGTM. Let's start with that. After Simar is back, we can discuss it again.