bug(misconf): false negative AVD-AWS-0057 when aws_iam_policy_document contains count Meta-Argument #5552

Closed
nikpivkin opened this issue Nov 10, 2023 · 0 comments · Fixed by aquasecurity/trivy-iac#46
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
nikpivkin commented Nov 10, 2023

Trivy does not report AVD-AWS-0057 when a policy uses an aws_iam_policy_document source that contains a count Meta-Argument.

Example:

locals {
  sqs = [
    "arn:aws:sqs:::*"
  ]
}

data "aws_iam_policy_document" "this" {
  count = length(local.sqs)

  statement {
    sid = "test-${count.index}"
    actions = [
      "sqs:CancelMessageMoveTask"
    ]
    resources = [
      "${local.sqs[count.index]}"
    ]
  }
}


resource "aws_iam_policy" "this" {
  count = length(local.sqs)

  name        = "test-${count.index}"
  # policy      = data.aws_iam_policy_document.this[count.index].json

  policy = <<POLICY
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "test-${count.index}",
              "Effect": "Allow",
              "Action": [
                "sqs:CancelMessageMoveTask"
              ],
              "Resource": [
                "${local.sqs[count.index]}"
              ]
          }
      ]
  }
  POLICY
}

Output:

trivy conf -d main.tf
2023-11-10T14:31:53.719+0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-10T14:31:53.728+0700    DEBUG   cache dir:  /Users/nikita/Library/Caches/trivy
2023-11-10T14:31:53.728+0700    DEBUG   Module dir: /Users/nikita/.trivy/modules
2023-11-10T14:31:53.728+0700    INFO    Misconfiguration scanning is enabled
2023-11-10T14:31:53.728+0700    DEBUG   Policies successfully loaded from disk
2023-11-10T14:31:53.748+0700    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-10T14:31:53.748+0700    DEBUG   Walk the file tree rooted at 'main.tf' in parallel
2023-11-10T14:31:53.748+0700    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-10T14:31:54.104+0700    DEBUG   OS is not detected.
2023-11-10T14:31:54.104+0700    INFO    Detected config files: 1
2023-11-10T14:31:54.104+0700    DEBUG   Scanned config file: .

But it reports it if I use the inline policy (which is completely equivalent to the document above):

HIGH: IAM policy document uses sensitive action 'sqs:CancelMessageMoveTask' on wildcarded resource 'arn:aws:sqs:::*'
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.

See https://avd.aquasec.com/misconfig/avd-aws-0057
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:28-44
   via main.tf:22-45 (aws_iam_policy.this[0])
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22   resource "aws_iam_policy" "this" {
  23     count = length(local.sqs)
  24   
  25     name        = "test-${count.index}"
  26     # policy      = data.aws_iam_policy_document.this[count.index].json
  27   
  28 ┌   policy = <<POLICY
  29 │   {
  30 └       "Version": "2012-10-17",
  ..   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Also, when using the inline policy, the range is not displayed correctly.
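As an added example (not Trivy's code and not part of the issue), this is the kind of check AVD-AWS-0057 performs, run over the issue's heredoc policy rendered once per count index, which is exactly the JSON the aws_iam_policy_document data source would produce, so both forms should yield the same finding. The SENSITIVE_ACTIONS set and the expand_count helper are assumptions; Trivy's real action list is not on this page.

```python
import fnmatch
import json

# Constructed set of "sensitive" actions. Trivy's real list is not on this page;
# sqs:CancelMessageMoveTask is included because the report above flags it.
SENSITIVE_ACTIONS = {"sqs:CancelMessageMoveTask", "iam:PassRole", "sts:AssumeRole"}


def check_policy(policy_json: str) -> list[dict]:
    """Return a finding for every Allow statement that grants a sensitive
    action on a wildcarded resource ('*' or an ARN ending in '*')."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for pattern in actions:
            # "Action" may itself be a glob such as "sqs:*"; expand it against the list.
            hits = sorted(a for a in SENSITIVE_ACTIONS if fnmatch.fnmatchcase(a, pattern))
            for res in resources:
                if res == "*" or res.endswith("*"):
                    findings += [{"sid": st.get("Sid"), "action": a, "resource": res} for a in hits]
    return findings


def expand_count(template: str, values: list[str]) -> list[str]:
    """Mimic Terraform's count expansion of the issue's policy: one rendered
    document per index (assumption: only the two placeholders used in the
    issue's heredoc occur in the template)."""
    return [template.replace("${count.index}", str(i)).replace("${local.sqs[count.index]}", v)
            for i, v in enumerate(values)]


# The issue's heredoc body with the interpolations left unexpanded (constructed copy).
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "test-${count.index}", "Effect": "Allow",
                 "Action": ["sqs:CancelMessageMoveTask"],
                 "Resource": ["${local.sqs[count.index]}"]}]
}"""

if __name__ == "__main__":
    # local.sqs from the issue has one element, so count = 1 and only index 0 renders.
    for rendered in expand_count(POLICY_TEMPLATE, ["arn:aws:sqs:::*"]):
        print(check_policy(rendered))
```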

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Nov 10, 2023
@nikpivkin nikpivkin self-assigned this Nov 10, 2023
@simar7 simar7 added this to the v0.48.0 milestone Nov 11, 2023