fugue / regula

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego

Home Page:https://regula.dev/


[BUG] False positive for FG_R00031

szesch opened this issue · comments

Describe the bug
False positive for FG_R00031: "S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files"

How you're running Regula
Regula CLI version v2.9.1 running against a Terraform plan

$ regula version
v2.9.1, build b46cb87, built with OPA v0.43.0

$ terraform version
Terraform v1.2.8
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.30.0
+ provider registry.terraform.io/hashicorp/random v3.4.3

Operating System
Ubuntu 22.04.1

Steps to reproduce

terraform init
terraform plan -out plan
terraform apply plan

# Generate another plan
terraform plan -out plan
terraform show -json plan > plan.json
regula run --no-config --only FG_R00031 -t tf-plan plan.json

IaC Configuration

provider "aws" {
  region  = "us-east-2"
}

provider "random" {}

# Bucket that receives the CloudTrail log files. Access logging for it is
# configured below through a separate aws_s3_bucket_logging resource.
resource "aws_s3_bucket" "cloudtrail" {
  force_destroy = true
}

data "aws_caller_identity" "current" {}

# Bucket policy CloudTrail needs: ACL check on the bucket, PutObject under the
# trail's key prefix with bucket-owner-full-control.
resource "aws_s3_bucket_policy" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "${aws_s3_bucket.cloudtrail.arn}"
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "${aws_s3_bucket.cloudtrail.arn}/prefix/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
POLICY
}

# Target bucket for the S3 server access logs. The inline `acl` argument still
# works in AWS provider 4.x but is deprecated in favour of aws_s3_bucket_acl.
resource "aws_s3_bucket" "logging" {
  force_destroy = true
  acl           = "log-delivery-write"
}

# Access logging for the CloudTrail bucket, as a standalone resource (provider
# 4.x style) rather than an inline `logging` block on aws_s3_bucket.
resource "aws_s3_bucket_logging" "cloudtrail" {
  bucket        = aws_s3_bucket.cloudtrail.id
  target_bucket = aws_s3_bucket.logging.id
  target_prefix = "log/"
}

resource "random_id" "cloudtrail" {
  byte_length = 8
}

# The trail writes to the logged bucket under the same prefix the policy allows.
resource "aws_cloudtrail" "cloudtrail" {
  name                          = random_id.cloudtrail.id
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
}
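As an added example (not Regula's own Rego and not the reporter's code), the following Python script re-implements the check that FG_R00031 describes, working over the `configuration` section of `terraform show -json` output. It treats a CloudTrail bucket as logged when either the bucket carries an inline `logging` block or a separate `aws_s3_bucket_logging` resource references it, which is the shape the configuration in this issue uses. The plan fragment is hand-written to mirror that configuration and is an assumption, not a real plan file; only the root module is scanned.

```python
"""Standalone re-implementation of the FG_R00031 check over Terraform plan JSON.

Added example: not Regula's Rego. Reads the `configuration.root_module`
section of `terraform show -json plan` output, which keeps the references
between resources even when values are not yet known.
"""
import copy
import json

# Constructed fragment of a `terraform show -json` plan mirroring the issue's
# configuration (assumption: hand-written, not produced by Terraform).
PLAN_WITH_LOGGING = json.loads("""
{
  "format_version": "1.1",
  "configuration": {
    "root_module": {
      "resources": [
        {"address": "aws_s3_bucket.cloudtrail", "type": "aws_s3_bucket", "name": "cloudtrail",
         "expressions": {"force_destroy": {"constant_value": true}}},
        {"address": "aws_s3_bucket.logging", "type": "aws_s3_bucket", "name": "logging",
         "expressions": {"acl": {"constant_value": "log-delivery-write"}}},
        {"address": "aws_s3_bucket_logging.cloudtrail", "type": "aws_s3_bucket_logging", "name": "cloudtrail",
         "expressions": {"bucket": {"references": ["aws_s3_bucket.cloudtrail.id", "aws_s3_bucket.cloudtrail"]},
                         "target_bucket": {"references": ["aws_s3_bucket.logging.id", "aws_s3_bucket.logging"]},
                         "target_prefix": {"constant_value": "log/"}}},
        {"address": "aws_cloudtrail.cloudtrail", "type": "aws_cloudtrail", "name": "cloudtrail",
         "expressions": {"s3_bucket_name": {"references": ["aws_s3_bucket.cloudtrail.id", "aws_s3_bucket.cloudtrail"]},
                         "s3_key_prefix": {"constant_value": "prefix"}}}
      ]
    }
  }
}
""")


def without_logging(plan):
    """Copy of the plan with the aws_s3_bucket_logging resource removed (negative case)."""
    stripped = copy.deepcopy(plan)
    module = stripped["configuration"]["root_module"]
    module["resources"] = [r for r in module["resources"] if r["type"] != "aws_s3_bucket_logging"]
    return stripped


def _bucket_refs(expr):
    """aws_s3_bucket addresses an expression refers to (e.g. 'aws_s3_bucket.cloudtrail.id')."""
    addresses = set()
    for ref in (expr or {}).get("references", []):
        parts = ref.split(".")
        if len(parts) >= 2 and parts[0] == "aws_s3_bucket":
            addresses.add(".".join(parts[:2]))
    return addresses


def logged_buckets(resources):
    """Buckets that have access logging, via inline block or aws_s3_bucket_logging."""
    logged = set()
    for r in resources:
        exprs = r.get("expressions", {})
        if r["type"] == "aws_s3_bucket" and exprs.get("logging"):
            logged.add(r["address"])          # inline `logging { ... }` block
        elif r["type"] == "aws_s3_bucket_logging":
            logged |= _bucket_refs(exprs.get("bucket"))
    return logged


def cloudtrail_buckets(resources):
    """Buckets that an aws_cloudtrail writes to, by reference or by literal bucket name."""
    by_name = {}
    for r in resources:
        if r["type"] == "aws_s3_bucket":
            name = r.get("expressions", {}).get("bucket", {}).get("constant_value")
            if name:
                by_name[name] = r["address"]
    buckets = set()
    for r in resources:
        if r["type"] != "aws_cloudtrail":
            continue
        expr = r.get("expressions", {}).get("s3_bucket_name", {})
        buckets |= _bucket_refs(expr)
        literal = expr.get("constant_value")
        if literal in by_name:
            buckets.add(by_name[literal])
    return buckets


def check_cloudtrail_bucket_logging(plan):
    """Map each CloudTrail bucket address to True (logging enabled) or False (finding)."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    logged = logged_buckets(resources)
    return {bucket: bucket in logged for bucket in cloudtrail_buckets(resources)}


if __name__ == "__main__":
    for label, plan in (("with logging", PLAN_WITH_LOGGING), ("without logging", without_logging(PLAN_WITH_LOGGING))):
        for bucket, ok in check_cloudtrail_bucket_logging(plan).items():
            print(f"{label}: {bucket} -> {'PASS' if ok else 'FAIL (FG_R00031)'}")
```

Run against a real plan with `python3 check.py` after swapping `PLAN_WITH_LOGGING` for `json.load(open("plan.json"))`; a bucket whose logging comes from an `aws_s3_bucket_logging` resource, as in this issue, is reported as passing.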

Hi @szesch Thank you for reporting this issue. The team is investigating and working on a fix.

Should be fixed in v2.9.2, please reopen if this still occurs.