[BUG] False positive for FG_R00031
szesch opened this issue
Steve Zesch commented
Describe the bug
False positive for FG_R00031: S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
How you're running Regula
Regula CLI version v2.9.1 running against a Terraform plan
```
$ regula version
v2.9.1, build b46cb87, built with OPA v0.43.0
$ terraform version
Terraform v1.2.8
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.30.0
+ provider registry.terraform.io/hashicorp/random v3.4.3
```
Operating System
Ubuntu 22.04.1
Steps to reproduce
```sh
terraform init
terraform plan -out plan
terraform apply plan
# Generate another plan (after apply, so the bucket ids are known rather than "known after apply")
terraform plan -out plan
terraform show -json plan > plan.json
regula run --no-config --only FG_R00031 -t tf-plan plan.json
```
IaC Configuration
```hcl
provider "aws" {
  region = "us-east-2"
}

provider "random" {}

# Bucket that receives the CloudTrail log files. No name is set, so the
# provider generates one and its id is only known after apply.
resource "aws_s3_bucket" "cloudtrail" {
  force_destroy = true
}

data "aws_caller_identity" "current" {}

# Standard CloudTrail bucket policy: the service may read the bucket ACL and
# write objects under the configured prefix with bucket-owner-full-control.
resource "aws_s3_bucket_policy" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "${aws_s3_bucket.cloudtrail.arn}"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "${aws_s3_bucket.cloudtrail.arn}/prefix/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
POLICY
}

# Target bucket for the S3 server access logs of the CloudTrail bucket.
resource "aws_s3_bucket" "logging" {
  force_destroy = true
  acl           = "log-delivery-write"
}

# Access logging for the CloudTrail bucket, configured with the standalone
# aws_s3_bucket_logging resource (AWS provider v4 style) rather than an
# inline logging block on aws_s3_bucket.
resource "aws_s3_bucket_logging" "cloudtrail" {
  bucket        = aws_s3_bucket.cloudtrail.id
  target_bucket = aws_s3_bucket.logging.id
  target_prefix = "log/"
}

resource "random_id" "cloudtrail" {
  byte_length = 8
}

# The trail writes to the CloudTrail bucket under the same prefix the policy allows.
resource "aws_cloudtrail" "cloudtrail" {
  name                          = random_id.cloudtrail.id
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
}
```
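For anyone who wants to see what a rule like FG_R00031 has to resolve in a `tf-plan` input, here is an added example of such a check written in Python over a constructed, trimmed plan JSON. It is not Regula's FG_R00031 rule or any Fugue code, and it does not claim to show why the rule misfired; the resource layout, the bucket ids and the helper names (`fg_r00031_violations`, `variant`) are assumptions made here. It treats a bucket as logged when either the provider v3-style inline `logging` block or the v4-style standalone `aws_s3_bucket_logging` resource (the style used in the configuration above) points at it, and it falls back to the plan's `configuration` references when the plan was generated before apply and the bucket ids are still unknown.

```python
import json

# Constructed, trimmed `terraform show -json` plan for the configuration above.
# Assumption: planned_values / configuration follow Terraform's JSON plan format;
# the bucket ids are made up, as they would look after a first apply.
PLAN_JSON = r'''
{
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.cloudtrail", "type": "aws_s3_bucket",
     "values": {"id": "terraform-20220914a", "bucket": "terraform-20220914a"}},
    {"address": "aws_s3_bucket.logging", "type": "aws_s3_bucket",
     "values": {"id": "terraform-20220914b", "acl": "log-delivery-write"}},
    {"address": "aws_s3_bucket_logging.cloudtrail", "type": "aws_s3_bucket_logging",
     "values": {"bucket": "terraform-20220914a", "target_bucket": "terraform-20220914b",
                "target_prefix": "log/"}},
    {"address": "aws_cloudtrail.cloudtrail", "type": "aws_cloudtrail",
     "values": {"s3_bucket_name": "terraform-20220914a", "s3_key_prefix": "prefix"}}
  ]}},
  "configuration": {"root_module": {"resources": [
    {"address": "aws_s3_bucket_logging.cloudtrail", "type": "aws_s3_bucket_logging",
     "expressions": {"bucket": {"references": ["aws_s3_bucket.cloudtrail.id",
                                               "aws_s3_bucket.cloudtrail"]}}},
    {"address": "aws_cloudtrail.cloudtrail", "type": "aws_cloudtrail",
     "expressions": {"s3_bucket_name": {"references": ["aws_s3_bucket.cloudtrail.id",
                                                       "aws_s3_bucket.cloudtrail"]}}}
  ]}}
}
'''


def _resources(plan, section):
    return plan[section]["root_module"].get("resources", [])


def _referenced_bucket(plan, address, attr):
    """Resolve attribute `attr` of resource `address` to an aws_s3_bucket address.

    Prefer the planned value (known once the bucket exists) and fall back to the
    configuration's references, which is all a first plan offers while the ids
    are still "known after apply".
    """
    for r in _resources(plan, "planned_values"):
        if r["address"] == address:
            value = r.get("values", {}).get(attr)
            if isinstance(value, str):
                for b in _resources(plan, "planned_values"):
                    if b["type"] == "aws_s3_bucket" and value in (
                            b["values"].get("id"), b["values"].get("bucket")):
                        return b["address"]
    for r in _resources(plan, "configuration"):
        if r["address"] == address:
            refs = r.get("expressions", {}).get(attr, {}).get("references", [])
            for ref in refs:
                if ref.startswith("aws_s3_bucket."):
                    return ".".join(ref.split(".")[:2])
    return None


def cloudtrail_buckets(plan):
    """Addresses of the buckets that receive CloudTrail log files."""
    return {_referenced_bucket(plan, r["address"], "s3_bucket_name")
            for r in _resources(plan, "planned_values") if r["type"] == "aws_cloudtrail"}


def buckets_with_logging(plan):
    """Addresses of buckets that have access logging in either configuration style."""
    logged = set()
    for r in _resources(plan, "planned_values"):
        if r["type"] == "aws_s3_bucket" and r["values"].get("logging"):
            logged.add(r["address"])  # provider v3 style: inline logging {} block
        elif r["type"] == "aws_s3_bucket_logging":
            target = _referenced_bucket(plan, r["address"], "bucket")
            if target:
                logged.add(target)  # provider v4 style: standalone resource
    return logged


def fg_r00031_violations(plan_json):
    """CloudTrail buckets without access logging, sorted by address."""
    plan = json.loads(plan_json)
    return sorted(b for b in cloudtrail_buckets(plan) - buckets_with_logging(plan) if b)


def variant(plan_json, drop=None, unknown_ids=False):
    """Constructed helper: derive a plan that drops one resource address and/or
    blanks the values a first plan cannot know before apply."""
    plan = json.loads(plan_json)
    for section in ("planned_values", "configuration"):
        res = _resources(plan, section)
        res[:] = [r for r in res if r["address"] != drop]
    if unknown_ids:
        for r in _resources(plan, "planned_values"):
            for key in ("id", "bucket", "target_bucket", "s3_bucket_name"):
                r.get("values", {}).pop(key, None)
    return json.dumps(plan)


if __name__ == "__main__":
    print(fg_r00031_violations(PLAN_JSON))                             # []
    print(fg_r00031_violations(variant(PLAN_JSON, unknown_ids=True)))  # []
    print(fg_r00031_violations(variant(PLAN_JSON, drop="aws_s3_bucket_logging.cloudtrail")))
```

The last call is the only one that should report `aws_s3_bucket.cloudtrail`: with the standalone logging resource removed, no inline block and no `aws_s3_bucket_logging` points at the CloudTrail bucket. The first two calls show the two plans from the reproduction steps, one with resolved ids and one where everything is still unknown and only the `references` in `configuration` tie the resources together.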
ameliafugue commented
Hi @szesch, thank you for reporting this issue. The team is investigating and working on a fix.
Jasper Van der Jeugt commented
Should be fixed in v2.9.2, please reopen if this still occurs.