FG_R00252 incorrectly identifies KMS keys as publicly accessible
matt-slalom opened this issue
Describe the bug
FG_R00252 incorrectly identifies KMS keys as publicly accessible. Specifically, key_not_public.rego does not appear to distinguish between an Allow and a Deny statement.
How you're running Regula
% regula version
v2.10.0, build fd60949, built with OPA v0.43.1
% terraform version
Terraform v1.3.7
on darwin_arm64
Terraform JSON plan output using version above (de-identified plan here)
Operating System
macOS Monterey (12.6.3)
Darwin MHQYFNHR7K 21.6.0 Darwin Kernel Version 21.6.0: Mon Dec 19 20:43:09 PST 2022; root:xnu-8020.240.18~2/RELEASE_ARM64_T6000 arm64
Steps to reproduce
Copy key_not_public.rego from GitHub:
regula run --no-built-ins test.json --include key_not_public.rego
Additional context
Looking through key_not_public.rego, at least one problem seems to be that all_principals doesn't distinguish whether the policy rule is Effect: deny.
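The distinction the report points at, as an added example in Python (not Regula's Rego and not the reporter's code): an Effect-blind principal collector flags a key whose only wildcard principal sits in a Deny statement, while an Effect-aware check only counts unconditional Allow grants to "*" that no unconditional wildcard Deny takes back. `naive_key_is_public` is a hypothetical reconstruction of the behaviour the issue describes, not the rule's actual source; the three key policies and the 111122223333 account ID are constructed placeholders; treating any conditioned Allow as not-public is a simplification for the example.

```python
import fnmatch
import json


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_principals(stmt):
    """Flatten Principal ("*", {"AWS": "*"}, {"AWS": [..]}, {"Service": ..}) to a set."""
    principal = stmt.get("Principal")
    if principal is None:
        return set()
    if isinstance(principal, str):
        return {principal}
    found = set()
    for value in principal.values():
        found.update(_as_list(value))
    return found


def is_wildcard_principal(principal):
    # "*" (or {"AWS": "*"}) is the anonymous/everyone principal in a key policy.
    return principal == "*"


def _has_wildcard_principal(stmt):
    return any(is_wildcard_principal(p) for p in statement_principals(stmt))


def statement_actions(stmt):
    return [action.lower() for action in _as_list(stmt.get("Action"))]


def all_principals_naive(policy):
    """Principals from every statement, Allow or Deny alike.
    Hypothetical reconstruction of the Effect-blind behaviour the issue describes."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        found |= statement_principals(stmt)
    return found


def naive_key_is_public(policy):
    return any(is_wildcard_principal(p) for p in all_principals_naive(policy))


def effect_aware_key_is_public(policy):
    """Public only if an unconditional Allow grants "*" at least one action
    that no unconditional Deny to "*" removes. Conditioned Allows are skipped
    here (simplification: real evaluation must inspect the condition keys)."""
    statements = _as_list(policy.get("Statement"))
    blanket_denies = []  # action patterns nobody can perform, e.g. "kms:*"
    for stmt in statements:
        if stmt.get("Effect") == "Deny" and not stmt.get("Condition") \
                and _has_wildcard_principal(stmt):
            blanket_denies.extend(statement_actions(stmt))
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _has_wildcard_principal(stmt):
            continue
        for action in statement_actions(stmt):
            if not any(fnmatch.fnmatchcase(action, pat) for pat in blanket_denies):
                return True
    return False


# Constructed sample key policies (account ID is a placeholder).
# 1. Common hardening pattern: allow the account, deny everyone outside it.
POLICY_DENY_OUTSIDERS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Principal": "*", "Action": "kms:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "111122223333"}}}
  ]}""")

# 2. Genuinely public: anyone may decrypt.
POLICY_TRULY_PUBLIC = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"}
  ]}""")

# 3. Wildcard Allow fully cancelled by an unconditional wildcard Deny.
POLICY_ALLOW_THEN_DENY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"},
    {"Effect": "Deny", "Principal": "*", "Action": "kms:*", "Resource": "*"}
  ]}""")

if __name__ == "__main__":
    for name, policy in [("deny-outsiders", POLICY_DENY_OUTSIDERS),
                         ("truly-public", POLICY_TRULY_PUBLIC),
                         ("allow-then-deny", POLICY_ALLOW_THEN_DENY)]:
        print(f"{name}: naive={naive_key_is_public(policy)} "
              f"effect_aware={effect_aware_key_is_public(policy)}")
```

Policy 1 is the false positive the report describes: the only "*" principal is in a Deny, so the Effect-blind check flags it and the Effect-aware check does not. Policy 2 is the true positive both agree on, and policy 3 shows why Deny must also be applied against a wildcard Allow rather than merely ignored.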