fugue / regula

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego

Home Page: https://regula.dev/


FG_R00252 incorrectly identifies KMS keys as publicly accessible

matt-slalom opened this issue · comments

Describe the bug
FG_R00252 incorrectly identifies KMS keys as publicly accessible. Specifically, key_not_public.rego does not appear to distinguish between an Allow and a Deny statement.

How you're running Regula

% regula version                                                                                                              ✘ 1 
v2.10.0, build fd60949, built with OPA v0.43.1

% terraform version
Terraform v1.3.7
on darwin_arm64

Terraform JSON plan output using version above (de-identified plan here)

Operating System
macOS Monterey (12.6.3)
Darwin MHQYFNHR7K 21.6.0 Darwin Kernel Version 21.6.0: Mon Dec 19 20:43:09 PST 2022; root:xnu-8020.240.18~2/RELEASE_ARM64_T6000 arm64

Steps to reproduce
Copy key_not_public.rego from GitHub:
regula run --no-built-ins test.json --include key_not_public.rego

Additional context
Looking through key_not_public.rego, at least one problem seems to be that all_principals doesn't distinguish whether the policy rule is Effect: deny.
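To make the Allow/Deny distinction concrete, here is an added Python example (not Regula's code and not the Rego rule the issue names) that walks a Terraform plan JSON, pulls the policy document off each aws_kms_key, and flags only statements that actually grant public access: Effect "Allow" with a wildcard principal. Deny statements with Principal "*" are skipped, since they can only remove access; that is the case the report describes as a false positive. The plan layout (planned_values.root_module.resources, policy held as a JSON string under values.policy) is the standard Terraform plan format; the account ID, organisation ID and resource addresses in the sample data are constructed placeholders, and the example deliberately does not evaluate Condition blocks.

```python
"""Flag KMS key policies that grant access to a wildcard principal.

Added example, not part of Regula. Only Allow statements can make a key
public; Deny statements are ignored regardless of their Principal.
"""
import json
from typing import Iterator, Tuple


def _as_list(value):
    """IAM allows most policy elements to be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_names(principal) -> set:
    """Flatten a Principal element into the set of strings it names.

    Handles the forms "*", {"AWS": "*"}, {"AWS": [...]} and {"Service": ...}.
    """
    if principal == "*":
        return {"*"}
    names = set()
    if isinstance(principal, dict):
        for value in principal.values():
            names.update(_as_list(value))
    return names


def public_allow_statements(policy: dict) -> list:
    """Return the Sids (or positional labels) of statements that grant public access.

    A statement counts only if Effect is "Allow" AND its Principal includes "*".
    Deny statements are skipped: they never grant access, which is exactly the
    distinction the reported rule does not make.
    """
    found = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principal_names(stmt.get("Principal")):
            found.append(stmt.get("Sid", f"statement[{idx}]"))
    return found


def is_public(policy: dict) -> bool:
    """True when at least one Allow statement names a wildcard principal."""
    return bool(public_allow_statements(policy))


def kms_key_policies_from_plan(plan: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (resource address, parsed policy) for every aws_kms_key in a plan JSON.

    Walks planned_values.root_module and nested child_modules; the Terraform
    provider stores the key policy as a JSON string under values.policy.
    """
    def walk(module: dict):
        for resource in module.get("resources", []):
            if resource.get("type") == "aws_kms_key":
                raw = (resource.get("values") or {}).get("policy")
                if raw:
                    yield resource.get("address"), json.loads(raw)
        for child in module.get("child_modules", []):
            yield from walk(child)

    yield from walk(plan.get("planned_values", {}).get("root_module", {}))


def public_kms_keys(plan: dict) -> dict:
    """Map each KMS key address in the plan to whether its policy is public."""
    return {addr: is_public(pol) for addr, pol in kms_key_policies_from_plan(plan)}


# --- constructed sample data (placeholder IDs, not from any real account) ---
ACCOUNT_ROOT = "arn:aws:iam::111111111111:root"  # constructed placeholder

# Allow only to the account root; a Deny to "*" outside the org. Not public.
DENY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
         "Action": "kms:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-placeholder"}}},
    ],
}

# An Allow to every AWS principal: genuinely public.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicDecrypt", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# Minimal plan JSON with one key at the root and one inside a child module.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_kms_key.deny_only", "type": "aws_kms_key",
                 "values": {"policy": json.dumps(DENY_ONLY_POLICY)}},
            ],
            "child_modules": [
                {"address": "module.data",
                 "resources": [
                     {"address": "module.data.aws_kms_key.public", "type": "aws_kms_key",
                      "values": {"policy": json.dumps(PUBLIC_POLICY)}},
                 ]},
            ],
        }
    },
}

if __name__ == "__main__":
    print(json.dumps(public_kms_keys(SAMPLE_PLAN), indent=2))
```

Run against a real plan with `terraform show -json plan.out > plan.json` and `json.load` the file in place of SAMPLE_PLAN; the key with the Deny-only wildcard comes back False, which is the result the issue expects from the rule.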