bug: s3 bucket logging warnings being flagged when ignored #5004

Closed
benfisher112 opened this issue Aug 13, 2023 · 4 comments · Fixed by aquasecurity/defsec#1423
@benfisher112

Describe the bug
We’ve noticed that during the security scan we are getting a warning message for a warning that we have chosen to ignore. We have inputted a number of tfsec:ignore throughout the code base, which until 10/08/2023 resulted in the scans ignoring warnings as desired, but currently the same scans are failing due to warnings being raised.

To Reproduce
Steps to reproduce the behaviour on the code (see example code below):

# Test using latest commit for v0.91.0
bin  (master) $ ./defsec fs ~/cogoprojects/aws-configs/management-account-config 
AVD-AWS-0321 aws-s3-enable-logging main.tf:641-645
# Test again using latest commit for v0.90.0
bin  (master) $ git checkout 0d4c4b51
Note: switching to '0d4c4b51'.
bin  $ ./defsec fs ~/cogoprojects/aws-configs/management-account-config
bin  $

Expected behavior
We have inputted a number of tfsec:ignore throughout the code base, which until 10/08/2023 resulted in scans ignoring warnings, including aws-s3-enable-bucket-logging (desired).

Output of your tfsec command with --debug flag

System Info

  • tfsec version: 1.28.1
  • terraform version: v.1.4.4
  • OS: MacOS 13.4.1

Example Code
Example of tfsec:ignore for bucket logging below:

# tfsec:ignore:aws-s3-enable-bucket-logging - Logging not required
resource "aws_s3_bucket" "logs" {
  bucket = "${var.load_balancer_type}-access-logs-${var.project_name}-${var.environment}"
}

Additional context
Can provide further information

@nikpivkin
Contributor

Hi @benfisher112 !

At the moment, we have a duplication of the rule for logging AWS buckets:

Could you use the following comments to ignore both rules?

# tfsec:ignore:aws-s3-enable-logging
# tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "logs" {
  bucket = "${var.load_balancer_type}-access-logs-${var.project_name}-${var.environment}"
}

Output:

AVD-AWS-0086 aws-s3-block-public-acls main.tf:3-5
AVD-AWS-0087 aws-s3-block-public-policy main.tf:3-5
AVD-AWS-0088 aws-s3-enable-bucket-encryption main.tf:3-5
AVD-AWS-0090 aws-s3-enable-versioning main.tf:3-5
AVD-AWS-0132 aws-s3-encryption-customer-key main.tf:3-5
AVD-AWS-0091 aws-s3-ignore-public-acls main.tf:3-5
AVD-AWS-0093 aws-s3-no-public-buckets main.tf:3-5
AVD-AWS-0094 aws-s3-specify-public-access-block main.tf:3-5
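
A small lint, added here as an example and not code from defsec, tfsec or this thread, that flags resources which ignore only one of two aliased rule IDs (the two names from this issue), so the duplicated-rule regression above can be caught before a scan fails. The comment-association rule it applies (a run of `#` or `//` lines directly above the resource, blank lines allowed, plus inline ignores on the resource line) is an assumption, and the sample Terraform is constructed from the snippets above.

```python
import re

# The two rule IDs the issue shows checking the same thing under different names.
ALIAS_GROUPS: list[set[str]] = [
    {"aws-s3-enable-logging", "aws-s3-enable-bucket-logging"},
]
IGNORE_RE = re.compile(r"tfsec:ignore:([A-Za-z0-9_-]+)")
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"')


def collect_ignores(hcl: str) -> dict[str, set[str]]:
    """Map 'type.name' -> rule IDs ignored by the comment run directly above the resource
    or inline on its first line. Assumption: blank lines keep the run; other lines end it."""
    pending: set[str] = set()
    result: dict[str, set[str]] = {}
    for line in hcl.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            pending.update(IGNORE_RE.findall(stripped))
        elif stripped:
            m = RESOURCE_RE.match(line)
            if m:
                result[f"{m.group(1)}.{m.group(2)}"] = pending | set(IGNORE_RE.findall(line))
            pending = set()
    return result


def find_partial_ignores(hcl: str) -> list[tuple[str, set[str]]]:
    """Resources that ignore some but not all IDs of an alias group, i.e. the
    ones that went quiet under v0.90.0 and reappeared under v0.91.0."""
    findings: list[tuple[str, set[str]]] = []
    for address, ignored in collect_ignores(hcl).items():
        for group in ALIAS_GROUPS:
            hit = ignored & group
            if hit and hit != group:
                findings.append((address, group - hit))
    return findings


# Constructed sample: the issue's bucket (one alias ignored) and one that ignores both.
SAMPLE_TF = """\
# tfsec:ignore:aws-s3-enable-bucket-logging - Logging not required
resource "aws_s3_bucket" "logs" {
  bucket = "${var.load_balancer_type}-access-logs-${var.project_name}-${var.environment}"
}

# tfsec:ignore:aws-s3-enable-logging
# tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "audit" {
  bucket = "audit-logs"
}
"""
```

Running `find_partial_ignores(SAMPLE_TF)` reports only `aws_s3_bucket.logs`, naming `aws-s3-enable-logging` as the alias still missing from its ignore comments.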

@benfisher112
Author

benfisher112 commented Aug 14, 2023

Thanks @nikpivkin,

Ideally, we'd like to avoid duplication in this instance. We've used .trivyignore for the time being to avoid having to duplicate across our projects. When are you likely to have a fix that doesn't require duplication?

@simar7
Member

simar7 commented Aug 17, 2023

> Thanks @nikpivkin,
>
> Ideally, we'd like to avoid duplication in this instance. We've used .trivyignore for the time being to avoid having to duplicate across our projects. When are you likely to have a fix that doesn't require duplication?

Once we merge this aquasecurity/defsec#1423 it will be fixed.

@simar7 simar7 transferred this issue from aquasecurity/defsec Aug 17, 2023
@simar7 simar7 self-assigned this Aug 17, 2023
@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Aug 17, 2023
@simar7 simar7 added this to the v0.45.0 milestone Aug 17, 2023
@simar7
Member

simar7 commented Aug 30, 2023

Closed via aquasecurity/defsec#1423

@simar7 simar7 closed this as completed Aug 30, 2023