kmsKeyExposedPolicy:22: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} #627

Closed
ismailyenigul opened this issue Mar 21, 2021 · 1 comment
Labels: policy (Issue concerning policy maintainers.)

Comments

@ismailyenigul

  • terrascan version: v1.4.0
  • Operating System: MacOS

Description

Getting the following warning

kmsKeyExposedPolicy:22: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AWS.KMS.NetworkSecurity.High.0566' <nil>} {file 15 0 kmsKeyExposedPolicy.rego <nil>}

While scanning the following tf code.

$ cat main.tf

```hcl
resource "aws_sns_topic" "user_updates" {
  name              = "user-updates-topic"
  kms_master_key_id = "alias/aws/sns"
  # kms_master_key_id               = aws_kms_key.key["default"].arn
}

provider "aws" {
  region = "eu-west-1"
}

locals {
  applications = toset(concat(["default"], var.applications))
}

variable "applications" {
  type    = list
  default = []
}

resource "aws_kms_key" "key" {
  for_each                = local.applications
  description             = "kms key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.service_access.json
}

data "aws_iam_policy_document" "service_access" {
  policy_id = "my-kms"

  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com"]
    }
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*", "kms:"]
    resources = ["*"]
  }
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
    actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
    resources = ["*"]
  }
}
```

What I Did

$ terrascan scan -l debug .

@amirbenv amirbenv added the policy Issue concerning policy maintainers. label May 7, 2021
@gaurav-gogia
Contributor

Hi @ismailyenigul, please make use of the tfplan-based scanning feature of terrascan.

This blog can help you in understanding how terrascan can use tfplan output files for scanning IaC.
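Added example (not part of the issue thread and not terrascan's own policy code): a Python sketch of what the `kmsKeyExposedPolicy` check is doing and why it fails here. The assumption behind it, consistent with the error message and with the maintainer's pointer to plan-based scanning, is that when raw HCL is scanned the `policy` attribute is not a JSON document but the unresolved reference `${data.aws_iam_policy_document.service_access.json}`, so an unguarded `json.unmarshal` hits the leading `$`. A plan file carries the rendered JSON instead. The naive check below reproduces the failure; the guarded check classifies the value first and only evaluates the public-principal condition on real JSON. All policy documents are constructed for this example; the names `RAW_HCL_POLICY`, `classify_policy` and `kms_key_exposed` are mine, not terrascan's.

```python
import json
import re

# Constructed inputs. RAW_HCL_POLICY is how a raw-HCL scanner would see the
# `policy = data.aws_iam_policy_document.service_access.json` attribute from
# the issue: an interpolation string, not a JSON document.
RAW_HCL_POLICY = "${data.aws_iam_policy_document.service_access.json}"

# What the same attribute looks like once terraform has rendered it (as a
# tfplan JSON would carry it). Service principals only: not exposed.
PLAN_JSON_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "my-kms",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["cloudtrail.amazonaws.com", "logs.amazonaws.com"]},
        "Action": ["kms:Encrypt", "kms:Decrypt"],
        "Resource": "*",
    }],
})

# A genuinely exposed key policy: anyone may call kms:* on the key.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"}],
})

# Matches a value that is entirely a Terraform interpolation, e.g. "${...}".
INTERPOLATION = re.compile(r"^\s*\$\{.*\}\s*$", re.DOTALL)


def naive_kms_key_exposed(policy):
    """Unguarded version: parse first, ask questions later.

    On RAW_HCL_POLICY json.loads raises ValueError (JSONDecodeError), the
    Python counterpart of Go's "invalid character '$' looking for beginning
    of value" seen in the issue.
    """
    doc = json.loads(policy)
    return any(_principal_is_public(s.get("Principal")) for s in _statements(doc))


def classify_policy(policy):
    """Return 'unresolved' for an HCL interpolation, 'invalid' for anything
    that is not JSON, and 'json' for a parseable document."""
    if not isinstance(policy, str):
        return "invalid"
    if INTERPOLATION.match(policy):
        return "unresolved"
    try:
        json.loads(policy)
    except ValueError:
        return "invalid"
    return "json"


def kms_key_exposed(policy):
    """Guarded version. Returns (finding, reason).

    finding is True only when a parsed Allow statement grants access to a
    public principal. Unresolved or unparseable values are reported as such
    instead of aborting the whole rule evaluation.
    """
    kind = classify_policy(policy)
    if kind != "json":
        return (False, kind)
    for st in _statements(json.loads(policy)):
        if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")):
            return (True, "public-principal")
    return (False, "ok")


def _statements(doc):
    # IAM allows "Statement" to be a single object or a list.
    st = doc.get("Statement", [])
    return [st] if isinstance(st, dict) else st


def _principal_is_public(principal):
    # Both the bare "*" and {"AWS": "*"} / {"AWS": [..., "*"]} forms mean everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


if __name__ == "__main__":
    for label, pol in [("raw hcl", RAW_HCL_POLICY), ("plan json", PLAN_JSON_POLICY), ("exposed", EXPOSED_POLICY)]:
        print(label, kms_key_exposed(pol))
```

The practical takeaway matches the maintainer's advice: the attribute only becomes JSON after `terraform plan`, so generate a plan, export it with `terraform show -json <planfile>`, and scan that output with terrascan's tfplan input rather than the raw `.tf` files. Policy authors on the Rego side can apply the same idea by guarding the unmarshal with a check that the value does not start with `${`.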
