
fix(misconf): false positive AVD-AWS-0057 when allowing access to one log group #5090

Closed
nikpivkin opened this issue Sep 1, 2023 · 2 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@nikpivkin
Contributor

nikpivkin commented Sep 1, 2023

Source: https://github.com/aquasecurity/tfsec/issues/1978#issuecomment-1409982074

To access log events in one specified log group, a wildcard is required at the end of the log group name; otherwise the policy will not work, but this leads to a false positive for AVD-AWS-0057. Quote from the AWS doc (Example 3):

The :* at the end of the log group name in the Resource line is required to indicate that the policy applies to all log streams in this log group. If you omit :*, the policy will not be enforced.

Terraform config:

resource "aws_iam_role" "this" {
  name = "test_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "s3.amazonaws.com"
        }
      },
    ]
  })
}

resource "aws_iam_role_policy" "this" {
  name   = "test_policy"
  role   = aws_iam_role.this.id
  policy = data.aws_iam_policy_document.this.json
}


data "aws_iam_policy_document" "this" {
  statement {
    actions   = ["logs:PutLogEvents"]
    resources = ["arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"]
  }
}

Trivy output:

trivy config .
2023-09-01T19:28:21.514+0700    INFO    Misconfiguration scanning is enabled
2023-09-01T19:28:21.899+0700    INFO    Detected config files: 2

main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: IAM policy document uses sensitive action 'logs:PutLogEvents' on wildcarded resource 'arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*'
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.

See https://avd.aquasec.com/misconfig/avd-aws-0057
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:28
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  25   data "aws_iam_policy_document" "this" {
  26     statement {
  27       actions   = ["logs:PutLogEvents"]
  28 [     resources = ["arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"]
  29     }
  30   }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Sep 1, 2023
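As an added example (not Trivy's or tfsec's code), one way a check like AVD-AWS-0057 could tell the AWS-required `log-group:NAME:*` form apart from wildcards that actually widen a grant. The function name, the parsing rule and every sample ARN other than the one from the issue are this example's own assumptions/constructions.

```go
package main

import (
	"fmt"
	"strings"
)

// WildcardBroadensScope reports whether the wildcard in an IAM resource ARN
// widens the grant beyond one named resource. Added illustration, not Trivy's
// code: for CloudWatch Logs, "log-group:NAME:*" (or "log-group:NAME:log-stream:*")
// only covers the streams of that single group, which AWS requires, so it is
// treated as scoped; a '*' anywhere else is a genuine wildcard.
func WildcardBroadensScope(arn string) bool {
	if !strings.Contains(arn, "*") {
		return false // nothing to flag
	}
	parts := strings.Split(arn, ":")
	// Expected shape: arn:partition:logs:region:account:log-group:NAME[:*|:log-stream:*]
	if len(parts) < 7 || parts[2] != "logs" || parts[5] != "log-group" || parts[6] == "" {
		return true // not a named log-group ARN, so the '*' is a real wildcard
	}
	for _, p := range parts[1:7] {
		if strings.Contains(p, "*") {
			return true // wildcard in partition, region, account or group name
		}
	}
	rest := parts[7:]
	allStreams := len(rest) == 1 && rest[0] == "*"
	allStreamsExplicit := len(rest) == 2 && rest[0] == "log-stream" && rest[1] == "*"
	return !(allStreams || allStreamsExplicit)
}

func main() {
	// Constructed sample resources; the first is the ARN from the issue above.
	for _, arn := range []string{
		"arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*",
		"arn:aws:logs:us-west-2:123456789012:log-group:*",
		"arn:aws:logs:*:123456789012:log-group:SampleLogGroupName:*",
		"*",
	} {
		fmt.Printf("%-70s broadens scope: %v\n", arn, WildcardBroadensScope(arn))
	}
}
```

Only the first sample is left unflagged: its `:*` covers the streams of one named group, while the others widen the grant to every group, every region, or every resource.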
@nikpivkin
Contributor Author

@simar7 I can't reproduce it now.

trivy conf .
2023-12-11T18:15:36.931+0700    INFO    Misconfiguration scanning is enabled
2023-12-11T18:15:37.305+0700    INFO    Detected config files: 2

@simar7
Member

simar7 commented Dec 11, 2023

@simar7 I can't reproduce it now.

trivy conf .
2023-12-11T18:15:36.931+0700    INFO    Misconfiguration scanning is enabled
2023-12-11T18:15:37.305+0700    INFO    Detected config files: 2

Hmm yeah, same as well, can't seem to reproduce this on the latest version. Well, I'll close this for now.

@simar7 simar7 closed this as not planned Dec 11, 2023