
Valid Terraform configuration fails with s3EnforceUserAcl #659

Closed
msnook opened this issue Apr 13, 2021 · 1 comment · Fixed by #828
Labels
policy Issue concerning policy maintainers.

Comments


msnook commented Apr 13, 2021

  • terrascan version: Latest Docker image

Description

Trying to verify S3 bucket configuration, but keep running into a failing test case (due to s3EnforceUserAcl).

What I Did

Code snippet:

resource "aws_s3_bucket" "frontend_lb_logs" {
  bucket = "frontend-access-logs"
  acl    = "private"

  versioning {
    enabled = true
  }

  logging {
    target_bucket = "log-bucket"
    target_prefix = "AWSLogs/frontend-lb-access-logs/"
  }
}

resource "aws_s3_bucket_policy" "frontend_lb_logs_policy" {
  bucket = aws_s3_bucket.frontend_lb_logs.id

  policy = /* valid policy truncated */
}

I truncated the policy above to simplify the troubleshooting. Note: when I add the policy directly to the aws_s3_bucket, the terrascan results work fine!

Here is the command I run:

terrascan scan -l error --iac-type terraform --iac-version v14 --use-colors f -o json -v -f "/temp/main.tf" -t

Here are the results I get if I use aws_s3_bucket_policy:

{
  "results": {
    "violations": [
      {
        "rule_name": "s3EnforceUserACL",
        "description": "S3 bucket Access is allowed to all AWS Account Users.",
        "rule_id": "AWS.S3Bucket.DS.High.1043",
        "severity": "HIGH",
        "category": "Identity and Access Management",
        "resource_name": "frontend_lb_logs",
        "resource_type": "aws_s3_bucket",
        "file": "main.tf",
        "line": 363
      }
    ],
    "skipped_violations": null,
    "scan_summary": {
      "file/folder": "/temp/main.tf",
      "iac_type": "terraform",
      "scanned_at": "2021-04-13 19:35:10.781287492 +0000 UTC",
      "policies_validated": 158,
      "violated_policies": 1,
      "low": 0,
      "medium": 0,
      "high": 1
    }
  }
}

Why is aws_s3_bucket_policy not recognized by terrascan?
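The reporter's observation is that a check which reads only the inline `policy` attribute of `aws_s3_bucket` never sees a policy attached through a separate `aws_s3_bucket_policy` resource. The Python below is an added illustration, not terrascan's own Rego rule: it joins each attachment to its bucket via the `bucket = aws_s3_bucket.<name>.id` reference before evaluating a simplified wildcard-principal check, and the resource model and policy body are constructed for the example.

```python
import json

# Constructed sample resources shaped like the reporter's main.tf: the bucket's
# policy lives in a separate aws_s3_bucket_policy resource. The policy body is
# made up for this example (it is not the reporter's truncated policy).
RESOURCES = [
    {"type": "aws_s3_bucket", "name": "frontend_lb_logs",
     "config": {"bucket": "frontend-access-logs", "acl": "private"}},
    {"type": "aws_s3_bucket_policy", "name": "frontend_lb_logs_policy",
     "config": {"bucket": "aws_s3_bucket.frontend_lb_logs.id",
                "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                     "Resource": "arn:aws:s3:::frontend-access-logs/*"}]})}},
]

def grants_to_all_principals(policy_doc):
    """True if any Allow statement has a wildcard principal and no Condition."""
    stmts = policy_doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow" or "Condition" in s:
            continue
        p = s.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") == "*"):
            return True
    return False

def effective_policies(resources, follow_attachments=True):
    """Map bucket resource name -> policy documents that apply to that bucket."""
    policies = {}
    for r in resources:
        if r["type"] == "aws_s3_bucket":
            inline = r["config"].get("policy")
            policies[r["name"]] = [json.loads(inline)] if inline else []
    if follow_attachments:  # the join a bucket-only check never performs
        for r in resources:
            if r["type"] != "aws_s3_bucket_policy":
                continue
            parts = r["config"]["bucket"].split(".")  # aws_s3_bucket.<name>.id
            if len(parts) == 3 and parts[0] == "aws_s3_bucket" and parts[1] in policies:
                policies[parts[1]].append(json.loads(r["config"]["policy"]))
    return policies

def public_buckets(resources, follow_attachments=True):
    """Bucket resource names whose effective policy grants access to everyone."""
    docs_by_bucket = effective_policies(resources, follow_attachments)
    return sorted(name for name, docs in docs_by_bucket.items()
                  if any(grants_to_all_principals(d) for d in docs))
```

With the join, the separately attached policy is judged; without it, the same bucket looks as if it had no policy at all.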

@amirbenv (Contributor)

Thanks for the report, will update soon!
