terraform: string formatting is not correctly evaluated for wildcard resource rules

[acdha]

Description

I have a Terraform project using Trivy 0.49. I noticed a problem with the popular https://github.com/terraform-aws-modules/terraform-aws-lambda module which generates IAM policies using code like this:

resources = flatten([for _, v in ["%v:*", "%v:*:*"] : format(v, local.log_group_arn)])

Every one of those Lambda invocations will generate a finding like this:

.terraform/modules/static_sites.static_web_content/iam.tf (terraform)
=====================================================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'c976754b-dba2-4b3b-a56f-49ade19fb65e:*'
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.

See https://avd.aquasec.com/misconfig/avd-aws-0057
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 .terraform/modules/static_sites.static_web_content/iam.tf:130
   via .terraform/modules/static_sites.static_web_content/iam.tf:121-131 (data.aws_iam_policy_document.logs[0])
    via .terraform/modules/static_sites.static_web_content/iam.tf:118-132 (data.aws_iam_policy_document.logs[0])
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 118   data "aws_iam_policy_document" "logs" {
 ...   
 130 [     resources = flatten([for _, v in ["%v:*", "%v:*:*"] : format(v, local.log_group_arn)])
 ...   
 132   }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Desired Behavior

Obviously I can ignore that rule or even all downloaded modules but I would like to evaluate all of the code we're using. In this case, it looks like the trick would be changing the evaluation logic to either suppress the warning when something like string formatting or interpolation is in use or, better, doing so only when the value is non-empty.

Actual Behavior

The finding was generated

Reproduction Steps

1. Terraform as below
2. `trivy config --severity HIGH,CRITICAL --tf-vars development.tfvars .`


module "static_web_content" {
  source        = "terraform-aws-modules/lambda/aws"
  version       = "~> 4.18"
  function_name = "${var.deployment_id}-serve-static-web"
  description   = "Serve static web content from S3"
  handler       = "serve_static.lambda_handler"
  runtime       = "python3.11"
  architectures = ["arm64"]
  source_path   = "${path.module}/serve_static.py"
  timeout       = 60
  publish       = true

  attach_network_policy = true
  vpc_security_group_ids = [
    var.security_group_id,
  ]

  vpc_subnet_ids = var.private_vpc_subnets

  attach_policies    = true
  number_of_policies = 1
  policies = [
    aws_iam_policy.read_static_sites_bucket.arn,
  ]

  allowed_triggers = {
    ALB = {
      service    = "elasticloadbalancing"
      source_arn = aws_lb_target_group.static_sites.arn
    }
  }

  environment_variables = {
    STATIC_SITE_BUCKET_NAME = aws_s3_bucket.static_sites.id
  }

  cloudwatch_logs_retention_in_days = var.cloudwatch_log_retention_days
  cloudwatch_logs_kms_key_id        = var.cloudwatch_logs_kms_arn
  tags                              = local.tags
}

### Target

Git Repository

### Scanner

Misconfiguration

### Output Format

None

### Mode

None

### Debug Output

```bash
(available privately)

Operating System

ProductName: macOS ProductVersion: 14.3 BuildVersion: 23D56

Version

Version: 0.49.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-01 18:12:52.179560737 +0000 UTC
  NextUpdate: 2024-02-02 00:12:52.179560336 +0000 UTC
  DownloadedAt: 2024-02-01 21:16:56.686826 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-03 00:44:47.262007656 +0000 UTC
  NextUpdate: 2024-01-06 00:44:47.262007506 +0000 UTC
  DownloadedAt: 2024-01-03 20:50:33.368787 +0000 UTC
Policy Bundle:
  Digest: sha256:f21e8e92a7b3f6042ef7acfd3b799afc1648536dc4111c4d5458bc16396f8332
  DownloadedAt: 2024-02-01 21:17:29.825475 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[simar7]

In the desired behavior section you mentioned to suppress the warning. But the result is telling you that there is a problem with that particular resource.

So are you saying this is a false positive and shouldn't be flagged? Just want to clarify what the issue is here and what's desired.

[acdha]

That code is always evaluated with a log group prefix so there’s no way it could produce a * or similar high risk policy, so I think variable severity might improve the S/N ratio in general. In this case, the specific resource type adds noise because the group/stream structure for CloudWatch Logs means it’s expected to have a trailing :* on many policies:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html

That could suggest a heuristic like downgrading from HIGH to MEDIUM for prefixed wildcards and maybe suppressing it entirely for the single trailing prefix on CWL and similar.

[bozzaj]

Ran into a similar issue around string evaluations. Here's a snippet of a statement that triggers avd-aws-0057

  statement {
    sid    = "logs"
    effect = "Allow"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
    resources = [
      "${aws_cloudwatch_log_group.logs.arn}:log-stream:*"
    ]
  }

When using this, I get the following error:

HIGH: IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '0e48a3c2-636e-42a2-aa47-79a747143b1e:log-stream:*'

If I (instead), use the following:

  statement {
    sid    = "logs"
    effect = "Allow"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
    resources = [
      "arn:aws:logs:${var.region}:${var.accountid}:log-group:${aws_cloudwatch_log_group.logs.name}:log-stream:*",
    ]
  }

trivy is fine.

I'm guessing that the UUID placeholder being put in (0e48a3c2-636e-42a2-aa47-79a747143b1e in my example, c976754b-dba2-4b3b-a56f-49ade19fb65e in the original) is then being evaluated as is, resulting in a resource string that isn't accurate.

[simar7]

@bozzaj can you open a new discussion with a minimally reproducible code example? The original issue doesn't seem to be reproducible anymore as we've made some improvements. Correct me if I'm wrong, @acdha

$ trivy --debug config . 

terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

LOW: Log group is not encrypted.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
CloudWatch log groups are encrypted by default, however, to get the full benefit of controlling key rotation and other KMS aspects a KMS CMK should be used.


See https://avd.aquasec.com/misconfig/avd-aws-0017
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:184-192
   via main.tf:1-40 (module.static_web_content)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 184 ┌ resource "aws_cloudwatch_log_group" "lambda" {
 185 │   count = local.create && var.create_function && !var.create_layer && !var.use_existing_cloudwatch_log_group ? 1 : 0
 186 │ 
 187 │   name              = "/aws/lambda/${var.lambda_at_edge ? "us-east-1." : ""}${var.function_name}"
 188 │   retention_in_days = var.cloudwatch_logs_retention_in_days
 189 │   kms_key_id        = var.cloudwatch_logs_kms_key_id
 190 │ 
 191 │   tags = merge(var.tags, var.cloudwatch_logs_tags)
 192 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Function does not have tracing enabled.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
X-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts.


See https://avd.aquasec.com/misconfig/avd-aws-0066
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:24-139
   via main.tf:1-40 (module.static_web_content)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  24 ┌ resource "aws_lambda_function" "this" {
  25 │   count = local.create && var.create_function && !var.create_layer ? 1 : 0
  26 │ 
  27 │   function_name                      = var.function_name
  28 │   description                        = var.description
  29 │   role                               = var.create_role ? aws_iam_role.lambda[0].arn : var.lambda_role
  30 │   handler                            = var.package_type != "Zip" ? null : var.handler
  31 │   memory_size                        = var.memory_size
  32 └   reserved_concurrent_executions     = var.reserved_concurrent_executions
  ..   
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:261
   via terraform-aws-modules/lambda/aws/main.tf:252-264 (aws_lambda_permission.unqualified_alias_triggers["ALB"])
    via main.tf:1-40 (module.static_web_content)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 252   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 261 [   source_arn         = try(each.value.source_arn, null)
 ...   
 264   }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:246
   via terraform-aws-modules/lambda/aws/main.tf:236-249 (aws_lambda_permission.current_version_triggers["ALB"])
    via main.tf:1-40 (module.static_web_content)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 236   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 246 [   source_arn         = try(each.value.source_arn, null)
 ...   
 249   }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

[nikpivkin]

We fill in the ARN attribute as id (https://github.com/aquasecurity/trivy/blob/main/pkg/iac/terraform/presets.go#L19), so it does not have the correct format and the check is triggered. To solve this problem it is necessary to process each resource separately and form its ARN. But I think there are a lot of resources.