
AWS S3 bucket checks for public access fail in terraform_plan framework


Describe the issue

S3 bucket created in a module is throwing failures around public blocks and ACLs, but only on a planfile:

Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access."
        FAILED for resource: aws_s3_bucket.backend
        File: terraform_backend/main.tf:58-65
        Guide: https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone
Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access."
        FAILED for resource: aws_s3_bucket.backend
        File: terraform_backend/main.tf:58-65
        Guide: https://docs.bridgecrew.io/docs/s3_2-acl-write-permissions-everyone
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
        FAILED for resource: aws_s3_bucket.backend
        File: terraform_backend/main.tf:58-65
        Guide: https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

Examples

resource "aws_s3_bucket" "backend" {
  bucket = "terraform-${var.repo}-${var.environment}"
  #checkov:skip=CKV_AWS_18:Need to create a global logging bucket
  #checkov:skip=CKV_AWS_144:Non-critical bucket
  tags = {
    component = var.repo
  }
}

resource "aws_s3_bucket_acl" "backend" {
  bucket = aws_s3_bucket.backend.id
  acl    = "private"
}

resource "aws_s3_bucket_versioning" "backend" {
  bucket = aws_s3_bucket.backend.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "backend" {
  bucket = aws_s3_bucket.backend.bucket
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = data.aws_kms_key.terraform.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "backend" {
  bucket                  = aws_s3_bucket.backend.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Version (please complete the following information):

  • checkov 2.1.149 (also occurs on 2.0.0 and 2.1.0)
  • terraform 1.2.3 and 1.2.6 and 1.2.7
  • aws provider 4.23 and 4.27

Additional context

Again, this only happens when scanning the planfile with the terraform_plan framework. But it does go away when I use the deprecated S3 attributes for acl and public access block.
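One plausible reason such connection checks behave differently on a plan file: in `terraform show -json` output the bucket id is known only after apply, so the `bucket` argument of `aws_s3_bucket_acl` and `aws_s3_bucket_public_access_block` is unknown in `resource_changes`, and the link back to the bucket has to be resolved from the references in the `configuration` block. The Python below is an added example, not checkov's code or the issue author's; the plan fragment is constructed, it uses the field names of the `terraform show -json` format, and it handles module-nested resources and the deprecated inline `acl` attribute the issue mentions.

```python
# Constructed plan fragment in the parsed `terraform show -json` shape (not a real plan); bucket id is unknown until apply.
BLOCK_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
REF = {"bucket": {"references": ["aws_s3_bucket.backend.id", "aws_s3_bucket.backend"]}}
PLAN = {
    "resource_changes": [
        {"address": "module.backend.aws_s3_bucket.backend", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "terraform-repo-dev"}}},
        {"address": "module.backend.aws_s3_bucket_acl.backend", "type": "aws_s3_bucket_acl",
         "change": {"actions": ["create"], "after": {"acl": "private"}, "after_unknown": {"bucket": True}}},
        {"address": "module.backend.aws_s3_bucket_public_access_block.backend",
         "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"], "after_unknown": {"bucket": True},
                    "after": dict.fromkeys(BLOCK_FLAGS, True)}},
    ],
    "configuration": {"root_module": {"module_calls": {"backend": {"module": {"resources": [
        {"address": "aws_s3_bucket.backend", "expressions": {}},
        {"address": "aws_s3_bucket_acl.backend", "expressions": REF},
        {"address": "aws_s3_bucket_public_access_block.backend", "expressions": REF},
    ]}}}}},
}
def config_resources(module, prefix=""):
    """Walk the configuration tree, yielding (module prefix, full address, expressions)."""
    for res in module.get("resources", []):
        yield prefix, prefix + res["address"], res.get("expressions", {})
    for name, call in module.get("module_calls", {}).items():
        yield from config_resources(call["module"], f"{prefix}module.{name}.")

def s3_public_findings(plan):
    """Return {bucket address: [problems]}, linking ACL/public-access-block resources by config refs."""
    changes = {rc["address"]: rc for rc in plan["resource_changes"] if rc["change"]["actions"] != ["delete"]}
    acl_of, blocked = {}, {}
    for prefix, addr, exprs in config_resources(plan["configuration"]["root_module"]):
        refs = exprs.get("bucket", {}).get("references", [])
        target = [r for r in refs if r.startswith("aws_s3_bucket.") and r.count(".") == 1]
        if target and addr in changes:
            rc, bucket, after = changes[addr], prefix + target[0], changes[addr]["change"].get("after") or {}
            if rc["type"] == "aws_s3_bucket_acl":
                acl_of[bucket] = after.get("acl")
            elif rc["type"] == "aws_s3_bucket_public_access_block":
                blocked[bucket] = all(after.get(flag) is True for flag in BLOCK_FLAGS)
    findings = {}
    for addr, rc in changes.items():
        if rc["type"] == "aws_s3_bucket":
            acl = (rc["change"].get("after") or {}).get("acl") or acl_of.get(addr) or "private"
            problems = [f"public ACL {acl}"] if acl in PUBLIC_ACLS else []
            if not blocked.get(addr):
                problems.append("no public access block with all four settings enabled")
            findings[addr] = problems
    return findings
```

Run against a real plan with `json.load(open("plan.json"))` in place of `PLAN`; an empty problem list means the bucket passed both the ACL and the public-access-block checks.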

Top GitHub Comments

zamirTo1 commented, Oct 24, 2022 (1 reaction)

?

gruebel commented, Sep 12, 2022 (1 reaction)

hey @citrix-eg thanks for reaching out. I tested it locally and I don’t see any issue with those checks in a plan file. If you can share the exact command you are using and the plan file you scan. When sharing plan files, please make sure to remove any sensitive information.
