
fix(checks): Update Athena KMS argument to latest spec #5894

Closed
2 tasks done
simar7 opened this issue Jan 9, 2024 Discussed in #5870 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@simar7 (Member)

simar7 commented Jan 9, 2024

Terraform uses kms_key now as the argument instead of kms_key_arn. We'll need to update this in our checks: avd-aws-0007 and avd-aws-0006.

Discussed in #5870

Originally posted by ConorWright January 4, 2024

Description

Athena encryption and workgroup configuration are being triggered when I have this set up in terraform. I imagine the issue for athena database is that terraform expects kms_key and trivy expects kms_key_arn here but not sure what is causing the workgroup issue. Examples of the terraform json are below. Irrelevant fields are removed for brevity. Names changed for privacy. Autogenerated from cdktf.

"aws_athena_database": {
      "AthenaDatabase": {
        "bucket": "bucket_name",
        "encryption_configuration": {
          "encryption_option": "SSE_KMS",
          "kms_key": "kms_key_id"
        },
        "name": "database"
      }
    },
"aws_athena_workgroup": {
      "AthenaWorkgroup": {
        "configuration": {
          "enforce_workgroup_configuration": true,
          "publish_cloudwatch_metrics_enabled": true,
          "result_configuration": {
            "encryption_configuration": {
              "encryption_option": "SSE_KMS",
              "kms_key_arn": "kms_key_arn"
            },
            "output_location": "s3://buckert/logs-output/"
          }
        },
        "name": "athena-workgroup"
      }
    },

Desired Behavior

The below to not appear in my trivy output

HIGH: Database does not have encryption configured.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.

See https://avd.aquasec.com/misconfig/avd-aws-0006
HIGH: Workgroup does not have encryption configured.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.

See https://avd.aquasec.com/misconfig/avd-aws-0006
HIGH: The workgroup configuration is not enforced.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings.

See https://avd.aquasec.com/misconfig/avd-aws-0007

Actual Behavior

The above appearing in trivy output.

Reproduction Steps

1. Save this to file.tf.json:
{
  "resource": {
    "aws_athena_database": {
      "AthenaDatabase": {
        "bucket": "bucket_name",
        "encryption_configuration": {
          "encryption_option": "SSE_KMS",
          "kms_key": "kms_key_id"
        },
        "name": "database"
      }
    },
    "aws_athena_workgroup": {
      "AthenaWorkgroup": {
        "configuration": {
          "enforce_workgroup_configuration": true,
          "publish_cloudwatch_metrics_enabled": true,
          "result_configuration": {
            "encryption_configuration": {
              "encryption_option": "SSE_KMS",
              "kms_key_arn": "kms_key_arn"
            },
            "output_location": "s3://buckert/logs-output/"
          }
        },
        "name": "athena-workgroup"
      }
    }
  }
}

2. Run trivy config file.tf.json

Target

AWS

Scanner

Misconfiguration

Output Format

SARIF

Mode

Standalone

Debug Output

2024-01-04T13:42:23.680Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-04T13:42:23.694Z	DEBUG	cache dir:  /Users/admin/Library/Caches/trivy
2024-01-04T13:42:23.695Z	INFO	Misconfiguration scanning is enabled
2024-01-04T13:42:23.695Z	DEBUG	Policies successfully loaded from disk
2024-01-04T13:42:23.695Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-04T13:42:23.724Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-01-04T13:42:23.724Z	DEBUG	Walk the file tree rooted at 'trivy-test.tf.json' in series
2024-01-04T13:42:23.725Z	DEBUG	Scanning Terraform files for misconfigurations...
2024-01-04T13:42:23.725Z	DEBUG	[misconf] 42:23.725924000 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13933516366264157040 668797335 0x1110871e0} <nil>} {{{0 0} {[] {} 0x140021f8650} map[trivy-test.tf.json:0x14002b85b48] 0}}}) }] at '.'...
2024-01-04T13:42:23.727Z	DEBUG	[misconf] 42:23.727748000 terraform.scanner.rego           Overriding filesystem for policies!
2024-01-04T13:42:23.769Z	DEBUG	[misconf] 42:23.769205000 terraform.scanner.rego           Loaded 188 policies from disk.
2024-01-04T13:42:23.769Z	DEBUG	[misconf] 42:23.769461000 terraform.scanner.rego           Overriding filesystem for data!
2024-01-04T13:42:24.065Z	DEBUG	[misconf] 42:24.065767000 terraform.scanner                Scanning root module '.'...
2024-01-04T13:42:24.065Z	DEBUG	[misconf] 42:24.065835000 terraform.parser.<root>          Setting project/module root to '.'
2024-01-04T13:42:24.065Z	DEBUG	[misconf] 42:24.065840000 terraform.parser.<root>          Parsing FS from '.'
2024-01-04T13:42:24.065Z	DEBUG	[misconf] 42:24.065860000 terraform.parser.<root>          Parsing 'trivy-test.tf.json'...
2024-01-04T13:42:24.067Z	DEBUG	[misconf] 42:24.067159000 terraform.parser.<root>          Added file trivy-test.tf.json.
2024-01-04T13:42:24.067Z	DEBUG	[misconf] 42:24.067175000 terraform.parser.<root>          Evaluating module...
2024-01-04T13:42:24.068Z	DEBUG	[misconf] 42:24.068015000 terraform.parser.<root>          Read 2 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-01-04T13:42:24.068Z	DEBUG	[misconf] 42:24.068038000 terraform.parser.<root>          Added 0 variables from tfvars.
2024-01-04T13:42:24.068Z	DEBUG	[misconf] 42:24.068043000 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-01-04T13:42:24.068Z	DEBUG	[misconf] 42:24.068070000 terraform.parser.<root>          Working directory for module evaluation is '/Users/admin/Documents/projects/redacted'
2024-01-04T13:42:24.068Z	DEBUG	[misconf] 42:24.068622000 terraform.parser.<root>.evaluator Filesystem key is '8343bc55fcdfe6fb9b5ec0d9a89c265a28beebd196aeca90749a00086f220daa'
2024-01-04T13:42:24.068Z	DEBUG	[misconf] 42:24.068628000 terraform.parser.<root>.evaluator Starting module evaluation...
2024-01-04T13:42:24.070Z	DEBUG	[misconf] 42:24.070269000 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-01-04T13:42:24.070Z	DEBUG	[misconf] 42:24.070302000 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-01-04T13:42:24.070Z	DEBUG	[misconf] 42:24.070306000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-01-04T13:42:24.072Z	DEBUG	[misconf] 42:24.072873000 terraform.parser.<root>.evaluator Module evaluation complete.
2024-01-04T13:42:24.072Z	DEBUG	[misconf] 42:24.072893000 terraform.parser.<root>          Finished parsing module 'root'.
2024-01-04T13:42:24.072Z	DEBUG	[misconf] 42:24.072899000 terraform.executor               Adapting modules...
2024-01-04T13:42:24.074Z	DEBUG	[misconf] 42:24.074749000 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-01-04T13:42:24.074Z	DEBUG	[misconf] 42:24.074755000 terraform.executor               Using max routines of 9
2024-01-04T13:42:24.074Z	DEBUG	[misconf] 42:24.074758000 terraform.executor               Applying state modifier functions...
2024-01-04T13:42:24.074Z	DEBUG	[misconf] 42:24.074806000 terraform.executor               Initialised 484 rule(s).
2024-01-04T13:42:24.074Z	DEBUG	[misconf] 42:24.074810000 terraform.executor               Created pool with 9 worker(s) to apply rules.
2024-01-04T13:42:24.077Z	DEBUG	[misconf] 42:24.077649000 terraform.scanner.rego           Scanning 1 inputs...
2024-01-04T13:42:24.082Z	DEBUG	[misconf] 42:24.082267000 terraform.executor               Finished applying rules.
2024-01-04T13:42:24.082Z	DEBUG	[misconf] 42:24.082287000 terraform.executor               Applying ignores...
2024-01-04T13:42:24.103Z	DEBUG	OS is not detected.
2024-01-04T13:42:24.103Z	INFO	Detected config files: 2
2024-01-04T13:42:24.103Z	DEBUG	Scanned config file: .
2024-01-04T13:42:24.103Z	DEBUG	Scanned config file: trivy-test.tf.json

Operating System

macOS Sonoma 14.1.1

Version

Version: 0.48.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-13 12:10:18.631173329 +0000 UTC
  NextUpdate: 2023-11-13 18:10:18.631173179 +0000 UTC
  DownloadedAt: 2023-11-13 17:17:25.771853 +0000 UTC
Policy Bundle:
  Digest: sha256:8bfc31f3e4301ef758b6793a07e0b12b4306e0b54d03a640efb2ff5e5ef29b9e
  DownloadedAt: 2024-01-04 13:38:54.484093 +0000 UTC

Checklist

@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jan 9, 2024
@nikpivkin (Contributor)

nikpivkin commented Jan 9, 2024

@simar7 We do not check the kms_key_arn attribute. The problem is due to the fact that we have no way to scan terraform configuration in json format with nested blocks. (See comment)
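To make concrete what the two checks quoted in the issue are testing, and why the argument rename matters, here is a small stand-alone checker written for this thread. It is added example code, not Trivy's or defsec's own implementation: it parses a `.tf.json` document with the standard library, walks the nested `configuration` / `result_configuration` / `encryption_configuration` blocks that nikpivkin's comment refers to, and reports the avd-aws-0006 / avd-aws-0007 conditions using the check IDs and message strings from the issue. The attribute names come from the issue's own samples (`kms_key` on `aws_athena_database`, `kms_key_arn` on the workgroup result block); accepting both spellings is the compatibility change the issue asks for. The `SSE_S3` / `CSE_KMS` option values and both JSON documents are assumptions constructed for the example, with placeholder key values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample built from the issue's reproduction file: the database block
// uses the current kms_key argument, the workgroup result block uses kms_key_arn.
const sampleTFJSON = `{"resource": {
  "aws_athena_database": {"AthenaDatabase": {"bucket": "bucket_name", "name": "database",
    "encryption_configuration": {"encryption_option": "SSE_KMS", "kms_key": "kms_key_id"}}},
  "aws_athena_workgroup": {"AthenaWorkgroup": {"name": "athena-workgroup", "configuration": {
    "enforce_workgroup_configuration": true, "publish_cloudwatch_metrics_enabled": true,
    "result_configuration": {"output_location": "s3://buckert/logs-output/",
      "encryption_configuration": {"encryption_option": "SSE_KMS", "kms_key_arn": "kms_key_arn"}}}}}}}`

// Second constructed sample: a database still using the older kms_key_arn name, a
// database with no encryption block, and a workgroup that neither encrypts results
// nor enforces its configuration.
const weakTFJSON = `{"resource": {
  "aws_athena_database": {
    "Legacy": {"bucket": "b", "name": "legacy",
      "encryption_configuration": {"encryption_option": "SSE_KMS", "kms_key_arn": "kms_key_arn"}},
    "Plain": {"bucket": "b", "name": "plain"}},
  "aws_athena_workgroup": {
    "Loose": {"name": "loose", "configuration": {"enforce_workgroup_configuration": false}}}}}`

// encryptionConfig carries both attribute spellings so one struct serves the
// database block (kms_key) and the workgroup result block (kms_key_arn).
type encryptionConfig struct {
	EncryptionOption string `json:"encryption_option"`
	KMSKey           string `json:"kms_key"`
	KMSKeyARN        string `json:"kms_key_arn"`
}

type athenaDatabase struct {
	Name                    string            `json:"name"`
	EncryptionConfiguration *encryptionConfig `json:"encryption_configuration"`
}

type athenaWorkgroup struct {
	Name          string `json:"name"`
	Configuration *struct {
		EnforceWorkgroupConfiguration bool `json:"enforce_workgroup_configuration"`
		ResultConfiguration           *struct {
			EncryptionConfiguration *encryptionConfig `json:"encryption_configuration"`
		} `json:"result_configuration"`
	} `json:"configuration"`
}

// tfJSON mirrors the Terraform JSON layout: resource -> type -> label -> body.
type tfJSON struct {
	Resource struct {
		Databases  map[string]athenaDatabase  `json:"aws_athena_database"`
		Workgroups map[string]athenaWorkgroup `json:"aws_athena_workgroup"`
	} `json:"resource"`
}

// Finding pairs a check ID with the message text quoted in the issue.
type Finding struct{ Check, Resource, Message string }

// encryptedAtRest is the attribute-agnostic test: a block must exist, name a
// server-side option, and for the KMS options reference a key under either name.
func encryptedAtRest(ec *encryptionConfig) bool {
	if ec == nil {
		return false
	}
	switch ec.EncryptionOption {
	case "SSE_S3":
		return true
	case "SSE_KMS", "CSE_KMS":
		return ec.KMSKey != "" || ec.KMSKeyARN != ""
	}
	return false
}

// Evaluate parses a .tf.json document and applies both checks to every resource.
func Evaluate(raw []byte) ([]Finding, error) {
	var cfg tfJSON
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var out []Finding
	for label, db := range cfg.Resource.Databases {
		if !encryptedAtRest(db.EncryptionConfiguration) {
			out = append(out, Finding{"avd-aws-0006", "aws_athena_database." + label, "Database does not have encryption configured."})
		}
	}
	for label, wg := range cfg.Resource.Workgroups {
		res, c := "aws_athena_workgroup."+label, wg.Configuration
		if c == nil || c.ResultConfiguration == nil || !encryptedAtRest(c.ResultConfiguration.EncryptionConfiguration) {
			out = append(out, Finding{"avd-aws-0006", res, "Workgroup does not have encryption configured."})
		}
		if c == nil || !c.EnforceWorkgroupConfiguration {
			out = append(out, Finding{"avd-aws-0007", res, "The workgroup configuration is not enforced."})
		}
	}
	return out, nil
}

// HasFinding reports whether a (check, resource) pair was raised; map iteration
// order is random, so callers should not rely on finding order.
func HasFinding(fs []Finding, check, resource string) bool {
	for _, f := range fs {
		if f.Check == check && f.Resource == resource {
			return true
		}
	}
	return false
}

func main() {
	for _, doc := range []string{sampleTFJSON, weakTFJSON} {
		fs, err := Evaluate([]byte(doc))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s)\n", len(fs))
		for _, f := range fs {
			fmt.Printf("  %s %s: %s\n", f.Check, f.Resource, f.Message)
		}
	}
}
```

Run as-is, the first document (the issue's reproduction) produces no findings because `kms_key` is honoured, while the second raises one database finding for the block with no encryption and both workgroup findings; the `Legacy` database written with `kms_key_arn` still passes, which is the backward-compatible behaviour a check update should keep.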

@simar7 (Member, Author)

simar7 commented Jan 10, 2024

Closing and tracking here #5907

@simar7 simar7 closed this as not planned Jan 10, 2024