bug(cloudformation): False Positive detection for AVD-AWS-0088

[nikpivkin]

We should not warn about AVD-AWS-0088 if the KMSMasterKeyID attribute references an ARN, id or key alias.

Example:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Key:
    Type: "AWS::KMS::Key"
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID:
                Fn::GetAtt:
                  - Key
                  - Arn
              SSEAlgorithm: aws:kms

Ref:

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-alias.html
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

Discussed in #6022

^{Originally posted by yama-6 January 31, 2024}

IDs

AVD-AWS-0088

Description

I enabled Server side Encryption on S3 bucket, but trivy detected "AVD-AWS-0088"

similar discussion: #5262

Reproduction Steps

1. If Server side Encryption is enabled for the S3 bucket, the Cloudformation template will look like this

ExampleBucketXXXXXXXX:
  Type: AWS::S3::Bucket
  Properties:
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            KMSMasterKeyID:
              Fn::GetAtt:
                - ExampleBucketEncryptionKeyXXXXXXXX
                - Arn
            SSEAlgorithm: aws:kms
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain

2. run trivy config cdk_template.yaml then AVD-AWS-0088 is deteced

Target

AWS

Scanner

Misconfiguration

Target OS

M1 macOS 14.1.2

Debug Output

$ trivy config --severity CRITICAL,HIGH cdk_template.yaml --debug
2024-01-31T14:21:11.393+0900    DEBUG   Severities: ["CRITICAL" "HIGH"]
2024-01-31T14:21:11.407+0900    DEBUG   cache dir:  /Users/xxx/Library/Caches/trivy
2024-01-31T14:21:11.407+0900    INFO    Misconfiguration scanning is enabled
2024-01-31T14:21:11.407+0900    DEBUG   Policies successfully loaded from disk
2024-01-31T14:21:11.407+0900    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-31T14:21:11.416+0900    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-01-31T14:21:11.446+0900    DEBUG   Walk the file tree rooted at 'cdk_template.yaml' in series
2024-01-31T14:21:11.453+0900    DEBUG   Scanning Helm files for misconfigurations...
2024-01-31T14:21:11.460+0900    DEBUG   Scanning CloudFormation files for misconfigurations...
2024-01-31T14:21:11.472+0900    DEBUG   [misconf] 21:11.472975000 cloudformation.scanner.rego      Overriding filesystem for policies!
2024-01-31T14:21:11.519+0900    DEBUG   [misconf] 21:11.519161000 cloudformation.scanner.rego      Loaded 188 policies from disk.
2024-01-31T14:21:11.519+0900    DEBUG   [misconf] 21:11.519431000 cloudformation.scanner.rego      Overriding filesystem for data!
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.825996000 cloudformation.scanner           Found 1 results for AVD-AWS-0017
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826168000 cloudformation.scanner           Found 1 results for AVD-AWS-0018
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826183000 cloudformation.scanner           Found 6 results for AVD-AWS-0099
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826192000 cloudformation.scanner           Found 11 results for AVD-AWS-0124
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826201000 cloudformation.scanner           Found 1 results for AVD-AWS-0130
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826206000 cloudformation.scanner           Found 1 results for AVD-AWS-0129
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826210000 cloudformation.scanner           Found 1 results for AVD-AWS-0131
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826213000 cloudformation.scanner           Found 1 results for AVD-AWS-0028
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826224000 cloudformation.scanner           Found 5 results for AVD-AWS-0104
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826231000 cloudformation.scanner           Found 6 results for AVD-AWS-0107
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826239000 cloudformation.scanner           Found 4 results for AVD-AWS-0164
2024-01-31T14:21:11.826+0900    DEBUG   [misconf] 21:11.826494000 cloudformation.scanner           Found 1 results for AVD-AWS-0029
2024-01-31T14:21:11.827+0900    DEBUG   [misconf] 21:11.827717000 cloudformation.scanner           Found 1 results for AVD-AWS-0030
2024-01-31T14:21:11.827+0900    DEBUG   [misconf] 21:11.827725000 cloudformation.scanner           Found 1 results for AVD-AWS-0031
2024-01-31T14:21:11.827+0900    DEBUG   [misconf] 21:11.827729000 cloudformation.scanner           Found 1 results for AVD-AWS-0033
2024-01-31T14:21:11.827+0900    DEBUG   [misconf] 21:11.827732000 cloudformation.scanner           Found 1 results for AVD-AWS-0034
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828636000 cloudformation.scanner           Found 1 results for AVD-AWS-0045
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828642000 cloudformation.scanner           Found 1 results for AVD-AWS-0051
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828647000 cloudformation.scanner           Found 1 results for AVD-AWS-0053
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828649000 cloudformation.scanner           Found 1 results for AVD-AWS-0052
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828652000 cloudformation.scanner           Found 1 results for AVD-AWS-0054
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828661000 cloudformation.scanner           Found 20 results for AVD-AWS-0047
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828672000 cloudformation.scanner           Found 1 results for AVD-AWS-0123
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828708000 cloudformation.scanner           Found 14 results for AVD-AWS-0057
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828717000 cloudformation.scanner           Found 2 results for AVD-AWS-0066
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828720000 cloudformation.scanner           Found 1 results for AVD-AWS-0067
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828726000 cloudformation.scanner           Found 1 results for AVD-AWS-0133
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828728000 cloudformation.scanner           Found 1 results for AVD-AWS-0080
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828734000 cloudformation.scanner           Found 1 results for AVD-AWS-0077
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828738000 cloudformation.scanner           Found 1 results for AVD-AWS-0086
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828741000 cloudformation.scanner           Found 1 results for AVD-AWS-0087
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828744000 cloudformation.scanner           Found 1 results for AVD-AWS-0088
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828747000 cloudformation.scanner           Found 1 results for AVD-AWS-0090
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828750000 cloudformation.scanner           Found 1 results for AVD-AWS-0132
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828753000 cloudformation.scanner           Found 1 results for AVD-AWS-0091
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828909000 cloudformation.scanner           Found 1 results for AVD-AWS-0092
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828914000 cloudformation.scanner           Found 1 results for AVD-AWS-0093
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828917000 cloudformation.scanner           Found 1 results for AVD-AWS-0094
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828923000 cloudformation.scanner           Found 1 results for AVD-AWS-0095
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828926000 cloudformation.scanner           Found 1 results for AVD-AWS-0136
2024-01-31T14:21:11.828+0900    DEBUG   [misconf] 21:11.828929000 cloudformation.scanner           Found 3 results for AVD-AWS-0098
2024-01-31T14:21:11.830+0900    DEBUG   [misconf] 21:11.830516000 cloudformation.scanner.rego      Scanning 1 inputs...
2024-01-31T14:21:11.941+0900    DEBUG   OS is not detected.
2024-01-31T14:21:11.941+0900    INFO    Detected config files: 1
2024-01-31T14:21:11.941+0900    DEBUG   Scanned config file: cdk_template.yaml
2024-01-31T14:21:11.951+0900    DEBUG   Found an ignore file: .trivyignore
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0028", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0053", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0057", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0104", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0104", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0104", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0104", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0104", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0107", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0107", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0107", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0164", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0164", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0057", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0057", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0107", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0107", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0107", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0164", "path": "cdk_template.yaml"}
2024-01-31T14:21:11.951+0900    DEBUG   Ignored {"id": "AVD-AWS-0164", "path": "cdk_template.yaml"}

cdk_template.yaml (cloudformation)

Tests: 45 (SUCCESSES: 24, FAILURES: 1, EXCEPTIONS: 20)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cdk_template.yaml:1123-1128
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1123 ┌           - ServerSideEncryptionByDefault:
1124 │               KMSMasterKeyID:
1125 │                 Fn::GetAtt:
1126 │                   - ExampleBucketEncryptionKeyXXXXXXXX
1127 │                   - Arn
1128 └               SSEAlgorithm: aws:kms
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

0.48.3

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

@simar7 This issue also applies to the AVD-AWS-0132 check, which checks Customer Managed Keys.

AWS now applies server-side encryption by default.

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance.

How relevant is the AVD-AWS-0088 check?

[simar7]

@simar7 This issue also applies to the AVD-AWS-0132 check, which checks Customer Managed Keys.

AWS now applies server-side encryption by default.

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance.

How relevant is the AVD-AWS-0088 check?

Hmm that's an interesting point. Although I wonder if there's any value keeping the check around but instead "deprecating" it. Users with older versions of policy bundle will continue to see the old checks unless they update. In this case they will not receive any info on the AVD page for the check as it's been removed. Same issue goes for the airgapped/offline users of Trivy.

We haven't deprecated a check yet but the above might be something to consider going forwards as checks become obsolete.

Thoughts?

[nikpivkin]

@simar7 Until a decision is made to consider this check deprecated, I can fix the FP. We should not consider the bucket encrypted on the server side only if the algorithm AES256 is chosen, as AWS provides four options of server-side bucket encryption.

[felipeng]

Maybe lower the severity to LOW and add the recommendation instead, similar to https://avd.aquasec.com/misconfig/aws/cloudwatch/avd-aws-0017/