Platform
Terraform
Provider
AWS
Description
Hello, I'd appreciate it if you could take a look at this for me. I am using the kics GitHub action and I've noticed that it's impossible to resolve this detected query/vulnerability without using a deprecated option in the Terraform.
resource "aws_s3_bucket" "bucket" {
  provider = aws
  bucket   = "my-bucket"
}
The logging argument for aws_s3_bucket resources is deprecated and will be removed in a later version so this is discouraged:
resource "aws_s3_bucket" "bucket" {
  provider = aws
  bucket   = "my-bucket"
  # deprecated inline logging block (the only thing that clears the query)
  logging {
    target_bucket = "my-bucket-logging"
  }
}
The official Terraform documentation encourages you to use an aws_s3_bucket_logging resource instead; however, this means you need to create another S3 bucket in which to store the my-bucket logs.
When you do this, you get the same query appearing in the scan results about the my-bucket-logging bucket having logging disabled.
resource "aws_s3_bucket" "bucket" {
  provider = aws
  bucket   = "my-bucket"
}

# destination bucket for the server access logs of "my-bucket"
resource "aws_s3_bucket" "bucket_logging" {
  provider = aws
  bucket   = "my-bucket-logging"
}

resource "aws_s3_bucket_logging" "my_bucket_logging" {
  bucket        = aws_s3_bucket.bucket.id
  target_bucket = aws_s3_bucket.bucket_logging.id
  target_prefix = "log/"
}
Output
S3 Bucket Logging Disabled, Severity: MEDIUM, Results: 1
Description: Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable
Platform: Terraform
CWE: 778
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884
[1]: bucket.tf:1
001: resource "aws_s3_bucket" "bucket_logging" {
079: provider = aws
Hope that makes sense,
Thanks!
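Added example (not part of the issue and not the KICS query itself, which is written in Rego): a small Python checker that mirrors the intent of the "S3 Bucket Logging Disabled" query but, unlike the behaviour reported above, recognises a bucket that is only the target_bucket of an aws_s3_bucket_logging resource as a log destination rather than a finding. The HCL sample is constructed from the issue's snippets; the regex-based parsing is an assumption good enough for this shape of file, not a full HCL parser.

```python
import re

# Constructed sample mirroring the issue: a bucket, its log-target bucket,
# and the separate aws_s3_bucket_logging resource that wires them together.
SAMPLE_TF = '''
resource "aws_s3_bucket" "bucket" {
  provider = aws
  bucket   = "my-bucket"
}
resource "aws_s3_bucket" "bucket_logging" {
  provider = aws
  bucket   = "my-bucket-logging"
}
resource "aws_s3_bucket_logging" "my_bucket_logging" {
  bucket        = aws_s3_bucket.bucket.id
  target_bucket = aws_s3_bucket.bucket_logging.id
  target_prefix = "log/"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# references of the form  bucket = aws_s3_bucket.<name>.id  inside a logging resource
REF_RE = re.compile(r'^\s*(bucket|target_bucket)\s*=\s*aws_s3_bucket\.([A-Za-z0-9_-]+)\.id', re.M)

def parse_resources(hcl):
    """Yield (type, name, body) for each top-level resource block, matching braces."""
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]

def check_bucket_logging(hcl):
    """Map each aws_s3_bucket name to 'inline', 'resource', 'log-target' or 'disabled'."""
    buckets, logged, targets = {}, set(), set()
    for rtype, name, body in parse_resources(hcl):
        if rtype == "aws_s3_bucket":
            buckets[name] = bool(re.search(r'^\s*logging\s*\{', body, re.M))
        elif rtype == "aws_s3_bucket_logging":
            refs = dict(REF_RE.findall(body))
            logged.add(refs.get("bucket")); targets.add(refs.get("target_bucket"))
    def status(name, inline):
        if inline: return "inline"            # deprecated logging {} block on the bucket
        if name in logged: return "resource"  # covered by aws_s3_bucket_logging
        if name in targets: return "log-target"  # destination bucket: exempt, not a finding
        return "disabled"                     # this is what the query should report
    return {n: status(n, inline) for n, inline in buckets.items()}
```

Only buckets reported as "disabled" correspond to a real gap in server access logging; the log-target bucket is listed separately so it can still be reviewed (for example for public access) without being counted as a logging finding.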