We can easily make exceptions by adding this line of code directly above the resource. Hint: if you use the VS Code extension, a button does this for you. When the scan runs again, this finding will be ignored.
The tfsec config file lets us change a rule's severity level or exclude a rule from a scan completely. This is useful when a rule is not applicable, or when the severity should be lower for a dev environment than for a prod environment.
Overriding the Severity
The rule below is being modified from its original "HIGH" finding to a "LOW" finding.
Again, leveraging the custom config file results in the rule aws-s3-enable-bucket-encryption being excluded from the findings.
Custom tfsec Rules
tfsec supports custom rules written in JSON, YAML, or Rego. Custom rules are useful when you want to enforce security policies specific to your organization or when out-of-the-box rules don't meet your requirements.
JSON Format
This rule ensures an S3 bucket has a business owner tag.
_tfchecks.json:

```json
{
  "checks": [
    {
      "code": "No Business Owner Tag - CUS001",
      "description": "Custom check to ensure buckets are tagged with a business owner.",
      "impact": "By not having a business owner tag, it is difficult to determine who is responsible for the bucket.",
      "resolution": "Add the businessOwner tag.",
      "requiredTypes": ["resource"],
      "requiredLabels": ["aws_s3_bucket"],
      "severity": "CRITICAL",
      "matchSpec": {
        "name": "tags",
        "action": "contains",
        "value": "businessOwner"
      },
      "errorMessage": "The required businessOwner tag was missing."
    }
  ]
}
```

The custom rule can be leveraged during a scan. This assumes the Terraform code and the custom rule are in the same directory, but that doesn't have to be the case.
YAML Format
The same rule expressed in YAML:

```yaml
---
checks:
  - code: No Business Owner Tag - CUS001
    description: Custom check to ensure buckets are tagged with a business owner.
    impact: By not having a business owner tag, it is difficult to determine who is responsible for the bucket.
    resolution: Add the businessOwner tag.
    requiredTypes:
      - resource
    requiredLabels:
      - aws_s3_bucket
    severity: CRITICAL
    matchSpec:
      name: tags
      action: contains
      value: businessOwner
    errorMessage: The required businessOwner tag was missing.
```
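To make the JSON and YAML rule above concrete, here is an added example (not tfsec's own code) that loads the page's `_tfchecks.json` rule and applies its `matchSpec` to a few constructed resource dicts standing in for parsed Terraform blocks. It re-implements only the `contains`, `equals` and `isPresent` actions in simplified form; the constructed resources, the dict shape and the `evaluate`/`attribute_matches` helpers are assumptions for illustration, not tfsec's internal model.

```python
import json

# The page's _tfchecks.json rule, trimmed to the fields the evaluator uses.
CHECK_JSON = """{"checks": [{
  "code": "No Business Owner Tag - CUS001",
  "requiredTypes": ["resource"], "requiredLabels": ["aws_s3_bucket"],
  "severity": "CRITICAL",
  "matchSpec": {"name": "tags", "action": "contains", "value": "businessOwner"},
  "errorMessage": "The required businessOwner tag was missing."}]}"""

def attribute_matches(attrs: dict, spec: dict) -> bool:
    """Evaluate one matchSpec against a resource's attribute map.
    Simplified illustration of three actions, not tfsec's matching engine."""
    name, action, value = spec["name"], spec["action"], attrs.get(spec["name"])
    if action == "isPresent":
        return name in attrs
    if action == "equals":
        return name in attrs and value == spec["value"]
    if action == "contains":  # map key, list element or substring
        return isinstance(value, (dict, list, str)) and spec["value"] in value
    raise ValueError(f"unsupported matchSpec action: {action}")

def evaluate(checks: list, resources: list) -> list:
    """Return one finding per in-scope resource that fails a check. Resources are
    constructed dicts {"type", "label", "name", "attrs"}, not tfsec's HCL model."""
    findings = []
    for check in checks:
        for res in resources:
            in_scope = (res["type"] in check["requiredTypes"]
                        and res["label"] in check["requiredLabels"])
            if in_scope and not attribute_matches(res["attrs"], check["matchSpec"]):
                findings.append({"code": check["code"], "severity": check["severity"],
                                 "resource": f'{res["label"]}.{res["name"]}',
                                 "message": check["errorMessage"]})
    return findings

# Constructed resources: tagged correctly, tagged without the key, no tags at all, out-of-scope type.
SAMPLE_RESOURCES = [
    {"type": "resource", "label": "aws_s3_bucket", "name": "logs",
     "attrs": {"tags": {"businessOwner": "secops"}}},
    {"type": "resource", "label": "aws_s3_bucket", "name": "data",
     "attrs": {"tags": {"env": "dev"}}},
    {"type": "resource", "label": "aws_s3_bucket", "name": "tmp", "attrs": {}},
    {"type": "resource", "label": "aws_instance", "name": "web",
     "attrs": {"tags": {"env": "dev"}}},
]

def run_sample() -> list:
    return evaluate(json.loads(CHECK_JSON)["checks"], SAMPLE_RESOURCES)
```

Note that a bucket with no `tags` attribute at all fails the check just like one tagged without `businessOwner`, which is the behaviour you want from a required-tag rule.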
Rego Format
tfsec allows policies to be written in Rego, but not every argument is supported. In this case, we cannot write a tfsec Rego policy that checks for tags: under the hood, tfsec uses the open-source project defsec, and tags are not supported for an S3 bucket. You can view what is supported here. Additionally, you can see all the values and their current configuration by running `tfsec --print-rego-input | jq '.aws.s3.buckets[0]'`, which returns output similar to the one below.
An example of a supported check is a Rego policy that verifies S3 bucket versioning is enabled:
```rego
# Custom tfsec policies live under the custom.* package namespace.
package custom.aws.s3.versioning_enabled

deny[res] {
    # Iterate over every S3 bucket in the defsec input model.
    bucket := input.aws.s3.buckets[_]
    bucket.versioning.enabled.value == false
    msg := "Bucket should have versioning enabled."
    # result.new attaches the message to the offending attribute so tfsec can report its location.
    res := result.new(msg, bucket.versioning.enabled)
}
```