bug(terraform): cloudwatch log without kms key with plan file #7193

Open
zip-chanko opened this issue Jul 10, 2024 · 0 comments
Labels
aws PR related with AWS Cloud bug Something isn't working community Community contribution docker Docker query query New query feature terraform Terraform query

Comments

@zip-chanko
  • The query doesn't work when scanning the plan file if the kms_key_id is a reference to another resource.
  • The query works as expected if it scans the tf file instead of the plan file.

Expected Behavior

Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 0
INFO: 4
TOTAL: 5

Actual Behavior

CloudWatch Log Group Without KMS, Severity: MEDIUM, Results: 1
Description: AWS CloudWatch Log groups should be encrypted using KMS
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879

        [1]: tfplan.json:8

                007:         {
                008:           "address": "aws_cloudwatch_log_group.log",
                009:           "mode": "managed",
Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 1
LOW: 0
INFO: 4
TOTAL: 5

Steps to Reproduce the Problem

  1. Download the plan file tfplan.json
  2. Run the scan as below.
docker run --rm -v $PWD:/path -w /path -t checkmarx/kics scan -p tfplan.json --disable-secrets --cloud-provider aws

To generate the tfplan.json again:

  1. Use the below tf code.
  2. terraform init
  3. terraform plan -out=tfplan
  4. terraform show -json tfplan > tfplan.json
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "key" {
  description             = "chan key policy test"
  enable_key_rotation     = true
  deletion_window_in_days = 10

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        Action = [
          "kms:ReplicateKey",
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:Generate*",
          "kms:Verify",
          "kms:ImportKeyMaterial",
          "kms:Encrypt",
          "kms:ReEncrypt*",
          "kms:Decrypt",
          "kms:ConnectCustomKeyStore",
          "kms:Sign",
          "kms:DisableKey",
          "kms:UntagResource",
          "kms:SynchronizeMultiRegionKey",
          "kms:TagResource",
          "kms:ScheduleKeyDeletion",
          "kms:RetireGrant",
          "kms:RevokeGrant",
          "kms:DisconnectCustomKeyStore",
          "kms:CancelKeyDeletion"
        ],
        Resource = "*"
      }
    ]
  })
}

resource "aws_cloudwatch_log_group" "log" {
  name              = "encrypted-log-group"
  retention_in_days = 30
  # Reference to the key above: its ARN is only known after apply, so the
  # plan JSON carries it as an unknown value rather than a literal string.
  kms_key_id        = aws_kms_key.key.arn
}

Specifications

  • Version: v2.1.1
  • Platform: macOS
  • Subsystem: Darwin Kernel Version 23.5.0 arm64

tfplan.json

@zip-chanko zip-chanko added bug Something isn't working community Community contribution labels Jul 10, 2024
@github-actions github-actions bot added query New query feature docker Docker query terraform Terraform query aws PR related with AWS Cloud labels Jul 10, 2024
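Why the plan-file scan differs from the .tf scan, shown as an added example that is not KICS code and not the issue's attachment. In `terraform show -json` output an attribute whose value is not known until apply (here `kms_key_id = aws_kms_key.key.arn`) is omitted from `planned_values[...].values` and from `resource_changes[].change.after`, and is recorded as `true` under `change.after_unknown` instead. A checker that only inspects `values` therefore sees no `kms_key_id` and reports the false positive from the Actual Behavior above; a checker that also consults `after_unknown` does not. The plan fragment below is constructed to mirror the issue's tfplan.json (the `literal` and `plain` log groups are added for contrast); the function names are this example's own.

```python
"""Check a Terraform plan JSON for CloudWatch log groups without a KMS key.

Added example, not KICS code. The constructed plan fragment mirrors the
issue's tfplan.json, trimmed to the fields the check reads.
"""
import json
import sys

LOG_GROUP = "aws_cloudwatch_log_group"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/example"  # constructed

# Constructed plan fragment (not the issue's attachment). Three log groups:
#  - log:     kms_key_id = aws_kms_key.key.arn -> unknown until apply
#  - literal: kms_key_id = "arn:..."           -> known at plan time
#  - plain:   no kms_key_id at all             -> the genuine finding
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_cloudwatch_log_group.log", "mode": "managed",
         "type": LOG_GROUP, "name": "log",
         "values": {"name": "encrypted-log-group", "retention_in_days": 30}},
        {"address": "aws_cloudwatch_log_group.literal", "mode": "managed",
         "type": LOG_GROUP, "name": "literal",
         "values": {"name": "literal-key-log-group", "retention_in_days": 30,
                    "kms_key_id": KEY_ARN}},
        {"address": "aws_cloudwatch_log_group.plain", "mode": "managed",
         "type": LOG_GROUP, "name": "plain",
         "values": {"name": "plain-log-group", "retention_in_days": 7}},
    ]}},
    "resource_changes": [
        {"address": "aws_cloudwatch_log_group.log", "type": LOG_GROUP,
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "encrypted-log-group", "retention_in_days": 30},
                    # unknown leaves appear here as true, mirroring `after`
                    "after_unknown": {"arn": True, "id": True, "kms_key_id": True}}},
        {"address": "aws_cloudwatch_log_group.literal", "type": LOG_GROUP,
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "literal-key-log-group", "retention_in_days": 30,
                              "kms_key_id": KEY_ARN},
                    "after_unknown": {"arn": True, "id": True}}},
        {"address": "aws_cloudwatch_log_group.plain", "type": LOG_GROUP,
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "plain-log-group", "retention_in_days": 7},
                    "after_unknown": {"arn": True, "id": True}}},
    ],
})


def load_plan(text):
    """Parse `terraform show -json tfplan` output."""
    return json.loads(text)


def iter_resources(module):
    """Yield every resource in a planned_values module, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def naive_findings(plan):
    """What a values-only check reports: any log group whose `values` lacks kms_key_id.

    This reproduces the false positive: the referenced key is missing from `values`
    only because it is unknown until apply.
    """
    root = plan["planned_values"]["root_module"]
    return sorted(r["address"] for r in iter_resources(root)
                  if r["type"] == LOG_GROUP and not r.get("values", {}).get("kms_key_id"))


def findings(plan):
    """Log groups with no KMS key, treating an unknown-until-apply key as present."""
    changes = {c["address"]: c["change"] for c in plan.get("resource_changes", [])}
    root = plan["planned_values"]["root_module"]
    out = []
    for res in iter_resources(root):
        if res["type"] != LOG_GROUP:
            continue
        if res.get("values", {}).get("kms_key_id"):
            continue  # literal key, known at plan time
        unknown = changes.get(res["address"], {}).get("after_unknown", {})
        if unknown.get("kms_key_id") is True:
            continue  # set from a reference; the ARN arrives at apply
        out.append(res["address"])
    return sorted(out)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PLAN_JSON
    plan = load_plan(text)
    print("values-only check  :", naive_findings(plan))
    print("after_unknown-aware:", findings(plan))
```

Run it with no arguments to see the two checkers disagree on `aws_cloudwatch_log_group.log`, or pass the path to a real `terraform show -json` file. Note that an `after_unknown` entry only proves the attribute will be set from a reference, not that the referenced value is a valid key ARN; that can only be verified against the .tf source or after apply.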