bug(terraform aws): false positive: "S3 bucket notifications disabled" flags resources not related to S3 #8052

@buehmann

Description

"S3 bucket notifications disabled" flags two resources in our Terraform codebase.

KICS seems to assume that all SNS topics or Lambda functions are related to S3 bucket notifications.

The resources in our examples are not S3 notification targets; they serve entirely different purposes:

  • The SNS topic is used for change request notifications unrelated to S3.
  • The Lambda function initialises a database schema.

Expected Behavior

"S3 bucket notifications disabled" should not report any issues for the examples below.

Actual Behavior

S3 bucket notifications disabled, Severity: LOW, Results: 2
Description: S3 bucket notifications provide alerts triggered when certain operations are performed, which might be a helpful indicator for detecting unintended operations that might compromise your infrastructure or even malicious activity.
Platform: Terraform
CWE: 778
Risk Score: 1.0
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/e39f87f5-0abf-488b-864c-63ee1f588140

	[1]: s3-notifications.tar.gz/s3-notifications/lambda.tf:2

		001: # False positive of e39f87f5-0abf-488b-864c-63ee1f588140 (S3 bucket notifications disabled)
		002: resource "aws_lambda_function" "lambda_init_mysql" {
		003:   count = var.enabled ? 1 : 0


	[2]: s3-notifications.tar.gz/s3-notifications/change.tf:38

		037: # False positive of e39f87f5-0abf-488b-864c-63ee1f588140 (S3 bucket notifications disabled)
		038: resource "aws_sns_topic" "change" {
		039:   name = "${local.resource_name_prefix}-support-change-request"

Steps to Reproduce the Problem

Scan s3-notifications.tar.gz like this:

➜  kics (master) ✗ bin/kics scan -p s3-notifications.tar.gz --include-queries e39f87f5-0abf-488b-864c-63ee1f588140

Specifications

  • Version: snapshot-600c0469
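To make the distinction the report draws concrete, here is an added illustrative check (not KICS's own Rego query, and not the reporter's files): an SNS topic or Lambda function is only an S3 notification target when an aws_s3_bucket_notification resource references its ARN in a topic / queue / lambda_function block, and the thing worth reporting under this query is an S3 bucket with no notification configuration attached. Parsed Terraform is modelled as plain dicts; SAMPLE_RESOURCES is a constructed sample that mirrors the two false positives above plus a bucket that genuinely lacks notifications. Function names are this example's own.

```python
import re

# Terraform references to candidate notification targets, e.g.
# "${aws_sns_topic.change.arn}" or "${aws_lambda_function.init[0].arn}".
# The "[0]" index produced by count = ... is deliberately not part of the match.
TARGET_REF = re.compile(r"\b(aws_sns_topic|aws_sqs_queue|aws_lambda_function)\.([A-Za-z0-9_-]+)")
BUCKET_REF = re.compile(r"\baws_s3_bucket\.([A-Za-z0-9_-]+)")

# Nested block name -> attribute that carries the target ARN inside
# an aws_s3_bucket_notification resource.
TARGET_BLOCKS = {"topic": "topic_arn", "queue": "queue_arn", "lambda_function": "lambda_function_arn"}

# Constructed sample standing in for parsed Terraform (hypothetical resource names).
SAMPLE_RESOURCES = [
    {"type": "aws_lambda_function", "name": "lambda_init_mysql", "count": "${var.enabled ? 1 : 0}"},
    {"type": "aws_sns_topic", "name": "change", "attrs": {"name": "${local.resource_name_prefix}-support-change-request"}},
    {"type": "aws_sns_topic", "name": "s3_events"},
    {"type": "aws_lambda_function", "name": "thumbnailer", "count": "1"},
    {"type": "aws_s3_bucket", "name": "uploads"},
    {"type": "aws_s3_bucket", "name": "images"},
    {"type": "aws_s3_bucket_notification", "name": "images_events",
     "bucket": "${aws_s3_bucket.images.id}",
     "topic": [{"topic_arn": "${aws_sns_topic.s3_events.arn}", "events": ["s3:ObjectCreated:*"]}],
     "lambda_function": [{"lambda_function_arn": "${aws_lambda_function.thumbnailer[0].arn}",
                          "events": ["s3:ObjectCreated:*"]}]},
]


def notification_targets(resources):
    """(type, name) pairs that some aws_s3_bucket_notification actually points at."""
    targets = set()
    for res in resources:
        if res["type"] != "aws_s3_bucket_notification":
            continue
        for block, arn_attr in TARGET_BLOCKS.items():
            for entry in res.get(block, []):
                for m in TARGET_REF.finditer(str(entry.get(arn_attr, ""))):
                    targets.add((m.group(1), m.group(2)))
    return targets


def notified_buckets(resources):
    """Names of aws_s3_bucket resources that have a notification configuration attached."""
    buckets = set()
    for res in resources:
        if res["type"] == "aws_s3_bucket_notification":
            m = BUCKET_REF.search(str(res.get("bucket", "")))
            if m:
                buckets.add(m.group(1))
    return buckets


def scan(resources):
    """Addresses the check should report: S3 buckets with no notification configuration."""
    notified = notified_buckets(resources)
    return [f"aws_s3_bucket.{r['name']}" for r in resources
            if r["type"] == "aws_s3_bucket" and r["name"] not in notified]


def overreported(resources):
    """SNS topics and Lambda functions that are NOT notification targets: exactly the
    resources a query would flag if it assumed every topic/function is S3-related."""
    targets = notification_targets(resources)
    return [f"{r['type']}.{r['name']}" for r in resources
            if r["type"] in ("aws_sns_topic", "aws_lambda_function")
            and (r["type"], r["name"]) not in targets]


if __name__ == "__main__":
    print("should be reported:", scan(SAMPLE_RESOURCES))
    print("must not be reported:", overreported(SAMPLE_RESOURCES))
```

Run stand-alone, the script reports only aws_s3_bucket.uploads, while lambda_init_mysql and change land in the "must not be reported" list because nothing references them from a notification block; the thumbnailer reference survives the `[0]` index that `count` introduces, which is the shape the first false positive above has.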

Labels: bug (Something isn't working), community (Community contribution)