bug(terraform): iam_policy_allows_for_data_exfiltration is too restrictive

[david-mnz]

iam_policy_allows_for_data_exfiltration is too restrictive, The is_illegal() function only evaluates the Action, not the Resource. So any IAM statement containing secretsmanager:GetSecretValue will trigger a violation, regardless of whether you specify:
• A specific secret ARN
• A wildcard resource
• Condition keys

Actual Behavior

This should comply but it doesn’t

data "aws_iam_policy_document" "compliant" {
statement {
effect = "Allow"
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
]
resources = [
"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-secret-abc123",
"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-db-password-xyz789"
]
}
}

[david-mnz]

Query
Query id: ba2ed23b-52d3-45ca-be25-f6c358d45abd
Query name: IAM policy allows for data exfiltration
Platform: Terraform
Severity: Medium

https://docs.kics.io/latest/queries/terraform-queries/aws/ba2ed23b-52d3-45ca-be25-f6c358d45abd/

[tculp]

Similarly, S3:GetObject with Resources: [<bucket-arn>, <bucket-arn>/*] gives this error, but <bucket-arn>/* is a very common, and still limited practice

[cx-andre-pereira]

Hi @david-mnz, thanks for reporting this issue. The problem you identified is valid—the queries were not checking the Resource field, causing false positives on policies with scoped ARNs.

I've implemented a fix in PR #8030 that addresses this for both Terraform and CloudFormation variants of the query.

Now the queries correctly flag data exfiltration only when both conditions exist:

1. Sensitive data retrieval action (e.g., secretsmanager:GetSecretValue, s3:GetObject, etc.)
2. Unrestricted resource ("*")

It is something already done in many other queries and I shouldn't have missed it in my original implementation.

Once PR #8030 is merged, the issue should be resolved. Thanks for helping us improve KICS! 🚀