Simple terraform resource "aws_cloudwatch_log_metric_filter" generates many findings

[rod2a]

Hello ! I just add a simple aws_cloudwatch_log_metric_filter in my application in order to create a alarm when the "FAILED" pattern is found in my log :

resource "aws_cloudwatch_log_metric_filter" "this" {
  name           = "events-failed"
  log_group_name = "/aws/events/myappli"
  pattern        = "FAILED"

  metric_transformation {
    name      = "ErrorCount"
    namespace = "MYAPPLI/EventsFailed"
    value     = "1"
  }
}

This new ressource generates many new findings about non existing log metric filters and alarms, for example :

CloudWatch Unauthorized Access Alarm Missing, Severity: HIGH, Results: 1
Description: Ensure a log metric filter and alarm exist for unauthorized API calls
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5

        [1]: infrastructure/alarms.tf:1

                001: resource "aws_cloudwatch_log_metric_filter" "this" {
                002:   name           = "events-failed"
                003:   log_group_name = "/aws/events/myappli"

  - 4c18a45b-4ab1-4790-9f83-399ac695f1e5 # CRITICAL Ensure a log metric filter and alarm exist for unauthorized API calls - https://docs.kics.io/latest/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5
  - 5b8d7527-de8e-4114-b9dd-9d988f1f418f # MEDIUM Ensure a log metric filter and alarm exist for AWS Config configuration changes - https://docs.kics.io/latest/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f
  - 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0 # MEDIUM Ensure a log metric filter and alarm exist for changes to NACL - https://docs.kics.io/latest/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0
  - 56a585f5-555c-48b2-8395-e64e4740a9cf # MEDIUM Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK - https://docs.kics.io/latest/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf
  - 5864d189-ee9a-4009-ac0c-8a582e6b7919 # MEDIUM Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - https://docs.kics.io/latest/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919
  - 8b1b1e67-6248-4dca-bbad-93486bb181c0 # MEDIUM Ensure a log metric filter and alarm exist for root acount usage - https://docs.kics.io/latest/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0
  - 9d0d4512-1959-43a2-a17f-72360ff06d1b # MEDIUM Ensure a log metric filter and alarm exist for VPC changes - https://docs.kics.io/latest/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b
  - 0f6cbf69-41bb-47dc-93f3-3844640bf480 # MEDIUM Ensure a log metric filter and alarm exist for CloudTrail configuration changes - https://docs.kics.io/latest/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480
  - 4beaf898-9f8b-4237-89e2-5ffdc7ee6006 # MEDIUM Ensure a log metric filter and alarm exist for security group changes - https://docs.kics.io/latest/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006
  - 44ceb4fa-0897-4fd2-b676-30e7a58f2933 # LOW Ensure a log metric filter and alarm exist for management console sign-in without MFA - https://docs.kics.io/latest/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933
  - eaaba502-2f94-411a-a3c2-83d63cc1776d # LOW Ensure a log metric filter and alarm exist for IAM policy changes - https://docs.kics.io/latest/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d
  - 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e # LOW Ensure a log metric filter and alarm exist for network gateways changes - https://docs.kics.io/latest/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e
  - 2285e608-ddbc-47f3-ba54-ce7121e31216 # LOW Ensure a log metric filter and alarm exist for route table changes - https://docs.kics.io/latest/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216
  - 38b85c45-e772-4de8-a247-69619ca137b3 # INFO Ensure a log metric filter and alarm exist for AWS organizations changes - https://docs.kics.io/latest/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3

The global security of my aws account is managed by another team in another code repo, so I excluded all these findings.
Is this a normal behaviour ? Is there (another) way to avoid all these findings ?

[cx-artur-ribeiro]

Hey @rod2a,

You can use kics-github-action as part of a GitHub Actions workflow in your repo. This allows you to configure the exclude-queries option to filter out specific findings in your repository.

For reference, you can check how it's used in the KICS repository here:
🔗 Example of exclude-queries in KICS repo

The kics-github-action README provides more details on available input variables, which you can customize to fine-tune your scans.

Hope this helps! Let me know if you need further clarification.