
bug(terraform): terraform s3 mfa delete flagged as high sev

Open rdkls opened this issue 1 year ago • 1 comment

The terraform query for creating an s3 bucket without MFA delete enabled is flagged as HIGH severity.

https://docs.kics.io/latest/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d/

I feel this is an error, and the consensus among my peers in AWS Platform Teams is generally that the absence of MFA delete isn't a vulnerability or insecurity, but something indicated only for very specific datasets, if the data has critical retention requirements.

The problem this caused for us: with it classified as High severity for all buckets, the security team, who do not have this context, are now looking to either require MFA delete on everything across the platform, or require exemptions, when really enabling MFA delete should be the exception, not the rule.

Additionally, over-classifying queries increases alert fatigue and unnecessarily increases the reported vulnerability level of systems; it decreases the effectiveness and usefulness of KICS scans.

My recommendation is to keep the check (it is a valuable prompt or consideration) but downgrade the severity to INFO.

If we agree, I'm happy to submit a PR for this: https://github.com/Checkmarx/kics/blob/bc0b22cbdc5c0c107d64ac9566af003c6368742f/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json#L4C22-L4C22

rdkls avatar Sep 06 '23 01:09 rdkls
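For readers unfamiliar with the query under discussion, the following is an added illustration (not code from the issue or from the KICS repository) of the two configuration shapes involved, assuming the current `aws_s3_bucket_versioning` resource: the first bucket has versioning on but MFA delete left at its default and is what the query reports, the second enables MFA delete and is what it accepts. Bucket names and the variable are placeholders.

```hcl
# Added example, not from the issue or the KICS project.
# Bucket names and the variable below are placeholders.

# Reported by the query: versioning enabled, MFA delete left disabled.
resource "aws_s3_bucket" "logs" {
  bucket = "example-app-logs-placeholder"
}

resource "aws_s3_bucket_versioning" "logs" {
  bucket = aws_s3_bucket.logs.id
  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Disabled" # the default; this is the state the query flags
  }
}

# Accepted by the query: MFA delete enabled. This is the operational cost the
# issue refers to: the `mfa` argument is required when mfa_delete is "Enabled",
# and its value is the root account's MFA device serial, a space, and a current
# code, so every apply that touches this setting needs that device in hand.
resource "aws_s3_bucket" "ledger" {
  bucket = "example-ledger-placeholder"
}

resource "aws_s3_bucket_versioning" "ledger" {
  bucket = aws_s3_bucket.ledger.id
  mfa    = var.root_mfa_serial_and_code # format: "<device serial> <6-digit code>"
  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled"
  }
}

variable "root_mfa_serial_and_code" {
  description = "Root MFA device serial and current code, supplied at apply time"
  type        = string
  sensitive   = true
}
```

A single query verdict cannot tell the two buckets' retention requirements apart, which is the context the issue says the severity level should reflect.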

Hi @rdkls ,

Thank you for your input! Our AppSec team is checking the situation and we will give you more feedback ASAP.

(APPSEC-2332)

gabriel-cx avatar Mar 01 '24 18:03 gabriel-cx