[CKV2_AWS_6] False positives for s3 bucket public access blocks

[tarfeef101]

Checkov reports false positives on the public access block check, running in the following env:

• terraform 1.0.3
• checkov 3.2.38
• aws provider 5.84.0
• running on a planfile, command is run in CI like so checkov -f plan.json --quiet --config-file /opt/checkov.yaml --external-checks-dir /opt/custom_checks --download-external-modules true --repo-root-for-plan-enrichment .
  e.g.
  • (the checkov config file just enables/disables checks, nothing that would interfere here)

module "example" {
  source           = "./example"
}

w/ module code looking like

resource "aws_s3_bucket" "example" {
  bucket = "example"
  tags   = { Name = "example" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}