Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positves CKV2_AWS_67 #6294

Open
aaleksandrov opened this issue May 10, 2024 · 3 comments
Open

False positves CKV2_AWS_67 #6294

aaleksandrov opened this issue May 10, 2024 · 3 comments
Labels
checks Check additions or changes

Comments

@aaleksandrov
Copy link

Describe the issue
CKV2_AWS_67 generates false positives when using default AWS managed encryption key (AES256)

Examples

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"

	FAILED for resource: module.batch-stream-ingestion.aws_s3_bucket_server_side_encryption_configuration.sse_config

	File: /src/modules/batch-stream-ingestion/main.tf:80-88


resource "aws_s3_bucket_server_side_encryption_configuration" "sse_config" {
   bucket = aws_s3_bucket.firehose_s3_ingestion_result_bucket.bucket
     rule {
       apply_server_side_encryption_by_default {
         sse_algorithm = "AES256"
        }
     }
}

Version (please complete the following information):

  • Checkov Version: latest from master
@aaleksandrov aaleksandrov added the checks Check additions or changes label May 10, 2024
@stepintooracledba
Copy link

stepintooracledba commented May 10, 2024
edited

This also fails on a S3 bucket where Customer Managed Key is used. CMK already has rotation enabled. False Alerts on Default and CMK Keys..

@rafaljanicki
Copy link
Contributor

And it also fails on keys that are stored in a different account

sean-nixon pushed a commit to sean-nixon/aws-cudos-framework-deployment that referenced this issue May 13, 2024
Exclude CKV2_AWS_67 to workaround checkov bug
01729f7 
Works around apparent bug in checkov bridgecrewio/checkov#6294

The KMS key rotation is not configured on the aws_s3_bucket_server_side_encryption_configuration
resource so it does not make sense to check for it there. Key rotation is outside the scope
of this module.
@sean-nixon sean-nixon mentioned this issue May 13, 2024
Merged
iakov-aws pushed a commit to aws-samples/aws-cudos-framework-deployment that referenced this issue May 13, 2024
@sean-nixon
Exclude CKV2_AWS_67 to workaround checkov bug (#813)
ede4261 
Works around apparent bug in checkov bridgecrewio/checkov#6294

The KMS key rotation is not configured on the aws_s3_bucket_server_side_encryption_configuration
resource so it does not make sense to check for it there. Key rotation is outside the scope
of this module.

Co-authored-by: Sean Nixon <smnixon@amazon.com>
@miguelhar miguelhar mentioned this issue May 14, 2024
Merged
@ubbeK
Copy link

ubbeK commented May 15, 2024

Looks like this PR is causing this: #6239

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
checks Check additions or changes
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rafaljanicki @ubbeK @aaleksandrov @stepintooracledba