bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_AWS_94 should be updated to allow KMS mode: 'SSE-KMS-WITH-SERVICE-ROLE' #6237

Open robotparty opened 3 months ago

robotparty commented 3 months ago

Describe the issue
CKV_AWS_94 should be updated to allow KMS mode: 'SSE-KMS-WITH-SERVICE-ROLE'

AWS doc: https://docs.aws.amazon.com/glue/latest/dg/set-up-encryption.html

Examples

resource "aws_glue_data_catalog_encryption_settings" "this" {
  #checkov:skip=CKV_AWS_94:Checkov is not aware of the new KMS mode as of 05/2024
  # it isn't considering it valid: https://github.com/bridgecrewio/checkov/blob/master/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = data.aws_kms_key.artifacts.arn
      return_connection_password_encrypted = true
    }
    encryption_at_rest {
      catalog_encryption_mode         = "SSE-KMS-WITH-SERVICE-ROLE"
      catalog_encryption_service_role = var.role_arns.glue_catalog_encryption
      sse_aws_kms_key_id              = data.aws_kms_key.artifacts.arn
    }
  }
}


mannycepeda1989 commented 3 months ago

Thank you for sharing your feedback on this issue; it does appear that Checkov does not have a policy to check for this currently. Please feel free to create a custom check and share the information; you can also contribute your custom check for future consideration.
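One way to write the custom check suggested above, as an added example that is not code from the checkov project or from the issue author: a Python resource check in the shape Checkov's Terraform checks take, which accepts both `SSE-KMS` and `SSE-KMS-WITH-SERVICE-ROLE` as the catalog encryption mode and so passes the resource from the issue. The check id `CKV_CUSTOM_GLUE_1`, the ARNs in the sample input and the fallback stand-in classes (used only when the checkov package is not importable) are assumptions or constructed values; the conf dicts are built the way Checkov presents parsed HCL to a check, with every attribute wrapped in a one-element list.

```python
"""Custom Checkov check accepting both Glue Data Catalog KMS modes.

Added example, not code from the checkov repository or the issue author.
Assumptions: CKV_CUSTOM_GLUE_1 is a placeholder id; the stand-in classes in the
except branch exist only so the logic runs where checkov is not installed.
"""
from __future__ import annotations

from typing import Any

try:
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
except ImportError:  # checkov not installed: minimal stand-ins with the same names
    from enum import Enum

    class CheckResult(str, Enum):
        PASSED = "PASSED"
        FAILED = "FAILED"

    class CheckCategories(Enum):
        ENCRYPTION = "ENCRYPTION"

    class BaseResourceCheck:  # records only the metadata the real base class stores
        def __init__(self, name: str, id: str, categories: tuple, supported_resources: tuple) -> None:
            self.name, self.id = name, id
            self.categories, self.supported_resources = categories, supported_resources

# Both modes encrypt the catalog with a customer-managed KMS key; the second one
# has Glue assume a dedicated service role instead of using the caller's identity.
ACCEPTED_MODES = {"SSE-KMS", "SSE-KMS-WITH-SERVICE-ROLE"}


def _first(value: Any) -> Any:
    """Checkov hands every HCL attribute to the check wrapped in a one-element list."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


class GlueDataCatalogEncryptionAnyKmsMode(BaseResourceCheck):
    def __init__(self) -> None:
        super().__init__(
            name="Ensure Glue Data Catalog is encrypted with SSE-KMS or SSE-KMS-WITH-SERVICE-ROLE",
            id="CKV_CUSTOM_GLUE_1",  # placeholder id, not a real Checkov policy id
            categories=(CheckCategories.ENCRYPTION,),
            supported_resources=("aws_glue_data_catalog_encryption_settings",),
        )

    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
        settings = _first(conf.get("data_catalog_encryption_settings"))
        if not isinstance(settings, dict):
            return CheckResult.FAILED
        at_rest = _first(settings.get("encryption_at_rest"))
        password = _first(settings.get("connection_password_encryption"))
        if not isinstance(at_rest, dict) or not isinstance(password, dict):
            return CheckResult.FAILED

        mode = _first(at_rest.get("catalog_encryption_mode"))
        if mode not in ACCEPTED_MODES:
            return CheckResult.FAILED  # DISABLED or an unrecognised mode
        # The service-role mode only works with a role for Glue to assume (design choice here).
        if mode == "SSE-KMS-WITH-SERVICE-ROLE" and not _first(at_rest.get("catalog_encryption_service_role")):
            return CheckResult.FAILED
        # Connection passwords are a separate setting and must be encrypted as well.
        if _first(password.get("return_connection_password_encrypted")) is not True:
            return CheckResult.FAILED
        return CheckResult.PASSED


check = GlueDataCatalogEncryptionAnyKmsMode()  # instantiating registers the check with Checkov


def passes(conf: dict[str, list[Any]]) -> bool:
    """Return the verdict as a bool so it can be inspected without Checkov's runner."""
    return check.scan_resource_conf(conf) == CheckResult.PASSED


def _conf(mode: str, role: str | None, encrypted_passwords: bool) -> dict[str, list[Any]]:
    """Build a resource conf in Checkov's parsed-HCL shape (constructed sample input)."""
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
    at_rest: dict[str, list[Any]] = {"catalog_encryption_mode": [mode], "sse_aws_kms_key_id": [key_arn]}
    if role is not None:
        at_rest["catalog_encryption_service_role"] = [role]
    return {"data_catalog_encryption_settings": [{
        "connection_password_encryption": [{
            "aws_kms_key_id": [key_arn],
            "return_connection_password_encrypted": [encrypted_passwords],
        }],
        "encryption_at_rest": [at_rest],
    }]}


# The resource from the issue as Checkov would present it, plus negative cases.
CONF_SERVICE_ROLE = _conf("SSE-KMS-WITH-SERVICE-ROLE", "arn:aws:iam::111122223333:role/EXAMPLE-GLUE-ROLE", True)
CONF_PLAIN_KMS = _conf("SSE-KMS", None, True)
CONF_ROLE_MODE_WITHOUT_ROLE = _conf("SSE-KMS-WITH-SERVICE-ROLE", None, True)
CONF_DISABLED = _conf("DISABLED", None, True)
CONF_PLAINTEXT_PASSWORDS = _conf("SSE-KMS", None, False)

if __name__ == "__main__":
    for label, conf in [("service role", CONF_SERVICE_ROLE), ("plain SSE-KMS", CONF_PLAIN_KMS),
                        ("role mode, no role", CONF_ROLE_MODE_WITHOUT_ROLE),
                        ("disabled", CONF_DISABLED), ("plaintext passwords", CONF_PLAINTEXT_PASSWORDS)]:
        print(f"{label:20s} -> {'PASSED' if passes(conf) else 'FAILED'}")
```

To use it with Checkov, place the file in a directory that has an `__init__.py` importing it (the layout Checkov's custom-policy documentation describes) and point the scan at it with `checkov -d . --external-checks-dir <that directory>`; the built-in CKV_AWS_94 can then be skipped or suppressed while this check covers both modes.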