bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_AWS_224 is actually checking two different things #6265

Status: Closed (dancorne closed this 4 weeks ago)

dancorne commented 2 months ago

Describe the issue

Hello, CKV_AWS_224 is for the AWS ECS Exec configuration, is called "Ensure ECS Cluster logging uses CMK", and part of the check looks for kms_key_id.

However, according to the documentation, the KMS key parameter is for encrypting the connection between client and container, not the log encryption as suggested by the check. It's a little bit confusing because the ExecuteCommandConfiguration block has 3 parameters, 2 of them for logging, and this KMS one as the third, but it isn't related to logging.

Examples

This passes as expected:

resource "aws_ecs_cluster" "main" {
  name     = var.name

  configuration {
    execute_command_configuration {
      logging    = "OVERRIDE"
      kms_key_id = var.kms_key_id
      log_configuration {
        s3_bucket_name               = var.logs_bucket_name
        s3_bucket_encryption_enabled = true
      }
    }
  }
}

However, removing the KMS parameter makes Checkov fail with "Ensure ECS Cluster logging uses CMK", but that message isn't appropriate -- the key is used for the connection to the container.

resource "aws_ecs_cluster" "main" {
  name     = var.name

  configuration {
    execute_command_configuration {
      logging    = "OVERRIDE"
      log_configuration {
        s3_bucket_name               = var.logs_bucket_name
        s3_bucket_encryption_enabled = true
      }
    }
  }
}

Version: 3.2.60, but the code hasn't changed since then on main

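To make the distinction the report draws concrete, here is an added example (not Checkov's own CKV_AWS_224 code, and not from the reporter) that evaluates the two concerns of execute_command_configuration separately: whether the ECS Exec session logs are sent to an encrypted destination, and whether kms_key_id is set so the client-to-container session itself is encrypted with a customer-managed key. The input is a plain dict whose list-wrapped attribute values mirror the shape Checkov's Terraform parser hands to scan_resource_conf, so the logic could be lifted into a custom BaseResourceCheck, but it runs here without Checkov installed. The two configurations below are constructed to reproduce the issue's passing and failing resources (the key ARN is a placeholder), and treating logging = "NONE" as having nothing to encrypt is an assumption of this example, not something the page states.

```python
import copy
from typing import Any, Dict, Optional

PASSED = "PASSED"
FAILED = "FAILED"


def _first(block: Dict[str, Any], key: str, default: Any = None) -> Any:
    """Unwrap the single-element list the Terraform parser uses per attribute."""
    value = block.get(key) if isinstance(block, dict) else None
    if isinstance(value, list) and value:
        return value[0]
    return default


def _exec_config(conf: Dict[str, Any]) -> Dict[str, Any]:
    """Return the execute_command_configuration block, or {} if absent."""
    configuration = _first(conf, "configuration", {})
    return _first(configuration, "execute_command_configuration", {})


def check_exec_logging_encrypted(conf: Dict[str, Any]) -> str:
    """Logging concern: every declared log destination must have encryption enabled.

    logging = "OVERRIDE" is the only mode where the destination is declared on
    this resource, so anything else without a destination fails, except "NONE",
    which (by assumption here) produces no log data to encrypt.
    """
    exec_cfg = _exec_config(conf)
    if _first(exec_cfg, "logging", "DEFAULT") == "NONE":
        return PASSED
    log_cfg = _first(exec_cfg, "log_configuration", {})
    s3_bucket: Optional[str] = _first(log_cfg, "s3_bucket_name")
    cw_group: Optional[str] = _first(log_cfg, "cloud_watch_log_group_name")
    if not s3_bucket and not cw_group:
        return FAILED  # no destination declared, so nothing is known to be encrypted
    if s3_bucket and _first(log_cfg, "s3_bucket_encryption_enabled") is not True:
        return FAILED
    if cw_group and _first(log_cfg, "cloud_watch_encryption_enabled") is not True:
        return FAILED
    return PASSED


def check_exec_session_kms(conf: Dict[str, Any]) -> str:
    """Session concern: kms_key_id encrypts the client<->container channel, not the logs."""
    return PASSED if _first(_exec_config(conf), "kms_key_id") else FAILED


def evaluate(conf: Dict[str, Any]) -> Dict[str, str]:
    """Report both concerns under distinct names so a failure message is never misleading."""
    return {
        "ecs_exec_logging_encrypted": check_exec_logging_encrypted(conf),
        "ecs_exec_session_uses_cmk": check_exec_session_kms(conf),
    }


# Constructed input mirroring the issue's first (passing) resource.
WITH_KMS: Dict[str, Any] = {
    "name": ["main"],
    "configuration": [{
        "execute_command_configuration": [{
            "logging": ["OVERRIDE"],
            # placeholder ARN, not a real key
            "kms_key_id": ["arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID"],
            "log_configuration": [{
                "s3_bucket_name": ["exec-logs-bucket"],
                "s3_bucket_encryption_enabled": [True],
            }],
        }],
    }],
}

# Constructed input mirroring the issue's second resource: same encrypted logs, no kms_key_id.
WITHOUT_KMS: Dict[str, Any] = copy.deepcopy(WITH_KMS)
del WITHOUT_KMS["configuration"][0]["execute_command_configuration"][0]["kms_key_id"]


if __name__ == "__main__":
    for label, conf in (("with kms_key_id", WITH_KMS), ("without kms_key_id", WITHOUT_KMS)):
        print(label, evaluate(conf))
```

Run stand-alone, the second resource still passes the logging check and fails only the session check, which is the split the reporter is asking for: the failure message then names the channel that is actually unencrypted.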

itariq20 commented 2 months ago

@dancorne Hi, thanks for reporting this, we'll investigate this internally and get you more information.