Closed rickythain closed 1 month ago
@rickythain Hi, thanks for reporting this. I believe the Policy is triggering when the destination_cidr_block IP address contains "0.0.0.0", even if it is "10.0.0.0". The policy passes when the IP address does not contain "0.0.0.0", such as in the case of "10.1.0.0/16". There's potentially an issue in the Policy logic. We'll investigate this internally.
Describe the issue
CKV2_AWS_44 (Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic) is showing a false positive, but there may be more than just that issue. I summarized and compiled the tf code, JSON plan file, and checkov result in this repo for reference.
Examples
Terraform code:
checkov returned FAIL for aws_route.route2, when the resource does not have an overly permissive route.
Version (please complete the following information):
Additional context
I tried creating a custom policy based on the current policy, replacing `not_contains` with `not_equals`. It is working for aws_route resources but not for aws_route_table inline routes. When multiple inline routes are created in an aws_route_table, both `not_contains` and `not_equals` return false reports.