bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV2_AWS_44 is showing false positive #6277

Closed rickythain closed 1 month ago

rickythain commented 2 months ago

Describe the issue CKV2_AWS_44 (Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic) is showing a false positive, but there may be more than just that issue. I summarized and compiled the tf code, JSON plan file, and checkov result in this repo for reference.

Example Terraform code:

resource "aws_route" "route1" {
  route_table_id            = aws_route_table.rtb1.id
  destination_cidr_block    = "10.1.0.0/16"
  vpc_peering_connection_id = "pcx-578451154151544"
}

resource "aws_route" "route2" {
  route_table_id            = aws_route_table.rtb2.id
  destination_cidr_block    = "10.0.0.0/16"
  vpc_peering_connection_id = "pcx-578451154151544"
}

Checkov returned FAILED for aws_route.route2, even though the resource does not have an overly permissive route.

Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    PASSED for resource: aws_route.route1
    File: /plan.json:13-27
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    FAILED for resource: aws_route.route2
    File: /plan.json:37-51
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic

Version (please complete the following information):

Additional context I tried creating a custom policy based on the current policy, replacing not_contains with not_equals. It works for aws_route resources but not for aws_route_table inline routes. When multiple inline routes are created in an aws_route_table, both not_contains and not_equals return false reports.

itariq20 commented 2 months ago

@rickythain Hi, thanks for reporting this. I believe the policy is triggering when the destination_cidr_block IP address contains "0.0.0.0", even if it is "10.0.0.0". The policy passes when the IP address does not contain "0.0.0.0", such as in the case of "10.1.0.0/16". There's potentially an issue in the policy logic. We'll investigate this internally.
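To make the difference between the comparison strategies discussed in this thread concrete, here is an added Python illustration. It is not checkov's evaluation engine and not the real CKV2_AWS_44 definition; it re-implements, over constructed plan-like resource dicts, the substring test itariq20 describes (the effect of not_contains "0.0.0.0"), the exact-string test rickythain tried (not_equals "0.0.0.0/0"), and a CIDR parse with the standard ipaddress module. The resource dicts and their names are constructed for the example; the inline-route attribute names cidr_block / ipv6_cidr_block follow the Terraform AWS provider's aws_route_table schema, and treating ::/0 as the IPv6 all-traffic route is my generalization of the policy's intent.

```python
"""Three ways to decide whether a route's destination is the all-traffic
route. Example code written for this issue, not checkov's engine and not
the real CKV2_AWS_44 definition; the resources below are constructed,
not taken from the reporter's plan.json."""
import ipaddress

PCX = "pcx-578451154151544"  # peering connection id used in the issue

# Constructed plan-like resources. aws_route_table inline routes use the
# Terraform AWS provider attribute names cidr_block / ipv6_cidr_block;
# unset attributes are given as "" the way a plan JSON often renders them.
SAMPLE_RESOURCES = [
    {"type": "aws_route", "name": "route1",
     "values": {"destination_cidr_block": "10.1.0.0/16",
                "vpc_peering_connection_id": PCX}},
    {"type": "aws_route", "name": "route2",
     "values": {"destination_cidr_block": "10.0.0.0/16",
                "vpc_peering_connection_id": PCX}},
    {"type": "aws_route", "name": "default_via_peering",
     "values": {"destination_cidr_block": "0.0.0.0/0",
                "vpc_peering_connection_id": PCX}},
    {"type": "aws_route", "name": "default_via_igw",  # no peering: out of scope
     "values": {"destination_cidr_block": "0.0.0.0/0",
                "gateway_id": "igw-0123456789abcdef0"}},
    {"type": "aws_route_table", "name": "rtb_inline",
     "values": {"route": [
         {"cidr_block": "10.0.0.0/16", "ipv6_cidr_block": "",
          "vpc_peering_connection_id": PCX},
         {"cidr_block": "", "ipv6_cidr_block": "::/0",
          "vpc_peering_connection_id": PCX},
     ]}},
]


def routes_of(resource):
    """Yield (destination, peering_id) for each route a resource defines.
    aws_route is one route; aws_route_table may carry several inline routes."""
    v = resource["values"]
    if resource["type"] == "aws_route":
        dest = v.get("destination_cidr_block") or v.get("destination_ipv6_cidr_block")
        yield dest, v.get("vpc_peering_connection_id")
    elif resource["type"] == "aws_route_table":
        for r in v.get("route", []):
            dest = r.get("cidr_block") or r.get("ipv6_cidr_block")
            yield dest, r.get("vpc_peering_connection_id")


def substring_match(dest):
    """Behaviour itariq20 describes: flag anything containing "0.0.0.0".
    Wrongly flags 10.0.0.0/16 (and 100.0.0.0/8, 0.0.0.0/8, ...)."""
    return "0.0.0.0" in dest


def exact_match(dest):
    """The not_equals variant the reporter tried: only the literal 0.0.0.0/0.
    Fixes the false positive but never sees the IPv6 all-traffic route ::/0."""
    return dest == "0.0.0.0/0"


def cidr_match(dest):
    """Parse the destination as a network; all traffic means prefix length 0,
    which covers 0.0.0.0/0 and ::/0 alike. Unparsable values are not flagged
    here (Terraform rejects them before apply)."""
    try:
        return ipaddress.ip_network(dest, strict=False).prefixlen == 0
    except ValueError:
        return False


def evaluate(resource, is_all_traffic):
    """FAILED if any route via a VPC peering connection targets all traffic."""
    for dest, pcx in routes_of(resource):
        if pcx and dest and is_all_traffic(dest):
            return "FAILED"
    return "PASSED"


def run_all(is_all_traffic, resources=SAMPLE_RESOURCES):
    """Map 'type.name' -> verdict for every sample resource under one strategy."""
    return {f"{r['type']}.{r['name']}": evaluate(r, is_all_traffic)
            for r in resources}


if __name__ == "__main__":
    for strategy in (substring_match, exact_match, cidr_match):
        print(strategy.__name__)
        for rid, verdict in run_all(strategy).items():
            print(f"  {verdict:6} {rid}")
```

Running it shows the three outcomes side by side: the substring strategy reproduces the report (route2 FAILED, route1 PASSED), the exact-string strategy clears route2 but lets the inline ::/0 route through, and the CIDR parse gives the verdict the policy title asks for on every resource, including leaving the 0.0.0.0/0 route via an internet gateway alone because it is not a peering route.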