bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

False Positives for CKV_AWS_70 #6287

Open blue-tornado opened 2 months ago

blue-tornado commented 2 months ago

CKV_AWS_70 is returning a false positive when scanning a terraform plan that changes the principal value from `*` to a specific principal.

Examples

Terraform plan example:

relevant part of terraform plan

                 ~ {
                     ~ Principal = {
                         ~ AWS = "*" -> "arn:aws:iam::1234567890:rolename"
                       }
                       # (5 unchanged attributes hidden)
                   },

checkov output:

Passed checks: 1, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_70: "Ensure S3 bucket does not allow an action with any Principal"
   FAILED for resource: module.mybucket.module.bucket[0].aws_s3_bucket.s3_bucket
   File: /plan.json:0-0

Version
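To make the reported behaviour concrete, here is an added illustration (not Checkov's own code) of evaluating a Terraform plan against its post-apply state: the bucket policy's Principal moves from "*" to a role ARN, so a check that reads `change.after` passes while the same test on `change.before` fails. The plan document, resource addresses and the simplified wildcard-principal test are all constructed assumptions.

```python
import json

# Constructed terraform plan JSON (not taken from the issue): the policy's
# Principal changes from the wildcard "*" to a specific role ARN.
SAMPLE_PLAN = {
    "resource_changes": [{
        "address": "module.mybucket.aws_s3_bucket_policy.this",
        "type": "aws_s3_bucket_policy",
        "change": {
            "actions": ["update"],
            "before": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"}]})},
            "after": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"}]})},
        },
    }],
}

def principal_is_wildcard(principal):
    """True if a Principal element grants access to anyone ("*", {"AWS": "*"}, lists)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(principal_is_wildcard(v) for v in principal.values())
    if isinstance(principal, list):
        return any(principal_is_wildcard(v) for v in principal)
    return False

def policy_allows_any_principal(policy):
    """Simplified form of the CKV_AWS_70 condition: an Allow statement with a wildcard principal."""
    if isinstance(policy, str):  # plan JSON usually carries the policy document as a string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    return any(s.get("Effect") == "Allow" and principal_is_wildcard(s.get("Principal"))
               for s in statements)

def evaluate_plan(plan):
    """Grade each bucket/bucket-policy resource on its post-apply ('after') state only."""
    results = {}
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") not in ("aws_s3_bucket", "aws_s3_bucket_policy") or not after:
            continue  # unrelated resource, or a destroy with nothing left to check
        if "policy" in after:
            results[rc["address"]] = "FAILED" if policy_allows_any_principal(after["policy"]) else "PASSED"
    return results

if __name__ == "__main__":
    print(evaluate_plan(SAMPLE_PLAN))
```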

itariq20 commented 2 months ago

@blue-tornado Hi, can you please try to update Checkov and see if that helps, since the latest Checkov version is 3.2.90 and you're on a much older version.