bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

False positives CKV2_AWS_67 #6293

Closed aaleksandrov closed 1 month ago

aaleksandrov commented 1 month ago

Describe the issue

CKV2_AWS_67 generates false positives when using the default AWS managed encryption key (AES256).

Examples

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"

    FAILED for resource: module.batch-stream-ingestion.aws_s3_bucket_server_side_encryption_configuration.sse_config

    File: /src/modules/batch-stream-ingestion/main.tf:80-88

resource "aws_s3_bucket_server_side_encryption_configuration" "sse_config" {
  bucket = aws_s3_bucket.firehose_s3_ingestion_result_bucket.bucket

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

Version (please complete the following information):
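
The security point behind the report is that "AES256" selects SSE-S3, where S3 owns and rotates the key, so there is no customer managed key (CMK) whose rotation could be checked; the same holds for SSE-KMS that falls back to the AWS managed aws/s3 key. The following is an added example, not Checkov's own implementation of CKV2_AWS_67: a small model of the decision such a check should make, with resources represented as plain dicts using the Terraform AWS provider attribute names. The helper names, result labels and sample resources are assumptions made for the illustration.

```python
# Added example, not Checkov's implementation: a minimal model of the decision a
# check like CKV2_AWS_67 should make. Resources are plain dicts carrying the
# Terraform AWS provider attribute names; helper names, result labels and the
# sample plan below are our own (hypothetical).
from typing import Optional

PASSED = "PASSED"
FAILED = "FAILED"
NOT_APPLICABLE = "NOT_APPLICABLE"   # no customer managed key is involved
UNKNOWN = "UNKNOWN"                 # a CMK is referenced but is not in this plan

# sse_algorithm values that route through KMS (SSE-KMS and DSSE-KMS).
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def resolve_kms_key(key_ref: Optional[str], kms_keys: dict) -> Optional[dict]:
    """Map a reference such as "aws_kms_key.logs.arn" to the aws_kms_key
    resource named "logs" in the same plan; anything else is unresolved."""
    if key_ref and key_ref.startswith("aws_kms_key."):
        parts = key_ref.split(".")
        if len(parts) >= 2:
            return kms_keys.get(parts[1])
    return None


def evaluate_cmk_rotation(sse_config: dict, kms_keys: dict) -> str:
    """Decide whether an aws_s3_bucket_server_side_encryption_configuration
    uses a CMK and, if so, whether that CMK has key rotation enabled."""
    default = sse_config["rule"]["apply_server_side_encryption_by_default"]
    algorithm = default.get("sse_algorithm")
    key_ref = default.get("kms_master_key_id")

    # SSE-S3 ("AES256"): S3 owns and rotates the key, there is no CMK.
    # This is exactly the resource from the issue report above.
    if algorithm == "AES256":
        return NOT_APPLICABLE
    if algorithm not in KMS_ALGORITHMS:
        return NOT_APPLICABLE

    # SSE-KMS with no key id, or with the AWS managed alias, uses the
    # AWS managed aws/s3 key; AWS rotates that one itself, still no CMK.
    if not key_ref or key_ref.startswith("alias/aws/"):
        return NOT_APPLICABLE

    key = resolve_kms_key(key_ref, kms_keys)
    if key is None:
        return UNKNOWN
    return PASSED if key.get("enable_key_rotation") is True else FAILED


# Constructed sample plan: the issue's SSE-S3 bucket plus three SSE-KMS variants.
SAMPLE_KMS_KEYS = {
    "rotating": {"enable_key_rotation": True},
    "static": {"enable_key_rotation": False},
}

SAMPLE_SSE_CONFIGS = {
    "sse_config": {  # the resource from the issue report
        "rule": {"apply_server_side_encryption_by_default": {"sse_algorithm": "AES256"}}
    },
    "kms_rotating": {
        "rule": {"apply_server_side_encryption_by_default": {
            "sse_algorithm": "aws:kms",
            "kms_master_key_id": "aws_kms_key.rotating.arn"}}
    },
    "kms_static": {
        "rule": {"apply_server_side_encryption_by_default": {
            "sse_algorithm": "aws:kms",
            "kms_master_key_id": "aws_kms_key.static.arn"}}
    },
    "kms_aws_managed": {
        "rule": {"apply_server_side_encryption_by_default": {
            "sse_algorithm": "aws:kms",
            "kms_master_key_id": "alias/aws/s3"}}
    },
}


def run_sample_plan() -> dict:
    """Evaluate every sample SSE configuration; returns {resource_name: result}."""
    return {name: evaluate_cmk_rotation(cfg, SAMPLE_KMS_KEYS)
            for name, cfg in SAMPLE_SSE_CONFIGS.items()}


if __name__ == "__main__":
    for name, result in run_sample_plan().items():
        print(f"{result:15} aws_s3_bucket_server_side_encryption_configuration.{name}")
```

Only the `kms_static` bucket should be reported by a CMK rotation check; the issue's `sse_config` resource comes back as not applicable, which is the outcome the report argues for. A reference to a key that is not part of the plan (a raw ARN or a data source) is deliberately reported as unknown rather than failed, since rotation cannot be confirmed from the plan alone.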

aaleksandrov commented 1 month ago

Closing since it's open with a wrong label