Closed dishikang123 closed 2 weeks ago
Can you please post your checkov command? And the report output (passed/failed checks) ?
@maxamel
command:
.\checkov.exe -f <path to file> --external-checks-dir <path to custom checks> -c TEST*
output:
By Prisma Cloud | version: 3.2.94
cloudformation scan results:
Passed checks: 3, Failed checks: 1, Skipped checks: 0
Check: TEST_AWS_4: "Ensure RDS PostgreSQL parameters are configured according to requirements"
PASSED for resource: AWS::RDS::DBParameterGroup.Postgres13StandardParameterGroup
File: /..\..\rdsparameters.yml:108-131
Check: TEST_AWS_4: "Ensure RDS PostgreSQL parameters are configured according to requirements"
PASSED for resource: AWS::RDS::DBParameterGroup.Postgres14StandardParameterGroup
File: /..\..\rdsparameters.yml:149-172
Check: TEST_AWS_4: "Ensure RDS PostgreSQL parameters are configured according to requirements"
PASSED for resource: AWS::RDS::DBParameterGroup.Postgres15StandardParameterGroup
File: /..\..\rdsparameters.yml:191-214
Check: TEST_AWS_4: "Ensure RDS PostgreSQL parameters are configured according to requirements"
FAILED for resource: AWS::RDS::DBParameterGroup.MySQL8StandardParameterGroup
File: /..\..\rdsparameters.yml:26-50
26 | MySQL8StandardParameterGroup:
27 |   Type: AWS::RDS::DBParameterGroup
28 |   Properties:
29 |     Description: Standard Parameter Group for MySQL 8
30 |     Family: mysql8.0
31 |     Parameters:
32 |       require_secure_transport: 1
33 |       tls_version: TLSv1.2
34 |       local_infile: 0
35 |       general_log: 1
36 |       log_output: FILE
37 |       slow_query_log: 1
38 |       max_user_connections: 10
39 |       password_history: 24
40 |       password_reuse_interval: 365
41 |       validate_password_length: 12
42 |       validate_password_mixed_case_count: 1
43 |       validate_password_number_count: 1
44 |       validate_password_policy: STRONG
45 |       validate_password_special_char_count: 1
46 |       default_password_lifetime: 365
47 |       log_error_verbosity: 2
48 |       sql_mode: STRICT_ALL_TABLES
49 |       master-info-repository: TABLE
50 |       performance_schema: 1
Currently this cannot be reproduced. Judging from the report output it seems the input file is different than the one mentioned in the issue description. Can you attach the full rdsparameters.yml ?
AWSTemplateFormatVersion: "2010-09-09"
Description: Standardized RDS configurations, such as Parameter Groups and Option Groups for specific database versions
Resources:
  MySQL8StandardParameterGroup:
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Standard Parameter Group for MySQL 8
      Family: mysql8.0
      Parameters:
        require_secure_transport: 1
        tls_version: TLSv1.2
        local_infile: 0
        general_log: 1
        log_output: FILE
        slow_query_log: 1
        max_user_connections: 10
        password_history: 24
        password_reuse_interval: 365
        validate_password_length: 12
        validate_password_mixed_case_count: 1
        validate_password_number_count: 1
        validate_password_policy: STRONG
        validate_password_special_char_count: 1
        default_password_lifetime: 365
        log_error_verbosity: 2
        sql_mode: STRICT_ALL_TABLES
        master-info-repository: TABLE
        performance_schema: 1
  Postgres13StandardParameterGroup:
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Standard Parameter Group for Postgres 13
      Family: postgres13
      Parameters:
        rds.force_ssl: 1
        ssl_min_protocol_version: TLSv1.2
  Postgres14StandardParameterGroup:
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Standard Parameter Group for Postgres 14
      Family: postgres14
      Parameters:
        rds.force_ssl: 1
        ssl_min_protocol_version: TLSv1.2
  Postgres15StandardParameterGroup:
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Standard Parameter Group for Postgres 15
      Family: postgres15
      Parameters:
        rds.force_ssl: 1
        ssl_min_protocol_version: TLSv1.2
I managed to reproduce this issue. @tsmithv11 the docs state filter is most commonly used with connection blocks, and I haven't seen explicit examples similar to the one above. It does seem like this case should work, what do you think?
Thank you for reporting, @dishikang123 and thanks for investigating, @maxamel.
I believe we built the filter to only work for resource types, not based on attributes in a resource block. This is an interesting idea to refine a policy so it doesn't flag (good or bad) specific resources, but it is not currently supported. For now, you can use:
definition:
  or:
    - cond_type: "attribute"
      resource_types:
        - "AWS::RDS::DBParameterGroup"
      attribute: Family
      operator: not_within
      value:
        - "postgres13"
        - "postgres14"
        - "postgres15"
    - cond_type: "attribute"
      resource_types:
        - "AWS::RDS::DBParameterGroup"
      attribute: Parameters.ssl_min_protocol_version
      operator: equals
      value: "TLSv1.2"
It will show the first resource block as passing which can be "noisy" but at least it's not a false positive.
@tsmithv11 Thanks for the suggestion. If I understand the logic correctly, both attributes get evaluated first and then have the or applied, as opposed to: if the first attribute evaluates to true, then the second attribute will not get evaluated at all.
@dishikang123 correct
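To make the semantics of the suggested `or` definition concrete, here is a small evaluator written for this page; it is an added example, not checkov's own code, and it re-implements only the parts of the custom-policy YAML that the thread uses (an `or` of `attribute` conditions, the `equals`, `within` and `not_within` operators, and dotted attribute paths). The template it scans is constructed inline: two resources shaped like the reporter's file, plus a `Postgres14WeakTlsParameterGroup` (TLSv1.1) and an `AppBucket` that are not in the original issue. `branch_results` evaluates every branch without short-circuiting, so you can see that the MySQL group is let through by the `not_within` branch alone, which is why it shows up as PASSED rather than being skipped.

```python
"""Toy evaluator for the checkov-style ``or`` policy suggested in the thread.

Added example, not checkov's own code. It reproduces just enough of the
custom-policy semantics to show why a non-Postgres parameter group is
reported PASSED (not skipped) and why a Postgres group with a weak
ssl_min_protocol_version is reported FAILED.
"""
from typing import Any

# The ``definition:`` block from the thread, transcribed to Python structures.
POLICY: dict[str, Any] = {
    "or": [
        {"cond_type": "attribute", "resource_types": ["AWS::RDS::DBParameterGroup"],
         "attribute": "Family", "operator": "not_within",
         "value": ["postgres13", "postgres14", "postgres15"]},
        {"cond_type": "attribute", "resource_types": ["AWS::RDS::DBParameterGroup"],
         "attribute": "Parameters.ssl_min_protocol_version", "operator": "equals",
         "value": "TLSv1.2"},
    ]
}

# Constructed template (only the properties the policy looks at are kept).
# The weak Postgres group and the S3 bucket are NOT part of the original issue.
TEMPLATE: dict[str, Any] = {
    "Resources": {
        "MySQL8StandardParameterGroup": {
            "Type": "AWS::RDS::DBParameterGroup",
            "Properties": {"Family": "mysql8.0",
                           "Parameters": {"require_secure_transport": 1,
                                          "tls_version": "TLSv1.2"}},
        },
        "Postgres15StandardParameterGroup": {
            "Type": "AWS::RDS::DBParameterGroup",
            "Properties": {"Family": "postgres15",
                           "Parameters": {"rds.force_ssl": 1,
                                          "ssl_min_protocol_version": "TLSv1.2"}},
        },
        "Postgres14WeakTlsParameterGroup": {  # constructed: should FAIL
            "Type": "AWS::RDS::DBParameterGroup",
            "Properties": {"Family": "postgres14",
                           "Parameters": {"rds.force_ssl": 1,
                                          "ssl_min_protocol_version": "TLSv1.1"}},
        },
        "AppBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},  # out of scope
    }
}


def lookup(props: dict[str, Any], path: str) -> Any:
    """Resolve a dotted attribute path such as 'Parameters.ssl_min_protocol_version'."""
    cur: Any = props
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # missing attribute: ``equals`` below then fails
        cur = cur[part]
    return cur


def eval_condition(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Evaluate one ``attribute`` condition against one resource."""
    actual = lookup(resource.get("Properties", {}), cond["attribute"])
    op, expected = cond["operator"], cond["value"]
    if op == "equals":
        return actual == expected
    if op == "within":
        return actual in expected
    if op == "not_within":
        return actual not in expected
    raise ValueError(f"unsupported operator {op!r}")


def branch_results(policy: dict[str, Any], resource: dict[str, Any]) -> list[bool]:
    """Evaluate every branch of the top-level ``or`` (no short-circuit)."""
    return [eval_condition(c, resource) for c in policy["or"]]


def in_scope(policy: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Only resources whose Type appears in some branch's resource_types are checked."""
    return any(resource.get("Type") in c["resource_types"] for c in policy["or"])


def scan(template: dict[str, Any], policy: dict[str, Any]) -> dict[str, str]:
    """Return PASSED/FAILED per in-scope logical id; out-of-scope resources are skipped."""
    results: dict[str, str] = {}
    for logical_id, resource in template["Resources"].items():
        if in_scope(policy, resource):
            results[logical_id] = "PASSED" if any(branch_results(policy, resource)) else "FAILED"
    return results


if __name__ == "__main__":
    for rid, verdict in scan(TEMPLATE, POLICY).items():
        print(f"{verdict:6} {rid}  branches={branch_results(POLICY, TEMPLATE['Resources'][rid])}")
```

Running it prints PASSED for the MySQL group (branches `[True, False]`), PASSED for the Postgres 15 group (`[False, True]`), FAILED for the constructed TLSv1.1 group (`[False, False]`), and nothing for the bucket. The practitioner's caveat is the one tsmithv11 points out: the MySQL group passes purely because its `Family` is outside the Postgres list, so this definition says nothing about its own `tls_version` setting; a separate check is needed if that value must also be enforced.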
Describe the issue
I am trying to create custom checks in YAML to validate against CloudFormation templates. In trying to use filter to filter out resources where the rule is applicable, it doesn't seem to be working. The resource in question is AWS::RDS::DBParameterGroup and I only want to validate the rule when Family is postgres 13 - 15. The rule I came up with works fine against postgres, but still flags other families such as mysql as failures when they should be skipped.
Example Value Input:
rule: