bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Custom Check for CloudFormation DeletionPolicy #6440

Open dmeiser opened 2 weeks ago

dmeiser commented 2 weeks ago

I have a use case where I want to check specific resources for a DeletionPolicy. I created the YML configuration below, but the check fails every time. It appears that checks for DeletionPolicy are not currently supported:

```yaml
# Custom policy definition as posted. A complete checkov YAML policy file also
# carries a top-level `metadata` block (id, name, category) alongside `definition`.
definition:
  cond_type: attribute
  resource_types:
    - AWS::S3::Bucket
  attribute: DeletionPolicy
  operator: equals
  value: Retain
```
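The point worth keeping in mind with this attribute is that `DeletionPolicy` is a top-level resource attribute in CloudFormation, a sibling of `Type` and `Properties`, not a key inside `Properties`. The following is an added example (not code from the issue or from the checkov project) that evaluates the same rule in plain Python over a constructed JSON-form template, and, when checkov happens to be importable, wraps that logic in a Python custom check using the documented `BaseResourceCheck` API. The check id `CKV_AWS_999`, the check name and the sample template contents are assumptions for illustration only.

```python
"""Scan CloudFormation resources for a required top-level DeletionPolicy.

DeletionPolicy sits next to Type and Properties on the resource, so it must be
read from the resource mapping itself, not from the Properties map.
"""
from __future__ import annotations

from typing import Any, Iterable

# Constructed sample template in JSON form (no YAML parser or CFN tags needed).
SAMPLE_TEMPLATE: dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Logs": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "Properties": {"BucketName": "example-logs"},
        },
        "Scratch": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Delete",
            "Properties": {"BucketName": "example-scratch"},
        },
        "Default": {
            # No DeletionPolicy at all: CloudFormation's default for this type is Delete.
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-default"},
        },
        "Queue": {
            # Different type; a check scoped to AWS::S3::Bucket must ignore it.
            "Type": "AWS::SQS::Queue",
            "Properties": {},
        },
    },
}


def deletion_policy_matches(resource: dict[str, Any], expected: str = "Retain") -> bool:
    """True when the resource's top-level DeletionPolicy equals `expected`.

    The comparison is exact (CloudFormation attribute values are case-sensitive),
    and a missing attribute counts as non-compliant.
    """
    return resource.get("DeletionPolicy") == expected


def scan_template(
    template: dict[str, Any],
    resource_types: Iterable[str] = ("AWS::S3::Bucket",),
    expected: str = "Retain",
) -> dict[str, str]:
    """Return {logical_id: "PASSED" | "FAILED"} for every resource of the given types."""
    wanted = set(resource_types)
    results: dict[str, str] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in wanted:
            continue
        results[logical_id] = "PASSED" if deletion_policy_matches(resource, expected) else "FAILED"
    return results


# Optional checkov wrapper, defined only when checkov is importable so the module
# still runs on its own. Check id and name are placeholders (assumptions).
try:
    from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck
    from checkov.common.models.enums import CheckCategories, CheckResult

    class S3BucketDeletionPolicyRetain(BaseResourceCheck):
        def __init__(self) -> None:
            super().__init__(
                name="Ensure S3 buckets carry DeletionPolicy: Retain",  # placeholder name
                id="CKV_AWS_999",  # placeholder id
                categories=[CheckCategories.BACKUP_AND_RECOVERY],
                supported_resources=["AWS::S3::Bucket"],
            )

        def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
            # `conf` is the whole resource mapping (Type, Properties, DeletionPolicy, ...),
            # so the attribute is read at the top level rather than under Properties.
            return CheckResult.PASSED if deletion_policy_matches(conf) else CheckResult.FAILED

    check = S3BucketDeletionPolicyRetain()
except ImportError:
    pass


if __name__ == "__main__":
    for logical_id, verdict in scan_template(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {verdict}")
```

Run stand-alone, the module reports `Logs` as passed and `Scratch` and `Default` as failed while skipping the queue. Dropped into a directory and passed to checkov with `--external-checks-dir <dir>` alongside `-f template.yaml`, the wrapper class registers itself against `AWS::S3::Bucket` and applies the same rule; a bucket with `DeletionPolicy: retain` (lowercase) or no attribute at all is reported as failing, which is the behaviour you want from a policy that is meant to catch accidental data loss.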
Saarett commented 1 week ago

Hi @dmeiser, thank you for reaching out. Please share the resource itself and the command used to test it. Thanks