How to exclude a particular resource from checkov custom policy

[ashfaqsharif]

Hi,

Currently, I am working on ensuring tagging compliance for all resources in AWS. My objective is to have the "owner" and "cost-centre" tags applied with compliant values to every resource created. Here is the custom policy that I have developed.

`metadata: name: "Check that all resources are tagged with mandatory tag keys" id: "CUSTOM_CFN_1" category: "TAGGING" definition: and:

• cond_type: "attribute" resource_types: "all" attribute: "Tags[?(@.Key == owner)].Value" operator: "jsonpath_within" value:
  • abc@example.com
  • def@example.com
  • ghi@example.com
• cond_type: "attribute" resource_types: "all" attribute: "Tags[?(@.Key == cost-centre)].Value" operator: "jsonpath_within" value:
  • "100000"
  • "111111"
  • "222222" `

The policy effectively scans all resources within the CloudFormation template. However, since the template was created using CDK, it contains a resource AWS::CDK::Metadata that does not support tagging. What steps should I take to exclude AWS::CDK::Metadata from the policy mentioned above? Attached is my template.json for reference.

`Resources: MyBucket1553EBB46: Type: AWS::S3::Bucket Properties: Tags:

• Key: cost-centre Value: "100000"
• Key: owner Value: abc@example.com UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: MyStack/MyBucket1/Resource MyBucket26E0C4281: Type: AWS::S3::Bucket Properties: Tags:
• Key: cost-centre Value: "111111"
• Key: owner Value: abc@example.com UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: MyStack/MyBucket2/Resource MyTopic13B5465E8: Type: AWS::SNS::Topic Properties: Tags:
• Key: cost-centre Value: "111111"
• Key: owner Value: abc@example.com Metadata: aws:cdk:path: MyStack/MyTopic1/Resource MyTopic288635456407: Type: AWS::SNS::Topic Properties: Tags:
• Key: cost-centre Value: "222222"
• Key: owner Value: abc@example.com Metadata: aws:cdk:path: MyStack/MyTopic2/Resource CDKMetadata: Type: AWS::CDK::Metadata Properties: Analytics: v2:deflate64:H4sIAAAAAAAA/y3543216546JwZCF1Z6g9IdFSdIbsBGdQJDlLvT0Ol9+pfn4Nid4bCbvmrRR/ukO5RrmjCaNd2KnqBcMsaQTP/gTdUoK5RR3oSt/lFr4xBU8oKhuRf2lEi4GhYfYNb9xzno1rdZieySOdErwLDtD4xdT0GKAAAA Metadata: aws:cdk:path: MyStack/CDKMetadata/Default Condition: CDKMetadataAvailable Conditions: CDKMetadataAvailable: Fn::Or:
  • Fn::Or:
    • Fn::Equals:
      • Ref: AWS::Region
      • af-south-1
    • Fn::Equals:
      • Ref: AWS::Region
      • ap-east-1
    • Fn::Equals:
      • Ref: AWS::Region
      • ap-northeast-1
    • Fn::Equals:
      • Ref: AWS::Region
      • ap-northeast-2
    • Fn::Equals:
      • Ref: AWS::Region
      • ap-south-1
    • Fn::Equals:
      • Ref: AWS::Region
      • ap-southeast-1
    • Fn::Equals:
      • Ref: AWS::Region
      • ap-southeast-2
    • Fn::Equals:
      • Ref: AWS::Region
      • ca-central-1
    • Fn::Equals:
      • Ref: AWS::Region
      • cn-north-1
    • Fn::Equals:
      • Ref: AWS::Region
      • cn-northwest-1
  • Fn::Or:
    • Fn::Equals:
      • Ref: AWS::Region
      • eu-central-1
    • Fn::Equals:
      • Ref: AWS::Region
      • eu-north-1
    • Fn::Equals:
      • Ref: AWS::Region
      • eu-south-1
    • Fn::Equals:
      • Ref: AWS::Region
      • eu-west-1
    • Fn::Equals:
      • Ref: AWS::Region
      • eu-west-2
    • Fn::Equals:
      • Ref: AWS::Region
      • eu-west-3
    • Fn::Equals:
      • Ref: AWS::Region
      • il-central-1
    • Fn::Equals:
      • Ref: AWS::Region
      • me-central-1
    • Fn::Equals:
      • Ref: AWS::Region
      • me-south-1
    • Fn::Equals:
      • Ref: AWS::Region
      • sa-east-1
  • Fn::Or:
    • Fn::Equals:
      • Ref: AWS::Region
      • us-east-1
    • Fn::Equals:
      • Ref: AWS::Region
      • us-east-2
    • Fn::Equals:
      • Ref: AWS::Region
      • us-west-1
    • Fn::Equals:
      • Ref: AWS::Region
      • us-west-2 Parameters: BootstrapVersion: Type: AWS::SSM::Parameter::Value Default: /cdk-bootstrap/hnb659fds/version Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip] Rules: CheckBootstrapVersion: Assertions:
  • Assert: Fn::Not:
    • Fn::Contains:
      • • "1"
          • "2"
          • "3"
          • "4"
          • "5"
      • Ref: BootstrapVersion AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.

`

[ashfaqsharif]

I updated the checkov custom policy to handle "Type" and it still failing check on AWS::CDK::Metadata. Here is my updated policy:

`metadata: name: "Check that all resources are tagged with mandatory tag keys" id: "CUSTOM_CFN_1" category: "TAGGING" definition: and:

• cond_type: "attribute" resource_types: "all" attribute: "Tags[?(@.Key == owner)].Value" operator: "jsonpath_within" value:
  • abc@example.com
  • def@example.com
  • ghi@example.com
• cond_type: "attribute" resource_types: "all" attribute: "Tags[?(@.Key == cost-centre)].Value" operator: "jsonpath_within" value:
  • "100000"
  • "111111"
  • "222222"
• cond_type: "attribute" attribute: "Type" operator: "not_equals" value: "AWS::CDK::Metadata"`

And Here is the error in the scan:

`Check: CUSTOM_CFN_1: "Check that all resources are tagged with mandatory tag keys" FAILED for resource: AWS::CDK::Metadata.CDKMetadata File: /template.json:46-52

    46 |   CDKMetadata:
    47 |     Type: AWS::CDK::Metadata
    48 |     Properties:
    49 |       Analytics: v2:deflate64:H4sIAAAAAAAA/yXNMQ7CMAyF4bOwJwZCF1Z6g9IdFSdIbsBGdQJDlLvT0Ol9+pfn4Nid4bCbvmrRR/ukO5RrmjCaNd2KnqBcMsaQTP/gTdUoK5RR3oSt/lFr4xBU8oKhuRf2lEi4GhYfYNb9xzno1rdZieySOdErwLDtD4xdT0GKAAAA
    50 |     Metadata:
    51 |       aws:cdk:path: MyStack/CDKMetadata/Default
    52 |     Condition: CDKMetadataAvailable

`