CKV2_AWS_44 is showing false positive #6277

Closed
rickythain opened this issue May 7, 2024 · 1 comment · Fixed by #6301
Labels
checks Check additions or changes

Comments


rickythain commented May 7, 2024

Describe the issue
CKV2_AWS_44 (Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic) is showing false-positive but there may be more than just that issue.
I summarized and compiled the Terraform code, JSON plan file, and Checkov result in this repo for reference.

Examples
terraform code:

resource "aws_route" "route1" {
  route_table_id            = aws_route_table.rtb1.id
  destination_cidr_block    = "10.1.0.0/16"
  vpc_peering_connection_id = "pcx-578451154151544"
}

resource "aws_route" "route2" {
  route_table_id            = aws_route_table.rtb2.id
  destination_cidr_block    = "10.0.0.0/16"
  vpc_peering_connection_id = "pcx-578451154151544"
}

Checkov returned FAILED for aws_route.route2, even though the resource does not have an overly permissive route.

Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
	PASSED for resource: aws_route.route1
	File: /plan.json:13-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
	FAILED for resource: aws_route.route2
	File: /plan.json:37-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic

Version (please complete the following information):

  • Checkov Version: 3.2.74

Additional context
I tried creating a custom policy based on the current policy, replacing not_contains with not_equals. It is working for aws_route resources but not for aws_route_table inline routes.
When multiple inline routes are created in an aws_route_table, both not_contains and not_equals return false reports.

@rickythain rickythain added the checks Check additions or changes label May 7, 2024
@itariq20

@rickythain Hi, thanks for reporting this. I believe the policy is triggering when the destination_cidr_block IP address contains "0.0.0.0", even if it is "10.0.0.0". The policy passes when the IP address does not contain "0.0.0.0", such as in the case of "10.1.0.0/16". There's potentially an issue in the policy logic. We'll investigate this internally.
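As an added example (not Checkov's own policy code), the snippet below contrasts the substring test described in the comment above with an exact "all traffic" test built on the standard `ipaddress` module, run over constructed routes that include the two from the report; route3 to route5 and the `igw-placeholder` value are constructed for illustration.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample routes: route1/route2 mirror the issue report, the rest
# cover a genuine IPv4 default route, an IPv6 default route, and a default
# route that is not attached to a VPC peering connection (out of scope).
SAMPLE_ROUTES: List[Dict[str, str]] = [
    {"name": "aws_route.route1", "destination_cidr_block": "10.1.0.0/16",
     "vpc_peering_connection_id": "pcx-578451154151544"},
    {"name": "aws_route.route2", "destination_cidr_block": "10.0.0.0/16",
     "vpc_peering_connection_id": "pcx-578451154151544"},
    {"name": "aws_route.route3", "destination_cidr_block": "0.0.0.0/0",
     "vpc_peering_connection_id": "pcx-578451154151544"},
    {"name": "aws_route.route4", "destination_ipv6_cidr_block": "::/0",
     "vpc_peering_connection_id": "pcx-578451154151544"},
    {"name": "aws_route.route5", "destination_cidr_block": "0.0.0.0/0",
     "gateway_id": "igw-placeholder"},  # constructed, not a peering route
]

CIDR_KEYS = ("destination_cidr_block", "destination_ipv6_cidr_block")


def substring_check(route: Dict[str, str]) -> bool:
    """The substring logic the comment describes: any CIDR text containing
    "0.0.0.0" is flagged, so "10.0.0.0/16" is a false positive."""
    return "0.0.0.0" in route.get("destination_cidr_block", "")


def cidr_is_all_traffic(cidr: str) -> bool:
    """True only for a prefix of length 0 (0.0.0.0/0 or ::/0); parsing the
    CIDR instead of matching text avoids the substring false positive."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # unparsable value: leave it to a syntax check


def peering_route_is_overly_permissive(route: Dict[str, str]) -> bool:
    """Scope the finding to routes that go through a VPC peering connection,
    which is what the check name asks for; IGW/NAT routes are out of scope."""
    if not route.get("vpc_peering_connection_id"):
        return False
    return any(cidr_is_all_traffic(route[k]) for k in CIDR_KEYS if k in route)


def evaluate(routes: List[Dict[str, str]],
             check: Callable[[Dict[str, str]], bool]) -> Dict[str, str]:
    """Map each route name to a Checkov-style PASSED/FAILED verdict."""
    return {r["name"]: "FAILED" if check(r) else "PASSED" for r in routes}
```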
