False positives CKV2_AWS_67 #6294
Comments
This also fails on an S3 bucket where a Customer Managed Key is used. The CMK already has rotation enabled. False alerts on both default and CMK keys.

And it also fails on keys that are stored in a different account.
Works around apparent bug in checkov bridgecrewio/checkov#6294. The KMS key rotation is not configured on the aws_s3_bucket_server_side_encryption_configuration resource, so it does not make sense to check for it there. Key rotation is outside the scope of this module. Co-authored-by: Sean Nixon <smnixon@amazon.com>
Looks like this PR is causing this: #6239
@aaleksandrov this check explicitly looks for CMKs, not AWS managed keys, which are considered less secure, so that is not a false positive. We have others like this, such as CKV_AWS_181.

@stepintooracledba according to the docs, rotation is off by default: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#enable_key_rotation. Can you provide documentation or a counter example? If so, we'll get it fixed.

@rafaljanicki sounds like you may be right. Do you have a counter example in TF you can share? We'll get this policy updated based on that.
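To make the maintainer's description of the check concrete, here is an added Terraform example (it is not code from this issue, from checkov, or from the module whose commit is quoted above). It shows the two shapes the check distinguishes: a bucket encrypted with a customer managed key whose rotation is left at the provider default, and the same wiring with rotation enabled on the key. Bucket names and key descriptions are assumptions.

```terraform
# Added example, not from the checkov project or the referenced module.
# Two S3 buckets with SSE-KMS, written the way the thread describes the
# check's expectations. Bucket names and descriptions are assumed.

# Form that CKV2_AWS_67 flags: a customer managed KMS key whose rotation
# is left at the AWS provider default (enable_key_rotation = false).
resource "aws_kms_key" "unrotated" {
  description = "CMK for logs bucket (example)"
  # enable_key_rotation is not set, so it defaults to false
}

resource "aws_s3_bucket" "logs_unrotated" {
  bucket = "example-logs-unrotated" # assumed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs_unrotated" {
  bucket = aws_s3_bucket.logs_unrotated.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.unrotated.arn
    }
  }
}

# Form the check accepts: identical bucket wiring, but the referenced CMK
# has annual rotation turned on. The bucket encryption resource itself is
# unchanged; rotation is a property of the key, which is the point the
# work-around commit quoted in this thread makes.
resource "aws_kms_key" "rotated" {
  description         = "CMK for logs bucket (example)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "logs_rotated" {
  bucket = "example-logs-rotated" # assumed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs_rotated" {
  bucket = aws_s3_bucket.logs_rotated.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.rotated.arn
    }
    # Reduces KMS request volume; unrelated to the rotation check itself.
    bucket_key_enabled = true
  }
}
```

Running `checkov -d . --check CKV2_AWS_67` against a directory holding this file should, per the maintainer's description, report the first bucket and pass the second. Note that a key living in another account and referenced only by its ARN string has no `aws_kms_key` resource in the scanned directory for the check to inspect, which is the situation the cross-account report earlier in this thread describes.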
@tsmithv11 It's quite confusing that this check basically includes 2 checks. If it's desired behavior, can you at least change the message? To "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) and it has regular rotation"

@aaleksandrov no problem. I opened #6434 with this adjustment.
Describe the issue
CKV2_AWS_67 generates false positives when using default AWS managed encryption key (AES256)
Examples
Version (please complete the following information):
master