The communication between your client and the container to which you are connecting is encrypted by default using TLS1.2. It is, however, possible to use your own AWS Key Management Service (KMS) keys to encrypt this data channel. The ECS cluster configuration override supports configuring a customer key as an optional parameter. When specified, the encryption is done using the specified key. Ultimately, ECS Exec leverages the core SSM capabilities described in the SSM documentation.
Describe the issue
Hello, CKV_AWS_224 is for AWS ECS Exec configuration and called "Ensure ECS Cluster logging uses CMK" and part of the check looks for kms_key_id. However, according to the documentation, the KMS key parameter is for encrypting the connection between client and container, not the log encryption as suggested by the check. It's a little bit confusing because the ExecuteCommandConfiguration block has 3 parameters, 2 of them for logging, and this KMS one as the third, but it isn't related to logging.
Examples
This passes as expected:
However, removing the KMS parameter has Checkov fail with "Ensure ECS Cluster logging uses CMK", but that message isn't appropriate -- the key is used for the connection to the container.
Version (please complete the following information):
3.2.60, but the code hasn't changed since on main
Additional context
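An added example (not Checkov's code and not written by the issue author) that reports ECS Exec session encryption and log encryption as two separate findings, so that removing kms_key_id flips only the session finding. The dict layout (modelled on the attribute names of Terraform's aws_ecs_cluster resource), the function names and the sample values are assumptions constructed for illustration.

```python
# Added illustration; not Checkov's implementation. Dicts mimic the attribute
# names of Terraform's aws_ecs_cluster resource; sample values are constructed.

def audit_exec_config(cluster):
    """Return separate findings for ECS Exec session and log encryption."""
    exec_cfg = cluster.get("configuration", {}).get("execute_command_configuration", {})
    mode = exec_cfg.get("logging", "DEFAULT")  # DEFAULT applies when unset
    log_cfg = exec_cfg.get("log_configuration", {})

    # kms_key_id encrypts the client <-> container data channel, not the logs.
    findings = {"session_uses_cmk": bool(exec_cfg.get("kms_key_id")), "logging_mode": mode}

    if mode == "OVERRIDE":
        # Check the encryption flag of every log destination that is configured.
        flags = []
        if log_cfg.get("cloud_watch_log_group_name"):
            flags.append(bool(log_cfg.get("cloud_watch_encryption_enabled")))
        if log_cfg.get("s3_bucket_name"):
            flags.append(bool(log_cfg.get("s3_bucket_encryption_enabled")))
        findings["logs_encrypted"] = bool(flags) and all(flags)
    else:
        # NONE: nothing is logged. DEFAULT: the task definition's awslogs
        # settings apply, which the cluster block alone cannot answer.
        findings["logs_encrypted"] = None
    return findings


def sample_cluster(with_kms):
    """Constructed sample: OVERRIDE logging to an encrypted CloudWatch group."""
    exec_cfg = {
        "logging": "OVERRIDE",
        "log_configuration": {
            "cloud_watch_encryption_enabled": True,
            "cloud_watch_log_group_name": "example-exec-logs",
        },
    }
    if with_kms:
        exec_cfg["kms_key_id"] = "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE"  # placeholder
    return {"configuration": {"execute_command_configuration": exec_cfg}}


if __name__ == "__main__":
    for with_kms in (True, False):
        print(with_kms, audit_exec_config(sample_cluster(with_kms)))
```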