CKV_AWS_224 is actually checking two different things #6265

Open
dancorne opened this issue May 7, 2024 · 1 comment

Comments


dancorne commented May 7, 2024

Describe the issue
Hello, CKV_AWS_224 is for the AWS ECS Exec configuration and is called "Ensure ECS Cluster logging uses CMK", and part of the check looks for kms_key_id.

However, according to the documentation, the KMS key parameter is for encrypting the connection between the client and the container, not for the log encryption suggested by the check. It's a little bit confusing because the ExecuteCommandConfiguration block has 3 parameters, 2 of them for logging, and this KMS one as the third, but it isn't related to logging.

Examples
This passes as expected:

resource "aws_ecs_cluster" "main" {
  name     = var.name

  configuration {
    execute_command_configuration {
      logging    = "OVERRIDE"
      kms_key_id = var.kms_key_id
      log_configuration {
        s3_bucket_name               = var.logs_bucket_name
        s3_bucket_encryption_enabled = true
      }
    }
  }
}

However, removing the KMS parameter makes Checkov fail with "Ensure ECS Cluster logging uses CMK", but that message isn't appropriate -- the key is used for the connection to the container.

resource "aws_ecs_cluster" "main" {
  name     = var.name

  configuration {
    execute_command_configuration {
      logging    = "OVERRIDE"
      log_configuration {
        s3_bucket_name               = var.logs_bucket_name
        s3_bucket_encryption_enabled = true
      }
    }
  }
}

Version (please complete the following information):
3.2.60, but the code hasn't changed since on main

Additional context

The communication between your client and the container to which you are connecting is encrypted by default using TLS1.2. It is, however, possible to use your own AWS Key Management Service (KMS) keys to encrypt this data channel. The ECS cluster configuration override supports configuring a customer key as an optional parameter. When specified, the encryption is done using the specified key. Ultimately, ECS Exec leverages the core SSM capabilities described in the SSM documentation.
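To make the distinction the issue draws concrete, here are the two concerns written as separate checks. This is an added example, not Checkov's implementation of CKV_AWS_224: the resource is a plain dict mirroring the nested HCL block structure, and the dict shape, function names and sample values are assumptions made for this example.

```python
from typing import Any, Dict, Optional

PASSED, FAILED = "PASSED", "FAILED"


def _exec_config(resource: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the execute_command_configuration block, or None if absent."""
    return resource.get("configuration", {}).get("execute_command_configuration")


def check_exec_logging_encrypted(resource: Dict[str, Any]) -> str:
    """Concern 1: ECS Exec session logs are written encrypted.

    Only verifiable when logging = "OVERRIDE". "NONE" produces no session logs
    and "DEFAULT" reuses the task's awslogs settings, so both report FAILED.
    """
    cfg = _exec_config(resource)
    if not cfg or cfg.get("logging") != "OVERRIDE":
        return FAILED
    log = cfg.get("log_configuration", {})
    # Every configured destination must have its own encryption flag set.
    destinations = []
    if "s3_bucket_name" in log:
        destinations.append(log.get("s3_bucket_encryption_enabled") is True)
    if "cloud_watch_log_group_name" in log:
        destinations.append(log.get("cloud_watch_encryption_enabled") is True)
    return PASSED if destinations and all(destinations) else FAILED


def check_exec_channel_uses_cmk(resource: Dict[str, Any]) -> str:
    """Concern 2: the client-to-container data channel uses a customer KMS key.

    kms_key_id is independent of the logging block, which is the distinction
    the issue asks for; a resource can pass one check and fail the other.
    """
    cfg = _exec_config(resource)
    return PASSED if cfg and cfg.get("kms_key_id") else FAILED


# Constructed sample mirroring the issue's second snippet (no kms_key_id):
# logging is encrypted, so concern 1 passes while concern 2 fails.
LOGGING_ONLY = {
    "configuration": {
        "execute_command_configuration": {
            "logging": "OVERRIDE",
            "log_configuration": {
                "s3_bucket_name": "example-logs-bucket",  # constructed value
                "s3_bucket_encryption_enabled": True,
            },
        }
    },
}
```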

@itariq20

@dancorne Hi, thanks for reporting this, we'll investigate this internally and get you more information.
