Describe the issue
CKV2_AWS_44 (Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic) is showing a false positive, but there may be more than just that issue.
I summarized and compiled the tf code, JSON plan file, and Checkov result in this repo for reference.
Checkov returned FAILED for aws_route.route2, even though the resource does not have an overly permissive route.
```
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
	PASSED for resource: aws_route.route1
	File: /plan.json:13-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
	FAILED for resource: aws_route.route2
	File: /plan.json:37-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic
```
Version (please complete the following information):
Checkov Version: 3.2.74
Additional context
I tried creating a custom policy based on the current policy, replacing `not_contains` with `not_equals`. It works for aws_route resources but not for aws_route_table inline routes.
When multiple inline routes are created in an aws_route_table, both `not_contains` and `not_equals` return false reports.
@rickythain Hi, thanks for reporting this. I believe the policy is triggering when the destination_cidr_block IP address contains "0.0.0.0", even if it is "10.0.0.0". The policy passes when the IP address does not contain "0.0.0.0", such as in the case of "10.1.0.0/16". There's potentially an issue in the policy logic. We'll investigate this internally.
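To make the substring problem described above concrete, here is an added example (not Checkov's own policy code and not the reporter's plan.json) that places a string-`contains` check beside a CIDR-aware check and runs both over a constructed list of routes, including an aws_route_table with several inline routes. Field names follow the Terraform `aws_route` / `aws_route_table` schema (`destination_cidr_block`, `destination_ipv6_cidr_block`, `vpc_peering_connection_id`, `route`); the `pcx-...` and `igw-...` ids are placeholders. The CIDR-aware check treats a route as overly permissive only when it points at a peering connection and its destination is the entire address space (prefix length 0), which is what "all traffic" means in the policy title.

```python
import ipaddress

# Constructed sample routes in the shape of a Terraform plan's resource values.
# Ids are placeholders, not real AWS resources.
SAMPLE_ROUTES = [
    {"destination_cidr_block": "10.0.0.0/16", "vpc_peering_connection_id": "pcx-example1"},
    {"destination_cidr_block": "0.0.0.0/0", "vpc_peering_connection_id": "pcx-example2"},
    {"destination_cidr_block": "10.1.0.0/16", "vpc_peering_connection_id": "pcx-example3"},
    {"destination_cidr_block": "0.0.0.0/0", "gateway_id": "igw-example"},
    {"destination_ipv6_cidr_block": "::/0", "vpc_peering_connection_id": "pcx-example4"},
]

# Constructed aws_route_table with inline routes (the case the reporter says
# misbehaves with both not_contains and not_equals).
SAMPLE_ROUTE_TABLE = {
    "vpc_id": "vpc-example",
    "route": [
        {"cidr_block": "10.0.0.0/16", "vpc_peering_connection_id": "pcx-example5"},
        {"cidr_block": "0.0.0.0/0", "gateway_id": "igw-example"},
    ],
}


def substring_check(route):
    """Mimics the behaviour the maintainer describes: FAIL whenever the
    destination string contains '0.0.0.0'. '10.0.0.0/16' trips this."""
    cidr = route.get("destination_cidr_block") or route.get("cidr_block") or ""
    return "0.0.0.0" in cidr


def is_permissive_peering_route(route):
    """CIDR-aware check: the route targets a VPC peering connection AND the
    destination covers the whole IPv4 or IPv6 address space (prefix length 0)."""
    if not route.get("vpc_peering_connection_id"):
        return False  # only peering routes are in scope for this policy
    for key in ("destination_cidr_block", "cidr_block",
                "destination_ipv6_cidr_block", "ipv6_cidr_block"):
        cidr = route.get(key)
        if not cidr:
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # unparsable value, leave it for a separate syntax check
        if net.prefixlen == 0:
            return True
    return False


def route_table_is_permissive(table):
    """aws_route_table inline routes: the resource fails if ANY inline route
    is an all-traffic route through a peering connection."""
    return any(is_permissive_peering_route(r) for r in table.get("route", []))


def evaluate(routes, check):
    """Return PASSED/FAILED per route for the given check function."""
    return ["FAILED" if check(r) else "PASSED" for r in routes]


if __name__ == "__main__":
    for name, check in (("substring", substring_check),
                        ("cidr-aware", is_permissive_peering_route)):
        print(name, evaluate(SAMPLE_ROUTES, check))
    print("route_table", "FAILED" if route_table_is_permissive(SAMPLE_ROUTE_TABLE) else "PASSED")
```

Running it shows the first route ("10.0.0.0/16" via peering) FAILED under the substring check and PASSED under the CIDR-aware one, while the genuine "0.0.0.0/0" and "::/0" peering routes FAIL under both; the "0.0.0.0/0" route via an internet gateway is out of scope for this policy and passes the CIDR-aware check.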