
Checkov Check ID: CKV2_AWS_12 (Ensure AWS Default Security Group restricts all traffic)

Open nima-sherpa opened this issue 3 years ago • 11 comments

Describe the issue
I am getting Checkov Check ID: CKV2_AWS_12 while running checkov. I have implemented the default security group Terraform resource as suggested below:

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

But I am still getting the same error. How do I resolve this Checkov failure? Can anyone help me with this?

Examples
I do have security group resources and security group rule resources created.


nima-sherpa avatar Jun 09 '22 19:06 nima-sherpa

Hi everyone, please provide some input on this issue if possible. When creating the default security group the way shown above, it did not create ingress and egress rules, which means it should resolve the Checkov vulnerabilities, but they are still persisting.

nima-sherpa avatar Jun 13 '22 15:06 nima-sherpa

Hello @nima-sherpa, can you please provide resource files to reproduce this issue? Also, please post the full error since it can provide valuable info regarding the failure. Thanks!

maxamel avatar Jun 15 '22 15:06 maxamel

resource "aws_security_group" "vpc" {
  name        = "${lookup(var.taggingstandard, "deployment")}-VPC"
  description = "Security Group for VPC Endpoints"
  vpc_id      = aws_vpc.ok_vpc.id

  tags = merge(
    var.taggingstandard,
    tomap({ "Name" = "${lookup(var.taggingstandard, "deployment")}-VPC" })
  )
}

# Allow all outbound traffic
resource "aws_security_group_rule" "VPCEEgress" {
  security_group_id = aws_security_group.vpc.id
  description       = "Allow All Egress"

  type        = "egress"
  from_port   = 0
  to_port     = 0     # protocol "all" (-1) requires from_port and to_port to both be 0
  protocol    = "all"
  cidr_blocks = ["0.0.0.0/0"]
}

# Allow HTTP Traffic (TCP/80) from Public Subnet
resource "aws_security_group_rule" "HTTPSFromVPC" {
  security_group_id = aws_security_group.vpc.id
  description       = "Allow HTTP Ingress from VPC Endpoints"

  type        = "ingress"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp" # a single port range needs a concrete protocol, not "all"
  cidr_blocks = [var.vpc_cidr]
}

This is the resource I added to remediate the issue, as suggested:

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

nima-sherpa avatar Jun 15 '22 20:06 nima-sherpa

Hello @nima-sherpa , I cannot reproduce this error with the attached resources. I am getting:

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	PASSED for resource: aws_vpc.ok_vpc

Removing the remediation you added actually triggers the CKV2_AWS_12 violation, so it looks like this is the correct fix. Could you please post the full output of your Checkov run including checkov version?
Thanks.

maxamel avatar Jun 16 '22 06:06 maxamel

Below is the pipeline we used to run checkov, and the version:

image:
  name: bridgecrew/checkov:2.0.458
  entrypoint: [""]
script:
  - checkov --version
  - checkov -f planfile.json --skip-check CKV2_AWS_5,CKV2_AWS_19,CKV_AWS_149,CKV2_AWS_27,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_18,CKV_AWS_158

ERROR:

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: aws_vpc.main
	File: /planfile.json:0-0
	Guide: https://docs.bridgecrew.io/docs/networking_4
Cleaning up project directory and file based variables 00:01
ERROR: Job failed: exit code 1

nima-sherpa avatar Jun 16 '22 12:06 nima-sherpa

Hello @nima-sherpa , can you upgrade your checkov version to latest?

Also, the failing resource from your message seems to be aws_vpc.main, while the remediation you added is for aws_vpc.ok_vpc. Perhaps you need to define the remediation for the resource aws_vpc.main?

maxamel avatar Jun 16 '22 17:06 maxamel

Hi @maxamel, I tried using the latest checkov version but it still didn't help:

image:
  name: bridgecrew/checkov:latest
  entrypoint: [""]
script:
  - checkov --version
  - cd TestDeployment
  - checkov -f planfile.json --skip-check CKV2_AWS_5,CKV2_AWS_19,CKV_AWS_149,CKV2_AWS_209,CKV2_AWS_184,CKV_AWS_207,CKV_AWS_184,CKV_AWS_158,CKV_AWS_250,CKV_AWS_209,CKV2_AWS_30,CKV2_AWS_11
  # - checkov -f planfile.json

and I have also passed the right VPC id.

nima-sherpa avatar Jun 17 '22 15:06 nima-sherpa

Hi @maxamel, is there any idea or solution for this?

nima-sherpa avatar Jun 27 '22 16:06 nima-sherpa

Hello @nima-sherpa, at the moment this is not reproducible. The initial resources described here seem to have some resources missing, such as aws_vpc.main (on which the scan failed). Can you please post the entire up-to-date planfile.json (including all resources), and the full output of the latest run? Thanks!

maxamel avatar Jun 28 '22 15:06 maxamel

I am seeing very similar behavior. I am using the public AWS VPC module. The module is not adopting the default security group; I am zeroing it out later.

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
...
  manage_default_security_group = false  #checkov:skip=CKV2_AWS_12:This is zeroed out elsewhere
}
...
resource "aws_default_security_group" "default" {  # Zeroes out the VPC default security group
  vpc_id = module.vpc.vpc_id
}

For me, the checkov:skip is respected when scanning the actual tf files, but it is not respected when I scan a plan output JSON:

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
        FAILED for resource: aws_vpc.this
        File: /.terraform/tfplan.json:624-640
        Guide: https://docs.bridgecrew.io/docs/networking_4

                625 |               "values": {
                626 |                 "assign_generated_ipv6_cidr_block": false,
                627 |                 "cidr_block": "10.0.0.0/19",
                628 |                 "enable_dns_hostnames": false,
                629 |                 "enable_dns_support": true,
                630 |                 "instance_tenancy": "default",
                631 |                 "ipv4_ipam_pool_id": null,
                632 |                 "ipv4_netmask_length": null,
                633 |                 "ipv6_ipam_pool_id": null,
                634 |                 "ipv6_netmask_length": null,
                635 |                 "tags": {
                636 |                   "Name": "dev"
                637 |                 },
                638 |                 "tags_all": {
                639 |                   "Name": "dev"
                640 |                 }

What's confusing to me is why this is targeting the aws_vpc resource.

ghost avatar Jul 26 '22 17:07 ghost

Is a check like the one below, in YAML format, available under the resource folder? I could see it only in graph_checks.

For us, the built-in policy below in YAML format is not working as expected after some customization. I am just checking for an alternative way in the resource folder, or sample examples.

https://github.com/bridgecrewio/checkov/blob/09877b8cc696307b96860d671d13b383839559a1/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml

karthickmuthuraj avatar Aug 10 '22 03:08 karthickmuthuraj
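As an added illustration (not Checkov's own code, and not from anyone in this thread): a small Python script that applies the same idea as the VPCHasRestrictedSG graph check linked above to a Terraform plan JSON. It assumes the check is evaluated per aws_vpc and passes only when an aws_default_security_group that references that VPC declares no ingress or egress rules; the plan fragment is constructed, and only the root module is walked.

```python
import json

# Constructed Terraform plan JSON fragment (not taken from the issue): three VPCs.
# aws_vpc.ok_vpc has a zeroed-out default security group, aws_vpc.open has one that
# still declares an egress rule, and aws_vpc.main has none at all.
PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_vpc.ok_vpc", "type": "aws_vpc", "values": {"cidr_block": "10.0.0.0/19"}},
        {"address": "aws_vpc.main", "type": "aws_vpc", "values": {"cidr_block": "10.1.0.0/19"}},
        {"address": "aws_vpc.open", "type": "aws_vpc", "values": {"cidr_block": "10.2.0.0/19"}},
        {"address": "aws_default_security_group.default", "type": "aws_default_security_group",
         "values": {"ingress": [], "egress": []}},
        {"address": "aws_default_security_group.open", "type": "aws_default_security_group",
         "values": {"ingress": [], "egress": [{"protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]}},
    ]}},
    # vpc_id is unknown at plan time, so the SG-to-VPC link only exists as a configuration reference
    "configuration": {"root_module": {"resources": [
        {"address": "aws_default_security_group.default", "type": "aws_default_security_group",
         "expressions": {"vpc_id": {"references": ["aws_vpc.ok_vpc.id", "aws_vpc.ok_vpc"]}}},
        {"address": "aws_default_security_group.open", "type": "aws_default_security_group",
         "expressions": {"vpc_id": {"references": ["aws_vpc.open.id", "aws_vpc.open"]}}},
    ]}},
})


def _vpc_addresses(references):
    """Keep only bare resource addresses such as 'aws_vpc.ok_vpc' (drop '.id' attribute refs)."""
    return {r for r in references if r.startswith("aws_vpc.") and r.count(".") == 1}


def check_ckv2_aws_12(plan_json):
    """Evaluate each aws_vpc in the root module: PASSED only if some
    aws_default_security_group references it and declares no ingress or egress rules."""
    plan = json.loads(plan_json)
    planned = {r["address"]: r for r in plan["planned_values"]["root_module"].get("resources", [])}
    config = {r["address"]: r for r in plan["configuration"]["root_module"].get("resources", [])}
    restricted_vpcs = set()
    for addr, res in planned.items():
        if res["type"] != "aws_default_security_group":
            continue
        values = res.get("values", {})
        if values.get("ingress") or values.get("egress"):
            continue  # rules present: this default SG does not restrict all traffic
        refs = config.get(addr, {}).get("expressions", {}).get("vpc_id", {}).get("references", [])
        restricted_vpcs.update(_vpc_addresses(refs))
    # The result is reported per VPC, which is why the failing resource shows up as aws_vpc.*
    return {addr: ("PASSED" if addr in restricted_vpcs else "FAILED")
            for addr, res in planned.items() if res["type"] == "aws_vpc"}
```

Run `check_ckv2_aws_12(PLAN_JSON)` to see the per-VPC verdicts; a VPC with no linked aws_default_security_group fails the same way aws_vpc.main does in the reported output.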

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Feb 08 '23 03:02 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Feb 24 '23 11:02 stale[bot]