ECSClusterLoggingEncryptedWithCMK fails as it does not check the configuration safely
Describe the issue The check ECSClusterLoggingEncryptedWithCMK.py (CKV_AWS_224) looks up the logging configuration by indexing into an array under the key "configuration". That array might not be returned, or may be returned empty (as in the example below), and in either case the check raises an exception instead of producing a result.
Examples
Example resource in Terraform state:
{
"address": "my_address",
"mode": "managed",
"type": "aws_ecs_cluster",
"name": "gitlab_ecs_cluster",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"arn": "arn:aws:ecs:eu-west-1:123456789012:cluster/my-test-cluster",
"capacity_providers": [
"FARGATE"
],
"configuration": [],
"default_capacity_provider_strategy": [
{
"base": 0,
"capacity_provider": "FARGATE",
"weight": 1
}
],
"id": "arn:aws:ecs:eu-west-1:123456789012:cluster/my-test-cluster",
"name": "my-test-cluster",
"setting": [
{
"name": "containerInsights",
"value": "disabled"
}
],
"tags": {},
"tags_all": {
"tag": "val",
"tag": "val",
"tag": "val"
}
},
"sensitive_values": {
"capacity_providers": [
false
],
"configuration": [],
"default_capacity_provider_strategy": [
{}
],
"setting": [
{}
],
"tags": {},
"tags_all": {}
}
}
Error:
2022-05-18 15:05:56,795 [MainThread ] [ERROR] Failed to run check: Ensure Cluster logging with CMK for configuration: {'arn': ['arn:aws:ecs:eu-west-1:123456789012:cluster/my-test-cluster'], 'capacity_providers': [['FARGATE']], 'configuration': [[]], 'default_capacity_provider_strategy': [{'base': [0], 'capacity_provider': ['FARGATE'], 'weight': [1], 'start_line': [4959], 'end_line': [4962]}], 'id': ['arn:aws:ecs:eu-west-1:123456789012:cluster/my-test-cluster'], 'name': ['my-test-cluster'], 'setting': [{'name': ['containerInsights'], 'value': ['disabled'], 'start_line': [4968], 'end_line': [4970]}], 'tags': [{'start_line': 4972, 'end_line': 4971}], 'tags_all': [{'tag1': ['val1'], 'tag2': ['val2'], 'tag3': ['val3'], 'start_line': [4974], 'end_line': [4977]}], 'start_line': [4952], 'end_line': [4978], '__address__': 'module.my_module.my_cluster'} at file: /plan.json
Version:
- 2.0.1140
Additional context Here's a patch I used to unblock using this check:
--- ECSClusterLoggingEncryptedWithCMK.py 2022-05-19 09:59:16.000000000 +0100
+++ ECSClusterLoggingEncryptedWithCMK_fixed.py 2022-05-18 17:14:58.000000000 +0100
@@ -11,7 +11,7 @@
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf):
- if conf.get("configuration"):
+ if conf.get("configuration") and conf.get("configuration")[0]:
if conf.get("configuration")[0].get('execute_command_configuration'):
command_conf = conf.get("configuration")[0].get('execute_command_configuration')[0]
if not command_conf.get('logging') == ['NONE']:
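Review bot: The added guard on the `if conf.get("configuration")` line only rejects a falsy first element, so a truthy entry that is not a dict would still reach `.get('execute_command_configuration')` on the following line and raise AttributeError; the error output shows the value arriving as `[[]]`, so a non-empty inner list seems plausible, though I cannot confirm that from this page. Binding the value once and checking its type covers both cases: `configuration = conf.get("configuration")` / `if configuration and isinstance(configuration[0], dict):` / `if configuration[0].get('execute_command_configuration'):`. The same local would also replace the repeated `conf.get("configuration")[0]` lookup on the `command_conf = ...` line. The body of scan_resource_conf continues past the end of the hunk.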
hi @jSherz looks good 💪 would be great, if you can create a PR with the suggested change 🙂
@jSherz nice catch, ran into the same problem. looking forward to a PR 🙏
Resolved by other work
if configuration and isinstance(configuration[0], dict) and configuration[0].get('execute_command_configuration'):