
False positive on CKV_AWS_304: When using scheduled expressions for secrets rotation

Open · cbowlby-bt opened this issue 10 months ago · 1 comment

Describe the issue

Check CKV_AWS_304 generates a false positive within the aws_secretsmanager_secret_rotation resource when using the schedule_expression configuration option. The AWS Terraform module allows either the schedule_expression or the automatically_after_days configuration option for the rotation_rules block; they are mutually exclusive.

As far as I can tell, the check only looks for the automatically_after_days configuration option, based on an initial code search:

  • https://github.com/search?q=repo%3Abridgecrewio%2Fcheckov%20automatically_after_days&type=code
  • https://github.com/search?q=repo%3Abridgecrewio%2Fcheckov+schedule_expression&type=code

Examples

data "aws_iam_policy_document" "this" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "this" {
  name               = "iam_for_lambda"
  assume_role_policy = data.aws_iam_policy_document.this.json
}

resource "aws_lambda_function" "this" {
  filename      = "<payload_file>"
  function_name = "<lambda_function_name>"
  role          = aws_iam_role.this.arn
  handler       = "<handler>"

  source_code_hash = "<source code hash>"

  runtime = "<runtime>"
}

resource "aws_secretsmanager_secret" "this" {
  name_prefix = "example"
  description = "An example secret"
}

resource "aws_lambda_permission" "this" {
  statement_id  = "AllowInvoke"
  action        = "lambda:InvokeFunction"
  # Reference the resource instance, not the resource type.
  function_name = aws_lambda_function.this.function_name
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.this.arn
}

resource "aws_secretsmanager_secret_rotation" "this" {
  secret_id           = aws_secretsmanager_secret.this.id
  rotation_lambda_arn = aws_lambda_function.this.arn

  rotate_immediately = true

  rotation_rules {
    # Mutually exclusive with automatically_after_days. This is the
    # configuration the check flags, even though the secret rotates
    # every four hours.
    schedule_expression = "rate(4 hours)"
  }

  # Secrets Manager must be allowed to invoke the function before the
  # first rotation is attempted.
  depends_on = [aws_lambda_permission.this]
}


Version:

  • v3.2.65

Additional context

I am unable to provide the ZIP file to handle the rotation (due to internal policies), but the example logic above should build everything else, and is simply a mix of most of the example logic provided by the Terraform reference documentation itself.

cbowlby-bt, Apr 22 '24 10:04
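The point of the report is that a rotation check which only reads automatically_after_days cannot see a schedule_expression that rotates far more often. The following is an added example, not checkov's implementation of CKV_AWS_304: a standalone evaluation of one rotation_rules block that accepts either attribute. It assumes the policy intent is "rotate at least every 90 days" (MAX_ROTATION_DAYS, a hypothetical threshold), bounds rate() expressions exactly, bounds the common cron() shapes conservatively, and returns UNKNOWN (rather than passing) for cron expressions it cannot bound. The SAMPLE_RESOURCES dict is constructed input, not parsed from real HCL.

```python
"""Rotation-schedule evaluation for aws_secretsmanager_secret_rotation.

Added example, not checkov's own code. Assumes the policy intent is
"secrets rotate at least every MAX_ROTATION_DAYS days" and shows how a
check can honour either rotation_rules attribute instead of only
automatically_after_days.
"""
import re
from typing import Any, Dict, Optional

MAX_ROTATION_DAYS = 90  # assumed policy threshold

_RATE_RE = re.compile(r"^rate\(\s*(\d+)\s+(hours?|days?)\s*\)$")
_CRON_RE = re.compile(r"^cron\((.+)\)$")


def rotation_interval_days(expr: str) -> Optional[float]:
    """Upper bound, in days, on the gap between two rotations implied by a
    Secrets Manager schedule_expression, or None when the expression alone
    does not let us bound it (the caller should treat None as needing review).
    """
    expr = expr.strip()
    m = _RATE_RE.match(expr)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        return n / 24 if unit.startswith("hour") else float(n)

    m = _CRON_RE.match(expr)
    if not m:
        return None
    fields = m.group(1).split()
    if len(fields) != 6:  # cron(minutes hours day-of-month month day-of-week year)
        return None
    _minute, _hour, dom, month, dow, _year = fields
    if month != "*":
        return None  # a restricted month list can leave gaps of many months
    if dom != "?":
        # Any day-of-month spec with every month enabled fires at least every
        # other month (days 29-31 are only skipped in short months).
        return 62.0
    if dow == "?" or "#" in dow or "L" in dow:
        return None  # invalid, or "5th Monday" style forms that can skip months
    return 7.0  # plain weekday spec (MON, 1-5, MON,WED) fires at least weekly


def check_rotation_within_90_days(rotation_rules: Dict[str, Any]) -> str:
    """Evaluate one rotation_rules block given as a dict of its attributes.

    Returns "PASSED", "FAILED" or "UNKNOWN". automatically_after_days and
    schedule_expression are mutually exclusive in the provider, so at most
    one is expected; neither present means no rotation schedule at all.
    """
    days = rotation_rules.get("automatically_after_days")
    if days is not None:
        return "PASSED" if int(days) <= MAX_ROTATION_DAYS else "FAILED"
    expr = rotation_rules.get("schedule_expression")
    if expr is not None:
        interval = rotation_interval_days(str(expr))
        if interval is None:
            return "UNKNOWN"
        return "PASSED" if interval <= MAX_ROTATION_DAYS else "FAILED"
    return "FAILED"


# Constructed sample blocks (not parsed from real HCL), keyed by a label.
SAMPLE_RESOURCES: Dict[str, Dict[str, Any]] = {
    "issue_example": {"schedule_expression": "rate(4 hours)"},
    "monthly_days": {"automatically_after_days": 30},
    "too_slow_days": {"automatically_after_days": 120},
    "too_slow_rate": {"schedule_expression": "rate(100 days)"},
    "monthly_cron": {"schedule_expression": "cron(0 8 1 * ? *)"},
    "weekly_cron": {"schedule_expression": "cron(0 8 ? * MON *)"},
    "twice_yearly_cron": {"schedule_expression": "cron(0 8 1 1,7 ? *)"},
}


def evaluate_all(resources: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Run the check over every sample block and return label -> result."""
    return {name: check_rotation_within_90_days(rules) for name, rules in resources.items()}


if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_RESOURCES).items():
        print(f"{name:20s} {result}")
```

The issue's own block, rate(4 hours), passes here because the bound is computed from whichever attribute is present. Failing closed with UNKNOWN on month-restricted or nth-weekday cron forms is deliberate: a scanner that cannot prove the interval should surface the resource for review rather than silently accept it.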

@cbowlby-bt thank you for reaching out. We are looking into it.

naveednawazkhan, Apr 22 '24 14:04