
CKV_AWS_378 is triggering for SSL offloading of ECS services

Open Shanjohn opened this issue 4 months ago • 0 comments

Describe the issue

CKV_AWS_378 triggers on configurations which have HTTP targets. But in a lot of cases SSL is offloaded at the load balancer level, and further targets use the HTTP protocol to interact. For example, if you use a certificate from AWS ACM, an ALB and an AWS ECS Fargate service (which in my case is the majority of all services), the usual approach is to set up the certificate on the HTTPS listener and offload it for the Fargate service itself. CKV_AWS_378 stands for "Ensure AWS Load Balancer doesn't use HTTP protocol", and it seems like this is a demand for the listeners. This check seems more like "Prohibit SSL offloading in target groups". I want to verify that this is expected behavior, because I suspect the majority of users will have to ignore this check as a result. cc @tsmithv11

Examples

# Target group for the Fargate service. TLS is terminated on the ALB's HTTPS
# listener, so the hop from the ALB to the tasks is plain HTTP on port 8080;
# this is the resource CKV_AWS_378 flags.
resource "aws_lb_target_group" "fargate_target_group" {
  name                 = "example-target-group-name"
  port                 = "8080"
  protocol             = "HTTP"
  target_type          = "ip"    # Fargate tasks are registered by IP
  deregistration_delay = "60"
  vpc_id               = "some-vpc-id"

  health_check { ... }
}

Version (please complete the following information):

Additional context

Shanjohn, Oct 07 '24 13:10
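The distinction the issue draws is between an HTTP target group that is only ever reached through an HTTPS listener (TLS offloaded at the ALB) and one that is actually reachable over a plaintext listener. A resource-local check such as CKV_AWS_378 cannot see that difference because it looks at the target group alone. The following added example, which is not Checkov's implementation of CKV_AWS_378 and not code from the issue author, sketches what a graph-aware evaluation would look like: it walks listener `default_action` blocks to find which listeners forward to each HTTP target group and classifies the result. The resources are modelled as plain Python dicts (a simplification of Checkov's Terraform graph), the listener and target group names and the sample data are constructed for illustration, and target group references are assumed to appear as strings of the form `aws_lb_target_group.<name>.arn`.

```python
"""Graph-aware classification of HTTP target groups behind an ALB.

Added example, not Checkov's code. Terraform resources are modelled as
plain dicts (an assumption); the classification logic decides, for every
aws_lb_target_group with protocol = "HTTP", whether it is reachable only
via HTTPS listeners (TLS offloaded at the ALB) or via a plaintext listener.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    OFFLOADED = "only HTTPS listeners forward to it; plaintext only inside the VPC"
    PLAINTEXT_LISTENER = "an HTTP listener forwards to it; reachable in clear text"
    UNREFERENCED = "no listener forwards to it; exposure cannot be determined"
    PASSED = "target group protocol is not HTTP"


@dataclass(frozen=True)
class Finding:
    target_group: str
    verdict: Verdict
    listeners: tuple  # names of the listeners that forward to this target group


def _forwarded_targets(listener):
    """Return every target group reference a listener forwards to, covering both
    the simple `target_group_arn` form and weighted `forward { target_group {} }`
    blocks. Redirect and fixed-response actions forward to nothing."""
    refs = []
    for action in listener.get("default_action", []):
        if action.get("type") != "forward":
            continue
        if "target_group_arn" in action:
            refs.append(action["target_group_arn"])
        for fwd in action.get("forward", []):
            for tg in fwd.get("target_group", []):
                refs.append(tg["arn"])
    return refs


def _tg_name(ref):
    """Turn a reference like aws_lb_target_group.x.arn into 'x'; literal ARNs or
    other expressions yield None, so they are simply not resolved."""
    parts = ref.split(".")
    if len(parts) == 3 and parts[0] == "aws_lb_target_group" and parts[2] == "arn":
        return parts[1]
    return None


def evaluate_target_groups(resources):
    """resources: {"aws_lb_target_group": {name: attrs}, "aws_lb_listener": {name: attrs}}.
    Returns one Finding per target group, sorted by name."""
    target_groups = resources.get("aws_lb_target_group", {})
    listeners = resources.get("aws_lb_listener", {})

    # target group name -> [(listener name, listener protocol), ...]
    forwarders = {name: [] for name in target_groups}
    for lname, lattrs in listeners.items():
        for ref in _forwarded_targets(lattrs):
            tg = _tg_name(ref)
            if tg in forwarders:
                forwarders[tg].append((lname, str(lattrs.get("protocol", "")).upper()))

    findings = []
    for name, attrs in sorted(target_groups.items()):
        if str(attrs.get("protocol", "")).upper() != "HTTP":
            findings.append(Finding(name, Verdict.PASSED, ()))
            continue
        fwd = forwarders[name]
        if not fwd:
            verdict = Verdict.UNREFERENCED
        elif any(proto != "HTTPS" for _, proto in fwd):
            verdict = Verdict.PLAINTEXT_LISTENER
        else:
            verdict = Verdict.OFFLOADED
        findings.append(Finding(name, verdict, tuple(l for l, _ in fwd)))
    return findings


# Constructed sample: the offload pattern from the issue plus three contrasting cases.
SAMPLE_RESOURCES = {
    "aws_lb_target_group": {
        "fargate_target_group": {"port": 8080, "protocol": "HTTP", "target_type": "ip"},
        "legacy_target_group": {"port": 80, "protocol": "HTTP", "target_type": "instance"},
        "orphan_target_group": {"port": 8080, "protocol": "HTTP", "target_type": "ip"},
        "mtls_target_group": {"port": 8443, "protocol": "HTTPS", "target_type": "ip"},
    },
    "aws_lb_listener": {
        # ACM certificate on the HTTPS listener, forwarding to the HTTP target group.
        "https": {"port": 443, "protocol": "HTTPS",
                  "certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
                  "default_action": [{"type": "forward",
                                      "target_group_arn": "aws_lb_target_group.fargate_target_group.arn"}]},
        # Port 80 only redirects to 443; it forwards to no target group.
        "http_redirect": {"port": 80, "protocol": "HTTP",
                          "default_action": [{"type": "redirect",
                                              "redirect": [{"port": "443", "protocol": "HTTPS",
                                                            "status_code": "HTTP_301"}]}]},
        # A genuinely plaintext path: HTTP listener with a weighted forward.
        "http_legacy": {"port": 8080, "protocol": "HTTP",
                        "default_action": [{"type": "forward",
                                            "forward": [{"target_group": [
                                                {"arn": "aws_lb_target_group.legacy_target_group.arn",
                                                 "weight": 100}]}]}]},
    },
}


if __name__ == "__main__":
    for f in evaluate_target_groups(SAMPLE_RESOURCES):
        print(f"{f.target_group}: {f.verdict.name} via {list(f.listeners)} ({f.verdict.value})")
```

Only `legacy_target_group` is the case the check's title describes; `fargate_target_group` is the offload pattern and `orphan_target_group` shows why an unreferenced target group should still be reported rather than silently passed. If a team decides the offload pattern is acceptable for them, Checkov's inline suppression (`#checkov:skip=CKV_AWS_378:<reason>` on the resource) records that decision next to the resource instead of disabling the check globally; the plaintext hop inside the VPC still exists either way.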