CKV_AWS_23 misunderstands if statements in Egress of Security groups in CloudFormation #7050

Open
egut opened this issue Mar 12, 2025 · 0 comments
Labels
checks Check additions or changes

Comments

egut commented Mar 12, 2025

Describe the issue
Checkov CKV_AWS_23 misunderstands if-statements in CloudFormation, and falsely gives an issue on the security group egress/ingress if there are if statements.

Note this has nothing to do with whether the statement is true or not.

Acceptable solution: it just skips if-statements.
Best solution: it checks the possible outcomes for valid security group rules.

Examples

This is a complete CFN for testing. Both Security groups are valid and would do the correct thing in deployment.

```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: 'Bug in Checkov'

Parameters:
  https:
    Type: 'String'
    Description: 'Should we use https'
    Default: 'Yes'

  VpcId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::VPC::Id>'
    Default: '/VPC/Id'
    Description: 'SSM-Parameter that has the VpcId'

Conditions:
  UseHttps: !Equals [!Ref 'https', 'Yes']

Resources:

  # This security group gets the following error:
  # Ensure every security group rule has a description (Trunk) checkov(CKV_AWS_23)
  #
  # Expected: No error
  SecurityGroupFails:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: 'SecurityGroup'
      GroupDescription: 'Security group for showing bug'
      VpcId: !Ref 'VpcId'
      SecurityGroupEgress:
        - !If
          - 'UseHttps'
          - Description: 'Use HTTPS'
            CidrIp: '192.168.1.0/24'
            FromPort: 443
            ToPort: 443
            IpProtocol: 'tcp'
          - !Ref 'AWS::NoValue'
        - Description: 'Allow ICMP'
          CidrIp: '0.0.0.0/0'
          FromPort: -1
          ToPort: -1
          IpProtocol: 'icmp'


  SecurityGroupPass:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: 'SecurityGroup'
      GroupDescription: 'Security group for reference, that passes the test'
      VpcId: !Ref 'VpcId'
      SecurityGroupEgress:
        - Description: 'Use HTTPS'
          CidrIp: '192.168.1.0/24'
          FromPort: 443
          ToPort: 443
          IpProtocol: 'tcp'
        - Description: 'Allow ICMP'
          CidrIp: '0.0.0.0/0'
          FromPort: -1
          ToPort: -1
          IpProtocol: 'icmp'
```

Version (please complete the following information):

- Checkov Version 3.2.382
@egut egut added the checks Check additions or changes label Mar 12, 2025
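The "best solution" the report asks for is a check that evaluates every outcome a conditional rule list can produce, instead of treating the `Fn::If` wrapper itself as an undescribed rule. The block below is an added illustration of that approach; it is not Checkov's code and not part of the issue. It assumes the resource has already been parsed into the long-form (JSON-style) intrinsic syntax, so `!If [c, a, b]` appears as `{"Fn::If": [c, a, b]}` and `!Ref AWS::NoValue` as `{"Ref": "AWS::NoValue"}`; the sample resources are constructed from the template in the issue, plus one deliberately undescribed false branch to show a real finding.

```python
"""Evaluate CloudFormation Fn::If branches when checking that every
security group rule carries a Description (CKV_AWS_23-style check).

Added example, not Checkov's implementation. Input is assumed to be the
long-form intrinsic syntax a CloudFormation parser produces.
"""
from itertools import product

NO_VALUE = {"Ref": "AWS::NoValue"}  # a branch that removes the entry


def expand_rules(rules):
    """Return every concrete rule list the template could deploy.

    Each Fn::If entry contributes both its true and false branch as
    alternatives (the condition value is unknown at scan time); a branch
    equal to Ref AWS::NoValue drops the entry from that outcome.
    """
    alternatives = []
    for entry in rules:
        if isinstance(entry, dict) and "Fn::If" in entry:
            _condition, when_true, when_false = entry["Fn::If"]
            alternatives.append([when_true, when_false])
        else:
            alternatives.append([entry])
    return [[r for r in combo if r != NO_VALUE] for combo in product(*alternatives)]


def undescribed_rules(resource):
    """Return (property, outcome_index, rule_index) for every rule that lacks
    a non-empty Description in any possible outcome."""
    props = resource.get("Properties", {})
    findings = []
    for prop in ("SecurityGroupIngress", "SecurityGroupEgress"):
        for o_idx, outcome in enumerate(expand_rules(props.get(prop, []))):
            for r_idx, rule in enumerate(outcome):
                if not isinstance(rule, dict) or not str(rule.get("Description", "")).strip():
                    findings.append((prop, o_idx, r_idx))
    return findings


def passes_description_check(resource):
    """The resource passes only if every possible outcome passes."""
    return not undescribed_rules(resource)


# Constructed from the issue's SecurityGroupFails resource (long-form syntax).
HTTPS_RULE = {"Description": "Use HTTPS", "CidrIp": "192.168.1.0/24",
              "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp"}
ICMP_RULE = {"Description": "Allow ICMP", "CidrIp": "0.0.0.0/0",
             "FromPort": -1, "ToPort": -1, "IpProtocol": "icmp"}

SECURITY_GROUP_FAILS = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "Security group for showing bug",
        "SecurityGroupEgress": [
            {"Fn::If": ["UseHttps", HTTPS_RULE, NO_VALUE]},
            ICMP_RULE,
        ],
    },
}

# Constructed negative case: the false branch is a real rule with no Description.
SECURITY_GROUP_BAD = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "Constructed example with an undescribed branch",
        "SecurityGroupEgress": [
            {"Fn::If": ["UseHttps", HTTPS_RULE,
                        {"CidrIp": "0.0.0.0/0", "FromPort": 80,
                         "ToPort": 80, "IpProtocol": "tcp"}]},
            ICMP_RULE,
        ],
    },
}

if __name__ == "__main__":
    for name, res in (("SecurityGroupFails", SECURITY_GROUP_FAILS),
                      ("SecurityGroupBad", SECURITY_GROUP_BAD)):
        print(name, "passes" if passes_description_check(res) else "fails",
              undescribed_rules(res))
```

With the issue's resource, `expand_rules` yields two outcomes (HTTPS plus ICMP, or ICMP alone) and both carry descriptions, so the check passes; the constructed negative case is flagged in its false-branch outcome, which is what a check that merely skipped `Fn::If` entries would miss.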