
False positive on CKV_AWS_304: When using scheduled expressions for secrets rotation #6199

Open
cbowlby-bt opened this issue Apr 22, 2024 · 1 comment
Labels
checks Check additions or changes

Comments

cbowlby-bt commented Apr 22, 2024

Describe the issue
Check CKV_AWS_304 generates a false positive within the aws_secretsmanager_secret_rotation resource when using the schedule_expression configuration option. The AWS terraform module allows either the schedule_expression or the automatically_after_days configuration option for the rotation_rules block; they are mutually exclusive.

As far as I can tell, the check only looks for the automatically_after_days configuration option, based on an initial code search.

Examples

# Trust policy letting the Lambda service assume the rotation function's role.
data "aws_iam_policy_document" "this" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "this" {
  name               = "iam_for_lambda"
  assume_role_policy = data.aws_iam_policy_document.this.json
}

# The rotation function itself; placeholders stand in for the deployment package.
resource "aws_lambda_function" "this" {
  filename      = "<payload_file>"
  function_name = "<lambda_function_name>"
  role          = aws_iam_role.this.arn
  handler       = "<handler>"

  source_code_hash = "<source code hash>"

  runtime = "<runtime>"
}

resource "aws_secretsmanager_secret" "this" {
  name_prefix = "example"
  description = "An example secret"
}

# Secrets Manager must be allowed to invoke the rotation function for this secret.
resource "aws_lambda_permission" "this" {
  statement_id  = "AllowInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.this.function_name
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.this.arn
}

# Rotation configured with schedule_expression rather than automatically_after_days;
# the two are mutually exclusive within rotation_rules.
resource "aws_secretsmanager_secret_rotation" "this" {
  secret_id           = aws_secretsmanager_secret.this.id
  rotation_lambda_arn = aws_lambda_function.this.arn

  rotate_immediately = true

  rotation_rules {
    schedule_expression = "rate(4 hours)"
  }

  # The invoke permission must exist before rotation is enabled. The original snippet
  # also waited on a time_sleep resource and a rotation Lambda module that are not part
  # of this example.
  depends_on = [
    aws_lambda_permission.this
  ]
}


Version: v3.2.65

Additional context
I am unable to provide the ZIP file to handle the rotation (due to internal policies), but the example logic above should build everything else, and is simply a mix of most of the example logic provided by the terraform reference documentation itself.

@cbowlby-bt cbowlby-bt added the checks Check additions or changes label Apr 22, 2024
@cbowlby-bt cbowlby-bt changed the title Check CKV_AWS_304 reports a false positive finding when using a scheduled expression vs specifying days False positive on CKV_AWS_304: When using scheduled expressions for secrets rotation Apr 22, 2024
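The report above is that the check only reads automatically_after_days, so a rotation_rules block that uses schedule_expression is flagged even when it rotates every four hours. The following is an added example of how a check could bound the rotation interval for both forms; it is not checkov's own implementation of CKV_AWS_304 and the function names are made up for this illustration. It assumes the 90-day threshold the check is documented with (adjust MAX_ROTATION_DAYS if that differs), parses rate() expressions directly, and for cron() expressions simulates firing days over a four-year window to find the longest gap, treating anything it cannot evaluate (a restricted year field, the W modifier, unparsable syntax) as UNKNOWN rather than silently passing it.

```python
"""Bound the rotation interval of a Terraform rotation_rules block for a
"rotated within N days" check. Added example, not checkov's own code.

Supports both mutually exclusive forms:
  automatically_after_days = 30
  schedule_expression      = "rate(4 hours)" | "cron(0 8 1 * ? *)"
"""
import calendar
import re
from datetime import date, timedelta
from typing import Optional

MAX_ROTATION_DAYS = 90  # assumed threshold of the check

_RATE_RE = re.compile(r"^rate\((\d+)\s+(hours?|days?)\)$", re.IGNORECASE)
_CRON_RE = re.compile(r"^cron\(([^)]+)\)$", re.IGNORECASE)
_MONTHS = {m.upper(): i for i, m in enumerate(calendar.month_abbr) if m}
_DAYS = {d: i for i, d in enumerate(["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"], start=1)}


def _expand(field: str, lo: int, hi: int, names: dict) -> set:
    """Expand a cron field (lists, ranges, steps, names, '*'/'?') into the ints it covers."""
    def num(tok: str) -> int:
        return names[tok] if tok in names else int(tok)

    out = set()
    for part in field.upper().split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part in ("*", "?"):
            a, b = lo, hi
        elif "-" in part:
            a, b = (num(t) for t in part.split("-", 1))
        else:
            a = num(part)
            b = hi if step > 1 else a   # "5/2" means start at 5, every 2
        out.update(range(a, b + 1, step))
    return out


def _day_matches(dom: str, dow: str, d: date) -> bool:
    """Does date d satisfy the cron day-of-month and day-of-week fields?"""
    last = calendar.monthrange(d.year, d.month)[1]
    dow_num = d.isoweekday() % 7 + 1        # cron numbering: 1 = Sunday ... 7 = Saturday
    dom_u, dow_u = dom.upper(), dow.upper()
    if dom_u == "?":
        dom_ok = None                        # unspecified: decided by day-of-week
    elif dom_u == "L":
        dom_ok = d.day == last               # last day of the month
    else:
        dom_ok = d.day in _expand(dom_u, 1, 31, {})
    if dow_u == "?":
        dow_ok = None
    elif "#" in dow_u:                       # e.g. SUN#5: fifth Sunday of the month
        name, nth = dow_u.split("#", 1)
        dow_ok = dow_num in _expand(name, 1, 7, _DAYS) and (d.day - 1) // 7 + 1 == int(nth)
    elif dow_u.endswith("L"):                # e.g. FRIL: last Friday; bare L = Saturday
        dow_ok = dow_num in _expand(dow_u[:-1] or "7", 1, 7, _DAYS) and d.day + 7 > last
    else:
        dow_ok = dow_num in _expand(dow_u, 1, 7, _DAYS)
    return all(ok for ok in (dom_ok, dow_ok) if ok is not None)


def cron_max_gap_days(expr: str, start: date = date(2024, 1, 1), years: int = 4) -> Optional[int]:
    """Longest gap in days between firing days of a 6-field AWS cron() over a window.
    Returns None when the expression cannot be evaluated safely."""
    m = _CRON_RE.match(expr.strip())
    if not m:
        return None
    fields = m.group(1).split()
    # A restricted year field or the W modifier cannot be bounded here: report unknown.
    if len(fields) != 6 or fields[5] != "*" or "W" in fields[2].upper():
        return None
    _, _, dom, month, dow, _ = fields
    try:
        months = _expand(month, 1, 12, _MONTHS)
        gaps, prev, d = [], None, start
        end = date(start.year + years, start.month, start.day)
        while d < end:
            if d.month in months and _day_matches(dom, dow, d):
                if prev is not None:
                    gaps.append((d - prev).days)
                prev = d
            d += timedelta(days=1)
    except (ValueError, KeyError):
        return None
    return max(gaps) if gaps else None


def rotation_interval_days(rules: dict) -> Optional[float]:
    """Upper bound on days between rotations for a rotation_rules block, or None if unknown."""
    if "automatically_after_days" in rules:
        return float(rules["automatically_after_days"])
    expr = rules.get("schedule_expression")
    if not expr:
        return None
    rate = _RATE_RE.match(expr.strip())
    if rate:
        n, unit = int(rate.group(1)), rate.group(2).lower()
        return n / 24 if unit.startswith("hour") else float(n)
    gap = cron_max_gap_days(expr)
    # Hours and minutes are not simulated, so allow up to one extra day between firings.
    return None if gap is None else float(gap + 1)


def check_rotation(rules: dict) -> str:
    """Verdict in checkov's vocabulary: PASSED, FAILED or UNKNOWN."""
    days = rotation_interval_days(rules)
    if days is None:
        return "UNKNOWN"
    return "PASSED" if days <= MAX_ROTATION_DAYS else "FAILED"


if __name__ == "__main__":
    # Constructed rotation_rules blocks, including the reporter's rate(4 hours) case.
    for sample in ({"schedule_expression": "rate(4 hours)"},
                   {"automatically_after_days": 120},
                   {"schedule_expression": "cron(0 8 1 1,4,7,10 ? *)"}):
        print(sample, "->", check_rotation(sample))
```

The cron simulation is deliberately conservative: a quarterly schedule such as cron(0 8 1 1,4,7,10 ? *) is reported as FAILED because two of its real gaps are 91 and 92 days, and a "fifth Sunday" schedule fails because fifth Sundays can be more than three months apart. Returning UNKNOWN for expressions the check cannot bound keeps it from silently passing a schedule it did not understand.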
naveednawazkhan (Contributor) commented

@cbowlby-bt thank you for reaching out. We are looking into it.
