
CKV2_AWS_5 does not check for ecs_service or aws_dms_replication_instance


Describe the bug

We’re getting the following:

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to EC2 instances or elastic network interfaces (ENIs)"
	FAILED for resource: aws_security_group.ecs_ingress_loadbalancer
	File: /api.tf:12-35
	Guide: https://docs.bridgecrew.io/docs/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		12 | resource "aws_security_group" "ecs_ingress_loadbalancer" {
		13 |   name        = module.ecs_ingress_load_balancer.id
		14 |   description = "Allow HTTP inbound traffic from Load Balancer"
		15 |   vpc_id      = module.vpc.vpc_id
		16 | 
		17 |   ingress {
		18 |     # TLS (change to whatever ports you need)
		19 |     from_port = 80
		20 |     to_port   = 80
		21 |     protocol  = "TCP"
		22 |     security_groups = [
		23 |       module.alb.security_group_id,
		24 |     ]
		25 |   }
		26 | 
		27 |   egress {
		28 |     from_port = 0
		29 |     to_port   = 0
		30 |     protocol  = "-1"
		31 |     cidr_blocks = [
		32 |       "0.0.0.0/0",
		33 |     ]
		34 |   }
		35 | }

This security group is assigned to ecs_service. Same error occurs when we create a SG and associate it with aws_dms_replication_instance.

To Reproduce

  • Create a security group
  • Assign it to an ecs_service or dms_replication_instance

Expected behavior

The CKV2_AWS_5 check not failing, because the SG is assigned to an ECS Service / DMS Replication Instance.

Desktop (please complete the following information):

  • OS: Linux
  • Checkov Version: 2.0.116

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:1
  • Comments:5

Top GitHub Comments

1 reaction
ppawlowski commented, May 10, 2021

CKV2_AWS_5 is also raised when the Security Group is attached in the aws_launch_configuration resource.

0 reactions
richardj-bsquare commented, May 17, 2021

If applied to aws_launch_configuration, then it also needs applying to aws_launch_template

I’m getting this reported for this example…

resource "aws_security_group" "cluster-service" {
  name        = var.bu
  description = "Allow ingress on EC2 private instances"
  vpc_id      = local.vpc_id

  ingress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_launch_template" "example-launch-template" {
  name_prefix   = "launch-"
  image_id      = data.aws_ami.amazon_linux_ecs.id
  instance_type = var.instance_type

  vpc_security_group_ids = [aws_security_group.cluster-service.id]
  block_device_mappings {
    device_name = "/dev/xvda"

    ebs {
      delete_on_termination = true
      encrypted             = true
      kms_key_id            = data.aws_kms_key.ebs-default-key.arn
      volume_size           = 64
      volume_type           = "gp3"
    }
  }

  iam_instance_profile {
    arn = aws_iam_instance_profile.cluster-service.arn
  }
}
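The thread above boils down to one point: CKV2_AWS_5 is a graph connection check, so a security group passes only when some resource in the recognised "attacher" set references it, and that set was missing aws_ecs_service, aws_dms_replication_instance, aws_launch_configuration and aws_launch_template. The script below is an added example, not Checkov's own implementation, that models the check over a constructed, already-parsed plan fragment (the list of resource dicts is made up for this example; the resource types and the attribute names such as network_configuration.security_groups and vpc_security_group_ids are the real Terraform provider attributes). Running it with the narrow attacher set reproduces the false positive from the issue; running it with the extended set clears the three attached groups while still failing the genuinely orphaned one.

```python
"""Model of the CKV2_AWS_5 connection check (added example, not Checkov code).

A security group PASSES when at least one resource of an 'attacher' type
references it; otherwise it FAILS.  The gap in the issue is the size of the
attacher set, so both sets are defined here and can be compared.
"""
from __future__ import annotations

# Attacher types implied by the check title: EC2 instances and ENIs.
NARROW_ATTACHERS = {
    "aws_instance": ("vpc_security_group_ids",),
    "aws_network_interface": ("security_groups",),
}

# Extended set covering the resources named in the issue and the comments.
# A dotted path descends into a nested block (parsed as a list of dicts).
EXTENDED_ATTACHERS = {
    **NARROW_ATTACHERS,
    "aws_ecs_service": ("network_configuration.security_groups",),
    "aws_dms_replication_instance": ("vpc_security_group_ids",),
    "aws_launch_configuration": ("security_groups",),
    "aws_launch_template": ("vpc_security_group_ids",),
}


def _lookup(cfg: dict, path: str) -> list[str]:
    """Follow a dotted path through nested dicts/lists; return string values."""
    node = cfg
    for key in path.split("."):
        if isinstance(node, list):          # nested block -> take its first instance
            node = node[0] if node else {}
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    if isinstance(node, str):
        return [node]
    if isinstance(node, list):
        return [v for v in node if isinstance(v, str)]
    return []


def referenced_security_groups(resources, attachers) -> set[str]:
    """Collect every 'aws_security_group.<name>' address an attacher references."""
    refs: set[str] = set()
    for r in resources:
        for path in attachers.get(r["type"], ()):
            for value in _lookup(r["config"], path):
                # 'aws_security_group.x.id' -> resource address 'aws_security_group.x'
                if value.startswith("aws_security_group."):
                    refs.add(".".join(value.split(".")[:2]))
    return refs


def check_ckv2_aws_5(resources, attachers=EXTENDED_ATTACHERS) -> dict[str, str]:
    """Return {security_group_address: 'PASSED' | 'FAILED'} for every SG."""
    attached = referenced_security_groups(resources, attachers)
    results = {}
    for r in resources:
        if r["type"] == "aws_security_group":
            addr = f"aws_security_group.{r['name']}"
            results[addr] = "PASSED" if addr in attached else "FAILED"
    return results


# Constructed plan fragment (not real output): three SGs attached to an ECS
# service, a DMS replication instance and a launch template, plus one SG that
# nothing references and should fail under either rule set.
SAMPLE_RESOURCES = [
    {"type": "aws_security_group", "name": "ecs_ingress_loadbalancer", "config": {}},
    {"type": "aws_security_group", "name": "dms", "config": {}},
    {"type": "aws_security_group", "name": "cluster-service", "config": {}},
    {"type": "aws_security_group", "name": "orphan", "config": {}},
    {"type": "aws_ecs_service", "name": "api", "config": {
        "network_configuration": [
            {"security_groups": ["aws_security_group.ecs_ingress_loadbalancer.id"]}]}},
    {"type": "aws_dms_replication_instance", "name": "main", "config": {
        "vpc_security_group_ids": ["aws_security_group.dms.id"]}},
    {"type": "aws_launch_template", "name": "example-launch-template", "config": {
        "vpc_security_group_ids": ["aws_security_group.cluster-service.id"]}},
]

if __name__ == "__main__":
    for label, attachers in (("narrow", NARROW_ATTACHERS), ("extended", EXTENDED_ATTACHERS)):
        print(label, check_ckv2_aws_5(SAMPLE_RESOURCES, attachers))
```

Two practical notes. First, widening the attacher set is the right fix, not disabling the check: the orphan group in the sample still fails under the extended rules, which is exactly the finding the check exists to surface. Second, until a Checkov release recognises the resource you attach to, the false positive can be suppressed per resource with an inline comment in the form `#checkov:skip=CKV2_AWS_5:<reason>` placed inside the aws_security_group block, which keeps the suppression visible in code review rather than hidden in a global skip list.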

