Describe the issue

CKV_AWS_342 currently will flag a WAFv2 WebACL that uses only managed rule groups. Managed rule groups have AWS-defined behavior regarding the actions that are taken (and some, like bot control, are not possible to express with the rule syntax), so you don't specify an action unless you want to override it, and the only override options are to count without blocking or to do nothing at all. This means it is not possible to actually satisfy this Checkov check while ensuring you are blocking traffic as intended.

This check should apply in situations where you're not specifying a managed rule group.
Examples
This currently fails but should pass:
resource "aws_wafv2_web_acl" "this" {
  name          = var.name
  description   = "Managed by Terraform, do not edit in the console"
  scope         = "REGIONAL"
  token_domains = [var.dns.fqdn, aws_lb.this.dns_name]

  default_action {
    allow {}
  }

  rule {
    name     = "aws-managed-rules-common"
    priority = 1

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
  }
}
Version (please complete the following information):
2.3.317
Additional information:
It may also be that managed rules themselves are usable in a statement and thus should also be ignored for the purposes of checking that rules have actions, but I'm not sure what that looks like.
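As an added example (not part of the issue report and not Checkov's own CKV_AWS_342 source), this is the adjusted check logic the report asks for, run over a dict mirroring the HCL above. The dict layout (blocks as lists of dicts, attributes as lists of values), the helper names and the sample rules are assumptions.

```python
# Added illustrative check, not Checkov's CKV_AWS_342 source.  Assumes the
# resource config is a dict mirroring the HCL: each block is a list of dicts
# and each attribute a list of values (an assumed representation).

MANAGED_STATEMENT = "managed_rule_group_statement"


def rule_has_action(rule: dict) -> bool:
    """True if the rule declares an action block, or delegates to a managed
    rule group.  Managed groups carry AWS-defined actions; a rule referencing
    one may only set override_action (none or count), so a missing action
    block is expected there, not a misconfiguration."""
    if rule.get("action"):
        return True
    return any(stmt.get(MANAGED_STATEMENT) for stmt in rule.get("statement") or [])


def check_web_acl(conf: dict) -> str:
    """Return "PASSED" when every rule has an explicit action or is a managed
    rule group, "FAILED" when a hand-written rule omits its action."""
    for rule in conf.get("rule") or []:
        if not rule_has_action(rule):
            return "FAILED"
    return "PASSED"


def web_acl(*rules: dict) -> dict:
    """Build a constructed WebACL config around the given rule blocks."""
    return {"name": ["this"], "scope": ["REGIONAL"],
            "default_action": [{"allow": [{}]}], "rule": list(rules)}


# Constructed samples.  The first mirrors the report's HCL: one managed rule
# group and no action block, which the adjusted check should accept.
MANAGED_ONLY = web_acl({
    "name": ["aws-managed-rules-common"], "priority": [1],
    "statement": [{MANAGED_STATEMENT: [{"name": ["AWSManagedRulesCommonRuleSet"],
                                        "vendor_name": ["AWS"]}]}],
})
# A custom rule with no action block should still be flagged ("XX" is a placeholder code).
CUSTOM_NO_ACTION = web_acl({
    "name": ["block-country"], "priority": [2],
    "statement": [{"geo_match_statement": [{"country_codes": [["XX"]]}]}],
})
# The same custom rule with an explicit block action passes.
CUSTOM_BLOCKED = web_acl({**CUSTOM_NO_ACTION["rule"][0], "action": [{"block": [{}]}]})

if __name__ == "__main__":
    for label, acl in [("managed only", MANAGED_ONLY), ("custom, no action", CUSTOM_NO_ACTION),
                       ("custom, block", CUSTOM_BLOCKED)]:
        print(f"{label}: {check_web_acl(acl)}")
```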