-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(terraform): add CKV_AWS_375, CKV_AWS_376, CKV_AWS_377 to add three new SageMaker checks #6732
base: main
Are you sure you want to change the base?
feat(terraform): add CKV_AWS_375, CKV_AWS_376, CKV_AWS_377 to add three new SageMaker checks #6732
Conversation
Hi folks. Is anyone available to review this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution, @braidoa! My concern about these checks is that Checkov is meant to be a security tool and these don't appear to be security checks. Am I misunderstanding?
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
||
def get_inspected_key(self): | ||
return "name" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Requiring name
isn't really a security check. You can also use name_prefix
which would be valid but flagged by this check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comment below. 😄
if isinstance(production_variants, list): | ||
return CheckResult.PASSED if production_variants else CheckResult.FAILED | ||
elif isinstance(production_variants, dict): | ||
return CheckResult.PASSED if 'variant_name' in production_variants and production_variants['variant_name'] else CheckResult.FAILED |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you explain the security concern of Terraform assigning a random name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a GRC (specifically governance) concern. For example, my org requires specified SageMaker names and tags in spreadsheets, project management boards, planning docs, etc. A random, unspecific name could confuse users and result in downstream problems. So we prohibit random names in SageMaker endpoints for better governance.
@braidoa we reviewed internally and the first 2 checks feel like ones you can use as custom for your organization. If you'd like to update the PR to just include the last one |
User description
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
I've added three checks for Amazon SageMaker attributes.
New/Edited policies (Delete if not relevant)
id = "CKV_AWS_375"
name = "Ensure Amazon SageMaker endpoint has a name specified"
id = "CKV_AWS_376"
name = "Ensure Amazon SageMaker endpoint configuration has at least one production variant specified"
id = "CKV_AWS_377"
name = "Ensure Amazon SageMaker notebook instances use lifecycle configurations"
Description
Violations in each rule will occur when a SageMaker resource is missing the respective attribute.
Fix
Someone can fix these issues by specifying the attributes.
Checklist:
Generated description
Below is a concise technical summary of the changes proposed in this PR:
Introduce three new checks for Amazon SageMaker resources in Terraform to ensure compliance with best practices. The
SagemakerEndpointConfigurationEndpointNameSpecified
class checks that SageMaker endpoints have a specified name, while theSagemakerEndpointConfigurationProductionVariantsSpecified
class ensures that endpoint configurations have at least one production variant. Additionally, theSagemakerNotebookLifecycleConfigSpecified
class verifies that SageMaker notebook instances utilize lifecycle configurations. These checks are implemented in thecheckov
library and are accompanied by corresponding test cases to validate their functionality.Modified files (3)
Latest Contributors(0)
Modified files (3)
Latest Contributors(0)