Fix CKV2_AWS_20 false positives for NLB listeners on port 80 (TCP) #6945
Labels
checks
Check additions or changes
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the issue
Currently, the CKV2_AWS_20 rule uses an AND condition requiring
port != 80andprotocol != HTTPfor the listener to pass. This causes false failures for cases like a Network Load Balancer (NLB) using TCP on port 80, even though there is no HTTP traffic to redirect. For example, if you configureport=80butprotocol=TCP, the rule incorrectly fails becauseport != 80is false, violating the AND logic. Changing it to an OR check—i.e.,port != 80 OR protocol != HTTP—would fix the issue and correctly skip the rule when HTTP is not involved.Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
This code should pass.
resource "aws_lb_listener" "lb_listener" {
load_balancer_arn = aws_lb.lb.arn
port = "80"
protocol = "TCP"
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.lb_tg.arn
}
}
Version (please complete the following information):
(version: 3.2.269)
Additional context
Line 32 should be or
The text was updated successfully, but these errors were encountered: