
Duplicate and incorrect documentation for CKV_AWS_111 and CKV_AWS_109 #1020

Open
@m-wynn

Description

CKV_AWS_111 (write access without constraints) has the documentation for CKV_AWS_109 (resource exposure without constraints).

Both of these documents are wrong and make no mention of the Resource constraint (*) that needs to be set to specific ARNs.
The "Fix" diff for CKV_AWS_111 even shows a policy that completely passes even before removing the offending line marked with a -.

Also interesting is that these are both subsets of CKV_AWS_356, which is marked as "High" severity, while these two, which check for even more dangerous things, are low priority.

Can these checks be reevaluated for validity? I have found a few other checks (e.g. CKV_K8S_356) with invalid, possibly AI-generated, information that does not describe the check properly, and I fear there are several others.

We are evaluating our options and would like to get all our teams using Checkov, but it is difficult to pitch when the documentation does not accurately describe the issue and the fix.
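As an added illustration (not Checkov's code and not part of the issue), a deliberately simplified checker for the point the issue makes about CKV_AWS_111: the finding is about a write action allowed on `Resource: "*"`, and the remediation is scoping the same action to specific ARNs, not removing an unrelated line. The read/write split by action-name prefix and the two sample policies are assumptions constructed for this demo.

```python
import json

# Assumption for this demo: an action is read-only if its verb starts with one of
# these prefixes; everything else (including wildcards) is treated as write access.
READ_PREFIXES = ("Get", "List", "Describe", "Head")

def is_write_action(action: str) -> bool:
    """Classify an IAM action string such as 's3:PutObject' (simplified)."""
    if action == "*":
        return True
    _, _, verb = action.partition(":")
    return verb in ("", "*") or not verb.startswith(READ_PREFIXES)

def is_unconstrained(resource) -> bool:
    """True when the statement's Resource is, or includes, the bare wildcard '*'."""
    resources = resource if isinstance(resource, list) else [resource]
    return any(r == "*" for r in resources)

def find_unconstrained_writes(policy_json: str) -> list:
    """Return indices of Allow statements granting a write action on Resource '*'."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant access
        actions = stmt.get("Action", [])  # NotAction statements are ignored (simplification)
        actions = actions if isinstance(actions, list) else [actions]
        if any(is_write_action(a) for a in actions) and is_unconstrained(stmt.get("Resource", [])):
            hits.append(i)
    return hits

# Constructed sample policies (not from the Checkov docs): the first grants a write
# action on '*' and should fail; the second scopes the same action to one ARN and passes.
FAILING_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
]})
PASSING_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    print("failing policy flags statements:", find_unconstrained_writes(FAILING_POLICY))  # [0]
    print("passing policy flags statements:", find_unconstrained_writes(PASSING_POLICY))  # []
```

Only the first statement of the failing policy is reported, because the read-only `s3:GetObject` statement is outside what a "write access without constraints" check is about.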
