Describe the issue
False positive for unrestricted egress when using the standalone Terraform resource aws_vpc_security_group_egress_rule.
Relevant check ID: CKV_AWS_382 (implemented via SecurityGroupUnrestrictedEgressAll, which inherits from AbsSecurityGroupUnrestrictedEgress).
Root cause: logic gaps in AbsSecurityGroupUnrestrictedEgress.scan_resource_conf and contains_violation:
- For the aws_vpc_security_group_egress_rule resource, the code only evaluates contains_violation() if from_port or to_port are present. When ip_protocol = "-1", Terraform allows the port attributes to be omitted, so the violation path is skipped and the function returns PASSED unconditionally.
- The code looks for the key protocol, but this resource uses ip_protocol; thus even if evaluated, protocol would be None.
Examples
A resource like the following, which allows all outbound traffic (all protocols, all ports, any IPv4 destination), is reported as PASSED instead of FAILED:
resource "aws_vpc_security_group_egress_rule" "ecs_container_egress" {
  security_group_id = aws_security_group.ecs_container_instance.id
  description       = "Allow all egress traffic"
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
Additional failing scenario that is currently also misclassified (if using IPv6 only):
resource "aws_vpc_security_group_egress_rule" "wide_open_ipv6" {
  security_group_id = aws_security_group.example.id
  description       = "Allow all ipv6"
  ip_protocol       = "-1"
  cidr_ipv6         = "::/0"
}
Expected: FAILED.
Actual: PASSED (same logic gap).
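To make the two gaps concrete, here is a standalone Python sketch (added for this report, not Checkov's own code) of how the egress evaluation would have to look to classify both resources above as FAILED. It assumes the attribute layout Checkov passes to a check (each parsed HCL attribute wrapped in a one-element list), treats ip_protocol = "-1" as "all ports" without requiring from_port/to_port, reads ip_protocol rather than protocol, and, as a further assumption, also treats an explicit 0-65535 port range as "all ports". The sample configurations are constructed to mirror the two examples in this issue.

```python
"""Sketch of an unrestricted-egress check for aws_vpc_security_group_egress_rule.

Not Checkov's implementation; it illustrates the logic the report says is missing:
  1. ip_protocol = "-1" is unrestricted even when from_port/to_port are omitted.
  2. The resource's protocol attribute is ip_protocol, not protocol.
"""
from __future__ import annotations

from typing import Any

OPEN_IPV4 = "0.0.0.0/0"
OPEN_IPV6 = "::/0"


def _first(conf: dict[str, Any], key: str) -> Any:
    """Checkov hands a check each HCL attribute wrapped in a list; unwrap it (None if absent)."""
    value = conf.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def covers_all_ports(conf: dict[str, Any]) -> bool:
    """True when the rule applies to every port.

    "-1" means all protocols (and therefore all ports); Terraform lets the port
    attributes be omitted in that case, so ports must NOT be a precondition here.
    Assumption for this sketch: an explicit 0-65535 range also counts as all ports.
    """
    proto = _first(conf, "ip_protocol")  # note: ip_protocol, not protocol
    if proto is not None and str(proto) == "-1":
        return True
    from_port = _first(conf, "from_port")
    to_port = _first(conf, "to_port")
    if from_port is None or to_port is None:
        return False
    return int(from_port) == 0 and int(to_port) == 65535


def has_open_destination(conf: dict[str, Any]) -> bool:
    """True when the destination is the whole IPv4 or IPv6 internet."""
    return _first(conf, "cidr_ipv4") == OPEN_IPV4 or _first(conf, "cidr_ipv6") == OPEN_IPV6


def scan_egress_rule(conf: dict[str, Any]) -> str:
    """Return "FAILED" for an all-ports, any-destination egress rule, else "PASSED"."""
    if covers_all_ports(conf) and has_open_destination(conf):
        return "FAILED"
    return "PASSED"


if __name__ == "__main__":
    # Constructed inputs mirroring the two resources from this issue (the
    # security_group_id reference is kept as the string Checkov would carry).
    ecs_container_egress = {
        "security_group_id": ["aws_security_group.ecs_container_instance.id"],
        "description": ["Allow all egress traffic"],
        "ip_protocol": ["-1"],
        "cidr_ipv4": ["0.0.0.0/0"],
    }
    wide_open_ipv6 = {
        "security_group_id": ["aws_security_group.example.id"],
        "description": ["Allow all ipv6"],
        "ip_protocol": ["-1"],
        "cidr_ipv6": ["::/0"],
    }
    # A port-restricted rule to show the check does not over-report.
    https_only = {
        "ip_protocol": ["tcp"],
        "from_port": [443],
        "to_port": [443],
        "cidr_ipv4": ["0.0.0.0/0"],
    }
    for name, conf in [("ecs_container_egress", ecs_container_egress),
                       ("wide_open_ipv6", wide_open_ipv6),
                       ("https_only", https_only)]:
        print(f"{name}: {scan_egress_rule(conf)}")
```

Running it prints FAILED for both resources from the report and PASSED for the port-restricted rule; the same inputs fed to the current check produce PASSED for all three because the port precondition short-circuits before the CIDR is ever inspected.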
Version:
3.2.494