April 5, 2024, 7:04 p.m. | /u/cmellazchy

cybersecurity www.reddit.com

I work as a Security Engineer and am currently evaluating tools to scan and secure IaC at work.

I have noticed that all the IaC scanning tools scan for best practices violations based on compliance framework policies like CIS Benchmarks or NIST cybersecurity framework policies etc.

For example, this is an issue which is modeled after a CIS AWS Benchmark policy:

>Ensure EC2 instance has IAM role.

In one of the tools I was looking at, this issue is reported …
