Checkmarx
diff --git a/‎docs/queries/all-queries.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/queries/all-queries.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md‎
Lines changed: 216 additions & 5 deletions b/‎docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md‎
Lines changed: 216 additions & 5 deletions
@@ -1665,13 +1665,19 @@ This page contains all queries.
 |Private Cluster Disabled<br/><sup><sub>6ccb85d7-0420-4907-9380-50313f80946b</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Insecure Configurations|<a href="../terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster">Documentation</a><br/>|
 |Shielded GKE Nodes Disabled<br/><sup><sub>579a0727-9c29-4d58-8195-fc5802a8bdb4</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Insecure Configurations|<a href="../terraform-queries/gcp/579a0727-9c29-4d58-8195-fc5802a8bdb4" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/579a0727-9c29-4d58-8195-fc5802a8bdb4')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_shielded_nodes">Documentation</a><br/>|
 |Shielded VM Disabled<br/><sup><sub>1b44e234-3d73-41a8-9954-0b154135280e</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Insecure Configurations|<a href="../terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#shielded_instance_config">Documentation</a><br/>|
+|Beta - SQL DB Instance With Exposed Show Privileges<br/><sup><sub>b5b70198-2a34-4792-b0d9-ce99abe485bb</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Insecure Defaults|<a href="../terraform-queries/gcp/b5b70198-2a34-4792-b0d9-ce99abe485bb" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/b5b70198-2a34-4792-b0d9-ce99abe485bb')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1">Documentation</a><br/>|
+|Beta - SQL DB Instance With Local Data Loading Enabled<br/><sup><sub>51a2c34d-dfd0-436f-aa34-e8f796e052fd</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Insecure Defaults|<a href="../terraform-queries/gcp/51a2c34d-dfd0-436f-aa34-e8f796e052fd" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/51a2c34d-dfd0-436f-aa34-e8f796e052fd')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1">Documentation</a><br/>|
 |GKE Using Default Service Account<br/><sup><sub>1c8eef02-17b1-4a3e-b01d-dcc3292d2c38</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Insecure Defaults|<a href="../terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#node_config">Documentation</a><br/>|
 |Using Default Service Account<br/><sup><sub>3cb4af0b-056d-4fb1-8b95-fdc4593625ff</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Insecure Defaults|<a href="../terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance">Documentation</a><br/>|
 |Google Compute Network Using Default Firewall Rule<br/><sup><sub>40abce54-95b1-478c-8e5f-ea0bf0bb0e33</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#name">Documentation</a><br/>|
 |Google Compute Network Using Firewall Rule that Allows All Ports<br/><sup><sub>22ef1d26-80f8-4a6c-8c15-f35aab3cac78</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow">Documentation</a><br/>|
 |IP Forwarding Enabled<br/><sup><sub>f34c0c25-47b4-41eb-9c79-249b4dd47b89</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_instance">Documentation</a><br/>|
 |Serial Ports Are Enabled For VM Instances<br/><sup><sub>97fa667a-d05b-4f16-9071-58b939f34751</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance">Documentation</a><br/>|
 |SSH Access Is Not Restricted<br/><sup><sub>c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall">Documentation</a><br/>|
+|Beta - Google DNS Policy Logging Disabled<br/><sup><sub>cc9e464e-5abc-4c8f-8077-a9aa7ebe6a05</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Observability|<a href="../terraform-queries/gcp/cc9e464e-5abc-4c8f-8077-a9aa7ebe6a05" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/cc9e464e-5abc-4c8f-8077-a9aa7ebe6a05')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_policy#enable_logging-1">Documentation</a><br/>|
+|Beta - SQL DB Instance With Minimum Log Duration<br/><sup><sub>00335e17-674c-442e-a64c-9436e60e6efb</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Observability|<a href="../terraform-queries/gcp/00335e17-674c-442e-a64c-9436e60e6efb" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/00335e17-674c-442e-a64c-9436e60e6efb')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1">Documentation</a><br/>|
+|Beta - SQL DB Instance Without Connections Logging<br/><sup><sub>fc7187e5-b9a2-46c0-950d-3bfcaaacc5ca</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Observability|<a href="../terraform-queries/gcp/fc7187e5-b9a2-46c0-950d-3bfcaaacc5ca" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/fc7187e5-b9a2-46c0-950d-3bfcaaacc5ca')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1">Documentation</a><br/>|
+|Beta - SQL DB Instance Without Disconnections Logging<br/><sup><sub>8895abb4-6491-4ae6-9c33-c2f360752b7a</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Observability|<a href="../terraform-queries/gcp/8895abb4-6491-4ae6-9c33-c2f360752b7a" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/8895abb4-6491-4ae6-9c33-c2f360752b7a')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1">Documentation</a><br/>|
 |Cloud Storage Bucket Logging Not Enabled<br/><sup><sub>d6cabc3a-d57e-48c2-b341-bf3dd4f4a120</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Observability|<a href="../terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#log_bucket">Documentation</a><br/>|
 |Cloud Storage Bucket Versioning Disabled<br/><sup><sub>e7e961ac-d17e-4413-84bc-8a1fbe242944</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Observability|<a href="../terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#enabled">Documentation</a><br/>|
 |Google Compute Subnetwork Logging Disabled<br/><sup><sub>40430747-442d-450a-a34f-dc57149f4609</sub></sup>|Terraform|<span style="color:#ff7213">Medium</span>|Observability|<a href="../terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609" onclick="newWindowOpenerSafe(event, '../terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609')">Query details</a><br><a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork">Documentation</a><br/>|
 
@@ -30,7 +30,7 @@ SNS Topic Policy should not allow any principal to access<br>
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Positive test num. 1 - yaml file" hl_lines="50 23"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="52 23"
 ---
 - name: Create alarm SNS topic community
   community.aws.sns_topic:
@@ -58,7 +58,73 @@ SNS Topic Policy should not allow any principal to access<br>
       Statement:
         - Action: Publish
           Effect: Allow
-          Principal: "*"
+          Principal: 
+            AWS: "*"
+            
+- name: Create alarm SNS topic
+  sns_topic:
+    name: "alarms"
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: "<linear|arithmetic|geometric|exponential>"
+        disableSubscriptionOverrides: True
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    subscriptions:
+      - endpoint: "[email protected]"
+        protocol: "email"
+      - endpoint: "my_mobile_number"
+        protocol: "sms"
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: 
+            AWS: "*"
+
+```
+```yaml title="Positive test num. 2 - yaml file" hl_lines="55 23"
+---
+- name: Create alarm SNS topic community
+  community.aws.sns_topic:
+    name: "alarms"
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: "<linear|arithmetic|geometric|exponential>"
+        disableSubscriptionOverrides: True
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    subscriptions:
+      - endpoint: "[email protected]"
+        protocol: "email"
+      - endpoint: "my_mobile_number"
+        protocol: "sms"
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: 
+            AWS: "*"
+          Condition:
+            StringEquals:
+              sns:Endpoint: "[email protected]"
+            
 - name: Create alarm SNS topic
   sns_topic:
     name: "alarms"
@@ -85,7 +151,11 @@ SNS Topic Policy should not allow any principal to access<br>
       Statement:
         - Effect: Allow
           Action: Publish
-          Principal: '*'
+          Principal: 
+            AWS: "*"
+          Condition:
+            StringEquals:
+              sns:Endpoint: "[email protected]"
 
 ```
 
@@ -113,7 +183,7 @@ SNS Topic Policy should not allow any principal to access<br>
       Statement:
       - Effect: Allow
         Action: Publish
-        Principal: NotAll
+        Principal: "arn:aws:iam::123456789012:root"
 
 - name: Create alarm SNS topic
   sns_topic:
@@ -136,7 +206,148 @@ SNS Topic Policy should not allow any principal to access<br>
       Statement:
       - Effect: Allow
         Action: Publish
-        Principal: NotAll
+        Principal: "arn:aws:iam::123456789012:root"
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+- name: Create SNS topic with safe policy
+  community.aws.sns_topic:
+    name: secure-topic
+    display_name: "Secure SNS Topic"
+    state: present
+    policy:
+      Id: secure-topic-policy
+      Version: "2012-10-17"
+      Statement:
+        - Sid: AllowPublishFromSpecificAccount
+          Effect: Allow
+          Resource: "arn:aws:sns:*:*:secure-topic"
+          Principal: "*"
+          Action: sns:Publish
+          Condition:
+            StringEquals:
+              aws:SourceAccount: "123456789012"
+
+- name: Create alarm SNS topic
+  sns_topic:
+    name: alarms
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: exponential
+        disableSubscriptionOverrides: true
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: "*"
+          Condition:
+            StringEquals:
+              aws:SourceOwner: "123456789012"
+
+```
+```yaml title="Negative test num. 3 - yaml file"
+- name: Create SNS topic with mixed conditions
+  community.aws.sns_topic:
+    name: mixed-topic
+    display_name: "Mixed SNS Topic"
+    state: present
+    policy:
+      Id: mixed-topic-policy
+      Version: "2012-10-17"
+      Statement:
+        - Sid: AllowAnyPrincipalWithRestrictions
+          Effect: Allow
+          Resource: "arn:aws:sns:*:*:mixed-topic"
+          Principal: "*"
+          Action: sns:Publish
+          Condition:
+            StringEquals:
+              aws:ResourceAccount: "123456789012"
+
+- name: Create alarm SNS topic
+  sns_topic:
+    name: alarms
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: exponential
+        disableSubscriptionOverrides: true
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: "*"
+          Condition:
+            StringEquals:
+              aws:PrincipalAccount: "123456789012"
+
+```
+<details><summary>Negative test num. 4 - yaml file</summary>
+
+```yaml
+- name: Create SNS topic with mixed conditions
+  community.aws.sns_topic:
+    name: mixed-topic
+    display_name: "Mixed SNS Topic"
+    state: present
+    policy:
+      Id: mixed-topic-policy
+      Version: "2012-10-17"
+      Statement:
+        - Sid: AllowAnyPrincipalWithRestrictions
+          Effect: Allow
+          Resource: "arn:aws:sns:*:*:mixed-topic"
+          Principal: "*"
+          Action: sns:Publish
+          Condition:
+            StringEquals:
+              aws:VpceAccount: "123456789012"
+
+- name: Create alarm SNS topic
+  sns_topic:
+    name: alarms
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: exponential
+        disableSubscriptionOverrides: true
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: "*"
+          Condition:
+            StringEquals:
+              aws:VpceAccount: "123456789012"
 
 ```
+</details>