Checkmarx
diff --git a/‎docs/queries/all-queries.md‎
Lines changed: 14 additions & 0 deletions b/‎docs/queries/all-queries.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md‎
Lines changed: 216 additions & 5 deletions b/‎docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md‎
Lines changed: 216 additions & 5 deletions
@@ -30,7 +30,7 @@ SNS Topic Policy should not allow any principal to access<br>
 
 ### Code samples
 #### Code samples with security vulnerabilities
-```yaml title="Positive test num. 1 - yaml file" hl_lines="50 23"
+```yaml title="Positive test num. 1 - yaml file" hl_lines="52 23"
 ---
 - name: Create alarm SNS topic community
   community.aws.sns_topic:
@@ -58,7 +58,73 @@ SNS Topic Policy should not allow any principal to access<br>
       Statement:
         - Action: Publish
           Effect: Allow
-          Principal: "*"
+          Principal: 
+            AWS: "*"
+            
+- name: Create alarm SNS topic
+  sns_topic:
+    name: "alarms"
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: "<linear|arithmetic|geometric|exponential>"
+        disableSubscriptionOverrides: True
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    subscriptions:
+      - endpoint: "[email protected]"
+        protocol: "email"
+      - endpoint: "my_mobile_number"
+        protocol: "sms"
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: 
+            AWS: "*"
+
+```
+```yaml title="Positive test num. 2 - yaml file" hl_lines="55 23"
+---
+- name: Create alarm SNS topic community
+  community.aws.sns_topic:
+    name: "alarms"
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: "<linear|arithmetic|geometric|exponential>"
+        disableSubscriptionOverrides: True
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    subscriptions:
+      - endpoint: "[email protected]"
+        protocol: "email"
+      - endpoint: "my_mobile_number"
+        protocol: "sms"
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: 
+            AWS: "*"
+          Condition:
+            StringEquals:
+              sns:Endpoint: "[email protected]"
+            
 - name: Create alarm SNS topic
   sns_topic:
     name: "alarms"
@@ -85,7 +151,11 @@ SNS Topic Policy should not allow any principal to access<br>
       Statement:
         - Effect: Allow
           Action: Publish
-          Principal: '*'
+          Principal: 
+            AWS: "*"
+          Condition:
+            StringEquals:
+              sns:Endpoint: "[email protected]"
 
 ```
 
@@ -113,7 +183,7 @@ SNS Topic Policy should not allow any principal to access<br>
       Statement:
       - Effect: Allow
         Action: Publish
-        Principal: NotAll
+        Principal: "arn:aws:iam::123456789012:root"
 
 - name: Create alarm SNS topic
   sns_topic:
@@ -136,7 +206,148 @@ SNS Topic Policy should not allow any principal to access<br>
       Statement:
       - Effect: Allow
         Action: Publish
-        Principal: NotAll
+        Principal: "arn:aws:iam::123456789012:root"
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+- name: Create SNS topic with safe policy
+  community.aws.sns_topic:
+    name: secure-topic
+    display_name: "Secure SNS Topic"
+    state: present
+    policy:
+      Id: secure-topic-policy
+      Version: "2012-10-17"
+      Statement:
+        - Sid: AllowPublishFromSpecificAccount
+          Effect: Allow
+          Resource: "arn:aws:sns:*:*:secure-topic"
+          Principal: "*"
+          Action: sns:Publish
+          Condition:
+            StringEquals:
+              aws:SourceAccount: "123456789012"
+
+- name: Create alarm SNS topic
+  sns_topic:
+    name: alarms
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: exponential
+        disableSubscriptionOverrides: true
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: "*"
+          Condition:
+            StringEquals:
+              aws:SourceOwner: "123456789012"
+
+```
+```yaml title="Negative test num. 3 - yaml file"
+- name: Create SNS topic with mixed conditions
+  community.aws.sns_topic:
+    name: mixed-topic
+    display_name: "Mixed SNS Topic"
+    state: present
+    policy:
+      Id: mixed-topic-policy
+      Version: "2012-10-17"
+      Statement:
+        - Sid: AllowAnyPrincipalWithRestrictions
+          Effect: Allow
+          Resource: "arn:aws:sns:*:*:mixed-topic"
+          Principal: "*"
+          Action: sns:Publish
+          Condition:
+            StringEquals:
+              aws:ResourceAccount: "123456789012"
+
+- name: Create alarm SNS topic
+  sns_topic:
+    name: alarms
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: exponential
+        disableSubscriptionOverrides: true
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: "*"
+          Condition:
+            StringEquals:
+              aws:PrincipalAccount: "123456789012"
+
+```
+<details><summary>Negative test num. 4 - yaml file</summary>
+
+```yaml
+- name: Create SNS topic with mixed conditions
+  community.aws.sns_topic:
+    name: mixed-topic
+    display_name: "Mixed SNS Topic"
+    state: present
+    policy:
+      Id: mixed-topic-policy
+      Version: "2012-10-17"
+      Statement:
+        - Sid: AllowAnyPrincipalWithRestrictions
+          Effect: Allow
+          Resource: "arn:aws:sns:*:*:mixed-topic"
+          Principal: "*"
+          Action: sns:Publish
+          Condition:
+            StringEquals:
+              aws:VpceAccount: "123456789012"
+
+- name: Create alarm SNS topic
+  sns_topic:
+    name: alarms
+    state: present
+    display_name: "alarm SNS topic"
+    delivery_policy:
+      http:
+        defaultHealthyRetryPolicy:
+          minDelayTarget: 2
+          maxDelayTarget: 4
+          numRetries: 3
+          numMaxDelayRetries: 5
+          backoffFunction: exponential
+        disableSubscriptionOverrides: true
+        defaultThrottlePolicy:
+          maxReceivesPerSecond: 10
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: "*"
+          Condition:
+            StringEquals:
+              aws:VpceAccount: "123456789012"
 
 ```
+</details>