Checkmarx · rafaela-soares · May 4, 2022 · May 2, 2022 · May 2, 2022 · May 2, 2022
@@ -1,8 +1,8 @@
 {
   "id": "857f8808-e96a-4ba8-a9b7-f2d4ec6cad94",
   "queryName": "Automatic Minor Upgrades Disabled",
-  "severity": "HIGH",
-  "category": "Encryption",
+  "severity": "LOW",
+  "category": "Best Practices",
   "descriptionText": "RDS instance auto minor version upgrade feature must be true",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade",
   "platform": "Ansible",

@@ -1,12 +1,12 @@
 [
   {
     "queryName": "Automatic Minor Upgrades Disabled",
-    "severity": "HIGH",
+    "severity": "LOW",
     "line": 10
   },
   {
     "queryName": "Automatic Minor Upgrades Disabled",
-    "severity": "HIGH",
+    "severity": "LOW",
     "line": 12
   }
 ]
@@ -1,7 +1,7 @@
 {
   "id": "f5587077-3f57-4370-9b4e-4eb5b1bac85b",
-  "queryName": "CloudTrail Log Files Not Encrypted",
-  "severity": "HIGH",
+  "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+  "severity": "LOW",
   "category": "Encryption",
   "descriptionText": "CloudTrail Log Files should be encrypted with Key Management Service (KMS)",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",

@@ -0,0 +1,7 @@
+[
+  {
+    "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+    "severity": "LOW",
+    "line": 2
+  }
+]
@@ -2,7 +2,7 @@
   "id": "83957b81-39c1-4191-8e12-671d2ce14354",
   "queryName": "IAM Password Without Uppercase Letter",
   "severity": "MEDIUM",
-  "category": "Insecure Configurations",
+  "category": "Best Practices",
   "descriptionText": "Check if IAM account password has at least one uppercase letter",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
   "platform": "Ansible",

@@ -1,7 +1,7 @@
 {
   "id": "b5ed026d-a772-4f07-97f9-664ba0b116f8",
   "queryName": "IAM Policy Grants Full Permissions",
-  "severity": "MEDIUM",
+  "severity": "HIGH",
   "category": "Access Control",
   "descriptionText": "IAM policies allow all ('*') in a statement action",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",

@@ -1,7 +1,7 @@
 [
   {
     "queryName": "IAM Policy Grants Full Permissions",
-    "severity": "MEDIUM",
+    "severity": "HIGH",
     "line": 4,
     "fileName": "positive.yaml"
   }

@@ -1,9 +1,9 @@
 {
   "id": "905f4741-f965-45c1-98db-f7a00a0e5c73",
-  "queryName": "SNS Topic is Publicly Accessible For Subscription",
-  "severity": "MEDIUM",
+  "queryName": "SNS Topic is Publicly Accessible",
+  "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "This query checks if SNS Topic is Accessible For Subscription",
+  "descriptionText": "SNS Topic Policy should not allow any principal to access",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sns_topic_module.html",
   "platform": "Ansible",
   "descriptionID": "956322cf",

@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+	modules := {"community.aws.sns_topic", "sns_topic"}
+	snsTopicCommunity := task[modules[m]]
+	ansLib.checkState(snsTopicCommunity)
+	policies := snsTopicCommunity.policy
+	statement := policies.Statement[i]
+	statement.Effect == "Allow"
+	common_lib.any_principal(statement)
+
+	result := {
+		"documentId": id,
+		"searchKey": sprintf("name={{%s}}.{{%s}}.policy", [task.name, modules[m]]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "sns_topic.policy does not allow actions from all principals",
+		"keyActualValue": "sns_topic.policy allows actions from all principals",
+		"searchLine": common_lib.build_search_line(["playbooks", t, modules[m], "policy"], []),
+	}
+}
@@ -14,6 +14,12 @@
         disableSubscriptionOverrides: true
         defaultThrottlePolicy:
           maxReceivesPerSecond: 10
+    policy:
+      Version: '2022-05-02'
+      Statement:
+      - Effect: Allow
+        Action: Publish
+        Principal: NotAll
 
 - name: Create alarm SNS topic
   sns_topic:
@@ -31,3 +37,9 @@
         disableSubscriptionOverrides: true
         defaultThrottlePolicy:
           maxReceivesPerSecond: 10
+    policy:
+      Version: '2022-05-02'
+      Statement:
+      - Effect: Allow
+        Action: Publish
+        Principal: NotAll
@@ -20,7 +20,12 @@
         protocol: "email"
       - endpoint: "my_mobile_number"
         protocol: "sms"
-
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Action: Publish
+          Effect: Allow
+          Principal: "*"
 - name: Create alarm SNS topic
   sns_topic:
     name: "alarms"
@@ -42,3 +47,9 @@
         protocol: "email"
       - endpoint: "my_mobile_number"
         protocol: "sms"
+    policy:
+      Version: '2022-05-02'
+      Statement:
+        - Effect: Allow
+          Action: Publish
+          Principal: '*'
@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "SNS Topic is Publicly Accessible",
+		"severity": "HIGH",
+		"line": 23,
+		"fileName": "positive.yaml"
+	},
+	{
+		"queryName": "SNS Topic is Publicly Accessible",
+		"severity": "HIGH",
+		"line": 51,
+		"fileName": "positive.yaml"
+	}
+]
@@ -1,7 +1,7 @@
 {
   "id": "e1e7b278-2a8b-49bd-a26e-66a7f70b17eb",
   "queryName": "SQS with SSE disabled",
-  "severity": "LOW",
+  "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": " SQS Queue should be protected with CMK encryption",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module",

@@ -1,22 +1,22 @@
 [
   {
     "queryName": "SQS with SSE disabled",
-    "severity": "LOW",
+    "severity": "MEDIUM",
     "line": 2
   },
   {
     "queryName": "SQS with SSE disabled",
-    "severity": "LOW",
+    "severity": "MEDIUM",
     "line": 16
   },
   {
     "queryName": "SQS with SSE disabled",
-    "severity": "LOW",
+    "severity": "MEDIUM",
     "line": 22
   },
   {
     "queryName": "SQS with SSE disabled",
-    "severity": "LOW",
+    "severity": "MEDIUM",
     "line": 29
   }
 ]
@@ -2,7 +2,7 @@
   "id": "1bc398a8-d274-47de-a4c8-6ac867b353de",
   "queryName": "Trusted Microsoft Services Not Enabled",
   "severity": "HIGH",
-  "category": "Access Control",
+  "category": "Networking and Firewall",
   "descriptionText": "Ensure Trusted Microsoft Services have Storage Account access.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls/bypass",
   "platform": "Ansible",

@@ -2,7 +2,7 @@
   "id": "2263b286-2fe9-4747-a0ae-8b4768a2bbd2",
   "queryName": "BigQuery Dataset Is Public",
   "severity": "HIGH",
-  "category": "Insecure Configurations",
+  "category": "Access Control",
   "descriptionText": "BigQuery dataset is anonymously or publicly accessible",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_bigquery_dataset_module.html#parameter-access/special_group",
   "platform": "Ansible",

@@ -1,8 +1,8 @@
 {
   "id": "086031e1-9d4a-4249-acb3-5bfe4c363db2",
   "queryName": "Cloud Storage Anonymous or Publicly Accessible",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
+  "severity": "HIGH",
+  "category": "Access Control",
   "descriptionText": "Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html",
   "platform": "Ansible",

@@ -1,17 +1,17 @@
 [
 	{
 		"queryName": "Cloud Storage Anonymous or Publicly Accessible",
-		"severity": "MEDIUM",
+		"severity": "HIGH",
 		"line": 11
 	},
 	{
 		"queryName": "Cloud Storage Anonymous or Publicly Accessible",
-		"severity": "MEDIUM",
+		"severity": "HIGH",
 		"line": 22
 	},
 	{
 		"queryName": "Cloud Storage Anonymous or Publicly Accessible",
-		"severity": "MEDIUM",
+		"severity": "HIGH",
 		"line": 28
 	}
 ]
@@ -1,7 +1,7 @@
 {
   "id": "f0104061-8bfc-4b45-8a7d-630eb502f281",
   "queryName": "Automatic Minor Upgrades Disabled",
-  "severity": "MEDIUM",
+  "severity": "LOW",
   "category": "Best Practices",
   "descriptionText": "AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",

@@ -1,26 +1,26 @@
 [
   {
     "queryName": "Automatic Minor Upgrades Disabled",
-    "severity": "MEDIUM",
+    "severity": "LOW",
     "line": 58,
     "fileName": "positive1.yaml"
   },
   {
     "queryName": "Automatic Minor Upgrades Disabled",
-    "severity": "MEDIUM",
+    "severity": "LOW",
     "line": 82,
     "fileName": "positive1.yaml"
   },
   {
     "queryName": "Automatic Minor Upgrades Disabled",
-    "severity": "MEDIUM",
+    "severity": "LOW",
     "line": 58,
     "fileName": "positive2.json"
   },
   {
     "line": 85,
     "fileName": "positive2.json",
     "queryName": "Automatic Minor Upgrades Disabled",
-    "severity": "MEDIUM"
+    "severity": "LOW"
   }
 ]
@@ -1,7 +1,7 @@
 {
   "id": "050a9ba8-d1cb-4c61-a5e8-8805a70d3b85",
-  "queryName": "CloudTrail Log Files Not Encrypted",
-  "severity": "HIGH",
+  "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+  "severity": "LOW",
   "category": "Encryption",
   "descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid",

@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+    "severity": "LOW",
+    "line": 62,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+    "severity": "LOW",
+    "line": 53,
+    "fileName": "positive2.json"
+  }
+]
@@ -1,8 +1,8 @@
 {
   "id": "b3de4e4c-14be-4159-b99d-9ad194365e4c",
   "queryName": "EC2 Instance Has Public IP",
-  "severity": "MEDIUM",
-  "category": "Insecure Configurations",
+  "severity": "HIGH",
+  "category": "Networking and Firewall",
   "descriptionText": "EC2 Subnet should not have MapPublicIpOnLaunch set to true",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch",
   "platform": "CloudFormation",