Skip to content

fix(queries): fixed fp for sns topic is publicly accesible query for Terraform/AWS, Ansible/AWS and CloudFormation/aws #7758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

fix(queries): fixed fp for sns topic is publicly accesible query for Terraform/AWS, Ansible/AWS and CloudFormation/aws #7758

wants to merge 11 commits into from

Conversation

cx-ricardo-jesus
Copy link
Contributor

Closes #

Reason for Proposed Changes

  • The current implementation of the query "SNS Topic Is Publicly Accessible" for Ansible, Terraform and CloudFormation platforms was not taking into account the cases when there is a condition block that limits access to a specific account ID inside a statement in a policy.

Proposed Changes

  • For all the queries made the same approach, on the policy that originally all of the queries had, made an extra verification using the helper function is_limited_to_an_account_id, which basically just verifies if, inside the statement, there is a Condition block with a condition key that equals any condition key from the following set: `["aws:SourceOwner", "aws:SourceAccount", "aws:ResourceAccount", "aws:PrincipalAccount", "aws:VpceAccount"].
  • The query for the Terraform query suffered more changes when compared to the other queries because the current implementation does not support the module equivalent to the resource aws_sns_topic.
  • Also, the module has two ways of defining a policy, which are by using the fields topic_policy and topic_policy_statements.

I submit this contribution under the Apache-2.0 license.

@cx-ricardo-jesus cx-ricardo-jesus requested a review from a team as a code owner October 8, 2025 08:43
@github-actions github-actions bot added query New query feature ansible Ansible query cloudformation CloudFormation query terraform Terraform query aws PR related with AWS Cloud labels Oct 8, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 8, 2025

kics-logo

KICS version: v2.1.13

Category Results
CRITICAL CRITICAL 0
HIGH HIGH 0
MEDIUM MEDIUM 0
LOW LOW 0
INFO INFO 0
TRACE TRACE 0
TOTAL TOTAL 0
Metric Values
Files scanned placeholder 1
Files parsed placeholder 1
Files failed to scan placeholder 0
Total executed queries placeholder 47
Queries failed to execute placeholder 0
Execution time placeholder 0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@cx-ricardo-jesus cx-ricardo-jesus

Labels

ansible Ansible query aws PR related with AWS Cloud cloudformation CloudFormation query query New query feature terraform Terraform query

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cx-ricardo-jesus