Merged
74 changes: 37 additions & 37 deletions docs/queries/all-queries.md

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions docs/queries/ansible-queries.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Below are listed queries related to Ansible AWS:
|S3 Bucket Allows Put Action From All Principals<br/><sup><sub>a0f1bfe0-741e-473f-b3b2-13e66f856fab</sub></sup>|<span style="color:#ff0000">Critical</span>|Access Control|<a href="../ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html">Documentation</a><br/>|
|S3 Bucket With All Permissions<br/><sup><sub>6a6d7e56-c913-4549-b5c5-5221e624d2ec</sub></sup>|<span style="color:#ff0000">Critical</span>|Access Control|<a href="../ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-policy">Documentation</a><br/>|
|S3 Bucket With Public Access<br/><sup><sub>c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9</sub></sup>|<span style="color:#ff0000">Critical</span>|Access Control|<a href="../ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission">Documentation</a><br/>|
|SNS Topic is Publicly Accessible<br/><sup><sub>905f4741-f965-45c1-98db-f7a00a0e5c73</sub></sup>|<span style="color:#ff0000">Critical</span>|Access Control|<a href="../ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/sns_topic_module.html">Documentation</a><br/>|
|RDS DB Instance Publicly Accessible<br/><sup><sub>c09e3ca5-f08a-4717-9c87-3919c5e6d209</sub></sup>|<span style="color:#ff0000">Critical</span>|Insecure Configurations|<a href="../ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade">Documentation</a><br/>|
|DB Security Group With Public Scope<br/><sup><sub>0956aedf-6a7a-478b-ab56-63e2b19923ad</sub></sup>|<span style="color:#ff0000">Critical</span>|Networking and Firewall|<a href="../ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html">Documentation</a><br/>|
|RDS Associated with Public Subnet<br/><sup><sub>16732649-4ff6-4cd2-8746-e72c13fae4b8</sub></sup>|<span style="color:#ff0000">Critical</span>|Networking and Firewall|<a href="../ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-db_subnet_group_name">Documentation</a><br/>|
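Review bot: In the context row directly below the added SNS entry, "RDS DB Instance Publicly Accessible" points its Documentation link at `rds_instance_module.html#parameter-auto_minor_version_upgrade`, an anchor for a different parameter than the one the query name is about. Since this table is being regenerated anyway, fix the link in the query's metadata so it targets the parameter that controls public accessibility and the index sends readers to the right setting.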
Expand All @@ -24,7 +25,7 @@ Below are listed queries related to Ansible AWS:
|S3 Bucket ACL Allows Read to Any Authenticated User<br/><sup><sub>75480b31-f349-4b9a-861f-bce19588e674</sub></sup>|<span style="color:#bb2124">High</span>|Access Control|<a href="../ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission">Documentation</a><br/>|
|S3 Bucket Allows Get Action From All Principals<br/><sup><sub>53bce6a8-5492-4b1b-81cf-664385f0c4bf</sub></sup>|<span style="color:#bb2124">High</span>|Access Control|<a href="../ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html">Documentation</a><br/>|
|S3 Bucket Allows List Action From All Principals<br/><sup><sub>d395a950-12ce-4314-a742-ac5a785ab44e</sub></sup>|<span style="color:#bb2124">High</span>|Access Control|<a href="../ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html">Documentation</a><br/>|
|SNS Topic is Publicly Accessible<br/><sup><sub>905f4741-f965-45c1-98db-f7a00a0e5c73</sub></sup>|<span style="color:#bb2124">High</span>|Access Control|<a href="../ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/sns_topic_module.html">Documentation</a><br/>|
|SES Policy With Allowed IAM Actions<br/><sup><sub>8ed0bfce-f780-46d4-b086-21c3628f09ad</sub></sup>|<span style="color:#bb2124">High</span>|Access Control|<a href="../ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ses_identity_policy_module.html#parameter-policy">Documentation</a><br/>|
|SQS Policy Allows All Actions<br/><sup><sub>ed9b3beb-92cf-44d9-a9d2-171eeba569d4</sub></sup>|<span style="color:#bb2124">High</span>|Access Control|<a href="../ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html">Documentation</a><br/>|
|SQS Queue Exposed<br/><sup><sub>86b0efa7-4901-4edd-a37a-c034bec6645a</sub></sup>|<span style="color:#bb2124">High</span>|Access Control|<a href="../ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#parameter-policy">Documentation</a><br/>|
|Config Rule For Encrypted Volumes Disabled<br/><sup><sub>7674a686-e4b1-4a95-83d4-1fd53c623d84</sub></sup>|<span style="color:#bb2124">High</span>|Encryption|<a href="../ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_rule_module.html#parameter-source/identifier">Documentation</a><br/>|
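Review bot: The row swap in the High / Access Control block (SNS Topic is Publicly Accessible, 905f4741-f965-45c1-98db-f7a00a0e5c73, replaced by SES Policy With Allowed IAM Actions, 8ed0bfce-f780-46d4-b086-21c3628f09ad) is a severity reclassification rather than a docs refresh: the SNS row reappears as Critical in the first hunk of this file and the SES row is dropped from Medium in the next one. Neither query's details page is among the per-query hunks shown here, so please confirm that their Severity lines and the query metadata carry the same new values, and call out both changes in the PR description so users who gate pipelines on severity are not surprised by new Critical and High findings.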
Expand Down Expand Up @@ -65,7 +66,6 @@ Below are listed queries related to Ansible AWS:
|IAM Role Allows All Principals To Assume<br/><sup><sub>babdedcf-d859-43da-9a7b-6d72e661a8fd</sub></sup>|<span style="color:#ff7213">Medium</span>|Access Control|<a href="../ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html">Documentation</a><br/>|
|Lambda Permission Principal Is Wildcard<br/><sup><sub>1d972c56-8ec2-48c1-a578-887adb09c57a</sub></sup>|<span style="color:#ff7213">Medium</span>|Access Control|<a href="../ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html">Documentation</a><br/>|
|Public Lambda via API Gateway<br/><sup><sub>5e92d816-2177-4083-85b4-f61b4f7176d9</sub></sup>|<span style="color:#ff7213">Medium</span>|Access Control|<a href="../ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9')">Query details</a><br><a href="https://docs.ansible.com/ansible/2.4/lambda_policy_module.html">Documentation</a><br/>|
|SES Policy With Allowed IAM Actions<br/><sup><sub>8ed0bfce-f780-46d4-b086-21c3628f09ad</sub></sup>|<span style="color:#ff7213">Medium</span>|Access Control|<a href="../ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ses_identity_policy_module.html#parameter-policy">Documentation</a><br/>|
|SQS Policy With Public Access<br/><sup><sub>d994585f-defb-4b51-b6d2-c70f020ceb10</sub></sup>|<span style="color:#ff7213">Medium</span>|Access Control|<a href="../ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html">Documentation</a><br/>|
|Auto Scaling Group With No Associated ELB<br/><sup><sub>050f085f-a8db-4072-9010-2cca235cc02f</sub></sup>|<span style="color:#ff7213">Medium</span>|Availability|<a href="../ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_asg_module.html#parameter-load_balancers">Documentation</a><br/>|
|CMK Is Unusable<br/><sup><sub>133fee21-37ef-45df-a563-4d07edc169f4</sub></sup>|<span style="color:#ff7213">Medium</span>|Availability|<a href="../ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enabled">Documentation</a><br/>|
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Access Control
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/286.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/286.html')">286</a>
- **Risk score:** <span style="color:#ff7213">6.8</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/privilege_escalation_using_become_plugin)

### Description
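Review bot: The added `- **Risk score:**` bullet shows a bare `6.8` with no scale and no pointer to how it is derived, and it reuses the Severity colour `#ff7213`, so a reader cannot tell whether it is an independent measure or a restatement of Medium. Suggest stating the range next to the value, or linking the label to a page that explains the scoring, the same way the CWE bullet links out.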
Expand Down Expand Up @@ -115,3 +116,4 @@ In order to perform an action as a different user with the become_user, 'become'
become_user: postgres
changed_when: false
```

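Review bot: The only change at the end of this file appears to be an extra blank line after the closing code fence (the hunk grows from 3 to 4 lines), and the same end-of-file hunk repeats on every query page in this diff. Trim trailing whitespace in the docs generator so regenerated pages do not pick up churn that hides the real changes.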
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Best Practices
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/668.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/668.html')">668</a>
- **Risk score:** <span style="color:#ff7213">5.2</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet)

### Description
Expand Down Expand Up @@ -126,3 +127,4 @@ all:
ungrouped: {}

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Insecure Configurations
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/319.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/319.html')">319</a>
- **Risk score:** <span style="color:#ff7213">6.8</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/communication_over_http)

### Description
Expand Down Expand Up @@ -62,3 +63,4 @@ Using HTTP URLs (without encryption) could lead to security vulnerabilities and
var: site_response

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Access Control
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/286.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/286.html')">286</a>
- **Risk score:** <span style="color:#ff7213">6.8</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults)

### Description
Expand Down Expand Up @@ -88,3 +89,4 @@ become_method=sudo
become=True
become_user=root
```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#edd57e">Low</span>
- **Category:** Best Practices
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/532.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/532.html')">532</a>
- **Risk score:** <span style="color:#edd57e">4.1</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/logging_of_sensitive_data)

### Description
Expand Down Expand Up @@ -106,3 +107,4 @@ To keep sensitive values out of logs, tasks that expose them need to be marked d
with_items:
- wow
```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#bb2124">High</span>
- **Category:** Insecure Configurations
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/200.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/200.html')">200</a>
- **Risk score:** <span style="color:#bb2124">8.1</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults)

### Description
Expand Down Expand Up @@ -93,3 +94,4 @@ collections_scan_sys_path=True
command_warnings=False
action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#5bc0de">Info</span>
- **Category:** Supply-Chain
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/732.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/732.html')">732</a>
- **Risk score:** <span style="color:#5bc0de">0.0</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/risky_file_permissions)

### Description
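Review bot: `Risk score: 0.0` on this Info query reads as either "no risk" or "no value set", while the same page still maps the finding to CWE-732 under Supply-Chain. If 0.0 is the generator's fallback for a missing score, omit the bullet when no score exists; if it is a real computed value, a short note on why an Info finding scores zero would help readers who sort or filter by this number.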
Expand Down Expand Up @@ -225,3 +226,4 @@ Some modules could end up creating new files on disk with permissions that might
mode: "644"

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#edd57e">Low</span>
- **Category:** Best Practices
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/710.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/710.html')">710</a>
- **Risk score:** <span style="color:#edd57e">2.9</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/general/insecure_relative_path_resolution)

### Description
Expand Down Expand Up @@ -84,3 +85,4 @@ Using relative paths can lead to unexpected behavior as the path is resolved rel
dest: /etc/file.conf
mode: "0644"
```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Insecure Configurations
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/665.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/665.html')">665</a>
- **Risk score:** <span style="color:#ff7213">5.2</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended)

### Description
Expand Down Expand Up @@ -84,3 +85,4 @@ Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the co
network_mode: awsvpc

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Availability
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/400.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/400.html')">400</a>
- **Risk score:** <span style="color:#ff7213">5.1</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb)

### Description
Expand Down Expand Up @@ -95,3 +96,4 @@ AWS Auto Scaling Groups must have associated ELBs to ensure high availability an
propagate_at_launch: no

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff0000">Critical</span>
- **Category:** Networking and Firewall
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/732.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/732.html')">732</a>
- **Risk score:** <span style="color:#ff0000">8.7</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/db_security_group_with_public_scope)

### Description
Expand Down Expand Up @@ -114,3 +115,4 @@ The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0'
group_desc: other example EC2 group

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Encryption
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/311.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/311.html')">311</a>
- **Risk score:** <span style="color:#ff7213">5.9</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_database_auth_not_enabled)

### Description
Expand Down Expand Up @@ -116,3 +117,4 @@ IAM Database Auth Enabled should be configured to true when using compatible eng
cluster_id: ansible-test-cluster

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Access Control
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/284.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/284.html')">284</a>
- **Risk score:** <span style="color:#ff7213">6.8</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services)

### Description
Expand Down Expand Up @@ -63,3 +64,4 @@ IAM Policy should not grant 'AssumeRole' permission across all services.<br>
state: present

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff7213">Medium</span>
- **Category:** Availability
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/693.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/693.html')">693</a>
- **Risk score:** <span style="color:#ff7213">5.1</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cmk_is_unusable)

### Description
Expand Down Expand Up @@ -59,3 +60,4 @@ AWS Key Management Service (KMS) must only possess usable Customer Master Keys (
enabled: true

```

Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ hide:
- **Severity:** <span style="color:#ff0000">Critical</span>
- **Category:** Networking and Firewall
- **CWE:** <a href="https://cwe.mitre.org/data/definitions/200.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/200.html')">200</a>
- **Risk score:** <span style="color:#ff0000">8.7</span>
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/rds_associated_with_public_subnet)

### Description
Expand Down Expand Up @@ -97,3 +98,4 @@ RDS should not run in public subnet<br>
register: subnet22

```
