docs(queries): update queries catalog

Author: cx-andre-pereira

docs/queries/all-queries.md

@@ -92,6 +92,7 @@ Below are listed queries related to Ansible AWS:
 |API Gateway without WAF<br/><sup><sub>f5f38943-664b-4acc-ab11-f292fa10ed0b</sub></sup>|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn">Documentation</a><br/>|
 |CloudFront Without WAF<br/><sup><sub>22c80725-e390-4055-8d14-a872230f6607</sub></sup>|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html">Documentation</a><br/>|
 |EC2 Instance Has Public IP<br/><sup><sub>a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1</sub></sup>|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-assign_public_ip">Documentation</a><br/>|
+|ECS Services assigned with public IP address<br/><sup><sub>560f256b-0b45-4496-bcb5-733681e7d38d</sub></sup>|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../ansible-queries/aws/560f256b-0b45-4496-bcb5-733681e7d38d" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/560f256b-0b45-4496-bcb5-733681e7d38d')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html">Documentation</a><br/>|
 |Elasticsearch with HTTPS disabled<br/><sup><sub>d6c2d06f-43c1-488a-9ba1-8d75b40fc62d</sub></sup>|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../ansible-queries/aws/d6c2d06f-43c1-488a-9ba1-8d75b40fc62d" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/d6c2d06f-43c1-488a-9ba1-8d75b40fc62d')">Query details</a><br><a href="https://docs.ansible.com/ansible/devel/collections/community/aws/opensearch_module.html">Documentation</a><br/>|
 |HTTP Port Open To Internet<br/><sup><sub>a14ad534-acbe-4a8e-9404-2f7e1045646e</sub></sup>|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module">Documentation</a><br/>|
 |Security Group With Unrestricted Access To SSH<br/><sup><sub>57ced4b9-6ba4-487b-8843-b65562b90c77</sub></sup>|<span style="color:#ff7213">Medium</span>|Networking and Firewall|<a href="../ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html">Documentation</a><br/>|
@@ -114,6 +115,7 @@ Below are listed queries related to Ansible AWS:
 |CloudTrail Log Files Not Encrypted With KMS<br/><sup><sub>f5587077-3f57-4370-9b4e-4eb5b1bac85b</sub></sup>|<span style="color:#edd57e">Low</span>|Encryption|<a href="../ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html">Documentation</a><br/>|
 |EFS Without KMS<br/><sup><sub>bd77554e-f138-40c5-91b2-2a09f878608e</sub></sup>|<span style="color:#edd57e">Low</span>|Encryption|<a href="../ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id">Documentation</a><br/>|
 |AWS Password Policy With Unchangeable Passwords<br/><sup><sub>e28ceb92-d588-4166-aac5-766c8f5b7472</sub></sup>|<span style="color:#edd57e">Low</span>|Insecure Configurations|<a href="../ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html">Documentation</a><br/>|
+|Instance Uses Metadata Service IMDSv1<br/><sup><sub>b9ef8c0e-1392-4df4-aa84-2e0f95681c75</sub></sup>|<span style="color:#edd57e">Low</span>|Insecure Configurations|<a href="../ansible-queries/aws/b9ef8c0e-1392-4df4-aa84-2e0f95681c75" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/b9ef8c0e-1392-4df4-aa84-2e0f95681c75')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_instance_module.html">Documentation</a><br/>|
 |Instance With No VPC<br/><sup><sub>61d1a2d0-4db8-405a-913d-5d2ce49dff6f</sub></sup>|<span style="color:#edd57e">Low</span>|Insecure Configurations|<a href="../ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html">Documentation</a><br/>|
 |Lambda Function Without Tags<br/><sup><sub>265d9725-2fb8-42a2-bc57-3279c5db82d5</sub></sup>|<span style="color:#edd57e">Low</span>|Insecure Configurations|<a href="../ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html">Documentation</a><br/>|
 |EC2 Instance Using Default VPC<br/><sup><sub>8833f180-96f1-46f4-9147-849aafa56029</sub></sup>|<span style="color:#edd57e">Low</span>|Networking and Firewall|<a href="../ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029" onclick="newWindowOpenerSafe(event, '../ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029')">Query details</a><br><a href="https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-vpc_subnet_id">Documentation</a><br/>|

docs/queries/ansible-queries.md

@@ -0,0 +1,201 @@
+---
+title: ECS Services assigned with public IP address
+hide:
+  toc: true
+  navigation: true
+---
+
+<style>
+  .highlight .hll {
+    background-color: #ff171742;
+  }
+  .md-content {
+    max-width: 1100px;
+    margin: 0 auto;
+  }
+</style>
+
+-   **Query id:** 560f256b-0b45-4496-bcb5-733681e7d38d
+-   **Query name:** ECS Services assigned with public IP address
+-   **Platform:** Ansible
+-   **Severity:** <span style="color:#ff7213">Medium</span>
+-   **Category:** Networking and Firewall
+-   **CWE:** <a href="https://cwe.mitre.org/data/definitions/201.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/201.html')">201</a>
+-   **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address)
+
+### Description
+Amazon ECS Services should not be assigned public IP addresses. Public IP assignment exposes services directly to the internet, increasing the attack surface and potential unauthorized access.<br>
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Positive test num. 1 - yaml file" hl_lines="19"
+- name: positive1
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ECS service with network configuration
+      community.aws.ecs_service:
+        state: present
+        name: example-public-ip-service
+        cluster: my-ecs-cluster
+        task_definition: my-task-def:1
+        desired_count: 2
+        launch_type: FARGATE
+        network_configuration:
+          subnets:
+            - subnet-aaaa1111
+            - subnet-bbbb2222
+          security_groups:
+            - sg-cccc3333
+          assign_public_ip: true
+
+```
+```yaml title="Positive test num. 2 - yaml file" hl_lines="19"
+- name: positive2-legacy
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ECS service with network configuration
+      ecs_service:
+        state: present
+        name: example-public-ip-service
+        cluster: my-ecs-cluster
+        task_definition: my-task-def:1
+        desired_count: 2
+        launch_type: FARGATE
+        network_configuration:
+          subnets:
+            - subnet-aaaa1111
+            - subnet-bbbb2222
+          security_groups:
+            - sg-cccc3333
+          assign_public_ip: true
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: negative1
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ECS service with network configuration
+      community.aws.ecs_service:
+        state: present
+        name: example-public-ip-service
+        cluster: my-ecs-cluster
+        task_definition: my-task-def:1
+        desired_count: 2
+        launch_type: FARGATE
+        network_configuration:
+          subnets:
+            - subnet-aaaa1111
+            - subnet-bbbb2222
+          security_groups:
+            - sg-cccc3333
+          assign_public_ip: false
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+- name: negative2
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ECS service on FARGATE without assign_public_ip
+      community.aws.ecs_service:
+        state: present
+        name: service-no-public-ip
+        cluster: my-cluster
+        task_definition: my-task-def:1
+        desired_count: 1
+        launch_type: FARGATE
+        network_configuration:
+          subnets:
+            - subnet-aaaa1111
+          security_groups:
+            - sg-bbbb2222
+
+```
+```yaml title="Negative test num. 3 - yaml file"
+- name: negative3
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ECS service on EC2 without network_configuration
+      community.aws.ecs_service:
+        state: present
+        name: service-on-ec2
+        cluster: my-cluster
+        task_definition: my-task-def:2
+        desired_count: 2
+        launch_type: EC2
+
+```
+<details><summary>Negative test num. 4 - yaml file</summary>
+
+```yaml
+- name: negative1
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ECS service with network configuration
+      ecs_service:
+        state: present
+        name: example-public-ip-service
+        cluster: my-ecs-cluster
+        task_definition: my-task-def:1
+        desired_count: 2
+        launch_type: FARGATE
+        network_configuration:
+          subnets:
+            - subnet-aaaa1111
+            - subnet-bbbb2222
+          security_groups:
+            - sg-cccc3333
+          assign_public_ip: false
+
+```
+</details>
+<details><summary>Negative test num. 5 - yaml file</summary>
+
+```yaml
+- name: negative2
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ECS service on FARGATE without assign_public_ip
+      ecs_service:
+        state: present
+        name: service-no-public-ip
+        cluster: my-cluster
+        task_definition: my-task-def:1
+        desired_count: 1
+        launch_type: FARGATE
+        network_configuration:
+          subnets:
+            - subnet-aaaa1111
+          security_groups:
+            - sg-bbbb2222
+
+```
+</details>
+<details><summary>Negative test num. 6 - yaml file</summary>
+
+```yaml
+- name: negative3
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ECS service on EC2 without network_configuration
+      ecs_service:
+        state: present
+        name: service-on-ec2
+        cluster: my-cluster
+        task_definition: my-task-def:2
+        desired_count: 2
+        launch_type: EC2
+
+```
+</details>