Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Modify S6327: Improve the recommended fix #4543

Merged
merged 4 commits into from
Nov 27, 2024
Merged

Modify S6327: Improve the recommended fix #4543

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
84ddaba
Modify S6327: Improve the recommended fix
loris-s-sonarsource Nov 26, 2024
10bc7c7
Apply suggestions from code review
loris-s-sonarsource Nov 26, 2024
473b60a
add more info
loris-s-sonarsource Nov 26, 2024
2d7c3ca
improvement
loris-s-sonarsource Nov 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion rules/S6327/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "10min"
"constantCost": "45min"
},
"tags": [
"aws",
Expand Down
12 changes: 11 additions & 1 deletion rules/S6327/recommended.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,13 @@
== Recommended Secure Coding Practices

It's recommended to encrypt SNS topics that contain sensitive information. Encryption and decryption are handled transparently by SNS, so no further modifications to the application are necessary.
It is recommended to encrypt SNS topics that contain sensitive information.

To do so, create a master key and affect the SNS topic to it. Without a master
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is "affect" the right word here?

key, the SNS topic is not encrypted by default.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using the negative version is usually a bit harder to understand than the positive version: "With a master key, the SNS topic is encrypted by default".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed it, the goal was to say that by default no encryption applied but I am starting to think this sentence, at this location could be confusing. I replaced it with notable information instead


Then, make sure that any publishers have the ``++kms:GenerateDataKey*++`` and
``++kms:Decrypt++`` permissions for the AWS KMS key.

See https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse[AWS SNS Key Management Documentation]
for more information.