diff --git a/rules/S6249/terraform/rule.adoc b/rules/S6249/terraform/rule.adoc
index 8b0914292d2..4d285586569 100644
--- a/rules/S6249/terraform/rule.adoc
+++ b/rules/S6249/terraform/rule.adoc
@@ -8,6 +8,7 @@ include::../recommended.adoc[]
 
 No secure policy is attached to this bucket:
 
+[source,terraform]
 ----
 resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive 
   bucket = "mynoncompliantbucketname"
@@ -16,6 +17,7 @@ resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
 
 A policy is defined but forces only HTTPs communication for some users:
 
+[source,terraform]
 ----
 resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive 
   bucket = "mynoncompliantbucketname"
@@ -31,13 +33,13 @@ resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" {
       {
         Sid       = "HTTPSOnly"
         Effect    = "Deny"
-        Principal = [
-          "arn:aws:iam::123456789123:root"
-        ] # secondary location: only one principal is forced to use https
+        Principal = {
+          "AWS": "arn:aws:iam::123456789123:root"
+        } # secondary location: only one principal is forced to use https
         Action    = "s3:*"
         Resource = [
-          aws_s3_bucket.mynoncompliantbucketpolicy.arn,
-          "${aws_s3_bucket.mynoncompliantbucketpolicy.arn}/*",
+          aws_s3_bucket.mynoncompliantbucket.arn,
+          "${aws_s3_bucket.mynoncompliantbucket.arn}/*",
         ]
         Condition = {
           Bool = {
@@ -70,7 +72,9 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" {
       {
         Sid       = "HTTPSOnly"
         Effect    = "Deny"
-        Principal = "*"
+        Principal = {
+          "AWS": "*"
+        }
         Action    = "s3:*"
         Resource = [
           aws_s3_bucket.mycompliantbucket.arn,