Modify S6327: Improve the recommended fix (#4543)

* Modify S6327: Improve the recommended fix * Apply suggestions from code review * add more info * improvement
SonarSource · Nov 27, 2024 · d046613 · d046613
1 parent dc4e9af
commit d046613
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/rules/S6327/metadata.json b/rules/S6327/metadata.json
@@ -10,7 +10,7 @@
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
-    "constantCost": "10min"
+    "constantCost": "45min"
   },
   "tags": [
     "aws",

diff --git a/rules/S6327/recommended.adoc b/rules/S6327/recommended.adoc
@@ -1,3 +1,18 @@
 == Recommended Secure Coding Practices
 
-It's recommended to encrypt SNS topics that contain sensitive information. Encryption and decryption are handled transparently by SNS, so no further modifications to the application are necessary.
+It is recommended to encrypt SNS topics that contain sensitive information.
+
+To do so, create a master key and assign the SNS topic to it. Note that this
+system does not encrypt the following:
+
+* Topic metadata (topic name and attributes)
+* Message metadata (subject, message ID, timestamp, and attributes)
+* Data protection policy
+* Per-topic metrics
+
+Then, make sure that any publishers have the ``++kms:GenerateDataKey*++`` and
+``++kms:Decrypt++`` permissions for the AWS KMS key.
+
+See https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse[AWS SNS Key Management Documentation]
+for more information.
+