From d04661341c3149711c9552edc98e1fe67383b33e Mon Sep 17 00:00:00 2001
From: "Loris S." <91723853+loris-s-sonarsource@users.noreply.github.com>
Date: Wed, 27 Nov 2024 12:04:48 +0100
Subject: [PATCH] Modify S6327: Improve the recommended fix (#4543)

* Modify S6327: Improve the recommended fix
* Apply suggestions from code review
* add more info
* improvement
---
 rules/S6327/metadata.json    |  2 +-
 rules/S6327/recommended.adoc | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/rules/S6327/metadata.json b/rules/S6327/metadata.json
index ecaa7bc329a..9942b2145a2 100644
--- a/rules/S6327/metadata.json
+++ b/rules/S6327/metadata.json
@@ -10,7 +10,7 @@
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
-    "constantCost": "10min"
+    "constantCost": "45min"
   },
   "tags": [
     "aws",
diff --git a/rules/S6327/recommended.adoc b/rules/S6327/recommended.adoc
index 619707c6c6b..bde7a0a6055 100644
--- a/rules/S6327/recommended.adoc
+++ b/rules/S6327/recommended.adoc
@@ -1,3 +1,18 @@
 == Recommended Secure Coding Practices
 
-It's recommended to encrypt SNS topics that contain sensitive information. Encryption and decryption are handled transparently by SNS, so no further modifications to the application are necessary.
+It is recommended to encrypt SNS topics that contain sensitive information.
+
+To do so, create a master key and assign the SNS topic to it. Note that this
+system does not encrypt the following:
+
+* Topic metadata (topic name and attributes)
+* Message metadata (subject, message ID, timestamp, and attributes)
+* Data protection policy
+* Per-topic metrics
+
+Then, make sure that any publishers have the ``++kms:GenerateDataKey*++`` and
+``++kms:Decrypt++`` permissions for the AWS KMS key.
+
+See https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse[AWS SNS Key Management Documentation]
+for more information.
+