APPSEC-1061 Modify S6292(secrets): Make text compliant (#3008)

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

rules/S6292/secrets/rule.adoc

@@ -1,40 +1,54 @@
+include::../../../shared_content/secrets/description.adoc[]
+
 == Why is this an issue?
 
-Amazon Marketplace Web Service credentials are designed to authenticate and authorize Amazon sellers.
+include::../../../shared_content/secrets/rationale.adoc[]
 
-If your application interacts with Amazon MWS then it requires credentials to access all the resources it needs to function properly. The credentials authenticate to a seller account which can have access to resources like products, orders, price or shipment information.
+=== What is the potential impact?
 
+If your application interacts with Amazon MWS then it requires credentials to
+access all the resources it needs to function properly. +
+The credentials authenticate to a seller account which can have access to
+resources like products, orders, price or shipment information.
 
-== Recommended Secure Coding Practices
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
 
-Only administrators should have access to the MWS credentials used by your application.
+:secret_type: secret
 
-As a consequence, MWS credentials should not be stored along with the application code as they would grant special privilege to anyone who has access to the application source code.
+include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[]
 
-Credentials should be stored outside of the code in a file that is never committed to your application code repository.
+include::../../../shared_content/secrets/impact/phishing.adoc[]
 
-If possible, a better alternative is to use your cloud provider's service for managing secrets. On AWS this service is called https://aws.amazon.com/fr/secrets-manager/[Secrets Manager].
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
 
-When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.
+include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[]
 
+== How to fix it
+
+Only administrators should have access to the MWS credentials used by your
+application.  
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: amzn.mws.3b8be74a-5f63-5770-5bad-19bd40c0ac65
+:example_name: mws-key
+:example_env: MWS_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
 
 == Resources
 
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials
-* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password
-* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
+include::../../../shared_content/secrets/resources/standards.adoc[]
 
-ifdef::env-github,rspecator-view[]
-
-'''
-== Implementation Specification
-(visible only on this page)
-
-=== Message
-
-Amazon MWS Auth Token detected here. Remove this cedential from your code.
-
-
-endif::env-github,rspecator-view[]
+//=== Benchmarks