Modify rule S6304: Add Python CDK (#1299)

rules/S6304/ask-yourself.adoc

@@ -1,7 +1,5 @@
 == Ask Yourself Whether
 
-The AWS account:
+The AWS account has more than one resource with different levels of sensitivity.
 
-* has more than one resource with different levels of sensitivity.
-
-There is a risk if you answered yes to any of this question.
+A risk exists if you answered yes to this question.

rules/S6304/description.adoc

@@ -1,2 +1,2 @@
-A policy that allows identities to access all resources in an AWS account may violates https://en.wikipedia.org/wiki/Principle_of_least_privilege[the principle of least privilege]. Suppose an identity has permission to access all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive information will occur.
+A policy that allows identities to access all resources in an AWS account may violate https://en.wikipedia.org/wiki/Principle_of_least_privilege[the principle of least privilege]. Suppose an identity has permission to access all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive information will occur.
 

rules/S6304/message.adoc

@@ -0,0 +1,3 @@
+=== Message
+
+* Make sure granting access to all resources is safe here.

rules/S6304/metadata.json

@@ -1,5 +1,5 @@
 {
-  "title": "Policies granting access to all resources of an accounts are security-sensitive",
+  "title": "Policies granting access to all resources of an account are security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "remediation": {

rules/S6304/python/highlighting.adoc

@@ -0,0 +1,4 @@
+=== Highlighting
+
+* Primary location: `resources` (constructor) or `Resource` (`from_json`)
+* Secondary location: `effect` (constructor, if it exists) or `Effect` (`from_json`)

rules/S6304/python/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6304/python/rule.adoc

@@ -0,0 +1,60 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Noncompliant Code Example
+
+The wildcard `"*"` is specified as the resource for this `PolicyStatement`. This grants the update permission for all policies of the account:
+
+[source,python]
+----
+from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement
+
+PolicyDocument(
+    statements=[
+        PolicyStatement(
+            effect=Effect.ALLOW,
+            actions="iam:CreatePolicyVersion",
+            resources=["*"]  # Noncompliant
+        )
+    ]
+)
+----
+
+== Compliant Solution
+
+Restrict the update permission to the appropriate subset of policies:
+
+[source,python]
+----
+from aws_cdk import Aws
+from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement
+
+PolicyDocument(
+    statements=[
+        PolicyStatement(
+            effect=Effect.ALLOW,
+            actions="iam:CreatePolicyVersion",
+            resources=[f"arn:aws:iam::{Aws.ACCOUNT_ID}:policy/team1/*"]
+        )
+    ]
+)
+----
+
+include::../exceptions.adoc[]
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+include::highlighting.adoc[]
+
+endif::env-github,rspecator-view[]

rules/S6304/recommended.adoc

@@ -1,3 +1,3 @@
 == Recommended Secure Coding Practices
 
-It's recommended to apply the least privilege principle, i.e. by only granting access to necessary resources. A good practice to achieve this is to organize or https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/[tag] resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors.
+It's recommended to apply the least privilege principle, i.e., by only granting access to necessary resources. A good practice to achieve this is to organize or https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/[tag] resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors.