Modify S6327: Improve the recommended fix (#4543)

* Modify S6327: Improve the recommended fix * Apply suggestions from code review * add more info * improvement
2024-11-27 12:04:48 +01:00 · 2024-11-27 12:04:48 +01:00 · d04661341c
commit d04661341c
parent dc4e9af93c
2 changed files with 17 additions and 2 deletions
--- a/rules/S6327/metadata.json
+++ b/rules/S6327/metadata.json
@ -10,7 +10,7 @@
  "status": "ready",
  "remediation": {
    "func": "Constant\/Issue",
-    "constantCost": "10min"
+    "constantCost": "45min"
  },
  "tags": [
    "aws",
--- a/rules/S6327/recommended.adoc
+++ b/rules/S6327/recommended.adoc
@ -1,3 +1,18 @@
 == Recommended Secure Coding Practices

-It's recommended to encrypt SNS topics that contain sensitive information. Encryption and decryption are handled transparently by SNS, so no further modifications to the application are necessary.
+It is recommended to encrypt SNS topics that contain sensitive information.
+
+To do so, create a master key and assign the SNS topic to it. Note that this
+system does not encrypt the following:
+
+* Topic metadata (topic name and attributes)
+* Message metadata (subject, message ID, timestamp, and attributes)
+* Data protection policy
+* Per-topic metrics
+
+Then, make sure that any publishers have the ``++kms:GenerateDataKey*++`` and
+``++kms:Decrypt++`` permissions for the AWS KMS key.
+
+See https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse[AWS SNS Key Management Documentation]
+for more information.
+