Modify rule S6249: update message (#935)

* S6249: Update issue message

* Add secondary location

* Update code example

Remove "mynoncompliant" from the resource names.
Add language specificators for code blocks

* Apply suggestions from code review

Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>

* Update secondary location issue message

---------

Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>

rules/S6249/cloudformation/rule.adoc

@@ -25,7 +25,7 @@ Resources:
   S3Bucket:
     Type: 'AWS::S3::Bucket' # Sensitive
     Properties: 
-      BucketName: "bucketname"
+      BucketName: "example-bucket"
 
   S3BucketPolicy:
     Type: 'AWS::S3::BucketPolicy'
@@ -36,12 +36,12 @@ Resources:
         Statement:
           - Effect: Deny 
             Principal:
-              AWS: # Sensitive: only one principal is forced to use https
+              AWS: # Only one principal is forced to use https
                 - 'arn:aws:iam::123456789123:root' 
             Action: "*" 
             Resource:
-              - arn:aws:s3:::bucketname
+              - arn:aws:s3:::example-bucket
-              - arn:aws:s3:::bucketname/* 
+              - arn:aws:s3:::example-bucket/* 
             Condition:
               Bool:
                 "aws:SecureTransport": false 
@@ -58,11 +58,12 @@ Resources:
   S3Bucket:
     Type: 'AWS::S3::Bucket' # Compliant
     Properties:
-      BucketName: "bucketname"
+      BucketName: "example-bucket"
 
   S3BucketPolicy:
     Type: 'AWS::S3::BucketPolicy'
     Properties:
+
       Bucket: !Ref S3Bucket
       PolicyDocument:
         Version: "2012-10-17"
@@ -72,8 +73,8 @@ Resources:
               AWS: "*" # all principals should use https
             Action: "*" # for any actions
             Resource: # for the bucket and all its objects
-              - arn:aws:s3:::bucketname
+              - arn:aws:s3:::example-bucket
-              - arn:aws:s3:::bucketname/*  
+              - arn:aws:s3:::example-bucket/*  
             Condition:
               Bool:
                 "aws:SecureTransport": false
@@ -89,4 +90,6 @@ ifdef::env-github,rspecator-view[]
 
 include::../message.adoc[]
 
+include::../highlighting.adoc[]
+
 endif::env-github,rspecator-view[]

rules/S6249/highlighting.adoc

@@ -0,0 +1,6 @@
+=== Highlighting
+
+* Primary location
+** The S3 bucket resource
+* Secondary location
+** The S3 bucket policy condition that allow HTTP

rules/S6249/message.adoc

@@ -1,4 +1,7 @@
 === Message
 
-Make sure authorizing HTTP requests is safe here.
 
+* Primary location
+** No bucket policy enforces HTTPS-only access to this bucket. Make sure it is safe here.
+* Secondary location
+** HTTPS requests are denied.

rules/S6249/terraform/rule.adoc

@@ -10,8 +10,8 @@ No secure policy is attached to this bucket:
 
 [source,terraform]
 ----
-resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive 
+resource "aws_s3_bucket" "example-bucket" { # Sensitive 
-  bucket = "mynoncompliantbucketname"
+  bucket = "example-bucket"
 }
 ----
 
@@ -19,27 +19,27 @@ A policy is defined but forces only HTTPs communication for some users:
 
 [source,terraform]
 ----
-resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive 
+resource "aws_s3_bucket" "example-bucket" { # Sensitive 
-  bucket = "mynoncompliantbucketname"
+  bucket = "example-bucket"
 }
 
-resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" {
+resource "aws_s3_bucket_policy" "example-policy" {
-  bucket = "mynoncompliantbucketname"
+  bucket = "example-bucket"
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Id      = "mynoncompliantbucketpolicy"
+    Id      = "ExamplePolicy"
     Statement = [
       {
         Sid       = "HTTPSOnly"
         Effect    = "Deny"
-        Principal = {
+        Principal = [
-          "AWS": "arn:aws:iam::123456789123:root"
+          "arn:aws:iam::123456789123:root"
-        } # secondary location: only one principal is forced to use https
+        ] # Only one principal is forced to use HTTPS
         Action    = "s3:*"
         Resource = [
-          aws_s3_bucket.mynoncompliantbucket.arn,
+          aws_s3_bucket.aws_s3_bucket.arn,
-          "${aws_s3_bucket.mynoncompliantbucket.arn}/*",
+          "${aws_s3_bucket.aws_s3_bucket.arn}/*",
         ]
         Condition = {
           Bool = {
@@ -58,16 +58,16 @@ A secure policy that denies all HTTP requests is used:
 
 [source,terraform]
 ----
-resource "aws_s3_bucket" "mycompliantbucket" {
+resource "aws_s3_bucket" "example-bucket" {
-  bucket = "mycompliantbucketname"
+  bucket = "example-bucket"
 }
 
-resource "aws_s3_bucket_policy" "mycompliantpolicy" {
+resource "aws_s3_bucket_policy" "example-policy" {
-  bucket = "mycompliantbucketname"
+  bucket = "example-bucket"
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Id      = "mycompliantpolicy"
+    Id      = "ExamplePolicy"
     Statement = [
       {
         Sid       = "HTTPSOnly"
@@ -77,8 +77,8 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" {
         }
         Action    = "s3:*"
         Resource = [
-          aws_s3_bucket.mycompliantbucket.arn,
+          aws_s3_bucket.example-bucket.arn,
-          "${aws_s3_bucket.mycompliantbucket.arn}/*",
+          "${aws_s3_bucket.example-bucket.arn}/*",
         ]
         Condition = {
           Bool = {
@@ -89,7 +89,6 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" {
     ]
   })
 }
-
 ----
 
 include::../see.adoc[]
@@ -102,4 +101,6 @@ ifdef::env-github,rspecator-view[]
 
 include::../message.adoc[]
 
+include::../highlighting.adoc[]
+
 endif::env-github,rspecator-view[]