Modify rule S6249: update message (#935)

* S6249: Update issue message * Add secondary location * Update code example Remove "mynoncompliant" from the resource names. Add language specificators for code blocks * Apply suggestions from code review Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update secondary location issue message --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
2025-03-20 15:11:28 +01:00 · 2025-03-20 15:11:28 +01:00 · dd52d59602
commit dd52d59602
parent 84ac3f2f9f
4 changed files with 41 additions and 28 deletions
--- a/rules/S6249/cloudformation/rule.adoc
+++ b/rules/S6249/cloudformation/rule.adoc
@ -25,7 +25,7 @@ Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties: 
-      BucketName: "bucketname"
+      BucketName: "example-bucket"

  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
@ -36,12 +36,12 @@ Resources:
        Statement:
          - Effect: Deny 
            Principal:
-              AWS: # Sensitive: only one principal is forced to use https
+              AWS: # Only one principal is forced to use https
                - 'arn:aws:iam::123456789123:root' 
            Action: "*" 
            Resource:
-              - arn:aws:s3:::bucketname
-              - arn:aws:s3:::bucketname/* 
+              - arn:aws:s3:::example-bucket
+              - arn:aws:s3:::example-bucket/* 
            Condition:
              Bool:
                "aws:SecureTransport": false 
@ -58,11 +58,12 @@ Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
-      BucketName: "bucketname"
+      BucketName: "example-bucket"

  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
+
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
@ -72,8 +73,8 @@ Resources:
              AWS: "*" # all principals should use https
            Action: "*" # for any actions
            Resource: # for the bucket and all its objects
-              - arn:aws:s3:::bucketname
-              - arn:aws:s3:::bucketname/*  
+              - arn:aws:s3:::example-bucket
+              - arn:aws:s3:::example-bucket/*  
            Condition:
              Bool:
                "aws:SecureTransport": false
@ -89,4 +90,6 @@ ifdef::env-github,rspecator-view[]

 include::../message.adoc[]

+include::../highlighting.adoc[]
+
 endif::env-github,rspecator-view[]
--- a/rules/S6249/highlighting.adoc
+++ b/rules/S6249/highlighting.adoc
@ -0,0 +1,6 @@
+=== Highlighting
+
+* Primary location
+** The S3 bucket resource
+* Secondary location
+** The S3 bucket policy condition that allow HTTP
--- a/rules/S6249/message.adoc
+++ b/rules/S6249/message.adoc
@ -1,4 +1,7 @@
 === Message

-Make sure authorizing HTTP requests is safe here.

+* Primary location
+** No bucket policy enforces HTTPS-only access to this bucket. Make sure it is safe here.
+* Secondary location
+** HTTPS requests are denied.
--- a/rules/S6249/terraform/rule.adoc
+++ b/rules/S6249/terraform/rule.adoc
@ -10,8 +10,8 @@ No secure policy is attached to this bucket:

 [source,terraform]
 ----
-resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive 
-  bucket = "mynoncompliantbucketname"
+resource "aws_s3_bucket" "example-bucket" { # Sensitive 
+  bucket = "example-bucket"
 }
 ----

@ -19,27 +19,27 @@ A policy is defined but forces only HTTPs communication for some users:

 [source,terraform]
 ----
-resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive 
-  bucket = "mynoncompliantbucketname"
+resource "aws_s3_bucket" "example-bucket" { # Sensitive 
+  bucket = "example-bucket"
 }

-resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" {
-  bucket = "mynoncompliantbucketname"
+resource "aws_s3_bucket_policy" "example-policy" {
+  bucket = "example-bucket"

  policy = jsonencode({
    Version = "2012-10-17"
-    Id      = "mynoncompliantbucketpolicy"
+    Id      = "ExamplePolicy"
    Statement = [
      {
        Sid       = "HTTPSOnly"
        Effect    = "Deny"
-        Principal = {
-          "AWS": "arn:aws:iam::123456789123:root"
-        } # secondary location: only one principal is forced to use https
+        Principal = [
+          "arn:aws:iam::123456789123:root"
+        ] # Only one principal is forced to use HTTPS
        Action    = "s3:*"
        Resource = [
-          aws_s3_bucket.mynoncompliantbucket.arn,
-          "${aws_s3_bucket.mynoncompliantbucket.arn}/*",
+          aws_s3_bucket.aws_s3_bucket.arn,
+          "${aws_s3_bucket.aws_s3_bucket.arn}/*",
        ]
        Condition = {
          Bool = {
@ -58,16 +58,16 @@ A secure policy that denies all HTTP requests is used:

 [source,terraform]
 ----
-resource "aws_s3_bucket" "mycompliantbucket" {
-  bucket = "mycompliantbucketname"
+resource "aws_s3_bucket" "example-bucket" {
+  bucket = "example-bucket"
 }

-resource "aws_s3_bucket_policy" "mycompliantpolicy" {
-  bucket = "mycompliantbucketname"
+resource "aws_s3_bucket_policy" "example-policy" {
+  bucket = "example-bucket"

  policy = jsonencode({
    Version = "2012-10-17"
-    Id      = "mycompliantpolicy"
+    Id      = "ExamplePolicy"
    Statement = [
      {
        Sid       = "HTTPSOnly"
@ -77,8 +77,8 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" {
        }
        Action    = "s3:*"
        Resource = [
-          aws_s3_bucket.mycompliantbucket.arn,
-          "${aws_s3_bucket.mycompliantbucket.arn}/*",
+          aws_s3_bucket.example-bucket.arn,
+          "${aws_s3_bucket.example-bucket.arn}/*",
        ]
        Condition = {
          Bool = {
@ -89,7 +89,6 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" {
    ]
  })
 }
-
 ----

 include::../see.adoc[]
@ -102,4 +101,6 @@ ifdef::env-github,rspecator-view[]

 include::../message.adoc[]

+include::../highlighting.adoc[]
+
 endif::env-github,rspecator-view[]