fix(pdk-nag): remove reference to deleted sns encrypted kms rule (#881)

The SNSEncryptedKMS cdk nag rule has been removed since
[2.30.0](https://github.com/cdklabs/cdk-nag/releases/tag/v2.30.0). We remove this from the
prototyping nag pack and upgrade cdk nag to the latest version.

packages/cdk-graph-plugin-threat-composer/src/model-generator/base-model/threat-composer-base-model.tc.json

@@ -68,15 +68,6 @@
       ],
       "content": "cdk-nag rule: SNSTopicSSLPublishOnly"
     },
-    {
-      "id": "35eefa29-d011-4b50-a7a8-a204a2b01b34",
-      "numericId": 101,
-      "displayOrder": 101,
-      "tags": [
-        "SNS"
-      ],
-      "content": "cdk-nag rule: SNSEncryptedKMS"
-    },
     {
       "id": "fff9fac4-1512-4a49-81a3-88e420f6c110",
       "numericId": 100,
@@ -1400,10 +1391,6 @@
       "mitigationId": "fff9fac4-1512-4a49-81a3-88e420f6c110",
       "linkedId": "90619d5b-6450-4108-8013-2eaafc5788b5"
     },
-    {
-      "mitigationId": "35eefa29-d011-4b50-a7a8-a204a2b01b34",
-      "linkedId": "7f17d020-6368-48ee-b934-c9272de71242"
-    },
     {
       "mitigationId": "7e9478e3-4571-4c36-bb7c-bb33acf4ec08",
       "linkedId": "9d47bd52-9dbc-4eee-8e55-04a3fc8064c4"
@@ -1562,26 +1549,6 @@
       ],
       "statement": "A threat actor who is in a person-in-the-middle position between the publisher and the Amazon SNS endpoint can view plaintext requests and responses, which leads to them being able manipulate view or modify the requests or responses, negatively impacting this application's data"
     },
-    {
-      "id": "7f17d020-6368-48ee-b934-c9272de71242",
-      "numericId": 88,
-      "displayOrder": 88,
-      "tags": [
-        "SNS",
-        "SSE"
-      ],
-      "threatSource": "threat actor",
-      "prerequisites": "with access to underlying storage used for the SNS (Simple Notification Service) topic",
-      "threatAction": "view the SNS messages",
-      "impactedGoal": [
-        "confidentiality",
-        "integrity"
-      ],
-      "impactedAssets": [
-        "this application's data"
-      ],
-      "statement": "A threat actor with access to underlying storage used for the SNS (Simple Notification Service) topic can view the SNS messages, resulting in reduced confidentiality and/or integrity of this application's data"
-    },
     {
       "id": "90619d5b-6450-4108-8013-2eaafc5788b5",
       "numericId": 87,

packages/pdk-nag/src/packs/README.md

@@ -111,7 +111,7 @@ Total: `35`
 
 ### Warnings
 
-Total: `74`
+Total: `73`
 
 | Rule ID | Cause | Explanation |
 | ------------------ | ------------------ | ------------------ |
@@ -183,7 +183,6 @@ Total: `74`
 | SageMakerNotebookInVPC | The SageMaker notebook instance is not provisioned inside a VPC. | Provisioning the notebook instances inside a VPC enables the notebook to access VPC-only resources such as EFS file systems. |
 | SageMakerNotebookNoDirectInternetAccess | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. |
 | SecretsManagerRotationEnabled | The secret does not have automatic rotation scheduled. | Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised. |
-| SNSEncryptedKMS | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS). Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. |
 | SNSTopicSSLPublishOnly | The SNS Topic does not require publishers to use SSL. | Without HTTPS (TLS), a network-based attacker can eavesdrop on network traffic or manipulate it, using an attack such as man-in-the-middle. Allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition and the 'sns:Publish' action in the topic policy to force publishers to use SSL. If SSE is already enabled then this control is auto enforced. |
 | SQSQueueSSE | The SQS Queue does not have server-side encryption enabled. | Server side encryption adds additional protection of sensitive data delivered as messages to subscribers. |
 | SQSQueueSSLRequestsOnly | The SQS queue does not require requests to use SSL. | Without HTTPS (TLS), a network-based attacker can eavesdrop on network traffic or manipulate it, using an attack such as man-in-the-middle. Allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition in the queue policy to force requests to use SSL. |

packages/pdk-nag/src/packs/aws-prototyping-rules.ts

@@ -726,13 +726,6 @@ export let RuleMetadata = [
     level: NagMessageLevel.WARN,
     rule: rules.secretsmanager.SecretsManagerRotationEnabled,
   },
-  {
-    info: "The SNS topic does not have KMS encryption enabled.",
-    explanation:
-      "To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS). Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.",
-    level: NagMessageLevel.WARN,
-    rule: rules.sns.SNSEncryptedKMS,
-  },
   {
     info: "The SNS Topic does not require publishers to use SSL.",
     explanation:

packages/pdk-nag/test/prototyping-nag-pack.test.ts

@@ -113,7 +113,6 @@ const expectedWarnings = [
   "AwsPrototyping-SageMakerNotebookInVPC",
   "AwsPrototyping-SageMakerNotebookNoDirectInternetAccess",
   "AwsPrototyping-SecretsManagerRotationEnabled",
-  "AwsPrototyping-SNSEncryptedKMS",
   "AwsPrototyping-SNSTopicSSLPublishOnly",
   "AwsPrototyping-SQSQueueSSE",
   "AwsPrototyping-SQSQueueSSLRequestsOnly",