ScoutSuite
False positive: Publicly-accessible KMS keys
Describe the bug
ScoutSuite reported a number of KMS CMKs in my account as being publicly accessible. Upon investigation, they are not. My best guess for why ScoutSuite thinks that they are is that the condition key "kms:callerAccount" was spelled with a lower-case 'c' rather than the nominal upper-case 'C':
{
  "Sid": "Allow all principals in this account to use this key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:callerAccount": "123456789012"
    }
  }
}
As per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html, condition key names are not case-sensitive, so "kms:CallerAccount" and "kms:callerAccount" are equivalent.
If this is indeed a correct analysis of the problem, it likely applies to other findings as well.
To Reproduce
I have not tried to create a reproduction case for this flaw. Let me know if you're having difficulty and I will try to help. However, I will most likely no longer have access to the account where I encountered this flaw.
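The following is an added example, written for this page; it is not ScoutSuite's code and not the reporter's. It models a small "publicly accessible key policy" check in both forms: comparing condition key names as written (the behaviour the report attributes to ScoutSuite) and comparing them case-insensitively, as IAM actually does. The sample policy is constructed from the statement quoted above plus two further statements, and the set of condition keys treated as account/organisation scoping (`kms:CallerAccount`, `aws:PrincipalAccount`, `aws:PrincipalOrgID`) is an assumption of this example, not ScoutSuite's list.

```python
import json

# Condition keys that bind an otherwise wildcard principal to an account or
# organisation. Treating exactly these three as "scoping" is an assumption of
# this example; ScoutSuite's own rule may use a different list. They are
# written here in the documented canonical case.
ACCOUNT_SCOPING_KEYS = {
    "kms:CallerAccount",
    "aws:PrincipalAccount",
    "aws:PrincipalOrgID",
}

# Constructed sample key policy: the statement from the issue (lower-case
# 'callerAccount'), one statement that really is open to everyone, and one
# scoped to the account root. Account id and Sids are made up.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow all principals in this account to use this key",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
      "Resource": "*",
      "Condition": {"StringEquals": {"kms:callerAccount": "123456789012"}}
    },
    {
      "Sid": "Genuinely public",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*"
    },
    {
      "Sid": "Root of this account",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_wildcard_principal(statement):
    """True if the statement grants to "*" or {"AWS": "*"} (possibly in a list)."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def condition_keys(statement):
    """Condition key names exactly as written, across all condition operators."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


def is_account_scoped(statement, case_sensitive=False):
    """Does any condition restrict the caller to an account or organisation?

    case_sensitive=True reproduces the false positive from the report: the key
    is matched only if its letter case equals the canonical spelling.
    case_sensitive=False follows the IAM rule that key names are not
    case-sensitive, so "kms:callerAccount" counts as scoping.
    """
    used = condition_keys(statement)
    if case_sensitive:
        return bool(used & ACCOUNT_SCOPING_KEYS)
    return bool({k.lower() for k in used} & {k.lower() for k in ACCOUNT_SCOPING_KEYS})


def is_public_statement(statement, case_sensitive=False):
    """Allow + wildcard principal + no account/organisation scoping condition."""
    if statement.get("Effect") != "Allow":
        return False
    if not has_wildcard_principal(statement):
        return False
    return not is_account_scoped(statement, case_sensitive)


def public_statement_sids(policy, case_sensitive=False):
    """Sids of the statements the check would report as publicly accessible."""
    return [
        s.get("Sid", "<no Sid>")
        for s in _as_list(policy.get("Statement"))
        if is_public_statement(s, case_sensitive)
    ]


if __name__ == "__main__":
    print("case-sensitive   :", public_statement_sids(SAMPLE_POLICY, case_sensitive=True))
    print("case-insensitive :", public_statement_sids(SAMPLE_POLICY))
```

Run stand-alone, the case-sensitive variant reports both the issue's statement and the genuinely public one, while the case-insensitive variant reports only "Genuinely public". The Deny effect, non-wildcard principals and list-valued `Principal.AWS` are handled so the check does not over-report on those shapes either.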
This is indeed a bug. https://github.com/nccgroup/ScoutSuite/pull/1515 addresses it.