ScoutSuite
False positive: publicly-accessible SNS Topics
ScoutSuite reported a number of SNS Topics in my account as being publicly accessible. Upon investigation, they are not. They had resource policies containing the following statements:
```json
{
    "Sid": "__default_statement_ID",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": [
        "SNS:GetTopicAttributes",
        <elided>
    ],
    "Resource": "<redacted>",
    "Condition": {
        "StringEquals": {
            "AWS:SourceOwner": "<redacted>"
        }
    }
},
{
    "Sid": "AWSSNSPolicy",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "sns:Publish",
    "Resource": "<redacted>",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalOrgID": "<redacted>"
        }
    }
}
```
Since other Topics' access policies also used the condition key "AWS:SourceOwner" (spelled with upper-case "AWS") without being flagged, this is probably not the problem. The problem is most likely the "aws:PrincipalOrgID" condition key.
If this is indeed a correct analysis of the problem, it likely applies to other findings as well.
To Reproduce
I have not tried to create a reproduction case for this flaw. Let me know if you're having difficulty and I will try to help. However, I will most likely no longer have access to the account where I encountered this flaw.
That's correct, the key is missing from https://github.com/nccgroup/ScoutSuite/blob/develop/ScoutSuite/providers/aws/rules/conditions/policy-statement-poor-condition.json but exists in https://github.com/nccgroup/ScoutSuite/pull/1515.
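To illustrate the false positive described above, here is an added example (not ScoutSuite's own rule code) of a small checker that treats an `Allow` statement with a wildcard principal as public unless a principal-scoping condition key restricts it; the set of scoping keys, the sample account and organization IDs, and the `ReallyPublic` statement are constructed for this example. Dropping `aws:PrincipalOrgID` from the key set reproduces the reported behaviour.

```python
import json

# Condition keys that pin a wildcard principal to known accounts or organizations.
# This set is an assumption for this example, not ScoutSuite's policy-statement-poor-condition.json.
SCOPING_KEYS = {"aws:sourceowner", "aws:sourceaccount", "aws:sourcearn",
                "aws:principalorgid", "aws:principalaccount"}
# Only positive match operators restrict the caller; StringNotEquals and friends do not.
SCOPING_OPERATORS = {"StringEquals", "StringLike", "ArnEquals", "ArnLike"}

def has_wildcard_principal(statement):
    """True for "Principal": "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def is_public(statement, scoping_keys=SCOPING_KEYS):
    """Allow + wildcard principal + no condition that narrows who the principal can be."""
    if statement.get("Effect") != "Allow" or not has_wildcard_principal(statement):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in SCOPING_OPERATORS:
            continue
        for key, value in pairs.items():
            values = value if isinstance(value, list) else [value]
            # IAM condition keys are case-insensitive ("AWS:SourceOwner" == "aws:sourceowner");
            # a "*" value would not restrict anything, so it does not count as scoping.
            if key.lower() in scoping_keys and "*" not in values:
                return False
    return True

def public_sids(policy, scoping_keys=SCOPING_KEYS):
    """Return the Sids of statements the checker would report as publicly accessible."""
    return [s.get("Sid") for s in policy["Statement"] if is_public(s, scoping_keys)]

# Constructed sample mirroring the report; the account ID and org ID are placeholders.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": ["SNS:GetTopicAttributes"], "Resource": "arn:aws:sns:us-east-1:111122223333:t",
  "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}},
 {"Sid": "AWSSNSPolicy", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": "sns:Publish", "Resource": "arn:aws:sns:us-east-1:111122223333:t",
  "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
 {"Sid": "ReallyPublic", "Effect": "Allow", "Principal": "*",
  "Action": "sns:Subscribe", "Resource": "arn:aws:sns:us-east-1:111122223333:t"}]}""")

if __name__ == "__main__":
    print("aws:PrincipalOrgID known:  ", public_sids(SAMPLE_POLICY))
    print("aws:PrincipalOrgID missing:", public_sids(SAMPLE_POLICY, SCOPING_KEYS - {"aws:principalorgid"}))
```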