False positive: Publicly-accessible KMS keys

[rdegraaf]

Describe the bug

ScoutSuite reported a number of KMS CMKs in my account as being publicly accessible. Upon investigation, they are not. My best guess for why ScoutSuite thinks that they are is that the condition key "kms:callerAccount" was spelled with a lower-case 'c' rather than the nominal upper-case 'C':

{
    "Sid": "Allow all principals in this account to use this key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:callerAccount": "123456789012"
        }
    }
}

As per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html, condition key names are not case-sensitive so "kms:CallerAccount" and "kms:callerAccount" are equivalent.

If this is indeed a correct analysis of the problem, it likely applies to other findings as well.

To Reproduce

I have not tried to create a reproduction case for this flaw. Let me know if you're having difficulty and I will try to help. However, I will most likely no longer have access to the account where I encountered this flaw.

[x64-latacora]

This is indeed a bug. #1515 addresses it.