Describe the bug
ScoutSuite reported a number of KMS CMKs in my account as being publicly accessible. Upon investigation, they are not. My best guess for why ScoutSuite thinks that they are is that the condition key "kms:callerAccount" was spelled with a lower-case 'c' rather than the nominal upper-case 'C':
{
    "Sid": "Allow all principals in this account to use this key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:callerAccount": "123456789012"
        }
    }
}
As per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html, condition key names are not case-sensitive, so "kms:CallerAccount" and "kms:callerAccount" are equivalent. If this is indeed a correct analysis of the problem, it likely applies to other findings as well.
To Reproduce
I have not tried to create a reproduction case for this flaw. Let me know if you're having difficulty and I will try to help. However, I will most likely no longer have access to the account where I encountered this flaw.
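The check the report describes, as an added illustration that is not ScoutSuite's own code: a wildcard-principal KMS statement is only "public" if no account-scoping condition key restricts it, and the key names must be compared case-insensitively. The `case_insensitive=False` path reproduces the suspected false positive on the policy quoted above; the scoping-key list and equality-operator list are assumptions for this example.

```python
# Constructed from the key policy statement quoted in the issue.
STATEMENT = {
    "Sid": "Allow all principals in this account to use this key",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:callerAccount": "123456789012"}},
}

# Assumed set of condition keys (canonical AWS spelling) that tie a wildcard
# principal back to one account or organization; extend as needed.
ACCOUNT_SCOPING_KEYS = {"kms:CallerAccount", "aws:PrincipalAccount", "aws:PrincipalOrgID"}
# Assumed: only positive string-equality operators count as a restriction.
EQUALITY_OPERATORS = {"StringEquals", "StringEqualsIgnoreCase"}


def has_wildcard_principal(statement):
    """True if the statement grants to every AWS principal ("*")."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def is_account_scoped(statement, case_insensitive=True):
    """True if an equality condition on an account-scoping key is present.
    IAM condition key names are case-insensitive, so compare lower-cased."""
    norm = str.lower if case_insensitive else (lambda s: s)
    wanted = {norm(k) for k in ACCOUNT_SCOPING_KEYS}
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in EQUALITY_OPERATORS:
            continue
        if any(norm(key) in wanted for key in pairs):
            return True
    return False


def is_effectively_public(statement, case_insensitive=True):
    """Allow + wildcard principal + no account-scoping condition => public.
    Deny statements elsewhere in the policy are ignored (simplification)."""
    return (statement.get("Effect") == "Allow"
            and has_wildcard_principal(statement)
            and not is_account_scoped(statement, case_insensitive))
```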