Describe the bug

Using bucket policies, users can deny all S3 actions on a bucket and its contents if the request is not over SSL/TLS (ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Boolean). Under certain conditions, ScoutSuite alerts a false positive when AWS users enforce TLS for S3 transport via bucket policy.

The related ScoutSuite finding checks for the condition key name `aws:SecureTransport` (ref: https://github.com/nccgroup/ScoutSuite/blob/develop/ScoutSuite/providers/aws/facade/s3.py#L270) but does not account for variations in letter case of the key name. According to AWS documentation:

> Condition key names are not case-sensitive. For example, including the aws:SourceIP condition key is equivalent to testing for AWS:SourceIp.

This means users can specify the `aws:SecureTransport` condition key name using any letter casing (e.g. `aws:securetransport`) and still provide a valid bucket policy. The ScoutSuite check likely needs to account for all letter-case variations of the key name.

To Reproduce

The following reproduction tests show an S3 bucket policy that uses `aws:securetransport` for the condition key name, and show that the bucket policy is interpreted differently when all lower casing is used for `aws:securetransport`:

Policy 1 (deny http requests)

Response 1

Policy 2 (allow http requests)

Response 2
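As an added illustration of the false positive (this is example code, not ScoutSuite's own check and not the policies from the report, whose policy and response blocks were not preserved here), the following Python compares a case-sensitive condition-key lookup with a case-insensitive one over two constructed bucket policies that both deny non-TLS requests. The function names, the sample policies and the bucket name are assumptions made for this example.

```python
import json

# Constructed sample policies (not from the original issue). Both deny every
# S3 request that is not made over TLS; they differ only in the casing of the
# condition key, which AWS treats as equivalent.
POLICY_MIXED_CASE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

POLICY_LOWER_CASE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:securetransport": "false"}}
  }]
}""")

# Constructed policy with no TLS enforcement at all (a true finding).
POLICY_NO_TLS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def naive_enforces_tls(policy):
    """Case-sensitive lookup of the condition key: the class of bug described
    in the report. Any casing other than 'aws:SecureTransport' is missed."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def enforces_tls(policy):
    """Case-insensitive lookup of the condition key, as AWS evaluates it.
    The 'Bool' operator name is matched exactly as written in the policy."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            if operator != "Bool":
                continue
            for key, value in keys.items():
                if key.lower() != "aws:securetransport":
                    continue
                # The value may be a string, a JSON boolean, or a list of either.
                if "false" in [str(v).lower() for v in _as_list(value)]:
                    return True
    return False


if __name__ == "__main__":
    for name, policy in [("mixed case", POLICY_MIXED_CASE),
                         ("lower case", POLICY_LOWER_CASE),
                         ("no TLS condition", POLICY_NO_TLS)]:
        print(f"{name:18} naive={naive_enforces_tls(policy)!s:5} "
              f"fixed={enforces_tls(policy)}")
```

Running the block prints one line per policy: the naive check reports the lower-case policy as not enforcing TLS (the false positive), while the case-insensitive check recognises both Deny policies and still flags the policy that has no TLS condition.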