From 8cd0f3b0cd7cac625b7f9582a5a78898a8b6ca2e Mon Sep 17 00:00:00 2001 From: x4v13r64 Date: Thu, 23 Mar 2023 14:17:05 +0100 Subject: [PATCH 1/4] Make test case insensitive --- ScoutSuite/core/conditions.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ScoutSuite/core/conditions.py b/ScoutSuite/core/conditions.py index 8833d71d3..08aa3a7f0 100755 --- a/ScoutSuite/core/conditions.py +++ b/ScoutSuite/core/conditions.py @@ -115,9 +115,9 @@ def pass_condition(b, test, a): # Dictionary keys tests elif test == 'withKey': - result = (a in b) + result = a.lower() in map(str.lower, b) elif test == 'withoutKey': - result = a not in b + result = a.lower() not in map(str.lower, b) # String test elif test == 'containString': From e5a30c78f7e36a515f4ffba54e20c0e6403beb1b Mon Sep 17 00:00:00 2001 From: x4v13r64 Date: Thu, 23 Mar 2023 17:37:41 +0100 Subject: [PATCH 2/4] Add case insensitive conditions --- ScoutSuite/core/conditions.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ScoutSuite/core/conditions.py b/ScoutSuite/core/conditions.py index 08aa3a7f0..d0f140beb 100755 --- a/ScoutSuite/core/conditions.py +++ b/ScoutSuite/core/conditions.py @@ -115,8 +115,12 @@ def pass_condition(b, test, a): # Dictionary keys tests elif test == 'withKey': - result = a.lower() in map(str.lower, b) + result = a in b elif test == 'withoutKey': + result = a not in b + elif test == 'withKeyCaseInsensitive': + result = a.lower() in map(str.lower, b) + elif test == 'withoutKeyCaseInsensitive': result = a.lower() not in map(str.lower, b) # String test From 3f456a756dc8a6c76c3b85e9316854062cb293eb Mon Sep 17 00:00:00 2001 
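Review bot: In the two new `withKeyCaseInsensitive`/`withoutKeyCaseInsensitive` branches, `map(str.lower, b)` raises `TypeError` as soon as any member of `b` is not a `str`, and when `b` is itself a string it iterates characters rather than keys, so these branches no longer behave like the plain `a in b` containment test they sit beside. How `b` is resolved for a scalar or missing path (for example a statement whose `Principal` is the bare string `"*"`) is outside the hunk, so whether that is reachable depends on the caller. A form that tolerates non-string members and keeps the original containment semantics is `result = a.lower() in [k.lower() for k in b if isinstance(k, str)]` (negated for the `without` variant). A short comment above the pair would also tell rule authors when to pick them, e.g. `# Case-insensitive variants: IAM matches condition key names case-insensitively, so rules testing key presence should use these.` `pass_condition` begins and ends outside the hunk.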
From: x4v13r64 Date: Thu, 23 Mar 2023 17:39:42 +0100 Subject: [PATCH 3/4] Include case insensitive checks --- .../aws/rules/conditions/policy-statement-any-principal.json | 2 +- .../findings/iam-assume-role-lacks-external-id-and-mfa.json | 2 +- .../providers/aws/rules/findings/iam-assume-role-no-mfa.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ScoutSuite/providers/aws/rules/conditions/policy-statement-any-principal.json b/ScoutSuite/providers/aws/rules/conditions/policy-statement-any-principal.json index 1ff894a9e..f95e50f46 100755 --- a/ScoutSuite/providers/aws/rules/conditions/policy-statement-any-principal.json +++ b/ScoutSuite/providers/aws/rules/conditions/policy-statement-any-principal.json @@ -2,7 +2,7 @@ "conditions": [ "or", [ "_STATEMENT_.Principal", "containAtLeastOneOf", "*" ], [ "and", - [ "_STATEMENT_.Principal", "withKey", "AWS" ], + [ "_STATEMENT_.Principal", "withKeyCaseInsensitive", "AWS" ], [ "_STATEMENT_.Principal.AWS", "containAtLeastOneOf", "*" ] ] ] diff --git a/ScoutSuite/providers/aws/rules/findings/iam-assume-role-lacks-external-id-and-mfa.json b/ScoutSuite/providers/aws/rules/findings/iam-assume-role-lacks-external-id-and-mfa.json index e429bf822..1bd5d6549 100755 --- a/ScoutSuite/providers/aws/rules/findings/iam-assume-role-lacks-external-id-and-mfa.json +++ b/ScoutSuite/providers/aws/rules/findings/iam-assume-role-lacks-external-id-and-mfa.json @@ -22,7 +22,7 @@ ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal", - "withKey", + "withKeyCaseInsensitive", "AWS" ], [ diff --git a/ScoutSuite/providers/aws/rules/findings/iam-assume-role-no-mfa.json b/ScoutSuite/providers/aws/rules/findings/iam-assume-role-no-mfa.json index e71e276e3..6a77db59a 100755 --- a/ScoutSuite/providers/aws/rules/findings/iam-assume-role-no-mfa.json +++ b/ScoutSuite/providers/aws/rules/findings/iam-assume-role-no-mfa.json 
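Review bot: Only the key-presence test became case-insensitive; the next condition in the same `and` still reads the path `_STATEMENT_.Principal.AWS`, which as far as this file shows is resolved by exact key, so a statement written as `"Principal": {"aws": "*"}` now passes the first test and then fails or misses on the second, and the any-principal finding is still not raised for it. Unless the path resolver in `conditions.py` lower-cases dictionary keys as well (not visible here), the second condition needs the same treatment, e.g. a case-insensitive variant of the path lookup, for the widened first check to change any result. A fixture policy with a lower-case `aws` principal key would pin whichever behaviour is intended.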
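Review bot: The `withKeyCaseInsensitive` test on `...Statement.id.Principal` only helps if the sibling conditions that follow it (outside the hunk, starting at the `[` after `"AWS"`) also tolerate a non-canonical `aws` key; if any of them dereferences `Principal.AWS` by exact name, a role whose trust policy uses `"aws"` still escapes this finding. Worth confirming against the rest of the finding and, if so, applying the same case-insensitive lookup there. The enclosing `conditions` array starts and ends outside the hunk.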
@@ -21,7 +21,7 @@ ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal", - "withKey", + "withKeyCaseInsensitive", "AWS" ], [ From 77388efa83d7552ef4412f9dbace2d50340eebe5 Mon Sep 17 00:00:00 2001 From: x4v13r64 Date: Thu, 23 Mar 2023 17:39:51 +0100 Subject: [PATCH 4/4] Include case insensitive checks and add conditions --- .../policy-statement-poor-condition.json | 219 ++++++++++++------ 1 file changed, 149 insertions(+), 70 deletions(-) diff --git a/ScoutSuite/providers/aws/rules/conditions/policy-statement-poor-condition.json b/ScoutSuite/providers/aws/rules/conditions/policy-statement-poor-condition.json index c70bb5768..cdec67bc2 100755 --- a/ScoutSuite/providers/aws/rules/conditions/policy-statement-poor-condition.json +++ b/ScoutSuite/providers/aws/rules/conditions/policy-statement-poor-condition.json 
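Review bot: Same concern as in the sibling finding: making the `AWS` key test case-insensitive on `...Statement.id.Principal` changes nothing unless the following conditions (outside the hunk) can also read a `Principal` whose key is spelled `aws`; otherwise the trust policy passes this check and is then dropped by the exact-key lookup further down. I would add a test fixture with a lower-case `aws` principal to confirm the finding now fires for it. The enclosing `conditions` array starts and ends outside the hunk.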
@@ -1,75 +1,154 @@ { - "conditions": [ "or", - [ "_STATEMENT_.", "withoutKey", "Condition" ], + "conditions": [ "or", + [ "_STATEMENT_.", "withoutKey", "Condition" ], + [ "and", + [ "and", + [ "_STATEMENT_.Condition.", "withoutKey", "ArnEquals" ], + [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:ArnEquals" ] + ], + [ "and", + [ "_STATEMENT_.Condition.", "withoutKey", "ArnLike" ], + [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:ArnLike" ] + ], + [ "or", + [ "_STATEMENT_.Condition.", "withoutKey", "StringEquals" ], [ "and", - [ "and", - [ "_STATEMENT_.Condition.", "withoutKey", "ArnEquals" ], - [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:ArnEquals" ] - ], - [ "and", - [ "_STATEMENT_.Condition.", "withoutKey", "ArnLike" ], - [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:ArnLike" ] - ], - [ "or", - [ "_STATEMENT_.Condition.", "withoutKey", "StringEquals" ], - [ "and", - [ "_STATEMENT_.Condition.StringEquals.", "withoutKey", "AWS:SourceArn" ], - [ "_STATEMENT_.Condition.StringEquals.", "withoutKey", "AWS:SourceOwner" ], - [ "_STATEMENT_.Condition.StringEquals.", "withoutKey", "kms:ViaService" ], - [ "_STATEMENT_.Condition.StringEquals.", "withoutKey", "kms:CallerAccount" ], - [ "_STATEMENT_.Condition.StringEquals.", "withoutKey", "iam:PassedToService" ] - ] - ], - [ "or", - [ "_STATEMENT_.Condition.", "withoutKey", "StringEqualsIgnoreCase" ], - [ "and", - [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKey", "AWS:SourceArn" ], - [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKey", "AWS:SourceOwner" ], - [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKey", "kms:ViaService" ], - [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKey", "kms:CallerAccount" ], - [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKey", "iam:PassedToService" ] - ] - ], - [ "or", - [ "_STATEMENT_.Condition.", "withoutKey", "StringLike" ], - [ "and", - [ "_STATEMENT_.Condition.StringLike.", "withoutKey", 
"AWS:SourceArn" ], - [ "_STATEMENT_.Condition.StringLike.", "withoutKey", "AWS:SourceOwner" ], - [ "_STATEMENT_.Condition.StringLike.", "withoutKey", "kms:ViaService" ], - [ "_STATEMENT_.Condition.StringLike.", "withoutKey", "kms:CallerAccount" ], - [ "_STATEMENT_.Condition.StringLike.", "withoutKey", "iam:PassedToService" ] - ] - ], - [ "or", - [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringEquals" ], - [ "and", - [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKey", "AWS:SourceArn" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKey", "AWS:SourceOwner" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKey", "kms:ViaService" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKey", "kms:CallerAccount" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKey", "iam:PassedToService" ] - ] - ], - [ "or", - [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringEqualsIgnoreCase" ], - [ "and", - [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKey", "AWS:SourceArn" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKey", "AWS:SourceOwner" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKey", "kms:ViaService" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKey", "kms:CallerAccount" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKey", "iam:PassedToService" ] - ] - ], - [ "or", - [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringLike" ], - [ "and", - [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKey", "AWS:SourceArn" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKey", "AWS:SourceOwner" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKey", "kms:ViaService" ], - [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKey", "kms:CallerAccount" ], - [ 
"_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKey", "iam:PassedToService" ] - ] - ] + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledVia" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceArn" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "iam:PassedToService" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ], + [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "kms:ViaService" ] ] + ], + [ "or", + [ "_STATEMENT_.Condition.", "withoutKey", "StringEqualsIgnoreCase" ], + [ "and", + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", 
"withoutKeyCaseInsensitive", "aws:CalledVia" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceArn" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "iam:PassedToService" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ], + [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "kms:ViaService" ] + ] + ], + [ "or", + [ "_STATEMENT_.Condition.", "withoutKey", "StringLike" ], + [ "and", + [ "_STATEMENT_.Condition.StringLike.", 
"withoutKeyCaseInsensitive", "aws:CalledVia" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:SourceArn" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "iam:PassedToService" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ], + [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "kms:ViaService" ] + ] + ], + [ "or", + [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringEquals" ], + [ "and", + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledVia" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ], + [ 
"_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceArn" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "iam:PassedToService" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "kms:ViaService" ] + ] + ], + [ "or", + [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringEqualsIgnoreCase" ], + [ "and", + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledVia" ], + [ 
"_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceArn" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "iam:PassedToService" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", 
"kms:ViaService" ] + ] + ], + [ "or", + [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringLike" ], + [ "and", + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:CalledVia" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:SourceArn" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "iam:PassedToService" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ], + [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", 
"withoutKeyCaseInsensitive", "kms:ViaService" ] + + ] + ] ] + ] }
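Review bot: The `aws:ResourceTag` entry added to every key list can never match a real policy, because the key as written in policies is `aws:ResourceTag/<tag-key>` and `withoutKeyCaseInsensitive` compares the whole lower-cased key for equality rather than a prefix, so a statement scoped only by a resource tag (or by `aws:PrincipalTag/...`, which is not listed at all) is still reported as a poor condition; either drop the entry or add a prefix-aware test in `pass_condition`. Two hedged follow-ups: `aws:ViaAWSService` is documented as a Boolean key and would normally appear under a `Bool` operator that this rule never inspects, and the operator names (`StringEquals`, `ArnLike`, ...) are still matched with the case-sensitive `withoutKey` while the keys beneath them are now case-insensitive, so it is worth confirming whether IAM also accepts mixed-case operator names. Finally, the file was re-indented in the same commit, so the 149/70 diffstat hides the handful of lines that actually changed behaviour; a separate whitespace-only commit would make the rule change reviewable.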