chore(cfn): restrict System Key by EC

texastony · texastony · commit 5e6815f79cb4 · 2024-12-13T15:30:56.000-08:00
diff --git a/cfn/ESDK-Hierarchy-CI.yaml b/cfn/ESDK-Hierarchy-CI.yaml
@@ -173,8 +173,25 @@ Resources:
           - Effect: Allow
             Principal:
               AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
-            Action: "kms:*"
+            Action: kms:*
+            Resource: "*"
+          - Effect: Allow
+            Principal:
+              AWS:
+                # These are hard coded, which means this template will fail to bootstrap.
+                # To bootstrap, remove this allow block, and then put it back in subsequent deployment
+                - !Sub "arn:aws:iam::${AWS::AccountId}:role/GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+                - !Sub "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+            Action:
+              - kms:Encrypt
+              - kms:Decrypt
             Resource: "*"
+            Condition:
+              StringEquals:
+                kms:EncryptionContext:type:
+                  - branch:MUTATION_COMMITMENT
+                  - branch:MUTATION_INDEX
+
   EccP256:
     Type: "AWS::KMS::Key"
     Properties:
