chore(release): 2.79.1 (#25542)

See [CHANGELOG.v2.md](https://raw.githubusercontent.com/aws/aws-cdk/patch/v2.79.1/CHANGELOG.v2.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

CHANGELOG.v2.alpha.md

@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.79.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.79.0-alpha.0...v2.79.1-alpha.0) (2023-05-11)
+
 ## [2.79.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.78.0-alpha.0...v2.79.0-alpha.0) (2023-05-10)
 
 

CHANGELOG.v2.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.79.1](https://github.com/aws/aws-cdk/compare/v2.79.0...v2.79.1) (2023-05-11)
+
+
+### Bug Fixes
+
+* **bootstrap:** bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) ([#25272](https://github.com/aws/aws-cdk/issues/25272)) ([4c4014e](https://github.com/aws/aws-cdk/commit/4c4014e0bd3fa90402cfc22971f1cbe5d372642f))
+
 ## [2.79.0](https://github.com/aws/aws-cdk/compare/v2.78.0...v2.79.0) (2023-05-10)
 
 

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -473,35 +473,20 @@ Resources:
                     StringNotEquals:
                         s3:ResourceAccount:
                             Ref: 'AWS::AccountId'
-              - Fn::If:
-                - HasTrustedAccounts
-                - Sid: PipelineCrossAccountArtifactsKey
-                  # Use keys only for the purposes of reading encrypted files from S3.
-                  Effect: Allow
-                  Action:
-                    - kms:Decrypt
-                    - kms:DescribeKey
-                    - kms:Encrypt
-                    - kms:ReEncrypt*
-                    - kms:GenerateDataKey*
-
-                  # SecurityHub's rule KMS.2 complains if we put a '*' here, so instead we'll
-                  # turn the list of trusted accountIds ['111', '222', ...] into a list of
-                  # wildcard ARNS: ['arn:aws:kms:*:1111:*', 'arn:aws:kms:*:2222:*', ...].
-                  Resource:
-                    Fn::Split:
-                      - "|"
-                      - Fn::Sub:
-                        - "arn:aws:kms:*:${JoinedAccounts}:*"
-                        - JoinedAccounts:
-                            Fn::Join:
-                              - ":*|arn:aws:kms:*:"
-                              - { Ref: TrustedAccounts }
-                  Condition:
-                    StringEquals:
-                      kms:ViaService:
-                        Fn::Sub: s3.${AWS::Region}.amazonaws.com
-                - { Ref: AWS::NoValue }
+              - Sid: PipelineCrossAccountArtifactsKey
+                # Use keys only for the purposes of reading encrypted files from S3.
+                Effect: Allow
+                Action:
+                  - kms:Decrypt
+                  - kms:DescribeKey
+                  - kms:Encrypt
+                  - kms:ReEncrypt*
+                  - kms:GenerateDataKey*
+                Resource: "*"
+                Condition:
+                  StringEquals:
+                    kms:ViaService:
+                      Fn::Sub: s3.${AWS::Region}.amazonaws.com
               - Action: iam:PassRole
                 Resource:
                   Fn::Sub: "${CloudFormationExecutionRole.Arn}"
@@ -633,7 +618,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '17'
+      Value: '18'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack

version.v2.json

@@ -1,4 +1,4 @@
 {
-  "version": "2.79.0",
-  "alphaVersion": "2.79.0-alpha.0"
+  "version": "2.79.1",
+  "alphaVersion": "2.79.1-alpha.0"
 }