chore(cfn): restrict System Key by EC

aws · Dec 13, 2024 · 3eab7a8 · 3eab7a8
1 parent 9c0547b
commit 3eab7a8
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/cfn/ESDK-Hierarchy-CI.yaml b/cfn/ESDK-Hierarchy-CI.yaml
@@ -173,8 +173,25 @@ Resources:
           - Effect: Allow
             Principal:
               AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
-            Action: "kms:*"
-            Resource: "*"
+            Action: kms:*
+            Resource: '*'
+          - Effect: Allow
+            Principal:
+              AWS:
+                # These are hard coded, which means this template will fail to bootstrap.
+                # To bootstrap, remove this allow block, and then put it back in subsequent deployment
+                - !Sub "arn:aws:iam::${AWS::AccountId}:role/GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+                - !Sub "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+            Action:
+              - kms:Encrypt
+              - kms:Decrypt
+            Resource: '*'
+            Condition:
+              StringEquals:
+                kms:EncryptionContext:type:
+                  - branch:MUTATION_COMMITMENT
+                  - branch:MUTATION_INDEX
+
   EccP256:
     Type: "AWS::KMS::Key"
     Properties: