From 3eab7a8401536f67a3b7afa33350aef697e4c268 Mon Sep 17 00:00:00 2001
From: texastony <5892063+texastony@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:10:29 -0800
Subject: [PATCH] chore(cfn): restrict System Key by EC
---
cfn/ESDK-Hierarchy-CI.yaml | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/cfn/ESDK-Hierarchy-CI.yaml b/cfn/ESDK-Hierarchy-CI.yaml
index 24800d88d..331e558ca 100644
--- a/cfn/ESDK-Hierarchy-CI.yaml
+++ b/cfn/ESDK-Hierarchy-CI.yaml
@@ -173,8 +173,25 @@ Resources:
 - Effect: Allow
 Principal:
 AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
- Action: "kms:*"
- Resource: "*"
+ Action: kms:*
+ Resource: '*'
+ - Effect: Allow
+ Principal:
+ AWS:
+ # These are hard coded, which means this template will fail to bootstrap.
+ # To bootstrap, remove this allow block, and then put it back in subsequent deployment
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+ Action:
+ - kms:Encrypt
+ - kms:Decrypt
+ Resource: '*'
+ Condition:
+ StringEquals:
+ kms:EncryptionContext:type:
+ - branch:MUTATION_COMMITMENT
+ - branch:MUTATION_INDEX
 EccP256:
 Type: "AWS::KMS::Key"
 Properties:
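Review bot: The `kms:EncryptionContext:type` condition binds only the two hard-coded roles in the new statement; the preceding root statement keeps `Action: kms:*` on `Resource: '*'` unconditioned, so under normal key-policy semantics any principal granted KMS actions through an IAM policy in this account is not subject to the restriction the commit title describes. A comment above the new statement would keep that scope clear for the next reader, e.g. `# Only the roles listed here are bound to the encryption-context check; the root statement above remains unconditioned.` The bootstrap workaround described in the two added comments depends on an operator hand-editing the template and leaves a deployment in which the restricted statement is absent; a template parameter with a `Conditions` entry and `Fn::If` around the statement would make that toggle explicit and reviewable. Minor style: the rewrite drops the quotes on `kms:*` and switches `Resource` to single quotes while the surrounding lines (`!Sub "arn:..."`, `Type: "AWS::KMS::Key"`) use double quotes; keeping `Action: "kms:*"` and `Resource: "*"` would stay consistent with the file.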