Limit KMS by region

mattclay · Sep 4, 2020 · 839c687 · 839c687
1 parent 5cd70e2
commit 839c687
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
@@ -27,7 +27,7 @@ Statement:
     Resource:
       - 'arn:aws:iam::{{ aws_account_id }}:role/ansible_lambda_role'
 
-  - Sid: AllowRegionUnrestrictedResourceActionsWhichIncurNoFees
+  - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
       - iam:ListAccountAliases
@@ -112,13 +112,17 @@ Statement:
         aws:RequestedRegion:
           - '{{ aws_region }}'
 
-  - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurFees
+  - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
       - kms:CancelKeyDeletion
       - kms:CreateKey
       - kms:GenerateRandom
     Resource: "*"
+    Condition:
+      StringEquals:
+        aws:RequestedRegion:
+          - '{{ aws_region }}'
 
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow