
Commit 1280071

Yandy Ramirez
authored and
Elad Ben-Israel
committed
fix(aws-kms): Incomplete KMS Resource Policy Permissions (#3459)
Fixes #3458, where an incomplete default resource policy for the root account principal was generated, requiring a workaround. See issue #3458 for the complete reference.
1 parent 334261d commit 1280071

27 files changed

+83
-41
lines changed

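--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
@@ -25,7 +25,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {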

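--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {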

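--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {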

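--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
@@ -28,7 +28,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {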

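--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {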

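--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
@@ -240,7 +240,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {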

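--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
@@ -90,7 +90,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {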

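--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {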

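--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json
@@ -33,7 +33,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {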

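--- a/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
+++ b/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
@@ -25,7 +25,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {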

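--- a/packages/@aws-cdk/aws-glue/test/integ.table.expected.json
+++ b/packages/@aws-cdk/aws-glue/test/integ.table.expected.json
@@ -120,7 +120,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {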

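--- a/packages/@aws-cdk/aws-glue/test/test.table.ts
+++ b/packages/@aws-cdk/aws-glue/test/test.table.ts
@@ -338,7 +338,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -470,7 +471,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -678,7 +680,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -791,7 +794,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -906,7 +910,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {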

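--- a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
@@ -131,7 +131,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -215,7 +216,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -298,7 +300,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -435,7 +438,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -580,7 +584,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {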

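--- a/packages/@aws-cdk/aws-kms/lib/key.ts
+++ b/packages/@aws-cdk/aws-kms/lib/key.ts
@@ -245,7 +245,8 @@ export class Key extends KeyBase {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ];
 
 this.addToResourcePolicy(new PolicyStatement({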
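Review bot: The default action list handed to `addToResourcePolicy` now grants the key's default principal `kms:GenerateDataKey` alongside the administrative actions, but nothing in the code records why this one key-usage action is included while the rest of the usage family is not, so the next maintainer cannot tell a deliberate least-privilege boundary from an oversight. Add a why-comment above the new entry, along the lines of `// kms:GenerateDataKey is part of the default policy since #3458 (the default root policy was incomplete); any further widening of this default should come with a matching unit test`. The list literal and the enclosing method of `Key` both start outside the hunk, so the principal this statement is attached to cannot be confirmed here; the test expectations on this page show it is the account `:root` ARN, which is the broadest principal a key policy can name and therefore the right place for such a comment.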

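--- a/packages/@aws-cdk/aws-kms/test/integ.key-sharing.lit.expected.json
+++ b/packages/@aws-cdk/aws-kms/test/integ.key-sharing.lit.expected.json
@@ -19,7 +19,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {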

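--- a/packages/@aws-cdk/aws-kms/test/integ.key.expected.json
+++ b/packages/@aws-cdk/aws-kms/test/integ.key.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {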

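--- a/packages/@aws-cdk/aws-kms/test/test.key.ts
+++ b/packages/@aws-cdk/aws-kms/test/test.key.ts
@@ -30,7 +30,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -104,7 +105,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -183,7 +185,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -277,7 +280,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -341,7 +345,7 @@ export = {
 // This one is there by default
 {
 // tslint:disable-next-line:max-line-length
-Action: [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ],
+Action: [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey" ],
 Effect: "Allow",
 Principal: { AWS: { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::", { Ref: "AWS::AccountId" }, ":root" ] ] } },
 Resource: "*"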

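--- a/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json
+++ b/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json
@@ -371,7 +371,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {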

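--- a/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
+++ b/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
@@ -95,7 +95,8 @@ test('if the queue is encrypted with a custom kms key, the key resource policy i
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {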

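--- a/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
+++ b/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
@@ -290,7 +290,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {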

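--- a/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json
+++ b/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {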

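--- a/packages/@aws-cdk/aws-s3/test/test.bucket.ts
+++ b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
@@ -279,7 +279,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -828,7 +829,7 @@ export = {
 "Statement": [
 {
 "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
-"kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
+"kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey"],
 "Effect": "Allow",
 "Principal": {
 "AWS": {
@@ -882,7 +883,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {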

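--- a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
+++ b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -105,7 +105,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -204,7 +205,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {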

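--- a/packages/@aws-cdk/aws-ses/test/integ.receipt.expected.json
+++ b/packages/@aws-cdk/aws-ses/test/integ.receipt.expected.json
@@ -153,7 +153,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
-"kms:CancelKeyDeletion"
+"kms:CancelKeyDeletion",
+"kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {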

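--- a/packages/@aws-cdk/aws-ses/test/test.receipt-rule-action.ts
+++ b/packages/@aws-cdk/aws-ses/test/test.receipt-rule-action.ts
@@ -310,7 +310,8 @@ export = {
 'kms:Get*',
 'kms:Delete*',
 'kms:ScheduleKeyDeletion',
-'kms:CancelKeyDeletion'
+'kms:CancelKeyDeletion',
+"kms:GenerateDataKey"
 ],
 Effect: 'Allow',
 Principal: {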
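Review bot: The added expectation entry `"kms:GenerateDataKey"` is double-quoted while every neighbouring entry in this array (`'kms:Get*'`, `'kms:CancelKeyDeletion'`, `Effect: 'Allow'`) uses single quotes, so the line reads as pasted from one of the other test files and will be flagged if this package's lint config enforces a single-quote style. Change it to `'kms:GenerateDataKey',`-style quoting, i.e. `'kms:GenerateDataKey'`. The enclosing test case starts and ends outside the hunk.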
