From 51b69948efa593bc8bfdbfe8efe9093e6336e4af Mon Sep 17 00:00:00 2001 From: elmaimbo <76469980+elmaimbo@users.noreply.github.com> Date: Mon, 4 Nov 2024 20:57:03 +1300 Subject: [PATCH] Added kms:GenerateDataKey action to KMSEncryptPolicy policy (#3657) Co-authored-by: Nick Tait Co-authored-by: Aayush thapa <84202325+aaythapa@users.noreply.github.com> --- .../policy_templates.json | 32 +++++++++++++++++++ .../input/all_policy_templates.yaml | 3 ++ .../output/all_policy_templates.json | 25 +++++++++++++++ .../output/aws-cn/all_policy_templates.json | 25 +++++++++++++++ .../aws-us-gov/all_policy_templates.json | 25 +++++++++++++++ 5 files changed, 110 insertions(+) diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json index 6ad389fba..e50f44792 100644 --- a/samtranslator/policy_templates_data/policy_templates.json +++ b/samtranslator/policy_templates_data/policy_templates.json @@ -1275,6 +1275,38 @@ } } }, + "KMSEncryptPolicy_v2": { + "Definition": { + "Statement": [ + { + "Action": [ + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:GenerateDataKeyPair", + "kms:GenerateDataKeyPairWithoutPlaintext" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + { + "keyId": { + "Ref": "KeyId" + } + } + ] + } + } + ] + }, + "Description": "Gives permission to encrypt with KMS Key", + "Parameters": { + "KeyId": { + "Description": "ID of the KMS Key" + } + } + }, "KinesisCrudPolicy": { "Definition": { "Statement": [ diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml index c2666a9c5..ab1f8d596 100644 --- a/tests/translator/input/all_policy_templates.yaml +++ b/tests/translator/input/all_policy_templates.yaml 
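Review bot: The `Description` of the new `KMSEncryptPolicy_v2` entry still reads "Gives permission to encrypt with KMS Key", yet its `Action` list now also allows the four `kms:GenerateDataKey*` calls, and `kms:GenerateDataKey` / `kms:GenerateDataKeyPair` hand back key material in plaintext, so a template author reading the description cannot see why v2 is broader than the original; suggest `"Description": "Gives permission to encrypt and to generate data keys (including plaintext-returning variants) with a KMS Key"`. The commit title has the same gap, naming only `kms:GenerateDataKey` while four generate actions are added. The `KeyId` parameter is interpolated into `key/${keyId}` in the `Fn::Sub`, so only a key ID produces a matching ARN and an alias would silently yield a policy that matches nothing; `"Description": "ID of the KMS Key (a key ID, not an alias; the resource ARN is built as key/<id>)"` would make that explicit. The original `KMSEncryptPolicy` definition is outside this hunk, so I cannot confirm how its action list differs from v2.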
@@ -187,3 +187,6 @@ Resources: - StepFunctionsCallbackPolicy: StateMachineName: name + + - KMSEncryptPolicy_v2: + KeyId: keyId diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json index 07507ade0..c42a0314a 100644 --- a/tests/translator/output/all_policy_templates.json +++ b/tests/translator/output/all_policy_templates.json @@ -1726,6 +1726,31 @@ ] }, "PolicyName": "KitchenSinkFunctionRolePolicy63" + }, + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:GenerateDataKeyPair", + "kms:GenerateDataKeyPairWithoutPlaintext" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + { + "keyId": "keyId" + } + ] + } + } + ] + }, + "PolicyName": "KitchenSinkFunctionRolePolicy64" } ], "Tags": [ diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json index 8a915b89a..7a6f70009 100644 --- a/tests/translator/output/aws-cn/all_policy_templates.json +++ b/tests/translator/output/aws-cn/all_policy_templates.json @@ -1726,6 +1726,31 @@ ] }, "PolicyName": "KitchenSinkFunctionRolePolicy63" + }, + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:GenerateDataKeyPair", + "kms:GenerateDataKeyPairWithoutPlaintext" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + { + "keyId": "keyId" + } + ] + } + } + ] + }, + "PolicyName": "KitchenSinkFunctionRolePolicy64" } ], "Tags": [ diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json index 3dc4ef5c5..bc6e666d9 100644 
--- a/tests/translator/output/aws-us-gov/all_policy_templates.json +++ b/tests/translator/output/aws-us-gov/all_policy_templates.json @@ -1726,6 +1726,31 @@ ] }, "PolicyName": "KitchenSinkFunctionRolePolicy63" + }, + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:GenerateDataKeyPair", + "kms:GenerateDataKeyPairWithoutPlaintext" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + { + "keyId": "keyId" + } + ] + } + } + ] + }, + "PolicyName": "KitchenSinkFunctionRolePolicy64" } ], "Tags": [