From 78d610117b264f607e8fc57c79b5bcfaa07412c9 Mon Sep 17 00:00:00 2001
From: Nick Tait
Date: Mon, 30 Sep 2024 13:47:09 +1300
Subject: [PATCH 1/5] Added permission required to generate data key for encryption.

---
 samtranslator/policy_templates_data/policy_templates.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index 6ad389fba..51cbe00ac 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -1253,7 +1253,10 @@
 "Definition": {
 "Statement": [
 {
- "Action": "kms:Encrypt",
+ "Action": [
+ "kms:Encrypt",
+ "kms:GenerateDataKey"
+ ],
 "Effect": "Allow",
 "Resource": {
 "Fn::Sub": [
From e207a715181310ec97db48bafb2e928202b379e3 Mon Sep 17 00:00:00 2001
From: Nick Tait
Date: Thu, 3 Oct 2024 13:17:22 +1300
Subject: [PATCH 2/5] Fixed expected data used by tests.

---
 tests/translator/output/all_policy_templates.json | 5 ++++-
 tests/translator/output/aws-cn/all_policy_templates.json | 5 ++++-
 tests/translator/output/aws-us-gov/all_policy_templates.json | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
index 07507ade0..195ccd5b9 100644
--- a/tests/translator/output/all_policy_templates.json
+++ b/tests/translator/output/all_policy_templates.json
@@ -1421,7 +1421,10 @@
 "PolicyDocument": {
 "Statement": [
 {
- "Action": "kms:Encrypt",
+ "Action": [
+ "kms:Encrypt",
+ "kms:GenerateDataKey"
+ ],
 "Effect": "Allow",
 "Resource": {
 "Fn::Sub": [
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
index 8a915b89a..e107ffae2 100644
--- a/tests/translator/output/aws-cn/all_policy_templates.json
+++ b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1421,7 +1421,10 @@
 "PolicyDocument": {
 "Statement": [
 {
- "Action": "kms:Encrypt",
+ "Action": [
+ "kms:Encrypt",
+ "kms:GenerateDataKey"
+ ],
 "Effect": "Allow",
 "Resource": {
 "Fn::Sub": [
diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json
index 3dc4ef5c5..f52a76174 100644
--- a/tests/translator/output/aws-us-gov/all_policy_templates.json
+++ b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1421,7 +1421,10 @@
 "PolicyDocument": {
 "Statement": [
 {
- "Action": "kms:Encrypt",
+ "Action": [
+ "kms:Encrypt",
+ "kms:GenerateDataKey"
+ ],
 "Effect": "Allow",
 "Resource": {
 "Fn::Sub": [
From 2e089a8e4c57594bde64e54ac4636ed6bc83faaa Mon Sep 17 00:00:00 2001
From: Nick Tait
Date: Thu, 3 Oct 2024 13:56:06 +1300
Subject: [PATCH 3/5] Changed "kms:GenerateDataKey" permission to "kms:GenerateDataKey*".

---
 samtranslator/policy_templates_data/policy_templates.json | 2 +-
 tests/translator/output/all_policy_templates.json | 2 +-
 tests/translator/output/aws-cn/all_policy_templates.json | 2 +-
 tests/translator/output/aws-us-gov/all_policy_templates.json | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index 51cbe00ac..7b8f28973 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -1255,7 +1255,7 @@
 {
 "Action": [
 "kms:Encrypt",
- "kms:GenerateDataKey"
+ "kms:GenerateDataKey*"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
index 195ccd5b9..82312e14f 100644
--- a/tests/translator/output/all_policy_templates.json
+++ b/tests/translator/output/all_policy_templates.json
@@ -1423,7 +1423,7 @@
 {
 "Action": [
 "kms:Encrypt",
- "kms:GenerateDataKey"
+ "kms:GenerateDataKey*"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
index e107ffae2..92d3b9d43 100644
--- a/tests/translator/output/aws-cn/all_policy_templates.json
+++ b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1423,7 +1423,7 @@
 {
 "Action": [
 "kms:Encrypt",
- "kms:GenerateDataKey"
+ "kms:GenerateDataKey*"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json
index f52a76174..0d4409191 100644
--- a/tests/translator/output/aws-us-gov/all_policy_templates.json
+++ b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1423,7 +1423,7 @@
 {
 "Action": [
 "kms:Encrypt",
- "kms:GenerateDataKey"
+ "kms:GenerateDataKey*"
 ],
 "Effect": "Allow",
 "Resource": {
From d66aa22a135a627370f77cb33dccbeae3d8dd7f5 Mon Sep 17 00:00:00 2001
From: Nick Tait
Date: Thu, 3 Oct 2024 20:22:55 +1300
Subject: [PATCH 4/5] Listed actions individually instead of using wildcard.

---
 samtranslator/policy_templates_data/policy_templates.json | 5 ++++-
 tests/translator/output/all_policy_templates.json | 5 ++++-
 tests/translator/output/aws-cn/all_policy_templates.json | 5 ++++-
 tests/translator/output/aws-us-gov/all_policy_templates.json | 5 ++++-
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index 7b8f28973..bac05eebe 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -1255,7 +1255,10 @@
 {
 "Action": [
 "kms:Encrypt",
- "kms:GenerateDataKey*"
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:GenerateDataKeyPair",
+ "kms:GenerateDataKeyPairWithoutPlaintext"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
index 82312e14f..779e8988b 100644
--- a/tests/translator/output/all_policy_templates.json
+++ b/tests/translator/output/all_policy_templates.json
@@ -1423,7 +1423,10 @@
 {
 "Action": [
 "kms:Encrypt",
- "kms:GenerateDataKey*"
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:GenerateDataKeyPair",
+ "kms:GenerateDataKeyPairWithoutPlaintext"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
index 92d3b9d43..cdcaa79d2 100644
--- a/tests/translator/output/aws-cn/all_policy_templates.json
+++ b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1423,7 +1423,10 @@
 {
 "Action": [
 "kms:Encrypt",
- "kms:GenerateDataKey*"
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:GenerateDataKeyPair",
+ "kms:GenerateDataKeyPairWithoutPlaintext"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json
index 0d4409191..03582355c 100644
--- a/tests/translator/output/aws-us-gov/all_policy_templates.json
+++ b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1423,7 +1423,10 @@
 {
 "Action": [
 "kms:Encrypt",
- "kms:GenerateDataKey*"
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:GenerateDataKeyPair",
+ "kms:GenerateDataKeyPairWithoutPlaintext"
 ],
 "Effect": "Allow",
 "Resource": {
From 6000a62d78ddb6c74a990b2d9feb4ca189742d34 Mon Sep 17 00:00:00 2001
From: Nick Tait
Date: Sun, 13 Oct 2024 15:04:46 +1300
Subject: [PATCH 5/5] Moved changes into new policy "KMSEncryptPolicy_v2", and restored old "KMSEncryptPolicy" definition.

---
 .../policy_templates.json | 26 +++++++++++++++
 .../input/all_policy_templates.yaml | 3 ++
 .../output/all_policy_templates.json | 33 +++++++++++++++----
 .../output/aws-cn/all_policy_templates.json | 33 +++++++++++++++----
 .../aws-us-gov/all_policy_templates.json | 33 +++++++++++++++----
 5 files changed, 107 insertions(+), 21 deletions(-)

diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index bac05eebe..e50f44792 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -1250,6 +1250,32 @@
 }
 },
 "KMSEncryptPolicy": {
+ "Definition": {
+ "Statement": [
+ {
+ "Action": "kms:Encrypt",
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+ {
+ "keyId": {
+ "Ref": "KeyId"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "Description": "Gives permission to encrypt with KMS Key",
+ "Parameters": {
+ "KeyId": {
+ "Description": "ID of the KMS Key"
+ }
+ }
+ },
+ "KMSEncryptPolicy_v2": {
 "Definition": {
 "Statement": [
 {
diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml
index c2666a9c5..ab1f8d596 100644
--- a/tests/translator/input/all_policy_templates.yaml
+++ b/tests/translator/input/all_policy_templates.yaml
@@ -187,3 +187,6 @@ Resources:
 - StepFunctionsCallbackPolicy:
 StateMachineName: name
+
+ - KMSEncryptPolicy_v2:
+ KeyId: keyId
diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
index 779e8988b..c42a0314a 100644
--- a/tests/translator/output/all_policy_templates.json
+++ b/tests/translator/output/all_policy_templates.json
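Review bot: The `KMSEncryptPolicy_v2` entry opened by the last added line of this hunk takes its body, including its `Description`, from the pre-existing definition below the hunk, so it presumably still reads `"Gives permission to encrypt with KMS Key"` while its statement (per the earlier patches in this series) also allows the four `kms:GenerateDataKey*` actions. That text should say what the template actually grants: data-key generation for envelope encryption, where `kms:GenerateDataKey` and `kms:GenerateDataKeyPair` return the data key in plaintext, so a role holding this template can decrypt anything it encrypts under the data keys it generates even without `kms:Decrypt`; consumers that only need the wrapped form are better served by the `WithoutPlaintext` actions alone. A description along the lines of `"Gives permission to encrypt with a KMS Key and to generate (plaintext or wrapped) data keys under it; use KMSEncryptPolicy when only kms:Encrypt is needed"` would make the difference between the two templates visible to anyone choosing between them. Keeping the original `KMSEncryptPolicy` byte-for-byte, as this hunk does, is the right way to add the capability without widening every role that already references it.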
@@ -1421,13 +1421,7 @@
 "PolicyDocument": {
 "Statement": [
 {
- "Action": [
- "kms:Encrypt",
- "kms:GenerateDataKey",
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:GenerateDataKeyPair",
- "kms:GenerateDataKeyPairWithoutPlaintext"
- ],
+ "Action": "kms:Encrypt",
 "Effect": "Allow",
 "Resource": {
 "Fn::Sub": [
@@ -1732,6 +1726,31 @@
 ]
 },
 "PolicyName": "KitchenSinkFunctionRolePolicy63"
+ },
+ {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "kms:Encrypt",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:GenerateDataKeyPair",
+ "kms:GenerateDataKeyPairWithoutPlaintext"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+ {
+ "keyId": "keyId"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "PolicyName": "KitchenSinkFunctionRolePolicy64"
 }
 ],
 "Tags": [
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
index cdcaa79d2..7a6f70009 100644
--- a/tests/translator/output/aws-cn/all_policy_templates.json
+++ b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1421,13 +1421,7 @@
 "PolicyDocument": {
 "Statement": [
 {
- "Action": [
- "kms:Encrypt",
- "kms:GenerateDataKey",
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:GenerateDataKeyPair",
- "kms:GenerateDataKeyPairWithoutPlaintext"
- ],
+ "Action": "kms:Encrypt",
 "Effect": "Allow",
 "Resource": {
 "Fn::Sub": [
@@ -1732,6 +1726,31 @@
 ]
 },
 "PolicyName": "KitchenSinkFunctionRolePolicy63"
+ },
+ {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "kms:Encrypt",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:GenerateDataKeyPair",
+ "kms:GenerateDataKeyPairWithoutPlaintext"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+ {
+ "keyId": "keyId"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "PolicyName": "KitchenSinkFunctionRolePolicy64"
 }
 ],
 "Tags": [
diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json
index 03582355c..bc6e666d9 100644
--- a/tests/translator/output/aws-us-gov/all_policy_templates.json
+++ b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1421,13 +1421,7 @@
 "PolicyDocument": {
 "Statement": [
 {
- "Action": [
- "kms:Encrypt",
- "kms:GenerateDataKey",
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:GenerateDataKeyPair",
- "kms:GenerateDataKeyPairWithoutPlaintext"
- ],
+ "Action": "kms:Encrypt",
 "Effect": "Allow",
 "Resource": {
 "Fn::Sub": [
@@ -1732,6 +1726,31 @@
 ]
 },
 "PolicyName": "KitchenSinkFunctionRolePolicy63"
+ },
+ {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "kms:Encrypt",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:GenerateDataKeyPair",
+ "kms:GenerateDataKeyPairWithoutPlaintext"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+ {
+ "keyId": "keyId"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "PolicyName": "KitchenSinkFunctionRolePolicy64"
 }
 ],
 "Tags": [