diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index 4d8a4d1dcce64..321a5fdd76089 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -473,35 +473,20 @@ Resources:
 StringNotEquals:
 s3:ResourceAccount:
 Ref: 'AWS::AccountId'
- - Fn::If:
- - HasTrustedAccounts
- - Sid: PipelineCrossAccountArtifactsKey
- # Use keys only for the purposes of reading encrypted files from S3.
- Effect: Allow
- Action:
- - kms:Decrypt
- - kms:DescribeKey
- - kms:Encrypt
- - kms:ReEncrypt*
- - kms:GenerateDataKey*
-
- # SecurityHub's rule KMS.2 complains if we put a '*' here, so instead we'll
- # turn the list of trusted accountIds ['111', '222', ...] into a list of
- # wildcard ARNS: ['arn:aws:kms:*:1111:*', 'arn:aws:kms:*:2222:*', ...].
- Resource:
- Fn::Split:
- - "|"
- - Fn::Sub:
- - "arn:aws:kms:*:${JoinedAccounts}:*"
- - JoinedAccounts:
- Fn::Join:
- - ":*|arn:aws:kms:*:"
- - { Ref: TrustedAccounts }
- Condition:
- StringEquals:
- kms:ViaService:
- Fn::Sub: s3.${AWS::Region}.amazonaws.com
- - { Ref: AWS::NoValue }
+ - Sid: PipelineCrossAccountArtifactsKey
+ # Use keys only for the purposes of reading encrypted files from S3.
+ Effect: Allow
+ Action:
+ - kms:Decrypt
+ - kms:DescribeKey
+ - kms:Encrypt
+ - kms:ReEncrypt*
+ - kms:GenerateDataKey*
+ Resource: "*"
+ Condition:
+ StringEquals:
+ kms:ViaService:
+ Fn::Sub: s3.${AWS::Region}.amazonaws.com
 - Action: iam:PassRole
 Resource:
 Fn::Sub: "${CloudFormationExecutionRole.Arn}"
@@ -633,7 +618,7 @@ Resources:
 Type: String
 Name:
 Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
- Value: '17'
+ Value: '18'
 Outputs:
 BucketName:
 Description: The name of the S3 bucket owned by the CDK toolkit stack
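Review bot: The new PipelineCrossAccountArtifactsKey statement grants `Resource: "*"` with no resource scoping at all, so the role carrying this policy may now use any KMS key in any account, rather than only keys in the TrustedAccounts the removed Fn::Split/Fn::Join expression enumerated, and the deleted comment itself records that a bare `*` here is exactly what trips SecurityHub rule KMS.2, so that finding will resurface in every bootstrapped account. The only remaining guard in the statement is `kms:ViaService` equal to `s3.${AWS::Region}.amazonaws.com`, which constrains how the key is reached, not which key; each key's own key policy is then what actually limits use, and nothing in the template says so. If the wide resource is deliberate, add a comment above `Resource: "*"` along the lines of `# Intentionally '*': the artifact bucket's key may not belong to an account listed in TrustedAccounts; use is restricted to calls made through S3 in this region (kms:ViaService) and by each key's own key policy. SecurityHub KMS.2 will flag this statement.` The statement is also no longer wrapped in `Fn::If: HasTrustedAccounts`, so it is emitted even when no trusted accounts are configured; whether that is intended cannot be told from the hunk. The enclosing policy document and its statement list begin and end outside this hunk.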