Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -162,6 +162,34 @@ Resources:
162162 Action : " kms:*"
163163 Resource : " *"
164164
165+ KmsKeyForHV1ReEncryptStrategy :
166+ Type : " AWS::KMS::Key"
167+ Properties :
168+ Description : KMS Key for GitHub Action Workflow for HV1 Only Branch Keys
169+ Enabled : true
170+ KeyPolicy :
171+ Version : 2012-10-17
172+ Statement :
173+ - Effect : Allow
174+ Principal :
175+ AWS : !Sub "arn:aws:iam::${AWS::AccountId}:root"
176+ Action : " kms:*"
177+ Resource : " *"
178+
179+ KmsKeyForHV2Only :
180+ Type : " AWS::KMS::Key"
181+ Properties :
182+ Description : KMS Key for GitHub Action Workflow for HV2 Only Branch Keys
183+ Enabled : true
184+ KeyPolicy :
185+ Version : 2012-10-17
186+ Statement :
187+ - Effect : Allow
188+ Principal :
189+ AWS : !Sub "arn:aws:iam::${AWS::AccountId}:root"
190+ Action : " kms:*"
191+ Resource : " *"
192+
165193 KeyStoreAdminSystemKeyKmsSymEnc :
166194 Type : " AWS::KMS::Key"
167195 Properties :
@@ -242,14 +270,26 @@ Resources:
242270 "arn:aws:kms:*:${AWS::AccountId}:key/${HierarchicalGitHubKMSKeyIDTwo}"
243271 ]
244272 },
273+ {
274+ "Effect": "Allow",
275+ "Action": [
276+ "kms:ReEncrypt*",
277+ "kms:GenerateDataKeyWithoutPlaintext",
278+ "kms:Decrypt"
279+ ],
280+ "Resource": [
281+ "arn:aws:kms:*:${AWS::AccountId}:key/${KmsKeyForHV1ReEncryptStrategy}"
282+ ]
283+ },
245284 {
246285 "Effect": "Allow",
247286 "Action": [
248287 "kms:Decrypt",
249288 "kms:Encrypt"
250289 ],
251290 "Resource": [
252- "arn:aws:kms:*:${AWS::AccountId}:key/${KeyStoreAdminSystemKeyKmsSymEnc}"
291+ "arn:aws:kms:*:${AWS::AccountId}:key/${KeyStoreAdminSystemKeyKmsSymEnc}",
292+ "arn:aws:kms:*:${AWS::AccountId}:key/${KmsKeyForHV2Only}"
253293 ]
254294 },
255295 {
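Review bot: The statement added for KmsKeyForHV1ReEncryptStrategy grants `kms:ReEncrypt*` on that one key, but KMS authorises a re-encrypt call per key — kms:ReEncryptFrom on the source key and kms:ReEncryptTo on the destination key — so if the HV1 strategy moves ciphertext between this key and one of the other keys in this policy (HierarchicalGitHubKMSKeyIDTwo just above, KeyStoreAdminSystemKeyKmsSymEnc or KmsKeyForHV2Only below), the other key's statement needs the matching action and none of the visible statements grant it. If source and destination are both this key, the wildcard is wider than the call needs and spelling out `"kms:ReEncryptFrom", "kms:ReEncryptTo"` records what the workflow actually does. A short comment naming the source and destination keys of the strategy (in the surrounding YAML, since the document body is JSON) would let a reviewer check the grant without reading the workflow. The policy document and the role it belongs to start and end outside the hunk. In the first hunk, the Description of KmsKeyForHV1ReEncryptStrategy (`KMS Key for GitHub Action Workflow for HV1 Only Branch Keys`) is the HV2 key's description with the version changed and does not say what ReEncryptStrategy in the resource name refers to; stating the key's role in the re-encrypt flow there would help.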