Open AndreiDiaconovici opened 2 weeks ago
Greetings,
It seems that the KMS Condition with SourceArn is not working.
```yaml
KMSKey:
  Type: AWS::KMS::Key
  DeletionPolicy: Delete
  UpdateReplacePolicy: Delete
  Properties:
    Description: Used by Assumed Roles in Accounts accounts to Encrypt/Decrypt code
    EnableKeyRotation: true
    KeyPolicy:
      Version: "2012-10-17"
      Id: !Ref AWS::StackName
      Statement:
        - Sid: Allows admin of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
          Action:
            - "kms:CancelKeyDeletion"
            - "kms:Create*"
            - "kms:Decrypt"
            - "kms:Delete*"
            - "kms:Describe*"
            - "kms:DescribeKey"
            - "kms:Disable*"
            - "kms:Enable*"
            - "kms:Encrypt"
            - "kms:GenerateDataKey*"
            - "kms:Get*"
            - "kms:List*"
            - "kms:Put*"
            - "kms:ReEncrypt*"
            - "kms:Revoke*"
            - "kms:ScheduleKeyDeletion"
            - "kms:Update*"
          Resource: "*"
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: "*"
          Action:
            - kms:Decrypt
            - kms:DescribeKey
            - kms:Encrypt
            - kms:GenerateDataKey*
            - kms:ReEncryptFrom
            - kms:ReEncryptTo
          Resource: "*"
          Condition:
            StringEquals:
              aws:PrincipalOrgID: !Ref OrganizationId
        - Action:
            - kms:Decrypt
            - kms:GenerateDataKey*
          Effect: Allow
          Principal:
            Service:
              - sns.amazonaws.com
              - codecommit.amazonaws.com
          Resource: "*"
          Condition:
            StringEquals:
              "aws:SourceAccount": !Ref AWS::AccountId
        - Action:
            - kms:Decrypt
            - kms:GenerateDataKey*
          Effect: Allow
          Principal:
            Service:
              - events.amazonaws.com
          Resource: "*"
          Condition:
            ArnLike:
              "aws:SourceArn": !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"
```
Changing the Condition of events.amazonaws.com to use `"aws:ResourceAccount": !Ref AWS::AccountId` instead of `aws:SourceArn` works.
Is there an existing issue for this?
Describe the bug
After the upgrade to 4.0.0, the email alerts are not sent anymore during CodePipeline runs (STARTED, FAILED, SUCCEEDED). I have checked the EventBridge rule and it is triggered successfully, but the invocation to SNS fails.
Expected Behavior
To send emails.
Current Behavior
Steps To Reproduce
No response
Possible Solution
No response
Additional Information/Context
No response
ADF Version
4.0.0
Contributing a fix?
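
Added example, not part of the original report or of ADF: a small Python audit that lists which condition key scopes each service principal in a key policy shaped like the one above, so the `events.amazonaws.com` statement that relies on `aws:SourceArn` stands out. The account ID, organization ID and region are constructed placeholders, and the action lists are shortened.

```python
# Added example: report how each service-principal statement in a KMS key
# policy is scoped. Account ID, org ID and region below are constructed.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:resourceaccount"}

def as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def condition_keys(stmt):
    """Lower-cased condition keys of a statement (IAM key names are case-insensitive)."""
    return {key.lower() for block in (stmt.get("Condition") or {}).values() for key in block}

def audit(policy):
    """Return (label, principal, scoping) tuples for wildcard and service principals."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or principal is None:
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        keys = condition_keys(stmt)
        if isinstance(principal, str):  # handles "Principal": "*"
            principal = {"AWS": principal}
        if "*" in as_list(principal.get("AWS")) and not keys:
            findings.append((label, "*", "UNSCOPED"))
        scoping = ",".join(sorted(keys & SCOPING_KEYS)) or "UNSCOPED"
        for service in as_list(principal.get("Service")):
            findings.append((label, service, scoping))
    return findings

ACCOUNT = "111122223333"  # constructed placeholder
KEY_POLICY = {"Version": "2012-10-17", "Statement": [  # action lists shortened
    {"Sid": "Allows admin of the key", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": ["kms:Create*", "kms:Describe*"]},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Decrypt", "kms:Encrypt"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
     "Principal": {"Service": ["sns.amazonaws.com", "codecommit.amazonaws.com"]},
     "Resource": "*", "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
     "Principal": {"Service": ["events.amazonaws.com"]}, "Resource": "*",
     "Condition": {"ArnLike": {
         "aws:SourceArn": f"arn:aws:events:eu-west-1:{ACCOUNT}:rule/*"}}},
]}

if __name__ == "__main__":
    for label, principal, scoping in audit(KEY_POLICY):
        print(f"{label:24} {principal:26} {scoping}")
```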