security-and-compliance-account/stacks/pipeline_stack/cdk_stack.py [284:352]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                )
            ]
        )

        # CodePipeline Encryption Key Policy
        # Key-administration statement: the account root principal is granted
        # every KMS action on this key. In a KMS key policy, resources=['*']
        # denotes the key the policy is attached to, not every key in the
        # account. This is the conventional "let IAM policies in the account
        # govern the key" statement; without it the key can become
        # unmanageable, so it is expected to stay as-is.
        # NOTE(review): this policy section (both KMS statements and the bucket
        # policy below) is duplicated verbatim in
        # workload-account/stacks/pipeline_stack/cdk_stack.py — keep the two
        # copies in sync, or factor them into a shared construct so a
        # permission fix lands in both accounts.
        pipeline_encryption_key.add_to_resource_policy(
            statement = iam.PolicyStatement(
                sid = 'KmsAllowKeyAdministration',
                actions = [
                    'kms:*'
                ],
                effect = iam.Effect.ALLOW,
                principals = [
                    iam.AccountRootPrincipal()
                ],
                resources = ['*']
            )
        )

        # Key-usage statement for the CodePipeline role: the cryptographic
        # operations the pipeline needs on the artifact-encryption key, scoped
        # to this key (resources=['*'] in a key policy) and to the single
        # principal identified by code_pipeline_role.role_arn.
        # NOTE(review): kms:CreateKey is not a per-key action and is not
        # authorized through a key policy (it is granted via IAM identity
        # policies only), so this entry is believed to be inert — confirm and
        # drop it. kms:ReEncrypt is not a documented KMS action either; the
        # real ones, kms:ReEncryptFrom and kms:ReEncryptTo, are already listed.
        # The documented spelling is kms:GenerateDataKeyWithoutPlaintext; IAM
        # action names match case-insensitively so the entry still works, but
        # normalizing it keeps audits and grep honest.
        # NOTE(review): iam.ArnPrincipal pins the role by ARN; if the role is
        # ever deleted and recreated under the same name the key policy keeps
        # the old role's unique id and the pipeline loses key access — redeploy
        # this stack in that case.
        pipeline_encryption_key.add_to_resource_policy(
            statement = iam.PolicyStatement(
                sid = 'KmsAllowKeyUsage',
                actions = [
                    'kms:Decrypt',
                    'kms:DescribeKey',
                    'kms:Encrypt',
                    'kms:GenerateDataKey',
                    'kms:GenerateDataKeyWithoutPlainText',
                    'kms:ReEncrypt',
                    'kms:ReEncryptTo',
                    'kms:ReEncryptFrom',
                    'kms:TagResource',
                    'kms:CreateKey'
                ],
                effect = iam.Effect.ALLOW,
                principals = [
                    iam.ArnPrincipal(
                        arn = code_pipeline_role.role_arn
                    )
                ],
                resources = ['*']
            )
        )

        # CodePipeline Bucket Policy
        # Artifact-bucket statement for the CodePipeline role. The resources
        # cover both the bucket ARN itself and every object key beneath it, so
        # the action wildcards below apply at bucket level as well as object
        # level.
        # NOTE(review): s3:Put* and s3:Delete* on the bucket ARN include
        # bucket-configuration actions (s3:PutBucketPolicy, s3:PutBucketAcl,
        # s3:PutBucketPublicAccessBlock, s3:DeleteBucketPolicy,
        # s3:DeleteBucket, ...), which lets the pipeline role rewrite or remove
        # this very policy and the bucket's access controls. Least privilege
        # for an artifact bucket is the object-level set (s3:GetObject*,
        # s3:PutObject*, s3:DeleteObject*, s3:AbortMultipartUpload,
        # s3:ListMultipartUploadParts) plus s3:ListBucket / s3:GetBucket* on
        # the bucket ARN; narrow the wildcards unless a bucket-level write is
        # genuinely required by the pipeline.
        # Style: the statement is passed positionally here but by keyword
        # (statement=) in the KMS calls above; harmless, but one form is easier
        # to grep.
        pipeline_bucket.add_to_resource_policy(
            iam.PolicyStatement(
                sid = 'CodePipelineUsage',
                actions = [
                    's3:List*',
                    's3:Get*',
                    's3:Put*',
                    's3:Delete*',
                    's3:AbortMultipartUpload',
                    's3:RestoreObject',
                    's3:ListMultipartUploadParts'
                ],
                effect = iam.Effect.ALLOW,
                principals = [
                    iam.ArnPrincipal(
                        arn = code_pipeline_role.role_arn
                    )
                ],
                resources = [
                    pipeline_bucket.bucket_arn,
                    pipeline_bucket.bucket_arn+'/*'
                ]
            ),
        )
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



workload-account/stacks/pipeline_stack/cdk_stack.py [446:514]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                )
            ]
        )

        # CodePipeline Encryption Key Policy
        # Key-administration statement: the account root principal is granted
        # every KMS action on this key. In a KMS key policy, resources=['*']
        # denotes the key the policy is attached to, not every key in the
        # account. This is the conventional "let IAM policies in the account
        # govern the key" statement; without it the key can become
        # unmanageable, so it is expected to stay as-is.
        # NOTE(review): this policy section (both KMS statements and the bucket
        # policy below) is duplicated verbatim in
        # security-and-compliance-account/stacks/pipeline_stack/cdk_stack.py —
        # keep the two copies in sync, or factor them into a shared construct
        # so a permission fix lands in both accounts.
        pipeline_encryption_key.add_to_resource_policy(
            statement = iam.PolicyStatement(
                sid = 'KmsAllowKeyAdministration',
                actions = [
                    'kms:*'
                ],
                effect = iam.Effect.ALLOW,
                principals = [
                    iam.AccountRootPrincipal()
                ],
                resources = ['*']
            )
        )

        # Key-usage statement for the CodePipeline role: the cryptographic
        # operations the pipeline needs on the artifact-encryption key, scoped
        # to this key (resources=['*'] in a key policy) and to the single
        # principal identified by code_pipeline_role.role_arn.
        # NOTE(review): kms:CreateKey is not a per-key action and is not
        # authorized through a key policy (it is granted via IAM identity
        # policies only), so this entry is believed to be inert — confirm and
        # drop it. kms:ReEncrypt is not a documented KMS action either; the
        # real ones, kms:ReEncryptFrom and kms:ReEncryptTo, are already listed.
        # The documented spelling is kms:GenerateDataKeyWithoutPlaintext; IAM
        # action names match case-insensitively so the entry still works, but
        # normalizing it keeps audits and grep honest.
        # NOTE(review): iam.ArnPrincipal pins the role by ARN; if the role is
        # ever deleted and recreated under the same name the key policy keeps
        # the old role's unique id and the pipeline loses key access — redeploy
        # this stack in that case.
        pipeline_encryption_key.add_to_resource_policy(
            statement = iam.PolicyStatement(
                sid = 'KmsAllowKeyUsage',
                actions = [
                    'kms:Decrypt',
                    'kms:DescribeKey',
                    'kms:Encrypt',
                    'kms:GenerateDataKey',
                    'kms:GenerateDataKeyWithoutPlainText',
                    'kms:ReEncrypt',
                    'kms:ReEncryptTo',
                    'kms:ReEncryptFrom',
                    'kms:TagResource',
                    'kms:CreateKey'
                ],
                effect = iam.Effect.ALLOW,
                principals = [
                    iam.ArnPrincipal(
                        arn = code_pipeline_role.role_arn
                    )
                ],
                resources = ['*']
            )
        )

        # CodePipeline Bucket Policy
        # Artifact-bucket statement for the CodePipeline role. The resources
        # cover both the bucket ARN itself and every object key beneath it, so
        # the action wildcards below apply at bucket level as well as object
        # level.
        # NOTE(review): s3:Put* and s3:Delete* on the bucket ARN include
        # bucket-configuration actions (s3:PutBucketPolicy, s3:PutBucketAcl,
        # s3:PutBucketPublicAccessBlock, s3:DeleteBucketPolicy,
        # s3:DeleteBucket, ...), which lets the pipeline role rewrite or remove
        # this very policy and the bucket's access controls. Least privilege
        # for an artifact bucket is the object-level set (s3:GetObject*,
        # s3:PutObject*, s3:DeleteObject*, s3:AbortMultipartUpload,
        # s3:ListMultipartUploadParts) plus s3:ListBucket / s3:GetBucket* on
        # the bucket ARN; narrow the wildcards unless a bucket-level write is
        # genuinely required by the pipeline.
        # Style: the statement is passed positionally here but by keyword
        # (statement=) in the KMS calls above; harmless, but one form is easier
        # to grep.
        pipeline_bucket.add_to_resource_policy(
            iam.PolicyStatement(
                sid = 'CodePipelineUsage',
                actions = [
                    's3:List*',
                    's3:Get*',
                    's3:Put*',
                    's3:Delete*',
                    's3:AbortMultipartUpload',
                    's3:RestoreObject',
                    's3:ListMultipartUploadParts'
                ],
                effect = iam.Effect.ALLOW,
                principals = [
                    iam.ArnPrincipal(
                        arn = code_pipeline_role.role_arn
                    )
                ],
                resources = [
                    pipeline_bucket.bucket_arn,
                    pipeline_bucket.bucket_arn+'/*'
                ]
            ),
        )
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



