Remove CloudFormation access to S3 via ArtifactCopyPolicy and KMS access (#792)

omkhegde · web-flow · commit b8b2c8213e74 · 2021-06-28T15:47:05.000-07:00
* Remove CloudFormation access to S3 via ArtifactCopyPolicy and KMS secret access since it is not used anymore
diff --git a/src/rpdk/core/data/managed-upload-infrastructure.yaml b/src/rpdk/core/data/managed-upload-infrastructure.yaml
@@ -48,16 +48,6 @@ Resources:
       PolicyDocument:
         Version: "2012-10-17"
         Statement:
-          - Sid: Allow CloudFormation to copy artifacts from the bucket
-            Effect: Allow
-            Principal:
-              Service: cloudformation.amazonaws.com
-            Action:
-              - s3:ListBucket
-              - s3:GetObject
-            Resource:
-              - !Sub "arn:${AWS::Partition}:s3:::${ArtifactBucket}"
-              - !Sub "arn:${AWS::Partition}:s3:::${ArtifactBucket}/*"
           - Sid: Require Secure Transport
             Action: "s3:*"
             Effect: Deny
@@ -84,17 +74,6 @@ Resources:
             AWS: !Ref AWS::AccountId
           Action: kms:*
           Resource: "*"
-        - Sid: Enable access for cloudformation to copy encrypted objects
-          Effect: Allow
-          Principal:
-            Service: cloudformation.amazonaws.com
-          Action:
-            - "kms:Encrypt"
-            - "kms:Decrypt"
-            - "kms:ReEncrypt*"
-            - "kms:GenerateDataKey*"
-            - "kms:DescribeKey"
-          Resource: "*"
 
   LogAndMetricsDeliveryRole:
     Type: AWS::IAM::Role
