@@ -181,13 +181,19 @@ Resources:
181181 Action:
182182 - "ec2:Describe*"
183183 Resource: "*"
184+ Condition:
185+ StringEquals:
186+ "aws:RequestedRegion": !Ref AWS::Region
184187 - Sid: "AllowKMSKeysListing"
185188 Effect: "Allow"
186189 Action:
187190 - "kms:ListKeys"
188191 - "kms:ListAliases"
189192 - "kms:ListResourceTags"
190193 Resource: "*"
194+ Condition:
195+ StringEquals:
196+ "aws:RequestedRegion": !Ref AWS::Region
191197 - Sid: "AllowKMSEncryptDecrypt"
192198 Effect: "Allow"
193199 Action:
@@ -201,16 +207,24 @@ Resources:
201207 Condition:
202208 StringLike:
203209 "kms:ViaService": "ec2.*.amazonaws.com"
210+ StringEquals:
211+ "aws:RequestedRegion": !Ref AWS::Region
204212 - Sid: "CreateTaggedSnapshotFromVolume"
205213 Effect: "Allow"
206214 Action:
207215 - "ec2:CreateSnapshot"
208216 Resource: "*"
217+ Condition:
218+ StringEquals:
219+ "aws:RequestedRegion": !Ref AWS::Region
209220 - Sid: "CopySnapshots"
210221 Effect: "Allow"
211222 Action:
212223 - "ec2:CopySnapshot"
213224 Resource: "*"
225+ Condition:
226+ StringEquals:
227+ "aws:RequestedRegion": !Ref AWS::Region
214228 - Sid: "SnapshotTags"
215229 Effect: "Allow"
216230 Action:
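Review bot: The `kms:ViaService` pattern at new line 209 still accepts `ec2.*.amazonaws.com` for every region, so the region pin on what is presumably the `AllowKMSEncryptDecrypt` statement rests entirely on the added `aws:RequestedRegion` key. Pinning the service name as well, `"kms:ViaService": !Sub "ec2.${AWS::Region}.amazonaws.com"`, keeps the statement scoped even if the second condition is later edited or dropped. The statement begins above this hunk, so its action and resource lists are not visible here. The same line recurs at new line 398.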
@@ -220,6 +234,7 @@ Resources:
220234 StringEquals:
221235 "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"]
222236 "aws:RequestTag/CreatedBy": "Sysdig"
237+ "aws:RequestedRegion": !Ref AWS::Region
223238 - Sid: "ec2SnapshotShare"
224239 Effect: "Allow"
225240 Action:
@@ -230,6 +245,7 @@ Resources:
230245 "aws:ResourceTag/CreatedBy": "Sysdig"
231246 StringEquals:
232247 "ec2:Add/userId": !Ref ScanningAccountID
248+ "aws:RequestedRegion": !Ref AWS::Region
233249 - Sid: "ec2SnapshotDelete"
234250 Effect: "Allow"
235251 Action:
@@ -238,6 +254,8 @@ Resources:
238254 Condition:
239255 StringEqualsIgnoreCase:
240256 "aws:ResourceTag/CreatedBy": "Sysdig"
257+ StringEquals:
258+ "aws:RequestedRegion": !Ref AWS::Region
241259 ScanningKmsKey:
242260 Type: 'AWS::KMS::Key'
243261 Properties:
@@ -352,13 +370,19 @@ Resources:
352370 Action:
353371 - "ec2:Describe*"
354372 Resource: "*"
373+ Condition:
374+ StringEquals:
375+ "aws:RequestedRegion": !Ref AWS::Region
355376 - Sid: "AllowKMSKeysListing"
356377 Effect: "Allow"
357378 Action:
358379 - "kms:ListKeys"
359380 - "kms:ListAliases"
360381 - "kms:ListResourceTags"
361382 Resource: "*"
383+ Condition:
384+ StringEquals:
385+ "aws:RequestedRegion": !Ref AWS::Region
362386 - Sid: "AllowKMSEncryptDecrypt"
363387 Effect: "Allow"
364388 Action:
@@ -372,16 +396,24 @@ Resources:
372396 Condition:
373397 StringLike:
374398 "kms:ViaService": "ec2.*.amazonaws.com"
399+ StringEquals:
400+ "aws:RequestedRegion": !Ref AWS::Region
375401 - Sid: "CreateTaggedSnapshotFromVolume"
376402 Effect: "Allow"
377403 Action:
378404 - "ec2:CreateSnapshot"
379405 Resource: "*"
406+ Condition:
407+ StringEquals:
408+ "aws:RequestedRegion": !Ref AWS::Region
380409 - Sid: "CopySnapshots"
381410 Effect: "Allow"
382411 Action:
383412 - "ec2:CopySnapshot"
384413 Resource: "*"
414+ Condition:
415+ StringEquals:
416+ "aws:RequestedRegion": !Ref AWS::Region
385417 - Sid: "SnapshotTags"
386418 Effect: "Allow"
387419 Action:
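Review bot: For `ec2:CopySnapshot` (new lines 410–416), `aws:RequestedRegion` constrains only the region the call is sent to, which for a copy is the destination. With `Resource: "*"` the source snapshot can still be in any region. If the intent is that this role never pulls snapshots from outside the stack's region, that is not enforced here and should at least be documented, e.g. `# RequestedRegion pins the copy destination only; the source region is not restricted`. The identical statement at new lines 221–227 has the same gap.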
@@ -391,6 +423,7 @@ Resources:
391423 StringEquals:
392424 "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"]
393425 "aws:RequestTag/CreatedBy": "Sysdig"
426+ "aws:RequestedRegion": !Ref AWS::Region
394427 - Sid: "ec2SnapshotShare"
395428 Effect: "Allow"
396429 Action:
@@ -401,6 +434,7 @@ Resources:
401434 "aws:ResourceTag/CreatedBy": "Sysdig"
402435 StringEquals:
403436 "ec2:Add/userId": !Ref ScanningAccountID
437+ "aws:RequestedRegion": !Ref AWS::Region
404438 - Sid: "ec2SnapshotDelete"
405439 Effect: "Allow"
406440 Action:
@@ -409,6 +443,8 @@ Resources:
409443 Condition:
410444 StringEqualsIgnoreCase:
411445 "aws:ResourceTag/CreatedBy": "Sysdig"
446+ StringEquals:
447+ "aws:RequestedRegion": !Ref AWS::Region
412448 ScanningKmsKey:
413449 Type: 'AWS::KMS::Key'
414450 Properties: