@@ -180,13 +180,19 @@ Resources:
180180 Action:
181181 - "ec2:Describe*"
182182 Resource: "*"
183+ Condition:
184+ StringEquals:
185+ "aws:RequestedRegion": !Ref AWS::Region
183186 - Sid: "AllowKMSKeysListing"
184187 Effect: "Allow"
185188 Action:
186189 - "kms:ListKeys"
187190 - "kms:ListAliases"
188191 - "kms:ListResourceTags"
189192 Resource: "*"
193+ Condition:
194+ StringEquals:
195+ "aws:RequestedRegion": !Ref AWS::Region
190196 - Sid: "AllowKMSEncryptDecrypt"
191197 Effect: "Allow"
192198 Action:
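Review bot: Pinning `aws:RequestedRegion` to `!Ref AWS::Region` ties every statement to the region the stack is deployed in, and nothing visible in these hunks documents that this is intended. If the policy is attached to an IAM role (a global resource) that is expected to snapshot volumes in other regions, those calls will now be denied. Confirm that one stack per scanned region is the deployment model. I would record the intent beside the first added condition, e.g. `# Region-scoped on purpose: this policy only permits calls in the region of the stack that created it`. The enclosing policy starts before this hunk, and the same applies to the second copy at old line 351.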
@@ -200,16 +206,24 @@ Resources:
200206 Condition:
201207 StringLike:
202208 "kms:ViaService": "ec2.*.amazonaws.com"
209+ StringEquals:
210+ "aws:RequestedRegion": !Ref AWS::Region
203211 - Sid: "CreateTaggedSnapshotFromVolume"
204212 Effect: "Allow"
205213 Action:
206214 - "ec2:CreateSnapshot"
207215 Resource: "*"
216+ Condition:
217+ StringEquals:
218+ "aws:RequestedRegion": !Ref AWS::Region
208219 - Sid: "CopySnapshots"
209220 Effect: "Allow"
210221 Action:
211222 - "ec2:CopySnapshot"
212223 Resource: "*"
224+ Condition:
225+ StringEquals:
226+ "aws:RequestedRegion": !Ref AWS::Region
213227 - Sid: "SnapshotTags"
214228 Effect: "Allow"
215229 Action:
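Review bot: In `AllowKMSEncryptDecrypt` the context line `"kms:ViaService": "ec2.*.amazonaws.com"` still accepts EC2 endpoints in any region, which is looser than the region limit the added `StringEquals` expresses. If no cross-region copy flow is intended, the two can be aligned by moving the key under `StringEquals` as `"kms:ViaService": !Sub "ec2.${AWS::Region}.amazonaws.com"` and dropping the `StringLike` wildcard. The statement's actions and resource lie outside the hunk, so check which keys it covers before tightening. The same line appears in the hunk at old line 371.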
@@ -219,6 +233,7 @@ Resources:
219233 StringEquals:
220234 "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"]
221235 "aws:RequestTag/CreatedBy": "Sysdig"
236+ "aws:RequestedRegion": !Ref AWS::Region
222237 - Sid: "ec2SnapshotShare"
223238 Effect: "Allow"
224239 Action:
@@ -229,6 +244,7 @@ Resources:
229244 "aws:ResourceTag/CreatedBy": "Sysdig"
230245 StringEquals:
231246 "ec2:Add/userId": !Ref ScanningAccountID
247+ "aws:RequestedRegion": !Ref AWS::Region
232248 - Sid: "ec2SnapshotDelete"
233249 Effect: "Allow"
234250 Action:
@@ -237,6 +253,8 @@ Resources:
237253 Condition:
238254 StringEqualsIgnoreCase:
239255 "aws:ResourceTag/CreatedBy": "Sysdig"
256+ StringEquals:
257+ "aws:RequestedRegion": !Ref AWS::Region
240258 ScanningKmsKey:
241259 Type: 'AWS::KMS::Key'
242260 Properties:
@@ -351,13 +369,19 @@ Resources:
351369 Action:
352370 - "ec2:Describe*"
353371 Resource: "*"
372+ Condition:
373+ StringEquals:
374+ "aws:RequestedRegion": !Ref AWS::Region
354375 - Sid: "AllowKMSKeysListing"
355376 Effect: "Allow"
356377 Action:
357378 - "kms:ListKeys"
358379 - "kms:ListAliases"
359380 - "kms:ListResourceTags"
360381 Resource: "*"
382+ Condition:
383+ StringEquals:
384+ "aws:RequestedRegion": !Ref AWS::Region
361385 - Sid: "AllowKMSEncryptDecrypt"
362386 Effect: "Allow"
363387 Action:
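Review bot: The region limit is enforced only by repeating the same condition in every Allow statement, and again in this second copy of the policy, so a statement added later without it is silently unrestricted. One explicit Deny per policy with `StringNotEquals` on `aws:RequestedRegion` would hold regardless of which Allow statements exist, and the per-statement conditions could stay as defence in depth. This assumes the policy grants only `ec2` and `kms` actions and that the principal has no other policy needing those services in other regions; the statements outside the visible hunks should be checked first. The Sid in the sketch below is a constructed name.

```yaml
# … unchanged: existing Allow statements …
- Sid: "DenyOutsideStackRegion"
  Effect: "Deny"
  Action:
    - "ec2:*"
    - "kms:*"
  Resource: "*"
  Condition:
    StringNotEquals:
      "aws:RequestedRegion": !Ref AWS::Region
```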
@@ -371,16 +395,24 @@ Resources:
371395 Condition:
372396 StringLike:
373397 "kms:ViaService": "ec2.*.amazonaws.com"
398+ StringEquals:
399+ "aws:RequestedRegion": !Ref AWS::Region
374400 - Sid: "CreateTaggedSnapshotFromVolume"
375401 Effect: "Allow"
376402 Action:
377403 - "ec2:CreateSnapshot"
378404 Resource: "*"
405+ Condition:
406+ StringEquals:
407+ "aws:RequestedRegion": !Ref AWS::Region
379408 - Sid: "CopySnapshots"
380409 Effect: "Allow"
381410 Action:
382411 - "ec2:CopySnapshot"
383412 Resource: "*"
413+ Condition:
414+ StringEquals:
415+ "aws:RequestedRegion": !Ref AWS::Region
384416 - Sid: "SnapshotTags"
385417 Effect: "Allow"
386418 Action:
@@ -390,6 +422,7 @@ Resources:
390422 StringEquals:
391423 "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"]
392424 "aws:RequestTag/CreatedBy": "Sysdig"
425+ "aws:RequestedRegion": !Ref AWS::Region
393426 - Sid: "ec2SnapshotShare"
394427 Effect: "Allow"
395428 Action:
@@ -400,6 +433,7 @@ Resources:
400433 "aws:ResourceTag/CreatedBy": "Sysdig"
401434 StringEquals:
402435 "ec2:Add/userId": !Ref ScanningAccountID
436+ "aws:RequestedRegion": !Ref AWS::Region
403437 - Sid: "ec2SnapshotDelete"
404438 Effect: "Allow"
405439 Action:
@@ -408,6 +442,8 @@ Resources:
408442 Condition:
409443 StringEqualsIgnoreCase:
410444 "aws:ResourceTag/CreatedBy": "Sysdig"
445+ StringEquals:
446+ "aws:RequestedRegion": !Ref AWS::Region
411447 ScanningKmsKey:
412448 Type: 'AWS::KMS::Key'
413449 Properties: