fix(bootstrap): bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (aws#25540)

kaizencc · corymhall · commit 4c4014e0bd3f · 2023-05-11T16:54:52.000Z
**NOTE**: This PR bumps the version of the bootstrap stack to 18, but there is no need to update your bootstrap stacks as this PR changes no functionality. We are reverting aws#24588 because it includes hardcoded partitions in the bootstrap causing the `p0` in aws#25272. Including intrinsics `${AWS::Partition}` here is impossible. In addition, aws#24588 was reported to not actually fix the Security Hub finding: aws#19380 (comment). Although this is a revert, I am rolling forward the bootstrap version to 18. reverts aws#24588. fixes aws#25272. see aws#25273 & aws#25507. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -473,35 +473,20 @@ Resources:
                     StringNotEquals:
                         s3:ResourceAccount:
                             Ref: 'AWS::AccountId'
-              - Fn::If:
-                - HasTrustedAccounts
-                - Sid: PipelineCrossAccountArtifactsKey
-                  # Use keys only for the purposes of reading encrypted files from S3.
-                  Effect: Allow
-                  Action:
-                    - kms:Decrypt
-                    - kms:DescribeKey
-                    - kms:Encrypt
-                    - kms:ReEncrypt*
-                    - kms:GenerateDataKey*
-
-                  # SecurityHub's rule KMS.2 complains if we put a '*' here, so instead we'll
-                  # turn the list of trusted accountIds ['111', '222', ...] into a list of
-                  # wildcard ARNS: ['arn:aws:kms:*:1111:*', 'arn:aws:kms:*:2222:*', ...].
-                  Resource:
-                    Fn::Split:
-                      - "|"
-                      - Fn::Sub:
-                        - "arn:aws:kms:*:${JoinedAccounts}:*"
-                        - JoinedAccounts:
-                            Fn::Join:
-                              - ":*|arn:aws:kms:*:"
-                              - { Ref: TrustedAccounts }
-                  Condition:
-                    StringEquals:
-                      kms:ViaService:
-                        Fn::Sub: s3.${AWS::Region}.amazonaws.com
-                - { Ref: AWS::NoValue }
+              - Sid: PipelineCrossAccountArtifactsKey
+                # Use keys only for the purposes of reading encrypted files from S3.
+                Effect: Allow
+                Action:
+                  - kms:Decrypt
+                  - kms:DescribeKey
+                  - kms:Encrypt
+                  - kms:ReEncrypt*
+                  - kms:GenerateDataKey*
+                Resource: "*"
+                Condition:
+                  StringEquals:
+                    kms:ViaService:
+                      Fn::Sub: s3.${AWS::Region}.amazonaws.com
               - Action: iam:PassRole
                 Resource:
                   Fn::Sub: "${CloudFormationExecutionRole.Arn}"
@@ -633,7 +618,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '17'
+      Value: '18'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack
