diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
index 185b5db782d92..07144c768176d 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
@@ -25,7 +25,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
index 793c09465c4e6..d33f61cd86cfe 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
index d28f31f4b8eab..47d6ffcc0c0ec 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
index a80249669c76b..cbcaaf428ddfb 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
@@ -28,7 +28,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
index 8605d3cf64511..81c45a0bcffc5 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
index 1fded0fbf168b..fd77c68dc48c0 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
@@ -240,7 +240,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
index 79bf8fa1189a4..39b5aac8db3ff 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
@@ -90,7 +90,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
index b2e0c099e6985..e4b341ddc4b39 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json
index a924ce67920ea..3915562e381ad 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json
@@ -33,7 +33,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json b/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
index 0406ffeaab3b2..0d49cfe45247c 100644
--- a/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
+++ b/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
@@ -25,7 +25,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-glue/test/integ.table.expected.json b/packages/@aws-cdk/aws-glue/test/integ.table.expected.json
index 3dd33ba944c04..56fffdcde397e 100644
--- a/packages/@aws-cdk/aws-glue/test/integ.table.expected.json
+++ b/packages/@aws-cdk/aws-glue/test/integ.table.expected.json
@@ -120,7 +120,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-glue/test/test.table.ts b/packages/@aws-cdk/aws-glue/test/test.table.ts
index 6aebf4636d88a..c2af4b19ea22a 100644
--- a/packages/@aws-cdk/aws-glue/test/test.table.ts
+++ b/packages/@aws-cdk/aws-glue/test/test.table.ts
@@ -338,7 +338,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -470,7 +471,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -678,7 +680,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -791,7 +794,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -906,7 +910,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
index 4b7c5fadadade..d4ec93b2fb4fe 100644
--- a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
@@ -131,7 +131,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -215,7 +216,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -298,7 +300,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -435,7 +438,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -580,7 +584,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-kms/lib/key.ts b/packages/@aws-cdk/aws-kms/lib/key.ts
index 3fd989d154a45..fbf2f3fb432c4 100644
--- a/packages/@aws-cdk/aws-kms/lib/key.ts
+++ b/packages/@aws-cdk/aws-kms/lib/key.ts
@@ -245,7 +245,8 @@ export class Key extends KeyBase {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ];
 this.addToResourcePolicy(new PolicyStatement({
diff --git a/packages/@aws-cdk/aws-kms/test/integ.key-sharing.lit.expected.json b/packages/@aws-cdk/aws-kms/test/integ.key-sharing.lit.expected.json
index 28799650e7649..029677875f369 100644
--- a/packages/@aws-cdk/aws-kms/test/integ.key-sharing.lit.expected.json
+++ b/packages/@aws-cdk/aws-kms/test/integ.key-sharing.lit.expected.json
@@ -19,7 +19,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-kms/test/integ.key.expected.json b/packages/@aws-cdk/aws-kms/test/integ.key.expected.json
index aed6d40da371c..84148caa63db8 100644
--- a/packages/@aws-cdk/aws-kms/test/integ.key.expected.json
+++ b/packages/@aws-cdk/aws-kms/test/integ.key.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-kms/test/test.key.ts b/packages/@aws-cdk/aws-kms/test/test.key.ts
index 47ebaa4a6b608..96f4dafe15510 100644
--- a/packages/@aws-cdk/aws-kms/test/test.key.ts
+++ b/packages/@aws-cdk/aws-kms/test/test.key.ts
@@ -30,7 +30,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -104,7 +105,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
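Review bot: In packages/@aws-cdk/aws-kms/lib/key.ts the added `"kms:GenerateDataKey"` is a cryptographic-use permission placed in a list that otherwise holds only key-administration actions, and nothing in the hunk explains why it belongs there. The test expectations in this commit show the statement is granted to the account root principal with `Resource: "*"`, so, assuming the usual key-policy semantics, any identity in the account whose IAM policy allows `kms:GenerateDataKey` can then obtain plaintext data keys from every key created with this default policy. I would either move the action into its own statement with a narrower principal, or at least document it at the list, e.g. `// kms:GenerateDataKey is a usage (not admin) action; kept in the default policy because <reason>`. The enclosing method starts and ends outside the hunk, so the full statement is not visible here.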
@@ -183,7 +185,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -277,7 +280,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -341,7 +345,7 @@ export = {
 // This one is there by default
 {
 // tslint:disable-next-line:max-line-length
- Action: [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ],
+ Action: [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey" ],
 Effect: "Allow",
 Principal: { AWS: { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::", { Ref: "AWS::AccountId" }, ":root" ] ] } },
 Resource: "*"
diff --git a/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json b/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json
index 27d4e5ed5bd54..8e512dd5f8af0 100644
--- a/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json
+++ b/packages/@aws-cdk/aws-rds/test/integ.cluster.expected.json
@@ -371,7 +371,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts b/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
index fa17bc698c883..3c6f33c4ca7a0 100644
--- a/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
+++ b/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
@@ -95,7 +95,8 @@ test('if the queue is encrypted with a custom kms key, the key resource policy i
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
diff --git a/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json b/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
index 87b9073be6f6b..0066ccc8545bb 100644
--- a/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
+++ b/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
@@ -290,7 +290,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json b/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json
index d3120db6921cf..e24cd29bc29e5 100644
--- a/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json
+++ b/packages/@aws-cdk/aws-s3/test/integ.bucket.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-s3/test/test.bucket.ts b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
index a1c23a77c9024..71e7a7c1b763c 100644
--- a/packages/@aws-cdk/aws-s3/test/test.bucket.ts
+++ b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
@@ -279,7 +279,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
@@ -828,7 +829,7 @@ export = {
 "Statement": [
 {
 "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
- "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
+ "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey"],
 "Effect": "Allow",
 "Principal": {
 "AWS": {
@@ -882,7 +883,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
index 73af1afde6c3b..3aed2515d9aa2 100644
--- a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
+++ b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -105,7 +105,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
@@ -204,7 +205,8 @@ export = {
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 Effect: "Allow",
 Principal: {
diff --git a/packages/@aws-cdk/aws-ses/test/integ.receipt.expected.json b/packages/@aws-cdk/aws-ses/test/integ.receipt.expected.json
index 0436e0648f572..2ed1697558d8b 100644
--- a/packages/@aws-cdk/aws-ses/test/integ.receipt.expected.json
+++ b/packages/@aws-cdk/aws-ses/test/integ.receipt.expected.json
@@ -153,7 +153,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/@aws-cdk/aws-ses/test/test.receipt-rule-action.ts b/packages/@aws-cdk/aws-ses/test/test.receipt-rule-action.ts
index 7208d9458eafd..12b9bd61f42be 100644
--- a/packages/@aws-cdk/aws-ses/test/test.receipt-rule-action.ts
+++ b/packages/@aws-cdk/aws-ses/test/test.receipt-rule-action.ts
@@ -310,7 +310,8 @@ export = {
 'kms:Get*',
 'kms:Delete*',
 'kms:ScheduleKeyDeletion',
- 'kms:CancelKeyDeletion'
+ 'kms:CancelKeyDeletion',
+ "kms:GenerateDataKey"
 ],
 Effect: 'Allow',
 Principal: {
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.sagemaker.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.sagemaker.expected.json
index f489c0c180f93..61cb9c61815de 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.sagemaker.expected.json
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.sagemaker.expected.json
@@ -18,7 +18,8 @@
 "kms:Get*",
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
- "kms:CancelKeyDeletion"
+ "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey"
 ],
 "Effect": "Allow",
 "Principal": {
diff --git a/packages/decdk/test/__snapshots__/synth.test.js.snap b/packages/decdk/test/__snapshots__/synth.test.js.snap
index 0aef33361c5f2..2716126dc4e75 100644
--- a/packages/decdk/test/__snapshots__/synth.test.js.snap
+++ b/packages/decdk/test/__snapshots__/synth.test.js.snap
@@ -1898,6 +1898,7 @@ Object {
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
 "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey",
 ],
 "Effect": "Allow",
 "Principal": Object {
@@ -1986,6 +1987,7 @@ Object {
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
 "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey",
 ],
 "Effect": "Allow",
 "Principal": Object {
@@ -2908,6 +2910,7 @@ Object {
 "kms:Delete*",
 "kms:ScheduleKeyDeletion",
 "kms:CancelKeyDeletion",
+ "kms:GenerateDataKey",
 ],
 "Effect": "Allow",
 "Principal": Object {
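Review bot: The added entry in packages/@aws-cdk/aws-ses/test/test.receipt-rule-action.ts is written as `"kms:GenerateDataKey"` while every neighbouring entry in the hunk uses single quotes (`'kms:CancelKeyDeletion'`, `'Allow'`). Use `'kms:GenerateDataKey'` so the expectation matches the file's quoting; if the project lints quote style, this line may also be flagged.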