From 7025ed343aafa3fbaac8606d327b70a39c746a6c Mon Sep 17 00:00:00 2001
From: cgeers
Date: Wed, 11 Sep 2024 11:04:30 -0500
Subject: [PATCH] fix(modules): volume access add KMS management permissions (#131)

---
 modules/volume_access.cft.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/volume_access.cft.yaml b/modules/volume_access.cft.yaml
index 4729082..a252019 100644
--- a/modules/volume_access.cft.yaml
+++ b/modules/volume_access.cft.yaml
@@ -255,7 +255,8 @@ Resources:
 Effect: "Allow"
 Principal:
 AWS:
- - !Sub "arn:aws:iam::${AWS::AccountId}:root"
+ - !Sub arn:aws:iam::${AWS::AccountId}:root
+ - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix}
 Action: "kms:*"
 Resource: "*"
 ScanningKmsAlias:
@@ -397,6 +398,8 @@ Resources:
 OrganizationKMSKeyStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
+ DependsOn:
+ - OrganizationRoleStackSet
 Properties:
 StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix}
 Description: IAM Role used to create KMS Keys to scan organization accounts/regions
@@ -464,7 +467,8 @@ Resources:
 Effect: "Allow"
 Principal:
 AWS:
- - !Sub "arn:aws:iam::${AWS::AccountId}:root"
+ - !Sub arn:aws:iam::${AWS::AccountId}:root
+ - !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/member.org.stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgMember
 Action: "kms:*"
 Resource: "*"
 ScanningKmsAlias:
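Review bot: The new principal `role/sysdig-secure-scanning-stackset-execution-${NameSuffix}` is added to a statement whose action is `"kms:*"`, which is full key administration (policy changes, grants, scheduling deletion) rather than the management subset the commit subject describes; the same applies to the service-linked role added in the third hunk. Enumerating the actions the execution role actually performs in the added list entry would leave the account root as the only full administrator of the key. KMS validates key-policy principals when the policy is written, so if the key resource this statement belongs to does not already depend on whatever creates that execution role, key creation can fail on a fresh deploy; the enclosing key resource starts above the hunk, so I cannot see whether such a DependsOn exists. Dropping the quotes on the root ARN parses identically, but the surrounding statement still quotes its scalars (`"Allow"`, `"kms:*"`), so keeping `- !Sub "arn:aws:iam::${AWS::AccountId}:root"` quoted would be more consistent.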
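Review bot: The added `DependsOn:` / `- OrganizationRoleStackSet` on OrganizationKMSKeyStackSet carries no explanation of which reference it protects, and nothing in this hunk shows the dependency, so a reader has to infer it from key-policy principals elsewhere in the template. A comment above it stating why the ordering is required — presumably because a key policy in the nested stack names a role that OrganizationRoleStackSet creates, which should be confirmed — would record the intent, e.g. `# Key policies below name roles created by OrganizationRoleStackSet; KMS rejects principals that do not yet exist`. OrganizationKMSKeyStackSet's Properties continue past the hunk.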
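Review bot: `AWSServiceRoleForCloudFormationStackSetsOrgMember` is the service-linked role CloudFormation assumes for every service-managed StackSet instance in a member account, not a principal specific to this integration, so listing it under a `"kms:*"` statement makes the key administrable by any StackSet the organization deploys into that account. If the intent is only for CloudFormation to create the alias and grants during stack operations, enumerating those actions for this principal would bound the grant to that purpose. The enclosing key resource and its policy start outside the hunk.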