fix(kms): kms key grant methods misidentify region when enclosing stack is different region

[GavinZZ]

Issue # (if applicable)

Closes #29308

Reason for this change

This problem is grant() determines the region of a Key using Stack.of(key).region, however the enclosing Stack's region may differ to that of the actual resource. When this happens, the IAM policy generated allows a * resource which is against the least privilege rule.

Description of changes

KMS key already has env value on account and region, use this first. If not exist, use stack account and region.

Description of how you validated changes

New unit test

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[GavinZZ]

This change could technically be considered as breaking change although very unlikely. After the change, the new IAM policy would have the Resource field set to a specific KMS key instead of * when key.grant is used to a grantee from a different stack in a different region.

Because it originally grants * to Resource in the policy, users could rely on a different KMS key (which is quite unlikely but possible), this change cause issue. Perhaps I should wrap this using feature flag, open to suggestions.

[paulhcsun]

We should add this behind a feature flag to avoid any possibility of introducing a breaking change.

[paulhcsun]

noice

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 22e1b47
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).