feat: Tighten KMS key policy (#42)

* feat: Tighten KMS key policy

* fix: remove put key policy

* other changes

---------

Co-authored-by: Josh Stevens <[email protected]>

Author: skynnes

crates/core/src/wallet/aws_kms_wallet_manager.rs

@@ -221,11 +221,26 @@ impl AwsKmsWalletManager {
                     "Sid": "AllowRootAccountAccess",
                     "Effect": "Allow",
                     "Principal": { "AWS": format!("arn:aws:iam::{}:root", account_id) },
-                    "Action": "kms:*",
+                    "Action": [
+                        "kms:DescribeKey",
+                        "kms:ListAliases",
+                        "kms:ListKeyPolicies",
+                        "kms:GetKeyPolicy",
+                        "kms:CreateAlias",
+                        "kms:DeleteAlias",
+                        "kms:ScheduleKeyDeletion",
+                        "kms:CancelKeyDeletion",
+                        "kms:EnableKey",
+                        "kms:DisableKey",
+                        "kms:EnableKeyRotation",
+                        "kms:DisableKeyRotation",
+                        "kms:RevokeGrant",
+                        "kms:RetireGrant"
+                      ],
                     "Resource": "*"
                 },
                 {
-                    "Sid": "AllowAdminPrincipalSelf",
+                    "Sid": "AllowRelayerFullControl",
                     "Effect": "Allow",
                     "Principal": { "AWS": admin_principal_arn },
                     "Action": "kms:*",

documentation/rrelayer/docs/pages/changelog.mdx

@@ -6,6 +6,8 @@
 
 ### Features
 
+- feat: Tighten KMS key policy
+
 ---
 
 ### Bug fixes