aws-cdk
pipelines: default behavior created overly permissive policy
Describe the bug
I'm using the pipelines construct to deploy resources cross-account through the pipelines. When the pipeline kicks in, it will create 2 roles (1 in the account where the pipeline is created, and another 1 in the account where we deploy the resources). One of the resources the pipeline deploys is an IAM role named xxxxx-deploy-role-<account-id>-<region> that has an inline policy named `default`.
This is what is inside the `default` inline policy (along with other stuff):
```json
{
    "Condition": {
        "StringEquals": {
            "kms:ViaService": "s3.us-east-2.amazonaws.com"
        }
    },
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Effect": "Allow",
    "Sid": "PipelineCrossAccountArtifactsKey"
},
```
The problem with this policy is that it creates a problem in our SecurityHub findings.
My question is: is there a way to make this policy not overly permissive instead of suppressing the finding in SecurityHub? Or other alternatives that I can't think of? Thanks.
Expected Behavior
The `default` inline policy isn't overly permissive.
Current Behavior
The overly permissive `default` inline policy is found to be a problem in SecurityHub findings.
Reproduction Steps
Please see the description above.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.143.0
Framework Version
No response
Node.js Version
20.13.0
OS
Windows
Language
Python
Language Version
3.9.16
Other information
No response
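The following is an added example, not part of the issue above and not code from the aws-cdk project. It takes the statement quoted in the report (re-typed here as a constructed policy document), runs the check that Security Hub's KMS controls apply to it, namely an Allow statement granting `kms:Decrypt` or `kms:ReEncryptFrom` on every key, and shows the tightened form of the same statement with `Resource` pinned to an explicit key ARN. The key ARN, account id and key id are assumptions invented for the example. Note that the `kms:ViaService` condition does not clear the finding: it limits which service may make the call, not which keys the call may use, so only narrowing `Resource` changes the result.

```python
"""Flag and tighten the wildcard-resource KMS statement quoted in the issue."""
import copy
import fnmatch
import json

# Constructed: the single statement from the report, wrapped in a minimal
# policy document. The rest of the "default" inline policy is not on the page.
REPORTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PipelineCrossAccountArtifactsKey",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:ViaService": "s3.us-east-2.amazonaws.com"}
            },
        }
    ],
}

# Assumption: hypothetical ARN of the KMS key that encrypts the artifact bucket.
ARTIFACT_KEY_ARN = (
    "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
)

# Decrypt-class actions that must not be granted on all keys.
DECRYPT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")


def _as_list(value):
    # IAM allows a bare string where a list is expected.
    return value if isinstance(value, list) else [value]


def _action_allowed(patterns, action):
    # IAM action matching is case-insensitive and '*' is the only wildcard,
    # so "kms:ReEncrypt*" covers kms:ReEncryptFrom.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _is_all_keys(resource):
    # "*" or an ARN whose key id is a wildcard covers every key the caller can reach.
    return resource == "*" or resource.endswith(":key/*")


def find_all_keys_decrypt(policy):
    """Return the Sids of Allow statements granting a decrypt action on every KMS key.

    The Condition block is deliberately ignored: kms:ViaService restricts the
    calling service, not the set of keys, so it does not narrow the grant.
    """
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(_action_allowed(actions, a) for a in DECRYPT_ACTIONS) and any(
            _is_all_keys(r) for r in resources
        ):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def scope_statement_to_keys(policy, sid, key_arns):
    """Return a copy of `policy` with statement `sid` limited to explicit key ARNs.

    Actions and the kms:ViaService condition are kept unchanged; only the
    Resource element is replaced, which is what removes the finding.
    """
    for arn in key_arns:
        if not arn.startswith("arn:aws:kms:") or ":key/" not in arn or "*" in arn:
            raise ValueError(f"not an explicit KMS key ARN: {arn}")
    tightened = copy.deepcopy(policy)
    for stmt in _as_list(tightened["Statement"]):
        if stmt.get("Sid") == sid:
            stmt["Resource"] = list(key_arns)
            break
    else:
        raise KeyError(f"no statement with Sid {sid!r}")
    return tightened


if __name__ == "__main__":
    print("flagged before:", find_all_keys_decrypt(REPORTED_POLICY))
    fixed = scope_statement_to_keys(
        REPORTED_POLICY, "PipelineCrossAccountArtifactsKey", [ARTIFACT_KEY_ARN]
    )
    print("flagged after:", find_all_keys_decrypt(fixed))
    print(json.dumps(fixed["Statement"][0], indent=2))
```

The tightened statement is the shape a reviewer would want the deploy role to carry: same five actions, same `kms:ViaService` condition, but `Resource` listing only the artifact bucket's key. The block does not touch CDK and does not claim to show where in the pipelines construct or the bootstrap stack the original statement is generated; that is the part of the question this example leaves open.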