I am getting a warning from Security Hub that I should encrypt my existing SNS topic. I have decided to use a CMK. The problem is that I don't want to give a wildcard permission to KMS, because then Security Hub will complain that a wildcard action should not be used for kms:Decrypt.
I am not sure what the best way to do that is. I have tried lots of ways to fix it, but without success.
Here is my CloudFormation template:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Creates an AWS budget and SNS topic for alerts.
Parameters:
  CustomKMSKeyName:
    Type: String
    Default: 'alias/sokaws-budget-sns'
  Amount:   # assumed: referenced by AccountBudget below but not declared in the original template
    Type: String
Resources:
  AccountBudget:
    Type: AWS::SSM::Parameter
    Properties:
      Name: do_not_edit_account_budgets
      Type: String
      Value: !Ref Amount
  CustomKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Custom KMS key for Budget alert SNS encryption
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            # Note: in a key policy the Resource is normally "*", meaning "this key" only;
            # a ".../key/<alias name>" ARN is not a valid key ARN.
            Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${CustomKMSKeyName}"
            # - "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
            # - "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${CustomKMSKeyName}"
            # - "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function/*"
  CustomKMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Ref CustomKMSKeyName   # the original had !Ref CustomKMSKey, which gives the key id, not an "alias/..." name
      TargetKeyId: !Ref CustomKMSKey
  SolutionArchitectSubscription:
    DependsOn: BudgetTopic
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: '{{resolve:ssm:/sokawsdev/contact_solution_architect}}'
      Protocol: email
      TopicArn: !Ref BudgetTopic
  BudgetTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: aws-budget-alerts
      KmsMasterKeyId: !Ref CustomKMSKey
  BudgetTopicPolicy:
    DependsOn: BudgetTopic
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: allowbudget
        Version: '2012-10-17'
        Statement:
          - Sid: budget-id
            Effect: Allow
            Principal:
              Service: budgets.amazonaws.com
            Action: sns:Publish
            Resource: !Ref BudgetTopic
      Topics:
        - !Ref BudgetTopic
This is what CloudFormation says is the root cause.
Instead of
    Principal:
      AWS: arn:aws:iam::${AWS::AccountId}:root
it should be
    Principal:
      AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
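As an added example (not part of the question or the answer), a small stdlib-only checker for the two defects that bite in the template above: a `${...}` placeholder left in a plain string, which is the missing `!Sub` the answer points out, and a `Ref` to a name the template never declares (`Amount`). It takes the template in CloudFormation's JSON form, where the YAML short forms `!Ref` and `!Sub` are spelled `Ref` and `Fn::Sub`; the `TEMPLATE` constant is a constructed excerpt of the asker's template, and it also validates the variables inside `Fn::Sub` strings.

```python
import json
import re

# Constructed input: excerpt of the asker's template in CloudFormation JSON form (!Ref -> Ref, !Sub -> Fn::Sub).
TEMPLATE = json.loads("""{
  "Parameters": {"CustomKMSKeyName": {"Type": "String", "Default": "alias/sokaws-budget-sns"}},
  "Resources": {
    "AccountBudget": {"Type": "AWS::SSM::Parameter", "Properties": {
      "Name": "do_not_edit_account_budgets", "Type": "String", "Value": {"Ref": "Amount"}}},
    "CustomKMSKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${AWS::AccountId}:root"},
      "Action": "kms:*",
      "Resource": {"Fn::Sub": "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${CustomKMSKeyName}"}}]}}}}}""")

PSEUDO = {"AWS::AccountId", "AWS::Region", "AWS::Partition", "AWS::StackName", "AWS::StackId", "AWS::NoValue"}  # resolved by CloudFormation itself
VAR = re.compile(r"\$\{([^}]+)\}")

def _leaves(node, path=()):
    """Yield (path, value) for every scalar; an Fn::Sub is yielded whole so it can be checked separately."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Fn::Sub":
                yield path + (key,), value
            else:
                yield from _leaves(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, path + (str(i),))
    else:
        yield path, node

def lint(template):
    """Return one line per finding: unresolved ${...} placeholders and Refs to undeclared names."""
    known = set(template.get("Parameters", {})) | set(template.get("Resources", {})) | PSEUDO
    findings = []
    for path, value in _leaves(template):
        where = "/".join(path)
        if path[-1] == "Ref" and value not in known:
            findings.append(f"{where}: Ref to undefined '{value}'")
        elif path[-1] == "Fn::Sub":
            text = value if isinstance(value, str) else value[0]  # list form is [string, {var: value}]
            local = set(value[1]) if isinstance(value, list) else set()
            for var in VAR.findall(text):  # "Res.Attr" is the GetAtt form, "!x" is a literal escape
                if not var.startswith("!") and var.split(".")[0] not in known | local:
                    findings.append(f"{where}: Fn::Sub references undefined '{var}'")
        elif isinstance(value, str) and VAR.search(value):
            findings.append(f"{where}: '{value}' contains ${{...}} but is not wrapped in Fn::Sub (!Sub)")
    return findings
```

Running `lint(TEMPLATE)` reports the undeclared `Amount` parameter and the unsubstituted principal ARN, and nothing for the `Resource` line because it is already wrapped in `Fn::Sub`.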