restricting KMS permissions for cdkExecRole

[mourya-33]

Feature or Bugfix

• Bugfix

Detail

This fix is to address the checkov failure issues for overly permissive cdkExecPolicy. This fix only addresses the KMS permissions. Glue/LF and SageMaker permissions are not yet restricted as they are pending on the resolution of the ticket - #1189

Relates

#1610

#1189

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

• Does this PR introduce or modify any input fields or queries - this includes
  fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  • Is the input sanitized? N/A
  • What precautions are you taking before deserializing the data you consume? N/A
  • Is injection prevented by parametrizing queries? N/A
  • Have you ensured no eval or similar functions are used? N/A
• Does this PR introduce any functionality or component that requires authorization? N/A
  • How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A
  • Are you logging failed auth attempts? N/A
• Are you using or adding any cryptographic features? N/A
  • Do you use a standard proven implementations? N/A
  • Are the used keys controlled by the customer? Where are they stored? N/A
• Are you introducing any new policies/roles/users? N/A
  • Have you used the least-privilege principle? How? Yes. We are restricting the KMS permissions to only the required resources.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[mourya-33]

@dlpzx

I tested this to address the KMS permissions for the ticket - #1610. Could you please review and approve the change.

Tested the following.

1. Link / De-Link environments
2. Create Dataset
3. Glue Crawler runs