From bef4cceb83aba27edea2a3152066978f68ddbdf9 Mon Sep 17 00:00:00 2001
From: spensireli <5614310+spensireli@users.noreply.github.com>
Date: Thu, 31 Jul 2025 22:15:54 -0400
Subject: [PATCH 1/3] feat: fixup kms permissions

---
 src/control-tower/control-tower-landing-zone.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/control-tower/control-tower-landing-zone.ts b/src/control-tower/control-tower-landing-zone.ts
index d492583..9ed8fbf 100644
--- a/src/control-tower/control-tower-landing-zone.ts
+++ b/src/control-tower/control-tower-landing-zone.ts
@@ -188,7 +188,7 @@ export class ControlTowerLandingZone extends Construct {
 const logArchiveAccountId = props.logArchiveAccountId || logArchiveAccount?.accountId;
 const securityAuditAccountId = props.securityAuditAccountId || securityAuditAccount?.accountId;
- const loggingKmsKey = props.loggingBucketKmsKeyArn
+ const loggingKmsKey: kms.Key | undefined = props.loggingBucketKmsKeyArn
 ? undefined
 : new kms.Key(this, 'LoggingKmsKey', {
 description: 'KMS key for Control Tower logging bucket encryption',

From 4bc2ea1a7dcb85dd78be800b6ba351e1ef8738df Mon Sep 17 00:00:00 2001
From: spensireli <5614310+spensireli@users.noreply.github.com>
Date: Thu, 31 Jul 2025 22:22:12 -0400
Subject: [PATCH 2/3] feat: kms grants

---
 src/control-tower/control-tower-landing-zone.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/control-tower/control-tower-landing-zone.ts b/src/control-tower/control-tower-landing-zone.ts
index 9ed8fbf..d492583 100644
--- a/src/control-tower/control-tower-landing-zone.ts
+++ b/src/control-tower/control-tower-landing-zone.ts
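Review bot: The explicit `kms.Key | undefined` annotation on the added line is redundant — the compiler already infers exactly that union from a ternary whose branches are `undefined` and `new kms.Key(...)`, so the line adds no checking and is the kind of trivially-inferred local annotation a strict setup does not need. PATCH 2/3 then removes the same annotation again (index 9ed8fbf..d492583), so the two commits net to no change and would read better squashed, with a subject that says what was done, since neither "fixup kms permissions" nor "kms grants" touches a permission or a grant. Also visible here is that when `props.loggingBucketKmsKeyArn` is supplied the variable is simply `undefined`; if that caller-provided key is meant to receive the same grants as the construct-created one, nothing in this hunk imports it (for example via a `kms.Key.fromKeyArn` lookup), which is presumably handled further down but worth confirming. The method declaring these locals starts and continues outside the hunk.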
@@ -188,7 +188,7 @@ export class ControlTowerLandingZone extends Construct {
 const logArchiveAccountId = props.logArchiveAccountId || logArchiveAccount?.accountId;
 const securityAuditAccountId = props.securityAuditAccountId || securityAuditAccount?.accountId;
- const loggingKmsKey: kms.Key | undefined = props.loggingBucketKmsKeyArn
+ const loggingKmsKey = props.loggingBucketKmsKeyArn
 ? undefined
 : new kms.Key(this, 'LoggingKmsKey', {
 description: 'KMS key for Control Tower logging bucket encryption',

From 699179e1361aa3dcc5864eeb1d0656e8d8e38e00 Mon Sep 17 00:00:00 2001
From: spensireli <5614310+spensireli@users.noreply.github.com>
Date: Sat, 2 Aug 2025 10:03:19 -0400
Subject: [PATCH 3/3] feat: managed policy

---
 src/control-tower/control-tower-landing-zone.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/control-tower/control-tower-landing-zone.ts b/src/control-tower/control-tower-landing-zone.ts
index d492583..c7af3c2 100644
--- a/src/control-tower/control-tower-landing-zone.ts
+++ b/src/control-tower/control-tower-landing-zone.ts
@@ -238,7 +238,7 @@ export class ControlTowerLandingZone extends Construct {
 roleName: 'AWSControlTowerAdmin',
 assumedBy: new iam.ServicePrincipal('controltower.amazonaws.com'),
 managedPolicies: [
- iam.ManagedPolicy.fromAwsManagedPolicyName('AWSControlTowerAdmin'),
+ iam.ManagedPolicy.fromAwsManagedPolicyName('AWSControlTowerServiceRolePolicy'),
 ],
 })
 : iam.Role.fromRoleName(this, 'ControlTowerAdminRole', 'AWSControlTowerAdmin');
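Review bot: `iam.ManagedPolicy.fromAwsManagedPolicyName('AWSControlTowerServiceRolePolicy')` on the added line resolves to `arn:aws:iam::aws:policy/AWSControlTowerServiceRolePolicy`, but as far as I recall that AWS-managed policy is published under the `service-role/` path, in which case the role creation would fail at deploy time with a NoSuchEntity on AttachRolePolicy; if so the name needs the path, `iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSControlTowerServiceRolePolicy')` — please check the policy ARN before merging. A comment on that line would also help, since the old value `AWSControlTowerAdmin` is the role's own name rather than a policy and a later reader may swap it back: `// Attach the AWS-managed policy the AWSControlTowerAdmin service role requires; the role name itself is not a policy name`. Note that the `else` branch imports an existing role by name, so a role created under the old value is not reconciled by this change. The `iam.Role` construction this sits in starts and ends outside the hunk.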