Restricting kms permissions

[lumoVWGS]

1. Describe IN DETAIL the feature/behavior/change you would like to see.

          As discussed @chrislovecnm 

1. kms should be locked down to the relevant resource (ideally use the cluster names resource).
2. route53 changesets not required for nodes only masters.
3. s3:* should be avoided and have explicit rules.
4. use sids so we can reference sections and indicate the statements use.
5. master missing elasticloadbalancing:AddTags + elasticloadbalancing:DescribeTags, elasticloadbalancing:RemoveTags

Originally posted by @ajohnstone in #1873 (comment)

This has been discussed quite some time ago. Ressource wildcard permissions are given for kms:Decrypt and other kms transactions in the masters iam role (see link below), as well as in the ebs role, that is set up if awsEBSCSIDriver is enabled (policy for the service account the ebs-csi-controller is using):

kops/pkg/model/iam/tests/iam_builder_master_strict_ecr.json

Line 149 in 26963dd

"Resource": "*"

This is generating a lot of alerts on security scanners, as the current settings allow the decrypt action with every kms key available in the account.

As the kms keys for ebs, s3 etc. can be referenced by an alias arn as well (for example: arn:aws:kms:::alias/aws/s3), maybe it is possible to restrict the policy to the kms-keys for the according services needed?

2. Feel free to provide a design supporting your feature request.

Example:
{
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:kms:::alias/aws/s3",
"arn:aws:kms:::alias/aws/ebs"
]