Update feature flag naming

packages/aws-cdk-lib/aws-kms/lib/key.ts

@@ -263,7 +263,7 @@ abstract class KeyBase extends Resource implements IKey {
     const bucketStack = Stack.of(this);
     const identityStack = Stack.of(grantee.grantPrincipal);
 
-    if (FeatureFlags.of(this).isEnabled(cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY)) {
+    if (FeatureFlags.of(this).isEnabled(cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)) {
       // if two compared stacks have the same region, this should return 'false' since it's from the
       // same region; if two stacks have different region, then compare env.region
       return bucketStack.region !== identityStack.region && this.env.region !== identityStack.region;
@@ -278,7 +278,7 @@ abstract class KeyBase extends Resource implements IKey {
     const bucketStack = Stack.of(this);
     const identityStack = Stack.of(grantee.grantPrincipal);
 
-    if (FeatureFlags.of(this).isEnabled(cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY)) {
+    if (FeatureFlags.of(this).isEnabled(cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)) {
       // if two compared stacks have the same region, this should return 'false' since it's from the
       // same region; if two stacks have different region, then compare env.account
       return bucketStack.account !== identityStack.account && this.env.account !== identityStack.account;

packages/aws-cdk-lib/aws-kms/test/key.test.ts

@@ -83,7 +83,7 @@ describe('key policies', () => {
   });
 
   test('cross region key with iam role grant', () => {
-    const app = new cdk.App({ context: { [cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: true } });
+    const app = new cdk.App({ context: { [cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: true } });
     const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } });
     const key = kms.Key.fromKeyArn(
       stack,
@@ -113,7 +113,7 @@ describe('key policies', () => {
   });
 
   test('cross region key with iam role grant when feature flag is disabled', () => {
-    const app = new cdk.App({ context: { [cxapi.KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: false } });
+    const app = new cdk.App({ context: { [cxapi.KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: false } });
     const stack = new cdk.Stack(app, 'test-stack', { env: { account: '000000000000', region: 'us-west-2' } });
     const key = kms.Key.fromKeyArn(
       stack,

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -66,7 +66,7 @@ Flags come in three types:
 | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) |
 | [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | 2.127.0 | (default) |
 | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | V2NEXT | (default) |
-| [@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy](#aws-cdkaws-kmscrossaccountregionkmskeypolicy) | When enabled, KMS key grant should create policy with only one resource. | V2NEXT | (fix) |
+| [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -124,7 +124,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
     "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
     "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
-    "@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy": true
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true
   }
 }
 ```
@@ -1251,12 +1251,12 @@ construct, the construct automatically defaults the value of this property to `P
 **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior.
 
 
-### @aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy
+### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope
 
-*When enabled, KMS key grant should create policy with only one resource.* (fix)
+*When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix)
 
-When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this
-granting KMS key instead of a * resource property.
+When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from
+'*' to this specific granting KMS key.
 
 
 | Since | Default | Recommended |

packages/aws-cdk-lib/cx-api/README.md

@@ -293,19 +293,19 @@ _cdk.json_
 }
 ```
 
-* `@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy`
+* `@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope`
 
-Enables KMS key grant to correctly set 'Resoruce' property of IAM policy to the key itself.
+Reduce resource scope of the IAM Policy created from KMS key grant to granting key only.
 
-When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this
-granting KMS key instead of a * resource property.
+When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from
+'*' to this specific granting KMS key.
 
 _cdk.json_
 
 ```json
 {
   "context": {
-    "@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy": true
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true
   }
 }
 ```

packages/aws-cdk-lib/cx-api/lib/features.ts

@@ -100,7 +100,7 @@ export const CODECOMMIT_SOURCE_ACTION_DEFAULT_BRANCH_NAME = '@aws-cdk/aws-codepi
 export const LAMBDA_PERMISSION_LOGICAL_ID_FOR_LAMBDA_ACTION = '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction';
 export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse';
 export const CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2 = '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2';
-export const KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY = '@aws-cdk/aws-kms:crossAccountRegionKmsKeyPolicy';
+export const KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE = '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope';
 
 export const FLAGS: Record<string, FlagInfo> = {
   //////////////////////////////////////////////////////////////////////
@@ -1024,12 +1024,12 @@ export const FLAGS: Record<string, FlagInfo> = {
   },
 
   //////////////////////////////////////////////////////////////////////
-  [KMS_CROSS_ACCOUNT_REGION_KMS_KEY_POLICY]: {
+  [KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE]: {
     type: FlagType.BugFix,
-    summary: 'When enabled, KMS key grant should create policy with only one resource.',
+    summary: 'When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.',
     detailsMd: `
-      When this feature flag is enabled and calling KMS key grant method, the created IAM policy should correctly resolve to this
-      granting KMS key instead of a * resource property.
+      When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from
+      '*' to this specific granting KMS key.
     `,
     introducedIn: { v2: 'V2NEXT' },
     recommendedValue: true,