How to get an AWS SSM Key Arn from an Alias using CloudFormation?

Question

Is it possible to get a KMS Key ARN using CloudFormation using an alias? I want to give specific permissions to a Key in my AWS Account.

Something like the following?

  - Effect: Allow
    Action: kms:Decrypt
    Resource:
      - 'Fn::GetAtt': 
        - 'alias/someAliasOfAKMSKey'
        - 'arn'

Answer 1

You can do something like this:

- Effect: Allow
  Action:
  - kms:Decrypt
  Resource:
  - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/someKeyNameOfAKMSKey'