
[Bug]: After upgrade to 4.0.0 the emails are not sent anymore #769

Open
2 tasks done
AndreiDiaconovici opened this issue Sep 27, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@AndreiDiaconovici

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

After the upgrade to 4.0.0 the email alerts are not sent anymore during CodePipeline runs (STARTED, FAILED, SUCCEEDED).
I have checked the EventBridge rule and it's triggered successfully, but the invocation to SNS fails.

Expected Behavior

To send emails.

Current Behavior

Steps To Reproduce

No response

Possible Solution

No response

Additional Information/Context

No response

ADF Version

4.0.0

Contributing a fix?

  • Yes, I am working on a fix to resolve this issue
@AndreiDiaconovici AndreiDiaconovici added the bug Something isn't working label Sep 27, 2024
@AndreiDiaconovici
Author

AndreiDiaconovici commented Sep 27, 2024

Greetings,

It seems that the KMS Condition with SourceArn is not working.

  KMSKey:
    Type: AWS::KMS::Key
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      Description: Used by Assumed Roles in Accounts accounts to Encrypt/Decrypt code
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Ref AWS::StackName
        Statement:
          - Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action:
              - "kms:CancelKeyDeletion"
              - "kms:Create*"
              - "kms:Decrypt"
              - "kms:Delete*"
              - "kms:Describe*"
              - "kms:DescribeKey"
              - "kms:Disable*"
              - "kms:Enable*"
              - "kms:Encrypt"
              - "kms:GenerateDataKey*"
              - "kms:Get*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:ReEncrypt*"
              - "kms:Revoke*"
              - "kms:ScheduleKeyDeletion"
              - "kms:Update*"
            Resource: "*"
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:GenerateDataKey*
              - kms:ReEncryptFrom
              - kms:ReEncryptTo
            Resource: "*"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
          - Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Effect: Allow
            Principal:
              Service:
                - sns.amazonaws.com
                - codecommit.amazonaws.com
            Resource: "*"
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref AWS::AccountId
          - Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Resource: "*"
            Condition:
              ArnLike:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"

Changing the Condition of events.amazonaws.com to use "aws:ResourceAccount": !Ref AWS::AccountId instead of aws:SourceArn works.
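A toy evaluator for the two condition variants in the comment above, added here as an example and not code from the ADF project or the issue: it implements IAM's ArnLike wildcard matching and StringEquals over a constructed request context (the account, region and context keys are placeholders, since the page does not say which keys EventBridge actually sets on the KMS call) and shows that a statement keyed on aws:SourceArn simply does not apply when that key is absent from the request context, while aws:ResourceAccount still matches.

```python
"""Toy IAM condition evaluator for the two events.amazonaws.com variants above.
Added example, not ADF code; account, region and request contexts are constructed."""
import re

ACCOUNT = "111122223333"  # constructed placeholder
REGION = "eu-west-1"      # constructed placeholder
RULE_ARN_PATTERN = f"arn:aws:events:{REGION}:{ACCOUNT}:rule/*"

def arn_like(pattern: str, value: str) -> bool:
    """IAM ArnLike: the six colon-delimited ARN parts are matched separately,
    case-sensitively, with '*' (any run) and '?' (one char) wildcards."""
    pat_parts, val_parts = pattern.split(":", 5), value.split(":", 5)
    if len(pat_parts) != 6 or len(val_parts) != 6:
        return False
    for pat, val in zip(pat_parts, val_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pat)
        if re.fullmatch(regex, val) is None:
            return False
    return True

def condition_matches(condition: dict, context: dict) -> bool:
    """All operator/key pairs must hold; a key missing from the context is a miss."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "ArnLike" and not arn_like(expected, actual):
                return False
    return True

# The two Condition blocks from the comment, CloudFormation intrinsics resolved.
ORIGINAL = {"ArnLike": {"aws:SourceArn": RULE_ARN_PATTERN}}
CHANGED = {"StringEquals": {"aws:ResourceAccount": ACCOUNT}}

# Constructed request contexts for a KMS call made by events.amazonaws.com.
CTX_WITH_RULE_ARN = {"aws:ResourceAccount": ACCOUNT,
                     "aws:SourceArn": f"arn:aws:events:{REGION}:{ACCOUNT}:rule/adf-rule"}
CTX_WITHOUT_SOURCE_ARN = {"aws:ResourceAccount": ACCOUNT}

def evaluate(context: dict) -> dict:
    """Which statement variant would let this request context through."""
    return {"original": condition_matches(ORIGINAL, context),
            "changed": condition_matches(CHANGED, context)}
```

Note that aws:ResourceAccount identifies the account that owns the KMS key itself, so for a key in this account the changed condition holds for every events.amazonaws.com request, whereas aws:SourceAccount or aws:SourceArn scope the grant by the originating resource.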
