docs: add KMS decrypt permissions for S3 artifact encryption

The artifact bucket uses SSEAlgorithm: aws:kms, so both the GitHub
Actions OIDC role (step 2) and the CodeBuild service role (step 3)
need kms:Decrypt and kms:GenerateDataKey scoped via kms:ViaService
to the S3 endpoint.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: scottschreckengaust

docs/ADMINISTRATORS_GUIDE.md

@@ -178,6 +178,18 @@ Resources:
                     - !Sub 'arn:${AWS::Partition}:s3:::${ArtifactBucketName}'
                     - !Sub 'arn:${AWS::Partition}:s3:::${ArtifactBucketName}/*'
                 - !Ref AWS::NoValue
+              - !If
+                - HasArtifactBucket
+                - Sid: AllowDecryptArtifacts
+                  Effect: Allow
+                  Action:
+                    - kms:Decrypt
+                    - kms:GenerateDataKey
+                  Resource: '*'
+                  Condition:
+                    StringEquals:
+                      kms:ViaService: !Sub 's3.${AWS::Region}.amazonaws.com'
+                - !Ref AWS::NoValue
 
 Outputs:
   RoleArn:
@@ -352,6 +364,15 @@ Resources:
                 Resource:
                   - !GetAtt ArtifactBucket.Arn
                   - !Sub '${ArtifactBucket.Arn}/*'
+              - Sid: AllowKMSForArtifacts
+                Effect: Allow
+                Action:
+                  - kms:Decrypt
+                  - kms:GenerateDataKey
+                Resource: '*'
+                Condition:
+                  StringEquals:
+                    kms:ViaService: !Sub 's3.${AWS::Region}.amazonaws.com'
 
   Project:
     Type: AWS::CodeBuild::Project