diff --git a/security/cloudtrail.yaml b/security/cloudtrail.yaml
index bf5c81bc2..3db7f8cf1 100644
--- a/security/cloudtrail.yaml
+++ b/security/cloudtrail.yaml
@@ -215,6 +215,16 @@ Resources:
 Condition:
 Bool:
 'aws:SecureTransport': false
+ - Sid: EnforceSSERequests
+ Effect: Deny
+ Principal: '*'
+ Action: 's3:PutObject'
+ Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
+ Condition:
+ StringNotEquals:
+ 's3:x-amz-server-side-encryption':
+ - 'AES256'
+ - 'aws:kms'
 TrailLogGroup:
 Type: 'AWS::Logs::LogGroup'
 Properties:
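Review bot: In the added `EnforceSSERequests` statement, `StringNotEquals` is a negated operator, so a `PutObject` that carries no `x-amz-server-side-encryption` header at all is denied as well, not only one that names a different algorithm; a writer that relies on the bucket's default encryption instead of setting the header is therefore rejected. Before merging, confirm that CloudTrail's own delivery sets that header for both the SSE-S3 (`AES256`) and SSE-KMS (`aws:kms`) cases the condition admits, because a mismatch would surface only as a delivery error on the trail, not as a template failure, and a comment on the statement recording that check would help the next maintainer: `# CloudTrail delivery must send x-amz-server-side-encryption; verified for SSE-S3 and SSE-KMS trails`. The `Resource` is also scoped to `AWSLogs/${AWS::AccountId}/*`, so objects written under another prefix, for example an organization trail delivering to `AWSLogs/o-…/`, are not covered; if the intent is to require encryption for everything in the bucket, `!Sub 'arn:aws:s3:::${TrailBucket}/*'` matches that intent more directly. The enclosing bucket-policy document and the neighbouring `aws:SecureTransport` statement begin before this hunk, so I cannot see which resource scope that statement uses.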