From 71a8debeb9a6ce100f0e3ab691f8f9b7a3207cfd Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Thu, 8 Feb 2024 10:36:34 -0800
Subject: [PATCH] enforce S3-SSE requests to CloudTrail bucket
---
 security/cloudtrail.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/security/cloudtrail.yaml b/security/cloudtrail.yaml
index bf5c81bc2..3db7f8cf1 100644
--- a/security/cloudtrail.yaml
+++ b/security/cloudtrail.yaml
@@ -215,6 +215,16 @@ Resources:
             Condition:
               Bool:
                 'aws:SecureTransport': false
+          - Sid: EnforceSSERequests
+            Effect: Deny
+            Principal: '*'
+            Action: 's3:PutObject'
+            Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
+            Condition:
+              StringNotEquals:
+                's3:x-amz-server-side-encryption':
+                  - 'AES256'
+                  - 'aws:kms'
   TrailLogGroup:
     Type: 'AWS::Logs::LogGroup'
     Properties:
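Review bot: The new `EnforceSSERequests` statement denies every `s3:PutObject` whose request context lacks the `s3:x-amz-server-side-encryption` key, not only requests that set it to some other value — `StringNotEquals`, like all negated IAM operators, evaluates true when the key is absent — so CloudTrail delivery into this bucket now depends on CloudTrail always sending that header, and a denied delivery fails quietly (visible only in the trail's `LatestDeliveryError`) rather than failing the stack; verify delivery in a test account before rolling this out. Because the value list accepts `AES256` as well as `aws:kms`, the statement does not actually enforce KMS encryption of the log files; if that is the intent, tighten it to `'s3:x-amz-server-side-encryption': 'aws:kms'` and add a companion deny on `s3:x-amz-server-side-encryption-aws-kms-key-id` for the trail's key. The `Resource` covers only `AWSLogs/${AWS::AccountId}/*`, so objects written under any other prefix (for example an organization trail's member-account paths, if this template ever deploys one) are not subject to the deny — acceptable for single-account trails, but worth stating. A one-line comment above the statement would save the next maintainer the IAM-semantics lookup, e.g. `# Deny unencrypted uploads; StringNotEquals also denies requests that omit the SSE header entirely.` The enclosing `PolicyDocument`/`Statement` list begins above the hunk.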