enforce KMS-SSE requests to CloudTrail bucket

widdix · Feb 13, 2024 · ac04ad2 · ac04ad2
1 parent f8d787f
commit ac04ad2
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/security/cloudtrail.yaml b/security/cloudtrail.yaml
@@ -215,6 +215,20 @@ Resources:
           Condition:
             Bool:
               'aws:SecureTransport': false
+        - !If
+          - HasParentKmsKeyStack
+          - Sid: EnforceSSERequests
+            Principal: '*'
+            Action: 's3:PutObject*'
+            Effect: Deny
+            Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
+            Condition:
+              StringNotEquals:
+                's3:x-amz-server-side-encryption':
+                - 'AES256'
+                - 'aws:kms'
+                's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
+          - !Ref 'AWS::NoValue'
   TrailLogGroup:
     Type: 'AWS::Logs::LogGroup'
     Properties:

diff --git a/security/kms-key.yaml b/security/kms-key.yaml
@@ -188,6 +188,7 @@ Resources:
               Service: 'cloudtrail.amazonaws.com'
             Action:
             - 'kms:GenerateDataKey*'
+            - 'kms:DescribeKey'
             Resource: '*'
             Condition:
               StringLike: