force encryption with KMS

widdix · Feb 12, 2024 · c62e8dc · c62e8dc
1 parent 44ce87c
commit c62e8dc
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/security/cloudtrail.yaml b/security/cloudtrail.yaml
@@ -215,16 +215,18 @@ Resources:
           Condition:
             Bool:
               'aws:SecureTransport': false
-        - Sid: EnforceSSERequests
-          Effect: Deny
-          Principal: '*'
-          Action: 's3:PutObject'
-          Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
-          Condition:
-            StringNotEquals:
-              's3:x-amz-server-side-encryption':
-              - 'AES256'
-              - 'aws:kms'
+        - !If
+          - HasParentKmsKeyStack
+          - Sid: EnforceSSERequests
+            Principal: '*'
+            Action: 's3:PutObject*'
+            Effect: Deny
+            Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
+            Condition:
+              StringNotEquals:
+                's3:x-amz-server-side-encryption': ''
+                's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
+          - !Ref 'AWS::NoValue'
   TrailLogGroup:
     Type: 'AWS::Logs::LogGroup'
     Properties: