From c62e8dcab364a024139c9da017cfeadaa51a75a0 Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Mon, 12 Feb 2024 09:01:13 -0800
Subject: [PATCH] force encryption with KMS

---
 security/cloudtrail.yaml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/security/cloudtrail.yaml b/security/cloudtrail.yaml
index 8103be24b..66fa8cfd6 100644
--- a/security/cloudtrail.yaml
+++ b/security/cloudtrail.yaml
@@ -215,16 +215,18 @@ Resources:
 Condition:
 Bool:
 'aws:SecureTransport': false
- Sid: EnforceSSERequests
- Effect: Deny
- Principal: '*'
- Action: 's3:PutObject'
- Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
- Condition:
- StringNotEquals:
- 's3:x-amz-server-side-encryption':
- 'AES256'
- 'aws:kms'
+ - !If
- HasParentKmsKeyStack
- Sid: EnforceSSERequests
Principal: '*'
Action: 's3:PutObject*'
Effect: Deny
Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
Condition:
StringNotEquals:
's3:x-amz-server-side-encryption': ''
's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
- !Ref 'AWS::NoValue'
 TrailLogGroup:
 Type: 'AWS::Logs::LogGroup'
 Properties:
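Review bot: When HasParentKmsKeyStack is false the `!Ref 'AWS::NoValue'` branch removes the EnforceSSERequests statement entirely, so a stack deployed without a KMS key loses the AES256/aws:kms deny the old policy had and unencrypted PutObject requests on the trail prefix are no longer refused; the else branch should carry the previous statement rather than NoValue. Within the new statement the two keys under one StringNotEquals are AND-ed, so the `'s3:x-amz-server-side-encryption': ''` entry only adds an escape hatch (a request that literally sends an empty header is never denied) while the key-id comparison on its own already denies every request lacking the expected key, non-KMS writes included, so I would drop the `''` key. The key-id condition also matches the header value verbatim, so any writer that passes a key ID or alias instead of the full ARN is denied — worth confirming CloudTrail delivers the ARN form before relying on it — and `s3:PutObject*` now also denies PutObjectAcl/PutObjectTagging, which carry no SSE headers; say so in a comment if that is intended. The bucket policy's statement list continues outside the hunk.
```yaml
          - !If
            - HasParentKmsKeyStack
            - Sid: EnforceSSERequests
              # … unchanged: Principal, Action, Effect, Resource …
              Condition:
                StringNotEquals:
                  # A non-KMS PutObject carries no key id, so this key alone denies it;
                  # a second key under the same operator would be AND-ed, not OR-ed.
                  's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
            # No KMS stack supplied: still require some SSE instead of dropping the check.
            - Sid: EnforceSSERequests
              Principal: '*'
              Action: 's3:PutObject*'
              Effect: Deny
              Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
              Condition:
                StringNotEquals:
                  's3:x-amz-server-side-encryption':
                    - 'AES256'
                    - 'aws:kms'
```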