enforce S3-SSE requests to CloudTrail bucket

Author: ab77

security/cloudtrail.yaml

@@ -215,6 +215,16 @@ Resources:
           Condition:
             Bool:
               'aws:SecureTransport': false
+        - Sid: EnforceSSERequests
+          Effect: Deny
+          Principal: '*'
+          Action: 's3:PutObject'
+          Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
+          Condition:
+            StringNotEquals:
+              's3:x-amz-server-side-encryption':
+              - 'AES256'
+              - 'aws:kms'
   TrailLogGroup:
     Type: 'AWS::Logs::LogGroup'
     Properties: