enforce KMS-SSE requests to CloudTrail bucket

Author: ab77

security/cloudtrail.yaml

@@ -215,6 +215,20 @@ Resources:
           Condition:
             Bool:
               'aws:SecureTransport': false
+        - !If
+          - HasParentKmsKeyStack
+          - Sid: EnforceSSERequests
+            Principal: '*'
+            Action: 's3:PutObject*'
+            Effect: Deny
+            Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
+            Condition:
+              StringNotEquals:
+                's3:x-amz-server-side-encryption':
+                - 'AES256'
+                - 'aws:kms'
+                's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
+          - !Ref 'AWS::NoValue'
   TrailLogGroup:
     Type: 'AWS::Logs::LogGroup'
     Properties:

security/kms-key.yaml

@@ -188,6 +188,7 @@ Resources:
               Service: 'cloudtrail.amazonaws.com'
             Action:
             - 'kms:GenerateDataKey*'
+            - 'kms:DescribeKey'
             Resource: '*'
             Condition:
               StringLike: