enforce S3-SSE requests to CloudTrail bucket
ab77 committed Feb 8, 2024
1 parent 8915460 commit 71a8deb
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions security/cloudtrail.yaml
Expand Up @@ -215,6 +215,16 @@ Resources:
Condition:
Bool:
'aws:SecureTransport': false
- Sid: EnforceSSERequests
Effect: Deny
Principal: '*'
Action: 's3:PutObject'
Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
Condition:
StringNotEquals:
's3:x-amz-server-side-encryption':
- 'AES256'

Check failure on line 226 in security/cloudtrail.yaml (GitHub Actions / lint): 226:17 [indentation] wrong indentation: expected 14 but found 16

- 'aws:kms'
TrailLogGroup:
Type: 'AWS::Logs::LogGroup'
Properties:
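Review bot: the lint failure at 226:17 is the two-item list under `'s3:x-amz-server-side-encryption':` (`- 'AES256'` and `- 'aws:kms'`) being indented 16 columns where yamllint expects 14; dedent both items by two spaces so the lint job passes, the resulting policy is identical. One semantic point worth a comment in the template: `StringNotEquals` evaluates to true when the condition key is absent from the request, so this Deny rejects every `s3:PutObject` to the trail prefix that omits the `x-amz-server-side-encryption` header, not only requests that set an unapproved value. Bucket default encryption does not add that header to the request, so any writer relying on the bucket default rather than setting the header explicitly will be denied; the statement should state that this is the intent.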

0 comments on commit 71a8deb