From 4df047798ec3ff4cced1ca0377e1771832e20e87 Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Mon, 12 Feb 2024 13:16:51 -0800
Subject: [PATCH] specify encryption procotol

---
 security/cloudtrail.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/cloudtrail.yaml b/security/cloudtrail.yaml
index 66fa8cfd6..74940bacc 100644
--- a/security/cloudtrail.yaml
+++ b/security/cloudtrail.yaml
@@ -224,7 +224,10 @@ Resources:
           Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
           Condition:
             StringNotEquals:
-              's3:x-amz-server-side-encryption': ''
+              's3:x-amz-server-side-encryption': [
+                'AES256',
+                'aws:kms'
+              ],
               's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
       - !Ref 'AWS::NoValue'
     TrailLogGroup:
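Review bot: The added `],` line leaves a trailing comma after the flow sequence inside a block mapping, which YAML parsers (PyYAML and, most likely, CloudFormation's own parser) reject with an "expected block end, but found ','" style error, so this template will probably fail to deploy; collapse it to a single line, `'s3:x-amz-server-side-encryption': ['AES256', 'aws:kms']`, with no trailing comma. Separately, keeping both keys under one `StringNotEquals` means the Deny only fires when the SSE header is outside the list AND the KMS key id differs from the imported ARN, so a PutObject sent with `AES256` (SSE-S3) no longer matches the first key and is not denied, which appears to weaken the KMS-key requirement the second key expresses; if the intent is to mandate the parent KMS key, the two keys should be checked in separate statements (or the SSE-S3 value dropped). The enclosing policy statement and its `!If` wrapper start outside the hunk, so the `Effect`/`Action` of this statement cannot be confirmed here.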