diff --git a/modules/cloudtrail-baseline/main.tf b/modules/cloudtrail-baseline/main.tf
index 67c83d72..0d81a32d 100644
--- a/modules/cloudtrail-baseline/main.tf
+++ b/modules/cloudtrail-baseline/main.tf
@@ -184,6 +184,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
 }
 
 resource "aws_kms_key" "cloudtrail" {
+ count = var.cloudtrail_kms_customer_managed || var.cloudtrail_sns_topic_enabled ? 1 : 0
 description = "A KMS key to encrypt CloudTrail events."
 deletion_window_in_days = var.key_deletion_window_in_days
 enable_key_rotation = "true"
@@ -237,7 +238,7 @@ resource "aws_cloudtrail" "global" {
 include_global_service_events = true
 is_multi_region_trail = true
 is_organization_trail = var.is_organization_trail
- kms_key_id = aws_kms_key.cloudtrail.arn
+ kms_key_id = var.cloudtrail_kms_customer_managed ? aws_kms_key.cloudtrail.arn : null
 s3_bucket_name = var.s3_bucket_name
 s3_key_prefix = var.s3_key_prefix
 sns_topic_name = var.cloudtrail_sns_topic_enabled ? aws_sns_topic.cloudtrail-sns-topic[0].arn : null
diff --git a/modules/cloudtrail-baseline/variables.tf b/modules/cloudtrail-baseline/variables.tf
index 062143af..eb54ccac 100644
--- a/modules/cloudtrail-baseline/variables.tf
+++ b/modules/cloudtrail-baseline/variables.tf
@@ -57,6 +57,12 @@ variable "permissions_boundary_arn" {
 default = ""
 }
 
+variable "cloudtrail_kms_customer_managed" {
+ description = "Whether to use SSE-KMS encryption for CloudTrail logs KMS encryption type. With this variable set false, CloudTrail logs are encrypted with SSE-S3. SSE-S3 is AWS managed and incurs no cost. Note that if SNS is enabled, a customer managed KMS key will be created for that topic regardless of this variable option."
+ type = bool
+ default = true
+}
+
 variable "key_deletion_window_in_days" {
 description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days."
 type = number
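Review bot: Giving `aws_kms_key.cloudtrail` a `count` turns it into a list, so the bare reference `aws_kms_key.cloudtrail.arn` kept on the new `kms_key_id` line in the `aws_cloudtrail` hunk below will fail validation; that line should read `kms_key_id = var.cloudtrail_kms_customer_managed ? aws_kms_key.cloudtrail[0].arn : null`, the same indexed form the neighbouring `sns_topic_name` line already uses for the counted SNS topic. Any other reference to this key outside the two hunks (a key alias, the SNS topic's encryption key, wherever `cloudtrail_key_policy` is attached) presumably needs the same `[0]` treatment, and the diff shows none of them being updated. The condition is correct only because `||` binds tighter than `?:` in HCL, so it reads more honestly as `count = (var.cloudtrail_kms_customer_managed || var.cloudtrail_sns_topic_enabled) ? 1 : 0`. The `aws_kms_key` block continues past the end of the hunk.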
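Review bot: The new `kms_key_id` line silently changes the access-control model when the variable is false: the trail then writes SSE-S3 objects, so the principal restrictions expressed in the `cloudtrail_key_policy` document (presumably attached as the key policy) no longer gate who can read log files, leaving the bucket policy and IAM as the only controls. That trade-off belongs next to the line, e.g. `# null selects SSE-S3; log-file access is then governed solely by the bucket policy and IAM, not the CloudTrail key policy`. The `aws_cloudtrail` block starts before the hunk and continues past it.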
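Review bot: The description of the new `cloudtrail_kms_customer_managed` variable is garbled in its first sentence ("Whether to use SSE-KMS encryption for CloudTrail logs KMS encryption type") and frames the choice only as a cost question, although the false setting also removes the KMS key policy as a second gate on who can decrypt the log files. Suggested wording: `description = "Encrypt CloudTrail log files with the module's customer managed KMS key (SSE-KMS). When false the trail writes SSE-S3 objects, which adds no KMS cost but leaves log-file access governed by the bucket policy and IAM alone. If cloudtrail_sns_topic_enabled is true the key is still created for the SNS topic."`. Keeping `default = true` is the right call, as existing deployments retain customer-managed encryption on upgrade without a plan diff on the trail.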