chore(cloudtrail): enforceSSL on trail s3 bucket (#18270)

could pass another bucket, but automatically created buckets are convenient/popular, so worth improving defaults

https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudtrail.Trail.html
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html

---

```sh
# updated integ snapshots
packages/@aws-cdk/aws-cloudtrail $ /workspace/aws-cdk/tools/\@aws-cdk/cdk-integ-tools/bin/cdk-integ --dry-run
packages/@aws-cdk/aws-codepipeline-actions $ /workspace/aws-cdk/tools/\@aws-cdk/cdk-integ-tools/bin/cdk-integ --dry-run
```

---

```sh
# eslint fix
/workspace/aws-cdk/node_modules/eslint/bin/eslint.js packages/@aws-cdk/aws-cloudtrail/test/ --ext=.ts --fix
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: PatMyron

packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts

@@ -209,7 +209,7 @@ export class Trail extends Resource {
 
     const cloudTrailPrincipal = new iam.ServicePrincipal('cloudtrail.amazonaws.com');
 
-    this.s3bucket = props.bucket || new s3.Bucket(this, 'S3', { encryption: s3.BucketEncryption.UNENCRYPTED });
+    this.s3bucket = props.bucket || new s3.Bucket(this, 'S3', { encryption: s3.BucketEncryption.UNENCRYPTED, enforceSSL: true });
 
     this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
       resources: [this.s3bucket.bucketArn],

packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts

@@ -12,6 +12,36 @@ import { ManagementEventSources, ReadWriteType, Trail } from '../lib';
 const ExpectedBucketPolicyProperties = {
   PolicyDocument: {
     Statement: [
+      {
+        Action: 's3:*',
+        Condition: {
+          Bool: { 'aws:SecureTransport': 'false' },
+        },
+        Effect: 'Deny',
+        Principal: {
+          AWS: '*',
+        },
+        Resource: [
+          {
+            'Fn::GetAtt': [
+              'MyAmazingCloudTrailS3A580FE27',
+              'Arn',
+            ],
+          },
+          {
+            'Fn::Join': [
+              '',
+              [{
+                'Fn::GetAtt': [
+                  'MyAmazingCloudTrailS3A580FE27',
+                  'Arn',
+                ],
+              },
+              '/*'],
+            ],
+          },
+        ],
+      },
       {
         Action: 's3:GetBucketAcl',
         Effect: 'Allow',
@@ -154,6 +184,40 @@ describe('cloudtrail', () => {
         Bucket: { Ref: 'TrailS30071F172' },
         PolicyDocument: {
           Statement: [
+            {
+              Action: 's3:*',
+              Condition: {
+                Bool: {
+                  'aws:SecureTransport': 'false',
+                },
+              },
+              Effect: 'Deny',
+              Principal: {
+                AWS: '*',
+              },
+              Resource: [
+                {
+                  'Fn::GetAtt': [
+                    'TrailS30071F172',
+                    'Arn',
+                  ],
+                },
+                {
+                  'Fn::Join': [
+                    '',
+                    [
+                      {
+                        'Fn::GetAtt': [
+                          'TrailS30071F172',
+                          'Arn',
+                        ],
+                      },
+                      '/*',
+                    ],
+                  ],
+                },
+              ],
+            },
             {
               Action: 's3:GetBucketAcl',
               Effect: 'Allow',
@@ -611,4 +675,4 @@ describe('cloudtrail', () => {
       });
     });
   });
-});
+});

packages/@aws-cdk/aws-cloudtrail/test/integ.cloudtrail.lit.expected.json

@@ -97,6 +97,40 @@
         },
         "PolicyDocument": {
           "Statement": [
+            {
+              "Action": "s3:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false"
+                }
+              },
+              "Effect": "Deny",
+              "Principal": {
+                "AWS": "*"
+              },
+              "Resource": [
+                {
+                  "Fn::GetAtt": [
+                    "TrailS30071F172",
+                    "Arn"
+                  ]
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      {
+                        "Fn::GetAtt": [
+                          "TrailS30071F172",
+                          "Arn"
+                        ]
+                      },
+                      "/*"
+                    ]
+                  ]
+                }
+              ]
+            },
             {
               "Action": "s3:GetBucketAcl",
               "Effect": "Allow",

packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json

@@ -669,6 +669,40 @@
         },
         "PolicyDocument": {
           "Statement": [
+            {
+              "Action": "s3:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false"
+                }
+              },
+              "Effect": "Deny",
+              "Principal": {
+                "AWS": "*"
+              },
+              "Resource": [
+                {
+                  "Fn::GetAtt": [
+                    "CloudTrailS310CD22F2",
+                    "Arn"
+                  ]
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      {
+                        "Fn::GetAtt": [
+                          "CloudTrailS310CD22F2",
+                          "Arn"
+                        ]
+                      },
+                      "/*"
+                    ]
+                  ]
+                }
+              ]
+            },
             {
               "Action": "s3:GetBucketAcl",
               "Effect": "Allow",