@fjall/components-infrastructure 2.12.0 → 2.14.0

package/dist/lib/app.d.ts

@@ -72,10 +72,11 @@ export interface IAppOptions {
      *
      * - `name?` overrides the AWS `EventBus.Name` (defaults to the app name).
      * - `removalPolicy?` overrides the env-resolved default. Default resolves
-     *   via `env({ default: "DESTROY", production: "RETAIN" })` per D17 — NOT
-     *   `process.env.NODE_ENV` (which is not set during CDK synth in Fjall's
-     *   deployment paths). The shape is the normalised string union per
-     *   D18(d), NOT the raw CDK `RemovalPolicy` enum.
+     *   via `envAwareRemovalPolicyDefault()` per D17 (production → RETAIN,
+     *   other recognised stages → DESTROY, unrecognised values fail synth) —
+     *   NOT `process.env.NODE_ENV` (which is not set during CDK synth in
+     *   Fjall's deployment paths). The shape is the normalised string union
+     *   per D18(d), NOT the raw CDK `RemovalPolicy` enum.
      */
     eventBus?: {
         name?: string;
@@ -175,9 +176,8 @@ export declare class App extends CdkApp {
      * Buses are recreatable in non-prod; the env-resolved default keeps prod
      * history. The override (`App.getApp({ eventBus: { name?, removalPolicy? } })`)
      * is consulted first; absent override falls back to the app name and the
-     * `env({ default: "DESTROY", production: "RETAIN" })` resolution per D17.
-     * NODE_ENV is not consulted — it is not set during CDK synth in Fjall's
-     * deployment paths.
+     * `envAwareRemovalPolicyDefault()` resolution per D17. NODE_ENV is not
+     * consulted — it is not set during CDK synth in Fjall's deployment paths.
      */
     getEventBus(): EventBusMessaging;
     /**

package/dist/lib/app.js

@@ -277,9 +277,8 @@ export class App extends CdkApp {
      * Buses are recreatable in non-prod; the env-resolved default keeps prod
      * history. The override (`App.getApp({ eventBus: { name?, removalPolicy? } })`)
      * is consulted first; absent override falls back to the app name and the
-     * `env({ default: "DESTROY", production: "RETAIN" })` resolution per D17.
-     * NODE_ENV is not consulted — it is not set during CDK synth in Fjall's
-     * deployment paths.
+     * `envAwareRemovalPolicyDefault()` resolution per D17. NODE_ENV is not
+     * consulted — it is not set during CDK synth in Fjall's deployment paths.
      */
     getEventBus() {
         if (this.defaultEventBus) {

package/dist/lib/config/aws/accountMonitoringRole.js

@@ -1,3 +1,4 @@
+import { ACCOUNT_MONITORING_ROLE_NAME } from "@fjall/util/aws";
 import { CfnOutput } from "aws-cdk-lib";
 import { Role, AccountPrincipal, PolicyStatement, Effect } from "aws-cdk-lib/aws-iam";
 import { Construct } from "constructs";
@@ -16,7 +17,7 @@ export class AccountMonitoringRole extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
         this.role = new Role(this, "Role", {
-            roleName: "FjallMonitoring",
+            roleName: ACCOUNT_MONITORING_ROLE_NAME,
             path: "/",
             assumedBy: new AccountPrincipal(FJALL_PLATFORM_ACCOUNT_ID),
             description: "Cross-account monitoring role for the Fjall platform. Grants read access to CloudWatch, ECS, RDS, S3, Lambda, ALB, Logs, and Cost Explorer.",

package/dist/lib/config/aws/cloudTrail.d.ts

@@ -1,7 +1,20 @@
 import { Construct } from "constructs";
+import type { AccountTrailState } from "../../utils/cdkContext.js";
 export interface ManagementEventsTrailProps {
     accountId: string;
     region: string;
+    /**
+     * "active" (default) synthesises trail + bucket + CMK. "draining" omits the
+     * trail resource so CloudFormation deletes it, while the bucket + CMK keep
+     * their logical IDs and retained history. "removed" never reaches this
+     * construct — Account skips construction entirely.
+     */
+    lifecycleState?: Exclude<AccountTrailState, "removed">;
+    /**
+     * Bucket + CMK survive stack deletion. Default true; Account passes false
+     * for development environments to avoid retained-orphan churn.
+     */
+    retainAuditHistory?: boolean;
 }
 export declare class ManagementEventsTrail extends Construct {
     constructor(scope: Construct, id: string, props: ManagementEventsTrailProps);

package/dist/lib/config/aws/cloudTrail.js

@@ -1,12 +1,28 @@
+import { CfnOutput } from "aws-cdk-lib";
 import { Construct } from "constructs";
+import { ACCOUNT_TRAIL_NAME, TRAIL_BUCKET_OUTPUT_KEY, TRAIL_KEY_ARN_OUTPUT_KEY } from "@fjall/util/config";
 import { Trail } from "../../resources/aws/logging/cloudTrail.js";
 export class ManagementEventsTrail extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        new Trail(this, "ManagementEventsTrail", {
+        const trail = new Trail(this, "ManagementEventsTrail", {
             bucketName: `cloudtrail-management-events-${props.accountId}-${props.region}`,
-            trailName: "managementEvents",
-            isMultiRegionTrail: true
+            trailName: ACCOUNT_TRAIL_NAME,
+            isMultiRegionTrail: true,
+            retainAuditHistory: props.retainAuditHistory ?? true,
+            omitTrail: props.lifecycleState === "draining"
+        });
+        new CfnOutput(this, "TrailBucketNameOutput", {
+            key: TRAIL_BUCKET_OUTPUT_KEY,
+            value: trail.bucket.bucketName,
+            exportName: TRAIL_BUCKET_OUTPUT_KEY,
+            description: "Per-account CloudTrail bucket, read by the org-trail migration reconciler"
+        });
+        new CfnOutput(this, "TrailKeyArnOutput", {
+            key: TRAIL_KEY_ARN_OUTPUT_KEY,
+            value: trail.encryptionKey.key.keyArn,
+            exportName: TRAIL_KEY_ARN_OUTPUT_KEY,
+            description: "Per-account CloudTrail CMK, read by the org-trail migration reconciler"
         });
     }
 }

package/dist/lib/config/aws/disasterRecovery.js

@@ -6,6 +6,7 @@ import { cronSchedule } from "../../resources/aws/messaging/index.js";
 import { AccountPrincipal, Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { getConfig } from "../../utils/getConfig.js";
 import { toPascalCase } from "../../utils/capitaliseString.js";
+import { BACKUP_VAULT_NAME } from "@fjall/util";
 // Backup retention constants (in days)
 const RETENTION_PERIODS = {
     STANDARD: 90,
@@ -21,7 +22,6 @@ const BACKUP_WINDOWS = {
     COMPLETION: Duration.hours(12),
     COMPLETION_SHORT: Duration.hours(2)
 };
-const BACKUP_VAULT_NAME = "backupVault";
 // Vault lock constants
 const VAULT_LOCK = {
     MIN_RETENTION: Duration.days(365),

package/dist/lib/config/aws/ecrDefaultImage.js

@@ -2,6 +2,7 @@ import { Construct } from "constructs";
 import { CodeBuildProject } from "../../resources/aws/utilities/codeBuild.js";
 import { BuildSpec } from "aws-cdk-lib/aws-codebuild";
 import { LogGroup } from "../../resources/aws/logging/logGroup.js";
+import { RetentionDays } from "aws-cdk-lib/aws-logs";
 import { RemovalPolicy, Stack } from "aws-cdk-lib";
 import { Role } from "../../resources/aws/iam/role.js";
 import { PolicyDocument, PolicyStatement, ServicePrincipal } from "aws-cdk-lib/aws-iam";
@@ -11,6 +12,7 @@ export class EcrDefaultImage extends Construct {
         super(scope, id);
         const logGroup = new LogGroup(this, `${id}LogGroup`, {
             logGroupName: `/vpc/codebuild/${id}/`,
+            retention: RetentionDays.ONE_MONTH,
             removalPolicy: RemovalPolicy.DESTROY
         });
         const ecrDefaultImageRole = new Role(this, `${id}Role`, {

package/dist/lib/config/aws/organisationTrail.d.ts

@@ -0,0 +1,16 @@
+import { Construct } from "constructs";
+export interface OrganisationTrailProps {
+    orgId: string;
+    managementAccountId: string;
+    region: string;
+}
+/**
+ * Organisation-wide management-events trail, owned by the management account.
+ * Replaces per-account ManagementEventsTrail instances in organisation mode:
+ * AWS records every member's management events into the one bucket under
+ * AWSLogs/<orgId>/<accountId>/, and members cannot stop or alter the shadow
+ * trail AWS materialises for them.
+ */
+export declare class OrganisationTrail extends Construct {
+    constructor(scope: Construct, id: string, props: OrganisationTrailProps);
+}

package/dist/lib/config/aws/organisationTrail.js

@@ -0,0 +1,32 @@
+import { CfnOutput } from "aws-cdk-lib";
+import { Construct } from "constructs";
+import { ORG_TRAIL_BUCKET_OUTPUT_KEY, ORGANISATION_TRAIL_NAME } from "@fjall/util/config";
+import { Trail } from "../../resources/aws/logging/cloudTrail.js";
+/**
+ * Organisation-wide management-events trail, owned by the management account.
+ * Replaces per-account ManagementEventsTrail instances in organisation mode:
+ * AWS records every member's management events into the one bucket under
+ * AWSLogs/<orgId>/<accountId>/, and members cannot stop or alter the shadow
+ * trail AWS materialises for them.
+ */
+export class OrganisationTrail extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const trail = new Trail(this, "OrganisationTrail", {
+            // "org" short form keeps the name inside S3's 63-character limit for
+            // long region names.
+            bucketName: `cloudtrail-org-management-events-${props.managementAccountId}-${props.region}`,
+            trailName: ORGANISATION_TRAIL_NAME,
+            isMultiRegionTrail: true,
+            isOrganizationTrail: true,
+            orgId: props.orgId,
+            retainAuditHistory: true
+        });
+        new CfnOutput(this, "OrganisationTrailBucketNameOutput", {
+            key: ORG_TRAIL_BUCKET_OUTPUT_KEY,
+            value: trail.bucket.bucketName,
+            exportName: ORG_TRAIL_BUCKET_OUTPUT_KEY,
+            description: "Organisation trail bucket, read by the org-trail migration reconciler"
+        });
+    }
+}

package/dist/lib/config/aws/scpPreset.js

@@ -29,7 +29,16 @@ function buildFoundationGuardrails(allowedRegions) {
             {
                 Sid: "DenyRootUserActions",
                 Effect: "Deny",
-                Action: "*",
+                // Deny + NotAction denies everything except the policy-management
+                // scopes a root-task unlock session needs; the AWS root-task policies
+                // constrain those sessions further.
+                NotAction: [
+                    "s3:GetBucketPolicy",
+                    "s3:PutBucketPolicy",
+                    "s3:DeleteBucketPolicy",
+                    "sqs:GetQueueAttributes",
+                    "sqs:SetQueueAttributes"
+                ],
                 Resource: "*",
                 Condition: {
                     StringLike: {

package/dist/lib/patterns/aws/account.d.ts

@@ -18,6 +18,7 @@ export interface AccountProps extends StackProps {
 export declare class Account extends Stack {
     readonly organisationType: OrganisationType;
     protected readonly resolvedRegion: string;
+    protected readonly accountGlobalsConfigured: boolean;
     constructor(scope: Construct, id: string, props: AccountProps);
     /**
      * Whether this account receives the OIDC deploy connector (provider +
@@ -34,6 +35,14 @@ export declare class Account extends Stack {
      * Deliberately separate from the OIDC/IPAM gates — the axes are independent.
      */
     protected createsEcrDefaultImage(): boolean;
+    /**
+     * Whether this account owns its own management-events trail. Standalone,
+     * Platform, and member accounts do (subject to the fjallAccountTrailState
+     * decommission lifecycle); the organisation root overrides to `false`
+     * because its OrganisationTrail records this account's events too.
+     * Deliberately separate from the OIDC/ECR gates — the axes are independent.
+     */
+    protected createsManagementEventsTrail(): boolean;
     enableGuardDuty(props?: GuardDutyDetectorProps): GuardDutyDetector;
     enableSecurityHub(props?: SecurityHubHubProps): SecurityHubHub;
     enableConfigRecorder(props?: ConfigRecorderProps): ConfigRecorder;

package/dist/lib/patterns/aws/account.js

@@ -4,7 +4,7 @@ import { ManagementEventsTrail } from "../../config/aws/cloudTrail.js";
 import { OidcConnector } from "../../config/aws/oidcConnector.js";
 import { AccountMonitoringRole } from "../../config/aws/accountMonitoringRole.js";
 import { AccountAuditRole } from "../../config/aws/accountAuditRole.js";
-import { CDK_CONTEXT_KEYS } from "../../utils/cdkContext.js";
+import { CDK_CONTEXT_KEYS, resolveAccountTrailState } from "../../utils/cdkContext.js";
 import { getConfig } from "../../utils/getConfig.js";
 import { DisasterRecovery } from "../../config/aws/disasterRecovery.js";
 import { S3BlockPublicAccess } from "../../config/aws/s3BlockPublicAccess.js";
@@ -18,6 +18,7 @@ import { InspectorEnablement } from "../../config/aws/inspectorEnablement.js";
 export class Account extends Stack {
     organisationType = "account";
     resolvedRegion;
+    accountGlobalsConfigured;
     constructor(scope, id, props) {
         const config = getConfig();
         const accountId = props.accountId ?? config.accountId;
@@ -59,6 +60,7 @@ export class Account extends Stack {
         // (OIDC provider/role, FjallMonitoring, FjallAudit) have fixed names that
         // collide across regions, so they are created only in the home region.
         const accountGlobalsConfigured = this.node.tryGetContext("fjallAccountGlobalsConfigured") === "true";
+        this.accountGlobalsConfigured = accountGlobalsConfigured;
         if (this.receivesDeployRole() &&
             fjallOrgId &&
             !oidcAlreadyConfigured &&
@@ -71,17 +73,28 @@ export class Account extends Stack {
         if (fjallOrgId && !accountGlobalsConfigured) {
             new AccountAuditRole(this, "AuditRole", { fjallOrgId });
         }
-        new ManagementEventsTrail(this, "CloudTrail", {
-            accountId: this.account,
-            region: this.resolvedRegion
-        });
+        const environment = config.environment ?? "unknown";
+        // The trail is multi-region, so a non-home-region cascade stack creating
+        // its own copy records every management event a second time — CloudTrail
+        // bills additional copies at $2.00/100k events. Home region only, like
+        // the other account globals above.
+        const trailState = resolveAccountTrailState(this.node);
+        if (!accountGlobalsConfigured &&
+            this.createsManagementEventsTrail() &&
+            trailState !== "removed") {
+            new ManagementEventsTrail(this, "CloudTrail", {
+                accountId: this.account,
+                region: this.resolvedRegion,
+                lifecycleState: trailState,
+                retainAuditHistory: environment !== "development"
+            });
+        }
         if (this.createsEcrDefaultImage()) {
             new EcrDefaultImage(this, "EcrDefaultImage", {
                 region: this.resolvedRegion,
                 accountId: this.account
             });
         }
-        const environment = config.environment ?? "unknown";
         if (config.disasterRecoveryRegion) {
             const isComplianceAccount = environment === "compliance";
             if (environment === "production" || isComplianceAccount) {
@@ -124,6 +137,16 @@ export class Account extends Stack {
     createsEcrDefaultImage() {
         return true;
     }
+    /**
+     * Whether this account owns its own management-events trail. Standalone,
+     * Platform, and member accounts do (subject to the fjallAccountTrailState
+     * decommission lifecycle); the organisation root overrides to `false`
+     * because its OrganisationTrail records this account's events too.
+     * Deliberately separate from the OIDC/ECR gates — the axes are independent.
+     */
+    createsManagementEventsTrail() {
+        return true;
+    }
     enableGuardDuty(props) {
         return new GuardDutyDetector(this, "GuardDuty", props);
     }

package/dist/lib/patterns/aws/organisation.d.ts

@@ -47,6 +47,15 @@ export declare class Organisation extends Account {
      * default-ECR-image helper.
      */
     protected createsEcrDefaultImage(): boolean;
+    /**
+     * The organisation root owns the org-wide OrganisationTrail, which records
+     * this account's management events too — an ACTIVE per-account trail here
+     * would be a duplicate paid copy. Returning `false` skips Account's active
+     * synthesis; the root's own constructor instead keeps the legacy construct
+     * in draining form until the lifecycle reaches "org", so pre-existing audit
+     * storage survives the upgrade.
+     */
+    protected createsManagementEventsTrail(): boolean;
     private createAccountReferences;
     private setupOrganisationFeatures;
     private setupCostAllocationTagActivator;

package/dist/lib/patterns/aws/organisation.js

@@ -1,10 +1,12 @@
 import App from "../../app.js";
 import { Account } from "./account.js";
 import { IdentityCenter } from "../../config/aws/identityCenter.js";
+import { ManagementEventsTrail } from "../../config/aws/cloudTrail.js";
+import { OrganisationTrail } from "../../config/aws/organisationTrail.js";
 import { ScpPreset } from "../../config/aws/scpPreset.js";
 import { OrganisationResource, OrganisationAccount, CostAllocationTagActivator } from "../../resources/aws/organisation/index.js";
 import { stripAndCamelCase } from "../../utils/stripAndCamelCase.js";
-import { CDK_CONTEXT_KEYS } from "../../utils/cdkContext.js";
+import { CDK_CONTEXT_KEYS, resolveAccountTrailState } from "../../utils/cdkContext.js";
 import { getConfig } from "../../utils/getConfig.js";
 import { extractAccountNames } from "../../utils/accountsUtils.js";
 /**
@@ -39,10 +41,17 @@ export class Organisation extends Account {
             this.accountMap[key.toLowerCase()] = value;
         }
         this.accountsConfig = props.accounts;
-        const orgId = this.node.tryGetContext(CDK_CONTEXT_KEYS.ORG_ID);
-        const rootId = this.node.tryGetContext(CDK_CONTEXT_KEYS.ROOT_ID);
-        const managementAccountId = this.node.tryGetContext(CDK_CONTEXT_KEYS.MANAGEMENT_ACCOUNT_ID) ??
-            this.account;
+        // CDK context is a `??` boundary: `-c key=` legitimately passes "", which
+        // would flow through `??`, defeat the `this.account` fallback, and break
+        // the SSO management-account exclusion downstream.
+        const orgIdCtx = this.node.tryGetContext(CDK_CONTEXT_KEYS.ORG_ID);
+        const rootIdCtx = this.node.tryGetContext(CDK_CONTEXT_KEYS.ROOT_ID);
+        const managementAccountCtx = this.node.tryGetContext(CDK_CONTEXT_KEYS.MANAGEMENT_ACCOUNT_ID);
+        const orgId = typeof orgIdCtx === "string" && orgIdCtx !== "" ? orgIdCtx : undefined;
+        const rootId = typeof rootIdCtx === "string" && rootIdCtx !== "" ? rootIdCtx : undefined;
+        const managementAccountId = (typeof managementAccountCtx === "string" && managementAccountCtx !== ""
+            ? managementAccountCtx
+            : undefined) ?? this.account;
         if (!orgId || !rootId) {
             throw new Error("orgId and rootId must be provided via CDK context. Run deployment through the Fjall CLI.");
         }
@@ -51,6 +60,32 @@ export class Organisation extends Account {
             rootId,
             managementAccountId
         });
+        // Home region only: the trail is multi-region, so an org-region cascade
+        // stack creating a second org-wide trail would duplicate every paid copy
+        // across the whole organisation.
+        if (!this.accountGlobalsConfigured) {
+            new OrganisationTrail(this, "OrganisationCloudTrail", {
+                orgId,
+                managementAccountId,
+                region: this.resolvedRegion
+            });
+            // Already-deployed roots carry a per-account trail whose bucket is
+            // DESTROY + autoDeleteObjects — dropping the construct outright would
+            // delete that audit history, bypassing the acknowledgeTrailHistoryLoss
+            // gate. Keep it in DRAINING form (same "CloudTrail" construct path as
+            // Account ⇒ identical bucket/CMK logical IDs): the trail resource goes,
+            // bucket + CMK flip to RETAIN until the reconciler decommissions them
+            // behind the gate. "removed" (trailLifecycle "org") synthesises nothing.
+            const trailState = resolveAccountTrailState(this.node);
+            if (trailState !== "removed") {
+                new ManagementEventsTrail(this, "CloudTrail", {
+                    accountId: this.account,
+                    region: this.resolvedRegion,
+                    lifecycleState: "draining",
+                    retainAuditHistory: true
+                });
+            }
+        }
         this.createAccountReferences(props);
         this.setupOrganisationFeatures(props.identityCenter ?? true, managementAccountId);
     }
@@ -70,6 +105,17 @@ export class Organisation extends Account {
     createsEcrDefaultImage() {
         return false;
     }
+    /**
+     * The organisation root owns the org-wide OrganisationTrail, which records
+     * this account's management events too — an ACTIVE per-account trail here
+     * would be a duplicate paid copy. Returning `false` skips Account's active
+     * synthesis; the root's own constructor instead keeps the legacy construct
+     * in draining form until the lifecycle reaches "org", so pre-existing audit
+     * storage survives the upgrade.
+     */
+    createsManagementEventsTrail() {
+        return false;
+    }
     createAccountReferences(props) {
         const allNames = extractAccountNames(props.accounts);
         for (const accountName of allNames) {

package/dist/lib/patterns/aws/storage.d.ts

@@ -38,7 +38,7 @@ export interface S3Props {
     readonly backupVaultTier?: BackupTier;
     readonly cors?: CorsRule[];
     readonly deployment?: S3DeploymentConfig;
-    /** When true, sets RemovalPolicy.RETAIN and disables autoDeleteObjects. Used for imported buckets. */
+    /** When true, sets RemovalPolicy.RETAIN (overriding the env-aware default). Used for imported buckets. */
     readonly retain?: boolean;
 }
 export interface StorageBuildProps extends S3Props {

package/dist/lib/patterns/aws/storage.js

@@ -21,7 +21,11 @@ function toHttpMethod(method) {
         DELETE: HttpMethods.DELETE,
         HEAD: HttpMethods.HEAD
     };
-    return methodMap[method] ?? HttpMethods.GET;
+    const mapped = methodMap[method];
+    if (mapped === undefined) {
+        throw new Error(`Unsupported CORS method "${method}" — expected one of: ${Object.keys(methodMap).join(", ")}.`);
+    }
+    return mapped;
 }
 function toCorsRules(cors) {
     if (!cors)

package/dist/lib/resources/aws/logging/cloudTrail.d.ts

@@ -1,14 +1,61 @@
 import { Stack } from "aws-cdk-lib";
 import * as CloudTrail from "aws-cdk-lib/aws-cloudtrail";
 import { Construct } from "constructs";
+import { CustomerManagedKey } from "../secrets/index.js";
 import { S3Bucket } from "../storage/index.js";
 interface CloudTrailProps extends CloudTrail.TrailProps {
     bucketName: string;
+    /**
+     * Bucket + CMK survive stack deletion (RemovalPolicy.RETAIN). The trail
+     * resource itself stays DESTROY regardless — a retained trail keeps
+     * logging (and charging) as an unmanaged orphan. Default false preserves
+     * the historical TrailStack behaviour.
+     */
+    retainAuditHistory?: boolean;
+    /**
+     * Draining mode: synthesise only the bucket + CMK so CloudFormation deletes
+     * the trail resource while the retained storage keeps its logical IDs (and
+     * so its history) intact.
+     */
+    omitTrail?: boolean;
 }
+export declare function validateTrailProps(props: CloudTrailProps): void;
 export declare class Trail extends Construct {
-    readonly trail: CloudTrail.Trail;
+    readonly trail?: CloudTrail.Trail;
     readonly bucket: S3Bucket;
+    readonly encryptionKey: CustomerManagedKey;
     constructor(scope: Construct, id: string, props: CloudTrailProps);
+    private trailArn;
+    /**
+     * Canonical CloudTrail delivery policy (ACL probe + log write), scoped to
+     * this trail's ARN via aws:SourceArn so no other trail — including one in
+     * another account — can deliver into or probe the bucket. Emitted from
+     * this construct rather than left to the L2 Trail because draining mode
+     * (omitTrail) skips the L2 construct while the trail being deleted may
+     * still deliver mid-update. Fjall-prefixed sids avoid colliding with the
+     * sid-less statements the L2 Trail adds when it is constructed.
+     */
+    private addAccountTrailBucketPolicy;
+    /**
+     * Conditioned replacement for the KMS half of the retired grantReadWrite:
+     * `Bucket.grantReadWrite` silently granted the CloudTrail principal
+     * unconditioned Encrypt/Decrypt/ReEncrypt on the CMK because the bucket
+     * carries an encryptionKey. CloudTrail's actual needs are
+     * kms:GenerateDataKey* + kms:DescribeKey (trail-side log encryption,
+     * validated at CreateTrail) plus digest delivery via the bucket's default
+     * SSE-KMS — without these, trail creation fails with
+     * InsufficientEncryptionPolicyException.
+     */
+    private addAccountTrailKeyPolicy;
+    /**
+     * The CDK L2 Trail contributes no KMS key-policy statements at all — it
+     * only sets kmsKeyId on the CfnTrail (verified in aws-cdk-lib 2.251.0).
+     * These three statements are therefore the entire CloudTrail-facing key
+     * policy: management-trail and member shadow-trail encryption plus S3
+     * digest delivery. None can be narrowed to member-only encryption contexts
+     * without breaking the management trail's own delivery.
+     */
+    private addOrganisationTrailKeyPolicy;
 }
 export declare class TrailStack extends Stack {
     constructor(scope: Construct, id: string, props: CloudTrailProps);