
Add encryption at rest for Control Tower compliance #61

@omercnet

Problem

Several AWS resources in the SST Console infrastructure lack encryption at rest configuration, which is required for AWS Control Tower controls and general security best practices.

Affected Resources

infra/issues.ts

  • IssueDetectionQueue (SQS) - no SSE configured
  • IssueStream (Kinesis) - no encryption configured
  • SubscriberLogGroup (CloudFormation template) - no KMS encryption

infra/billing.ts

  • BillingQueue (SQS) - no SSE configured

infra/storage.ts

  • Storage (S3) - no server-side encryption configured
  • PublicStorage_* (S3) - no server-side encryption configured

Control Tower Controls Affected

  • CT.SQS.PR.2 - Require SQS queues to be encrypted at rest
  • CT.KINESIS.PR.1 - Require Kinesis streams to be encrypted at rest
  • CT.CLOUDWATCH.PR.2 - Require CloudWatch log groups to be encrypted at rest
  • CT.S3.PR.1 - Require S3 buckets to have server-side encryption

Proposed Solution

Add encryption configuration using SST's transform option:

  1. SQS Queues: Enable sqsManagedSseEnabled: true
  2. Kinesis Stream: Add encryptionType: "KMS" with AWS-managed key
  3. S3 Buckets: Add server-side encryption configuration
  4. CloudFormation LogGroup: Add optional KMS encryption parameter for customer-deployed stacks

Notes

  • Using AWS-managed keys (e.g., alias/aws/sqs, alias/aws/kinesis) keeps things simple
  • The CloudFormation template deployed to customer accounts may need a parameter to optionally enable encryption, since customers may have their own KMS key requirements
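An added example, not code from the SST Console repo: a small TypeScript checker that maps each resource named in this issue to the Control Tower control it would fail, using the Pulumi AWS provider property names that SST's transform option passes through (the property shapes, the sample resource args and the placeholder key ARN are assumptions, not taken from the repo).

```typescript
type Kind = "sqs" | "kinesis" | "logGroup" | "s3";
interface Resource { kind: Kind; name: string; args: Record<string, unknown> }
type SseConfig = { rules?: { applyServerSideEncryptionByDefaults?: { sseAlgorithm?: string }[] }[] };

// Control Tower control IDs listed in the issue, keyed by resource kind.
export const CONTROL: Record<Kind, string> = {
  sqs: "CT.SQS.PR.2",
  kinesis: "CT.KINESIS.PR.1",
  logGroup: "CT.CLOUDWATCH.PR.2",
  s3: "CT.S3.PR.1",
};

// True when the resource args configure encryption at rest (Pulumi AWS property names, assumed).
export function isEncryptedAtRest(r: Resource): boolean {
  const a = r.args;
  switch (r.kind) {
    case "sqs": // SQS-managed SSE (the issue's proposal) or a customer KMS key both satisfy CT.SQS.PR.2
      return a.sqsManagedSseEnabled === true || typeof a.kmsMasterKeyId === "string";
    case "kinesis":
      return a.encryptionType === "KMS" && typeof a.kmsKeyId === "string";
    case "logGroup": // optional template parameter: left empty, the log group stays unencrypted
      return typeof a.kmsKeyId === "string" && a.kmsKeyId !== "";
    case "s3": // a default-encryption rule with AES256 (SSE-S3) or aws:kms must be present
      return ((a.serverSideEncryptionConfigurations as SseConfig[] | undefined) ?? []).some((c) =>
        (c.rules ?? []).some((rule) =>
          (rule.applyServerSideEncryptionByDefaults ?? []).some(
            (d) => d.sseAlgorithm === "AES256" || d.sseAlgorithm === "aws:kms")));
    default: return false;
  }
}

// Lists "<name>: <control>" for every resource that would fail its Control Tower control.
export function findViolations(resources: Resource[]): string[] {
  return resources.filter((r) => !isEncryptedAtRest(r)).map((r) => `${r.name}: ${CONTROL[r.kind]}`);
}

// Constructed sample: resources named in the issue as it describes them today...
export const current: Resource[] = [
  { kind: "sqs", name: "IssueDetectionQueue", args: {} },
  { kind: "kinesis", name: "IssueStream", args: { shardCount: 1 } },
  { kind: "logGroup", name: "SubscriberLogGroup", args: { kmsKeyId: "" } },
  { kind: "s3", name: "Storage", args: {} },
];
// ...and with the proposed settings applied (AWS-managed keys; placeholder ARN for a customer key).
export const proposed: Resource[] = [
  { kind: "sqs", name: "IssueDetectionQueue", args: { sqsManagedSseEnabled: true } },
  { kind: "kinesis", name: "IssueStream", args: { shardCount: 1, encryptionType: "KMS", kmsKeyId: "alias/aws/kinesis" } },
  { kind: "logGroup", name: "SubscriberLogGroup", args: { kmsKeyId: "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER" } },
  { kind: "s3", name: "Storage", args: { serverSideEncryptionConfigurations: [{ rules: [{ applyServerSideEncryptionByDefaults: [{ sseAlgorithm: "AES256" }] }] }] } },
];
```

Running `findViolations(current)` reports all four controls from the issue; `findViolations(proposed)` returns an empty list, which is the check to keep in CI so the gap does not reopen.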
