From c501e9f22e47a6465ec53ac4227f2c64c03506ee Mon Sep 17 00:00:00 2001
From: tnicholson-aws
Date: Fri, 11 Apr 2025 14:50:37 -0700
Subject: [PATCH 1/2] fixed tf deprecation added benchmark 3

---
 aws_sra_examples/terraform/common/main.tf | 2 +-
 .../terraform/common/sra_execution_role/main.tf | 11 ++++++-----
 .../terraform/solutions/security_hub/README.md | 2 +-
 .../terraform/solutions/security_hub/variables.tf | 7 +++++--
 4 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/aws_sra_examples/terraform/common/main.tf b/aws_sra_examples/terraform/common/main.tf
index 3fc188576..62c463419 100644
--- a/aws_sra_examples/terraform/common/main.tf
+++ b/aws_sra_examples/terraform/common/main.tf
@@ -144,7 +144,7 @@ resource "local_file" "config_file_creation" {
 # Security Hub Settings
 ########################################################################
 disable_security_hub = false
- cis_standard_version = "1.4.0"
+ cis_standard_version = "3.0.0"
 compliance_frequency = "7"
 securityhub_control_tower_regions_only = true
 enable_cis_standard = false
diff --git a/aws_sra_examples/terraform/common/sra_execution_role/main.tf b/aws_sra_examples/terraform/common/sra_execution_role/main.tf
index 57bcc72e0..734da884a 100644
--- a/aws_sra_examples/terraform/common/sra_execution_role/main.tf
+++ b/aws_sra_examples/terraform/common/sra_execution_role/main.tf
@@ -13,16 +13,17 @@ resource "aws_iam_role" "sra_execution_role" {
 Action = "sts:AssumeRole",
 Effect = "Allow",
 Principal = {
- AWS = "arn:${var.aws_partition}:iam::${var.management_account_id}:root"
+ AWS = format("arn:%s:iam::%s:root", var.aws_partition, var.management_account_id)
 }
 }]
 })

- managed_policy_arns = [
- "arn:${var.aws_partition}:iam::aws:policy/AdministratorAccess"
- ]
-
 tags = {
 "sra-solution" = var.solution_name
 }
+}
+
+resource "aws_iam_role_policy_attachment" "sra_execution_role_admin_policy" {
+ role = aws_iam_role.sra_execution_role.name
+ policy_arn = format("arn:%s:iam::aws:policy/AdministratorAccess", var.aws_partition)
 }
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/security_hub/README.md b/aws_sra_examples/terraform/solutions/security_hub/README.md
index 743696094..b1bc56740 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/README.md
+++ b/aws_sra_examples/terraform/solutions/security_hub/README.md
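Review bot: The trust statement on the new side still names the management account's `:root` as principal with no `Condition`, and the new `aws_iam_role_policy_attachment` binds `AdministratorAccess` to the role, so any IAM principal in the management account whose own policy allows `sts:AssumeRole` on this ARN obtains full admin in this account. If the role is only meant to be assumed by the SRA deployment role, pinning the principal to that role's ARN, or adding `Condition = { ArnLike = { "aws:PrincipalArn" = format("arn:%s:iam::%s:role/<sra-deployment-role>", var.aws_partition, var.management_account_id) } }` to the statement, would bound the blast radius. Also worth noting that `managed_policy_arns` managed the attachment set exclusively whereas `aws_iam_role_policy_attachment` does not, so a policy attached out of band will no longer surface as drift after this migration; if that exclusivity was relied on, `aws_iam_role_policy_attachments_exclusive` restores it on provider versions that offer it. The `aws_iam_role` resource opens before this hunk, and the file still ends without a trailing newline.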
@@ -182,7 +182,7 @@ Please navigate to the [installing the AWS SRA Solutions](./../../README.md#inst
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [audit\_account\_id](#input\_audit\_account\_id) | AWS Account ID of the Control Tower Audit account. | `string` | n/a | yes |
-| [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"1.4.0"` | no |
+| [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"3.0.0"` | no |
 | [compliance\_frequency](#input\_compliance\_frequency) | Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7) | `number` | `7` | no |
 | [control\_tower\_lifecycle\_rule\_name](#input\_control\_tower\_lifecycle\_rule\_name) | The name of the AWS Control Tower Life Cycle Rule | `string` | `"sra-securityhub-org-trigger"` | no |
 | [create\_lambda\_log\_group](#input\_create\_lambda\_log\_group) | Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function | `bool` | `false` | no |
diff --git a/aws_sra_examples/terraform/solutions/security_hub/variables.tf b/aws_sra_examples/terraform/solutions/security_hub/variables.tf
index 9705ace44..81a9e3b81 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/variables.tf
+++ b/aws_sra_examples/terraform/solutions/security_hub/variables.tf
@@ -37,8 +37,11 @@ variable "sra_solution_name" {
 variable "cis_standard_version" {
 description = "CIS Standard Version"
 type = string
- default = "1.4.0"
-}
+ default = "3.0.0"
+ validation {
+ condition = contains(["NONE", "1.2.0", "1.4.0", "3.0.0"], var.cis_standard_version) # Changed to var.cis_standard_version
+ error_message = "Valid values for cis_standard_version are NONE, 1.2.0, 1.4.0, or 3.0.0."
+ }

 variable "compliance_frequency" {
 description = "Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7)"
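Review bot: The description of `cis_standard_version` still reads `"CIS Standard Version"` while the new validation block admits `NONE` alongside `1.2.0`, `1.4.0` and `3.0.0`, so the README table generated from it (updated in this same commit) never tells the operator which values are accepted or what `NONE` does. Suggest `description = "CIS AWS Foundations Benchmark version to enable in Security Hub: NONE, 1.2.0, 1.4.0 or 3.0.0"`, with a clause on what `NONE` means once confirmed against the Lambda that consumes the value (presumably it skips enabling the standard). Note that this hunk removes the variable's closing `}` without re-adding it (PATCH 2/2 in this series restores it), so the file does not parse at this commit. The `variable "compliance_frequency"` block at the end of the hunk continues outside it.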
From 12b076523a18a4f318c9474db571dc78b098c6b6 Mon Sep 17 00:00:00 2001
From: cyphronix <57731583+cyphronix@users.noreply.github.com>
Date: Mon, 14 Apr 2025 15:00:34 -0600
Subject: [PATCH 2/2] updating variable definitions for CKV_AWS_338; also missing end curly brace

---
 .../solutions/security_hub/configuration/variables.tf | 6 +++++-
 .../terraform/solutions/security_hub/variables.tf | 9 +++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/aws_sra_examples/terraform/solutions/security_hub/configuration/variables.tf b/aws_sra_examples/terraform/solutions/security_hub/configuration/variables.tf
index 260093d46..766b5db93 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/configuration/variables.tf
+++ b/aws_sra_examples/terraform/solutions/security_hub/configuration/variables.tf
@@ -129,7 +129,11 @@ variable "lambda_log_group_kms_key" {
 variable "lambda_log_group_retention" {
 description = "Specifies the number of days you want to retain log events"
 type = number
- default = 14
+ default = 365
+ validation {
+ condition = var.lambda_log_group_retention >= 365
+ error_message = "Cloudwatch log group retention must be at least 365 days to meet CKV_AWS338 best practice."
+ }
 }

 variable "lambda_log_level" {
diff --git a/aws_sra_examples/terraform/solutions/security_hub/variables.tf b/aws_sra_examples/terraform/solutions/security_hub/variables.tf
index 81a9e3b81..2d4083f09 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/variables.tf
+++ b/aws_sra_examples/terraform/solutions/security_hub/variables.tf
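Review bot: The new `condition = var.lambda_log_group_retention >= 365` accepts any number from 365 upward, but `aws_cloudwatch_log_group.retention_in_days` only takes a fixed set of values, so 366 passes validation and then fails at apply; the check also rejects 0 (never expire), which retains longer than a year and which, as far as I recall, Checkov's CKV_AWS_338 counts as passing. Suggest `condition = contains([365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653], var.lambda_log_group_retention)`, prepending 0 to the list if never-expire is acceptable for this solution. The error text also spells the check `CKV_AWS338` while the sibling `variables.tf` in this series uses `CKV_AWS_338`; `error_message = "lambda_log_group_retention must be a CloudWatch Logs retention value of at least 365 days (365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288 or 3653) to satisfy CKV_AWS_338."` keeps them consistent and tells the operator what to pass. The `description` could state the floor as well so it surfaces in terraform-docs output.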
@@ -39,9 +39,10 @@ variable "cis_standard_version" {
 type = string
 default = "3.0.0"
 validation {
- condition = contains(["NONE", "1.2.0", "1.4.0", "3.0.0"], var.cis_standard_version) # Changed to var.cis_standard_version
+ condition = contains(["NONE", "1.2.0", "1.4.0", "3.0.0"], var.cis_standard_version)
 error_message = "Valid values for cis_standard_version are NONE, 1.2.0, 1.4.0, or 3.0.0."
 }
+}

 variable "compliance_frequency" {
 description = "Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7)"
@@ -158,7 +159,11 @@ variable "lambda_log_group_kms_key" {
 variable "lambda_log_group_retention" {
 description = "Specifies the number of days you want to retain log events"
 type = number
- default = 14
+ default = 365
+ validation {
+ condition = var.lambda_log_group_retention >= 365
+ error_message = "Cloudwatch log group retention must be at least 365 days to meet CKV_AWS_338 best practice."
+ }
 }

 variable "lambda_log_level" {
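Review bot: `condition = var.lambda_log_group_retention >= 365` in the `lambda_log_group_retention` validation admits values that CloudWatch Logs does not support (366, 500, …) and rejects 0 (never expire), so validation can pass and the log group still fail at apply time, or a compliant setting be refused. Suggest `condition = contains([365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653], var.lambda_log_group_retention)` (prepend 0 if never-expire is acceptable for this solution) with `error_message = "lambda_log_group_retention must be a CloudWatch Logs retention value of at least 365 days (365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288 or 3653) to satisfy CKV_AWS_338."`. The `variable "lambda_log_level"` block on the hunk's last line continues outside it.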