diff --git a/.github/workflows/cfn-nag.yml b/.github/workflows/cfn-nag.yml
index f37d36320..57f36935e 100644
--- a/.github/workflows/cfn-nag.yml
+++ b/.github/workflows/cfn-nag.yml
@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - name: Set up Ruby 2.6
+      - name: Set up Ruby 2.7
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.6'
+          ruby-version: '2.7'
       - name: Install cfn-nag
         run: gem install cfn-nag
       - name: Scan files in all templates folders
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c63edfc2..0791ce132 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Table of Contents
 
 - [Introduction](#introduction)
+- [2025-06-16](#2025-06-16)
 - [2025-03-20](#2025-03-20)
 - [2025-03-04](#2025-03-04)
 - [2025-02-13](#2025-02-13)
@@ -63,6 +64,11 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2025-06-16
+
+### Updated
+
+- Updated [CloudTrail](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/cloudtrail/cloudtrail_org) solution with permissions to create a service-linked role.
 
 ## 2025-03-20
 
diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
index ed232dfe2..3cc95699c 100644
--- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
+++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
@@ -400,6 +400,7 @@ Resources:
                   - iam:DeleteServiceLinkedRole
                 Resource:
                   - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrail*
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/context.cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrailEventContext
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
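Review bot: The new Resource entry for the context.cloudtrail.amazonaws.com service-linked role widens the statement without constraining which service the Lambda may create a service-linked role for; the Action list (which the changelog says now includes creating an SLR) sits above the hunk, so I cannot tell whether a Condition already exists, but AWS's least-privilege pattern for that action is to pin the service name with `Condition:` / `  StringEquals:` / `    iam:AWSServiceName: [cloudtrail.amazonaws.com, context.cloudtrail.amazonaws.com]` alongside the role ARNs. The existing CloudTrail ARN ends in `*` while the added one is an exact name; if the exact name is deliberate, a one-line comment above the new line noting that the SLR name is fixed by the service would stop a later edit from "fixing" the asymmetry. The enclosing Statement starts and the Role's Properties end outside the hunk.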
@@ -425,6 +426,8 @@ Resources:
             comment: Lambda does not need to communicate with VPC resources.
           - id: CKV_AWS_173
            comment: Environment variables are not sensitive
+          - id: CKV_AWS_45
+            comment: Environment variables only contain non-sensitive configuration values that are passed via CloudFormation parameters.
     Properties:
       Description: Creates an Organization CloudTrail
       Architectures: !If
@@ -473,4 +476,4 @@ Resources:
           KMS_KEY_ID: !Ref pOrganizationCloudTrailKMSKeyId
           S3_BUCKET_NAME: !Ref pCloudTrailS3BucketName
           SRA_SOLUTION_NAME: !Ref pSRASolutionName
-          DELEGATED_ADMIN_ACCOUNT_ID: !Ref pDelegatedAdminAccountId
\ No newline at end of file
+          DELEGATED_ADMIN_ACCOUNT_ID: !Ref pDelegatedAdminAccountId
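Review bot: The CKV_AWS_45 skip comment says the environment is non-sensitive but not what made the check fire, so the suppression cannot be re-evaluated when the Environment block changes; if, as its name suggests, the trigger is the `KMS_KEY_ID` variable shown in the last hunk (a `!Ref` to the pOrganizationCloudTrailKMSKeyId parameter, i.e. a key identifier rather than key material), the comment should say so, e.g. `comment: KMS_KEY_ID is a key identifier passed via a CloudFormation parameter, not key material; no secrets are placed in the environment.` The comment also largely repeats the CKV_AWS_173 justification two lines above, so stating the specific reason keeps the two skips distinguishable. The Metadata block containing these skips starts outside the hunk.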