From ddf18706b556d602f2aab06e616567e764d70ecb Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko
Date: Mon, 16 Jun 2025 15:02:01 -0400
Subject: [PATCH 1/3] add permissions to create service-linked role

---
 .../cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
index ed232dfe2..c4e88c84c 100644
--- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
+++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
@@ -400,6 +400,7 @@ Resources:
 - iam:DeleteServiceLinkedRole
 Resource:
 - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrail*
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/context.cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrailEventContext
 Tags:
 - Key: sra-solution
 Value: !Ref pSRASolutionName

From 10d8dea4d3ca8c7531daf12327e291064eff5d03 Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko
Date: Mon, 16 Jun 2025 16:39:56 -0400
Subject: [PATCH 2/3] update github workflow to run cfn-nag

---
 .github/workflows/cfn-nag.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cfn-nag.yml b/.github/workflows/cfn-nag.yml
index f37d36320..57f36935e 100644
--- a/.github/workflows/cfn-nag.yml
+++ b/.github/workflows/cfn-nag.yml
@@ -11,10 +11,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - name: Set up Ruby 2.6
+ - name: Set up Ruby 2.7
 uses: ruby/setup-ruby@v1
 with:
- ruby-version: '2.6'
+ ruby-version: '2.7'
 - name: Install cfn-nag
 run: gem install cfn-nag
 - name: Scan files in all templates folders

From f0a22a6a6d5e38c288d63738495089d27da320bf Mon Sep 17 00:00:00 2001
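Review bot: The new Resource entry names the EventContext service-linked role exactly, while the entry above it ends in a wildcard (`AWSServiceRoleForCloudTrail*`); the exact name is the tighter choice, but the mixed style leaves it unclear whether the wildcard is still wanted, and nothing in the template records why a second service-linked role on a different path is needed. A YAML comment above the added line would capture that, e.g. `# Service-linked role under the context.cloudtrail.amazonaws.com principal; the wildcard entry above does not match this path`. The statement's Action list is outside the hunk and only `iam:DeleteServiceLinkedRole` is visible, so if `iam:CreateServiceLinkedRole` is granted here, consider moving it to a statement of its own with an `iam:AWSServiceName` condition listing both principals, so the role cannot create service-linked roles for unrelated services. The enclosing policy statement starts above the hunk.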
From: ievgeniia ieromenko
Date: Mon, 16 Jun 2025 17:17:36 -0400
Subject: [PATCH 3/3] update CHANGELOG.md

---
 CHANGELOG.md | 6 ++++++
 .../cloudtrail_org/templates/sra-cloudtrail-org.yaml | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c63edfc2..0791ce132 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ ## Table of Contents
 - [Introduction](#introduction)
+- [2025-06-16](#2025-06-16)
 - [2025-03-20](#2025-03-20)
 - [2025-03-04](#2025-03-04)
 - [2025-02-13](#2025-02-13)
@@ -63,6 +64,11 @@ All notable changes to this project will be documented in this file.
 ---
+## 2025-06-16
+
+### Updated
+
+- Updated [CloudTrail](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/cloudtrail/cloudtrail_org) solution with permissions to create a service-linked role.
 ## 2025-03-20
diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
index c4e88c84c..3cc95699c 100644
--- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
+++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml
@@ -426,6 +426,8 @@ Resources:
 comment: Lambda does not need to communicate with VPC resources.
 - id: CKV_AWS_173
 comment: Environment variables are not sensitive
+ - id: CKV_AWS_45
+ comment: Environment variables only contain non-sensitive configuration values that are passed via CloudFormation parameters.
 Properties:
 Description: Creates an Organization CloudTrail
 Architectures: !If
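Review bot: The justification on the new `CKV_AWS_45` skip overlaps with the `CKV_AWS_173` entry directly above it ("Environment variables are not sensitive"), so two scanner suppressions now rest on the same one-line claim without saying which variables are meant. The later hunk in this file shows the variables are `KMS_KEY_ID`, `S3_BUCKET_NAME`, `SRA_SOLUTION_NAME` and `DELEGATED_ADMIN_ACCOUNT_ID` — resource identifiers rather than secrets — so the suppression looks sound, but it would be more durable if the comment named that condition, e.g. `comment: Environment variables hold only resource identifiers (key id, bucket name, account id) passed as CloudFormation parameters; no secrets.`, with the `CKV_AWS_173` comment aligned to the same wording. Whoever adds a new variable later then sees the condition under which the skip stays valid. The block holding this skip list begins above the hunk.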
@@ -474,4 +476,4 @@ Resources:
 KMS_KEY_ID: !Ref pOrganizationCloudTrailKMSKeyId
 S3_BUCKET_NAME: !Ref pCloudTrailS3BucketName
 SRA_SOLUTION_NAME: !Ref pSRASolutionName
- DELEGATED_ADMIN_ACCOUNT_ID: !Ref pDelegatedAdminAccountId
\ No newline at end of file
+ DELEGATED_ADMIN_ACCOUNT_ID: !Ref pDelegatedAdminAccountId