fixed-tf-depreciation-and-added-benchmark-3

Author: tnicholson-aws

aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py

@@ -36,7 +36,7 @@
 SECURITY_HUB_THROTTLE_PERIOD = 0.2
 BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
 AWS_DEFAULT_SBP_VERSION = "1.0.0"
-AWS_DEFAULT_CIS_VERSION = "1.2.0"
+AWS_DEFAULT_CIS_VERSION = "3.0.0"  # Changed from "1.2.0"
 
 try:
     MANAGEMENT_ACCOUNT_SESSION = boto3.Session()

aws_sra_examples/terraform/common/sra_execution_role/main.tf

@@ -13,16 +13,17 @@ resource "aws_iam_role" "sra_execution_role" {
       Action = "sts:AssumeRole",
       Effect = "Allow",
       Principal = {
-        AWS = "arn:${var.aws_partition}:iam::${var.management_account_id}:root"
+        AWS = format("arn:%s:iam::%s:root", var.aws_partition, var.management_account_id)
       }
     }]
   })
 
-  managed_policy_arns = [
-    "arn:${var.aws_partition}:iam::aws:policy/AdministratorAccess"
-  ]
-
   tags = {
     "sra-solution" = var.solution_name
   }
+}
+
+resource "aws_iam_role_policy_attachment" "sra_execution_role_admin_policy" {
+  role       = aws_iam_role.sra_execution_role.name
+  policy_arn = format("arn:%s:iam::aws:policy/AdministratorAccess", var.aws_partition)
 }

aws_sra_examples/terraform/solutions/security_hub/README.md

@@ -182,7 +182,7 @@ Please navigate to the [installing the AWS SRA Solutions](./../../README.md#inst
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_audit_account_id"></a> [audit\_account\_id](#input\_audit\_account\_id) | AWS Account ID of the Control Tower Audit account. | `string` | n/a | yes |
-| <a name="input_cis_standard_version"></a> [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"1.4.0"` | no |
+| <a name="input_cis_standard_version"></a> [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"3.0.0"` | no |
 | <a name="input_compliance_frequency"></a> [compliance\_frequency](#input\_compliance\_frequency) | Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7) | `number` | `7` | no |
 | <a name="input_control_tower_lifecycle_rule_name"></a> [control\_tower\_lifecycle\_rule\_name](#input\_control\_tower\_lifecycle\_rule\_name) | The name of the AWS Control Tower Life Cycle Rule | `string` | `"sra-securityhub-org-trigger"` | no |
 | <a name="input_create_lambda_log_group"></a> [create\_lambda\_log\_group](#input\_create\_lambda\_log\_group) | Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function | `bool` | `false` | no |

aws_sra_examples/terraform/solutions/security_hub/variables.tf

@@ -37,7 +37,11 @@ variable "sra_solution_name" {
 variable "cis_standard_version" {
   description = "CIS Standard Version"
   type        = string
-  default     = "1.4.0"
+  default     = "3.0.0"
+  validation {
+    condition     = contains(["NONE", "1.2.0", "1.4.0", "3.0.0"], var.cis_standard_version)  # Changed to var.cis_standard_version
+    error_message = "Valid values for cis_standard_version are NONE, 1.2.0, 1.4.0, or 3.0.0."
+  }
 }
 
 variable "compliance_frequency" {