diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py b/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
index 42b2b9a97..06e038bcf 100644
--- a/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
+++ b/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
@@ -36,7 +36,7 @@
SECURITY_HUB_THROTTLE_PERIOD = 0.2
BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
AWS_DEFAULT_SBP_VERSION = "1.0.0"
-AWS_DEFAULT_CIS_VERSION = "1.2.0"
+AWS_DEFAULT_CIS_VERSION = "3.0.0" # Changed from "1.2.0"
try:
MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
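Review bot: The trailing comment `# Changed from "1.2.0"` on the `AWS_DEFAULT_CIS_VERSION` line records edit history rather than explaining the value; git already carries that, and the comment goes stale on the next change. Drop it, or replace it with a why-comment such as `AWS_DEFAULT_CIS_VERSION = "3.0.0"  # default CIS AWS Foundations Benchmark version` (PEP 8 also wants two spaces before an inline comment). The same changelog-style comment appears in the variables.tf hunk (`# Changed to var.cis_standard_version`). Only the default is changed here; the code that turns this version into a standards ARN lies outside the hunk, so it is worth confirming it accepts "3.0.0" and that the accepted set matches the validation list added in variables.tf.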
diff --git a/aws_sra_examples/terraform/common/sra_execution_role/main.tf b/aws_sra_examples/terraform/common/sra_execution_role/main.tf
index 57bcc72e0..734da884a 100644
--- a/aws_sra_examples/terraform/common/sra_execution_role/main.tf
+++ b/aws_sra_examples/terraform/common/sra_execution_role/main.tf
@@ -13,16 +13,17 @@ resource "aws_iam_role" "sra_execution_role" {
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
- AWS = "arn:${var.aws_partition}:iam::${var.management_account_id}:root"
+ AWS = format("arn:%s:iam::%s:root", var.aws_partition, var.management_account_id)
}
}]
})
- managed_policy_arns = [
- "arn:${var.aws_partition}:iam::aws:policy/AdministratorAccess"
- ]
-
tags = {
"sra-solution" = var.solution_name
}
+}
+
+resource "aws_iam_role_policy_attachment" "sra_execution_role_admin_policy" {
+ role = aws_iam_role.sra_execution_role.name
+ policy_arn = format("arn:%s:iam::aws:policy/AdministratorAccess", var.aws_partition)
}
\ No newline at end of file
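Review bot: Moving the AdministratorAccess attachment from `managed_policy_arns` to a standalone `aws_iam_role_policy_attachment` changes what Terraform enforces on this role: the inline argument is exclusive, so an apply detached any managed policy attached out of band, whereas the attachment resource only manages its own attachment and leaves extra policies in place. For an execution role trusted by the management account root that is a drift-detection regression worth either accepting explicitly in a comment on the new resource, e.g. `# Non-exclusive: extra out-of-band attachments are not reverted on apply`, or closing with the exclusive-attachments resource if the provider version in use offers it (verify against the pinned provider). The `aws_iam_role` block starts outside the hunk, so I cannot see whether `managed_policy_arns` is still set elsewhere in it; if it were, the two would conflict. The file also now ends without a trailing newline.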
diff --git a/aws_sra_examples/terraform/solutions/security_hub/README.md b/aws_sra_examples/terraform/solutions/security_hub/README.md
index 743696094..b1bc56740 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/README.md
+++ b/aws_sra_examples/terraform/solutions/security_hub/README.md
@@ -182,7 +182,7 @@ Please navigate to the [installing the AWS SRA Solutions](./../../README.md#inst
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [audit\_account\_id](#input\_audit\_account\_id) | AWS Account ID of the Control Tower Audit account. | `string` | n/a | yes |
-| [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"1.4.0"` | no |
+| [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"3.0.0"` | no |
| [compliance\_frequency](#input\_compliance\_frequency) | Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7) | `number` | `7` | no |
| [control\_tower\_lifecycle\_rule\_name](#input\_control\_tower\_lifecycle\_rule\_name) | The name of the AWS Control Tower Life Cycle Rule | `string` | `"sra-securityhub-org-trigger"` | no |
| [create\_lambda\_log\_group](#input\_create\_lambda\_log\_group) | Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function | `bool` | `false` | no |
diff --git a/aws_sra_examples/terraform/solutions/security_hub/variables.tf b/aws_sra_examples/terraform/solutions/security_hub/variables.tf
index 9705ace44..33df1fd5f 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/variables.tf
+++ b/aws_sra_examples/terraform/solutions/security_hub/variables.tf
@@ -37,7 +37,11 @@ variable "sra_solution_name" {
variable "cis_standard_version" {
description = "CIS Standard Version"
type = string
- default = "1.4.0"
+ default = "3.0.0"
+ validation {
+ condition = contains(["NONE", "1.2.0", "1.4.0", "3.0.0"], var.cis_standard_version) # Changed to var.cis_standard_version
+ error_message = "Valid values for cis_standard_version are NONE, 1.2.0, 1.4.0, or 3.0.0."
+ }
}
variable "compliance_frequency" {
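Review bot: The new `validation` block fixes the accepted set to NONE, 1.2.0, 1.4.0 and 3.0.0, but the `description` still says only "CIS Standard Version", so an operator reading `terraform-docs` output or the README table never learns that NONE is an option or what the valid versions are until the plan fails. Reflect the contract in the description, e.g. `description = "CIS Standard Version (one of NONE, 1.2.0, 1.4.0, 3.0.0)"`, and update the README row that mirrors it. The list here is hard-coded independently of the Lambda that consumes the value; the hunk cannot show whether that code accepts all four values, so it is worth checking the two stay in step.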