From dbd093079115531057358678253a72118cb984bd Mon Sep 17 00:00:00 2001
From: Thomas Nicholson
Date: Wed, 9 Apr 2025 12:42:27 -0700
Subject: [PATCH 1/2] =?UTF-8?q?fixed=20deprecated=20issue=20Warning:=20Arg?=
 =?UTF-8?q?ument=20is=20deprecated=20=E2=94=82=20=E2=94=82=20=20=20with=20?=
 =?UTF-8?q?module.sra=5Fexecution=5Frole.aws=5Fiam=5Frole.sra=5Fexecution?=
 =?UTF-8?q?=5Frole,=20=E2=94=82=20=20=20on=20sra=5Fexecution=5Frole/main.t?=
 =?UTF-8?q?f=20line=2021,=20in=20resource=20"aws=5Fiam=5Frole"=20"sra=5Fex?=
 =?UTF-8?q?ecution=5Frole":=20=E2=94=82=20=20=2021:=20=20=20managed=5Fpoli?=
 =?UTF-8?q?cy=5Farns=20=3D=20[=20=E2=94=82=20=20=2022:=20=20=20=20=20"arn:?=
 =?UTF-8?q?${var.aws=5Fpartition}:iam::aws:policy/AdministratorAccess"=20?=
 =?UTF-8?q?=E2=94=82=20=20=2023:=20=20=20]=20=E2=94=82=20=E2=94=82=20manag?=
 =?UTF-8?q?ed=5Fpolicy=5Farns=20is=20deprecated.=20Use=20the=20aws=5Fiam?=
 =?UTF-8?q?=5Frole=5Fpolicy=5Fattachment=20resource=20instead.=20If=20Terr?=
 =?UTF-8?q?aform=20should=20exclusively=20manage=20all=20managed=20policy?=
 =?UTF-8?q?=20attachments=20(the=20current=20behavior=20of=20this=20argume?=
 =?UTF-8?q?nt),=20use=20the=20aws=5Fiam=5Frole=5Fpolicy=5Fattachments=5Fex?=
 =?UTF-8?q?clusive=20resource=20as=20well.=20=E2=95=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../terraform/common/sra_execution_role/main.tf | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/aws_sra_examples/terraform/common/sra_execution_role/main.tf b/aws_sra_examples/terraform/common/sra_execution_role/main.tf
index 57bcc72e0..734da884a 100644
--- a/aws_sra_examples/terraform/common/sra_execution_role/main.tf
+++ b/aws_sra_examples/terraform/common/sra_execution_role/main.tf
@@ -13,16 +13,17 @@ resource "aws_iam_role" "sra_execution_role" {
 Action = "sts:AssumeRole",
 Effect = "Allow",
 Principal = {
- AWS = "arn:${var.aws_partition}:iam::${var.management_account_id}:root"
+ AWS = format("arn:%s:iam::%s:root", var.aws_partition, var.management_account_id)
 }
 }]
 })
- managed_policy_arns = [
- "arn:${var.aws_partition}:iam::aws:policy/AdministratorAccess"
- ]
-
 tags = {
 "sra-solution" = var.solution_name
 }
+}
+
+resource "aws_iam_role_policy_attachment" "sra_execution_role_admin_policy" {
+ role = aws_iam_role.sra_execution_role.name
+ policy_arn = format("arn:%s:iam::aws:policy/AdministratorAccess", var.aws_partition)
 }
\ No newline at end of file
From aedcd7bc7edbc2c1347aa5d1071484ece34c1ab4 Mon Sep 17 00:00:00 2001
From: Thomas Nicholson
Date: Wed, 9 Apr 2025 13:29:24 -0700
Subject: [PATCH 2/2] fixed deprecated error on main.tf and updated support for CIS AWS Benchmark 3.0.0 set to default

---
 .../securityhub/securityhub_org/lambda/src/securityhub.py | 2 +-
 aws_sra_examples/terraform/solutions/security_hub/README.md | 2 +-
 .../terraform/solutions/security_hub/variables.tf | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py b/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
index 42b2b9a97..06e038bcf 100644
--- a/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
+++ b/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
@@ -36,7 +36,7 @@ SECURITY_HUB_THROTTLE_PERIOD = 0.2
 BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
 AWS_DEFAULT_SBP_VERSION = "1.0.0"
-AWS_DEFAULT_CIS_VERSION = "1.2.0"
+AWS_DEFAULT_CIS_VERSION = "3.0.0" # Changed from "1.2.0"
 try:
 MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
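Review bot: Replacing `managed_policy_arns` with a single `aws_iam_role_policy_attachment` drops the exclusive-management behaviour the old argument had, which is exactly the second half of the deprecation text quoted in this patch's subject: any managed policy attached to `sra_execution_role` outside Terraform will no longer be detected or detached on the next apply. For a role that carries `AdministratorAccess` and is assumable from the management account root, keeping Terraform authoritative over its attachments is worth preserving, so pair the new attachment with an `aws_iam_role_policy_attachments_exclusive` resource (this needs a provider release that ships that resource; check the version constraint for the module). The `aws_iam_role` block this hunk edits begins before the hunk. The switch from string interpolation to `format()` on the `AWS` principal and `policy_arn` lines is behaviourally neutral and fine either way.

```hcl
# … unchanged: aws_iam_role.sra_execution_role and aws_iam_role_policy_attachment.sra_execution_role_admin_policy …

# Keep Terraform authoritative over the role's managed-policy attachments,
# matching the behaviour the deprecated managed_policy_arns argument had.
resource "aws_iam_role_policy_attachments_exclusive" "sra_execution_role" {
  role_name   = aws_iam_role.sra_execution_role.name
  policy_arns = [aws_iam_role_policy_attachment.sra_execution_role_admin_policy.policy_arn]
}
```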
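Review bot: The trailing `# Changed from "1.2.0"` on the new `AWS_DEFAULT_CIS_VERSION` line records edit history rather than intent and will be stale the next time the default moves; git already holds the old value, so drop it or replace it with a comment that documents the constant, e.g. `# Default CIS benchmark version applied when the caller supplies none.` Whether the rest of the Lambda can actually enable CIS 3.0.0 is not visible in this hunk: if the standard ARN is derived from this version string elsewhere in the module, confirm it yields the `standards/` ARN form Security Hub uses for CIS 1.4.0 and 3.0.0 rather than the older `ruleset/` form used by 1.2.0, and pin that with a unit test for "3.0.0". These are module-level assignments, so no enclosing function is cut by the hunk.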
diff --git a/aws_sra_examples/terraform/solutions/security_hub/README.md b/aws_sra_examples/terraform/solutions/security_hub/README.md
index 743696094..b1bc56740 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/README.md
+++ b/aws_sra_examples/terraform/solutions/security_hub/README.md
@@ -182,7 +182,7 @@ Please navigate to the [installing the AWS SRA Solutions](./../../README.md#inst
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [audit\_account\_id](#input\_audit\_account\_id) | AWS Account ID of the Control Tower Audit account. | `string` | n/a | yes |
-| [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"1.4.0"` | no |
+| [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"3.0.0"` | no |
 | [compliance\_frequency](#input\_compliance\_frequency) | Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7) | `number` | `7` | no |
 | [control\_tower\_lifecycle\_rule\_name](#input\_control\_tower\_lifecycle\_rule\_name) | The name of the AWS Control Tower Life Cycle Rule | `string` | `"sra-securityhub-org-trigger"` | no |
 | [create\_lambda\_log\_group](#input\_create\_lambda\_log\_group) | Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function | `bool` | `false` | no |
diff --git a/aws_sra_examples/terraform/solutions/security_hub/variables.tf b/aws_sra_examples/terraform/solutions/security_hub/variables.tf
index 9705ace44..33df1fd5f 100644
--- a/aws_sra_examples/terraform/solutions/security_hub/variables.tf
+++ b/aws_sra_examples/terraform/solutions/security_hub/variables.tf
@@ -37,7 +37,11 @@ variable "sra_solution_name" {
 variable "cis_standard_version" {
 description = "CIS Standard Version"
 type = string
- default = "1.4.0"
+ default = "3.0.0"
+ validation {
+ condition = contains(["NONE", "1.2.0", "1.4.0", "3.0.0"], var.cis_standard_version) # Changed to var.cis_standard_version
+ error_message = "Valid values for cis_standard_version are NONE, 1.2.0, 1.4.0, or 3.0.0."
+ }
 }

 variable "compliance_frequency" {
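Review bot: The `# Changed to var.cis_standard_version` comment on the new `condition` line describes an edit rather than intent; `contains([...], var.cis_standard_version)` is the obvious reading, so the comment should go, or state why the set is closed. The `description` still reads only `"CIS Standard Version"` while the validation now admits `NONE`, and the README row touched by this patch does not mention it either, so a caller only learns of that value from the error message; a description such as `description = "CIS Standard Version to apply: NONE, 1.2.0, 1.4.0 or 3.0.0"` would surface it. The accepted list is also duplicated between the condition and `error_message`; building the message from a single local list keeps the two from drifting. `variable "compliance_frequency"` continues past the hunk.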