diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml index f2eacbc0..11d581d3 100644 --- a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml @@ -453,9 +453,10 @@ Rules: - Assert: !Not [!Equals [!Ref pEnabledRegions, '']] AssertDescription: Please provide Enabled Regions ProvideUniqueExternalIds: - RuleCondition: !Equals - - !Ref pAuditAccountDataSubscriberExternalId - - !Ref pAuditAccountQuerySubscriberExternalId + RuleCondition: !And + - !Not [!Equals [!Ref pAuditAccountDataSubscriberExternalId, '']] + - !Not [!Equals [!Ref pAuditAccountQuerySubscriberExternalId, '']] + - !Equals [!Ref pAuditAccountDataSubscriberExternalId, !Ref pAuditAccountQuerySubscriberExternalId] Assertions: - Assert: !Not [!Equals [!Ref pAuditAccountDataSubscriberExternalId, !Ref pAuditAccountQuerySubscriberExternalId]] AssertDescription: The external ID for Security Lake Audit (Security Tooling) data access and query access subscribers must be different from one another.