From 6d5a0bd86dba7013c7714227da049c97c6d4c5e2 Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko
Date: Tue, 3 Sep 2024 15:25:16 -0400
Subject: [PATCH] linting fixes
---
 .../lambda/src/security_lake.py | 46 +++++++++----------
 ...security-lake-meta-store-manager-role.yaml | 14 +++---
 ...-security-lake-org-configuration-role.yaml | 6 +--
 .../sra-security-lake-org-configuration.yaml | 44 +++++++----------
 .../sra-security-lake-org-main-ssm.yaml | 32 ++++++-------
 5 files changed, 65 insertions(+), 77 deletions(-)
diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
index a775fb6d..68ac3335 100644
--- a/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
+++ b/aws_sra_examples/solutions/security_lake/security_lake_org/lambda/src/security_lake.py
@@ -445,11 +445,11 @@ def get_org_configuration(sl_client: SecurityLakeClient) -> tuple:
 tuple: (bool, dict)
 """
 try:
- org_configruations = sl_client.get_data_lake_organization_configuration()
- if org_configruations["autoEnableNewAccount"]:
- return True, org_configruations["autoEnableNewAccount"]
+ org_configurations = sl_client.get_data_lake_organization_configuration()
+ if org_configurations["autoEnableNewAccount"]:
+ return True, org_configurations["autoEnableNewAccount"]
 else:
- return False, org_configruations
+ return False, org_configurations
 except ClientError as e:
 error_code = e.response["Error"]["Code"]
 if error_code == "ResourceNotFoundException":
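Review bot: The return shape of get_org_configuration is inconsistent with its docstring's `tuple: (bool, dict)`: the True branch returns the `autoEnableNewAccount` list while the False branch returns the whole response dict, and the subscript on the renamed `org_configurations["autoEnableNewAccount"]` raises KeyError if the service omits the key. If no caller relies on the raw response in the False case, `existing = org_configurations.get("autoEnableNewAccount", [])` followed by `return bool(existing), existing` gives one shape, with the docstring updated to `tuple: (bool, list)`. The except branch of get_org_configuration continues past the hunk.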
@@ -483,18 +483,18 @@ def create_organization_configuration(sl_client: SecurityLakeClient, regions: li
 create_organization_configuration(sl_client, regions, org_sources, source_version, retry + 1)
-def set_sources_to_disable(org_configruations: list, region: str) -> list:
+def set_sources_to_disable(org_configurations: list, region: str) -> list:
 """Update Security Lake.
 Args:
- org_configruations: list of configurations
+ org_configurations: list of configurations
 region: AWS region
 Returns:
 list: list of sources to disable
 """
 sources_to_disable = []
- for configuration in org_configruations:
+ for configuration in org_configurations:
 if configuration["region"] == region:
 for source in configuration["sources"]:
 sources_to_disable.append(source)
@@ -503,7 +503,7 @@ def set_sources_to_disable(org_configruations: list, region: str) -> list:
 def update_organization_configuration(
- sl_client: SecurityLakeClient, regions: list, org_sources: list, source_version: str, exisiting_org_configuration: list
+ sl_client: SecurityLakeClient, regions: list, org_sources: list, source_version: str, existing_org_configuration: list
 ) -> None:
 """Update Security Lake organization configuration.
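Review bot: The summary line `"""Update Security Lake.` in set_sources_to_disable does not describe the function, which only collects the source entries configured for one region and performs no update; `"""Return the sources configured for *region* in the organization configuration.` would match the Returns section. The inner loop can be flattened to `sources_to_disable.extend(configuration["sources"])`, dropping a level of nesting without changing the result. The return statement of set_sources_to_disable lies outside the hunk.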
@@ -512,35 +512,35 @@ def update_organization_configuration(
 regions: list of AWS regions
 org_sources: list of AWS log and event sources
 source_version: version of log source
- exisiting_org_configuration: list of existing configurations
+ existing_org_configuration: list of existing configurations
 Raises:
 ClientError: If there is an issue interacting with the AWS API
 """
- delete_organization_configuration(sl_client, exisiting_org_configuration)
+ delete_organization_configuration(sl_client, existing_org_configuration)
 sources: List[AwsLogSourceResourceTypeDef] = [{"sourceName": source, "sourceVersion": source_version} for source in org_sources]
- autoenable_config: List[DataLakeAutoEnableNewAccountConfigurationTypeDef] = []
- for regioin in regions:
- region_config: DataLakeAutoEnableNewAccountConfigurationTypeDef = {"region": regioin, "sources": sources}
- autoenable_config.append(region_config)
- response = sl_client.create_data_lake_organization_configuration(autoEnableNewAccount=autoenable_config)
+ auto_enable_config: List[DataLakeAutoEnableNewAccountConfigurationTypeDef] = []
+ for region in regions:
+ region_config: DataLakeAutoEnableNewAccountConfigurationTypeDef = {"region": region, "sources": sources}
+ auto_enable_config.append(region_config)
+ response = sl_client.create_data_lake_organization_configuration(autoEnableNewAccount=auto_enable_config)
 api_call_details = {"API_Call": "securitylake:CreateDataLakeOrganizationConfiguration", "API_Response": response}
 LOGGER.info(api_call_details)
-def delete_organization_configuration(sl_client: SecurityLakeClient, exisiting_org_configuration: list) -> None:
+def delete_organization_configuration(sl_client: SecurityLakeClient, existing_org_configuration: list) -> None:
 """Delete Security Lake organization configuration.
Args:
 sl_client: boto3 client
- exisiting_org_configuration: list of existing configurations
+ existing_org_configuration: list of existing configurations
 Raises:
 ClientError: If there is an issue interacting with the AWS API
 """
- sources_to_disable = exisiting_org_configuration
+ sources_to_disable = existing_org_configuration
 if sources_to_disable:
- delete_response = sl_client.delete_data_lake_organization_configuration(autoEnableNewAccount=exisiting_org_configuration)
+ delete_response = sl_client.delete_data_lake_organization_configuration(autoEnableNewAccount=existing_org_configuration)
 api_call_details = {"API_Call": "securitylake:DeleteDataLakeOrganizationConfiguration", "API_Response": delete_response}
 LOGGER.info(api_call_details)
@@ -693,7 +693,7 @@ def create_subscribers(
 def update_subscriber(
- sl_client: SecurityLakeClient, subscriber_id: str, source_types: list, external_id: str, principal: str, subscriber_name: str, source_verison: str
+ sl_client: SecurityLakeClient, subscriber_id: str, source_types: list, external_id: str, principal: str, subscriber_name: str, source_version: str
 ) -> str:
 """Update Security Lake subscriber.
@@ -704,7 +704,7 @@ def update_subscriber(
 external_id: external id
 principal: AWS account id
 subscriber_name: subscriber name
- source_verison: source version
+ source_version: source version
 Returns:
 str: Resource share ARN
@@ -713,7 +713,7 @@ def update_subscriber(
 ValueError: if subscriber not created
 """
 subscriber_sources: Sequence[LogSourceResourceTypeDef] = [
- {"awsLogSource": {"sourceName": source, "sourceVersion": source_verison}} for source in source_types
+ {"awsLogSource": {"sourceName": source, "sourceVersion": source_version}} for source in source_types
 ]
 base_delay = 1
 max_delay = 3
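Review bot: update_organization_configuration removes the existing organization configuration with `delete_organization_configuration(sl_client, existing_org_configuration)` before `create_data_lake_organization_configuration` runs, and the create call has no error handling, so a ClientError there leaves the organization with no auto-enable configuration and new member accounts silently stop being onboarded into Security Lake until the update is re-run. That is pre-existing behaviour the rename does not change, but it deserves a comment above the delete call such as `# Not atomic: the previous auto-enable configuration is removed before the new one exists; a failure below leaves none in place` and a log-and-re-raise around the create call so the gap is visible in the function's logs. In delete_organization_configuration the local `sources_to_disable` is only an alias of `existing_org_configuration` and the API call then uses the parameter directly; either pass the alias or drop it. The signature of update_organization_configuration is in the preceding hunk, and the update_subscriber hunks that follow are pure renames.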
@@ -894,7 +894,7 @@ def create_table_in_data_catalog( LOGGER.info(f"Table '{table_name}' already exists in {region} region.") continue if error_code == "AccessDeniedException": - LOGGER.info("'AccessDeniedException' error occured. Review and update Lake Formation permission(s)") + LOGGER.info("'AccessDeniedException' error occurred. Review and update Lake Formation permission(s)") LOGGER.info("Skipping...") continue else: diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-meta-store-manager-role.yaml b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-meta-store-manager-role.yaml index f163c46f..23fcd72c 100644 --- a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-meta-store-manager-role.yaml +++ b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-meta-store-manager-role.yaml @@ -21,18 +21,18 @@ Metadata: - Label: default: Role Properties Parameters: - - pSRASecurityLakeMetastoreManagerRoleName + - pSRASecurityLakeMetaStoreManagerRoleName ParameterLabels: - pSRASecurityLakeMetastoreManagerRoleName: - default: Security Lake Metastore Manager Role Name + pSRASecurityLakeMetaStoreManagerRoleName: + default: SecurityLakeMetaStoreManager Role Name Parameters: - pSRASecurityLakeMetastoreManagerRoleName: + pSRASecurityLakeMetaStoreManagerRoleName: AllowedPattern: '^[\w+=,.@-]{1,64}$' ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] Default: AmazonSecurityLakeMetaStoreManagerV2 - Description: Security Lake Metastore Manager Role + Description: SecurityLakeMetaStoreManagerRole Type: String pSRASolutionName: AllowedValues: [sra-security-lake-org] 
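Review bot: On `AccessDeniedException` create_table_in_data_catalog logs at INFO and `continue`s, so a permissions failure that leaves a Security Lake table uncreated is indistinguishable in the function's logs from routine progress; the typo fix keeps that level. Raise it to `LOGGER.warning("'AccessDeniedException' error occurred. Review and update Lake Formation permission(s)")` and include the context already in scope, e.g. `LOGGER.warning(f"AccessDeniedException creating table '{table_name}' in {region}; review Lake Formation permissions")`, so whoever reviews the deployment can see which table was skipped. create_table_in_data_catalog starts and ends outside the hunk.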
@@ -44,7 +44,7 @@ Resources: rSecurityLakeMetaStoreManagerRole: Type: AWS::IAM::Role Properties: - RoleName: !Ref pSRASecurityLakeMetastoreManagerRoleName + RoleName: !Ref pSRASecurityLakeMetaStoreManagerRoleName AssumeRolePolicyDocument: Version: '2012-10-17' Statement: @@ -54,7 +54,7 @@ Resources: Action: sts:AssumeRole Path: '/service-role/' ManagedPolicyArns: - - !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/service-role/AmazonSecurityLakeMetastoreManager + - !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/service-role/AmazonSecurityLakeMetaStoreManager Policies: - PolicyName: sra-security-lake-org-kms-policy PolicyDocument: diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration-role.yaml b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration-role.yaml index d6107ed2..d168e9af 100644 --- a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration-role.yaml +++ b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration-role.yaml @@ -104,7 +104,7 @@ Resources: Statement: - Sid: AllowPutLakeFormationSettings Effect: Allow - Action: lakeformation:PutDatalakeSettings + Action: lakeformation:PutDataLakeSettings Resource: "*" Condition: ForAnyValue:StringEquals: @@ -140,13 +140,13 @@ Resources: PolicyDocument: Version: 2012-10-17 Statement: - - Sid: AllowLambdaunctionConfigurationActions + - Sid: AllowLambdaFunctionConfigurationActions Effect: Allow Action: - lambda:GetFunctionConfiguration - lambda:UpdateFunctionConfiguration Resource: "arn:aws:lambda:*:*:function:AmazonSecurityLake*" - - Sid: AllowlambdaListEventSourceMappings + - Sid: AllowLambdaListEventSourceMappings Effect: Allow Action: - lambda:ListEventSourceMappings 
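Review bot: The ManagedPolicyArns entry `- !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/service-role/AmazonSecurityLakeMetaStoreManager` uses `${AWS::Partition}` in the account field; AWS managed policy ARNs carry the literal `aws` there, so this only resolves by coincidence in the commercial partition and would fail to attach in aws-cn or aws-us-gov. The rename also changes the managed policy name's case from `AmazonSecurityLakeMetastoreManager`; as far as I recall the managed policy is published with that lowercase spelling while only the role is `MetaStoreManager`, so verify the new ARN resolves before merging rather than relying on a case-insensitive match. Suggested line: `- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager`. The Policies block of rSecurityLakeMetaStoreManagerRole continues past the hunk.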
diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml index 0c97dc97..2a1fcbbc 100644 --- a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml +++ b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-configuration.yaml @@ -53,8 +53,7 @@ Metadata: - pAuditAccountQuerySubscriberPrefix - pAuditAccountQuerySubscriberExternalId - pDisableSecurityLake - - pSRASecurityLakeMetastoreManagerRoleName - - pKmsKeyStackSetId + - pSRASecurityLakeMetatoreManagerRoleName - pCreateResourceLink - pSecurityLakeOrgKeyAlias @@ -75,12 +74,10 @@ Metadata: ParameterLabels: pCreateResourceLink: default: Create Resource Link - pKmsKeyStackSetId: - default: KMS key stackset id pSecurityLakeOrgKeyAlias: default: Security Lake KMS Key Alias - pSRASecurityLakeMetastoreManagerRoleName: - default: Security Lake Metastore Manager Role + pSRASecurityLakeMetaStoreManagerRoleName: + default: SecurityLakeMetastoreManagerRole pCloudTrailManagementEvents: default: CloudTrail - Management events pSourceVersion: @@ -154,12 +151,6 @@ Parameters: Default: 'true' Description: Indicates whether to create a resource link for shared resources in Audit (Security Tooling) account Type: String - pKmsKeyStackSetId: - AllowedPattern: '^sra-security-lake-org-kms-key(?::\S+)?$' - ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -] - Default: "sra-security-lake-org-kms-key" - Description: The name of the KMS Key StackSet - Type: String pSecurityLakeOrgKeyAlias: AllowedPattern: '^[a-zA-Z0-9/_-]+$' ConstraintDescription: 
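Review bot: The new ParameterGroups entry `- pSRASecurityLakeMetatoreManagerRoleName` is missing the `S` in MetaStore and so names a parameter this template does not declare — the Parameters section is renamed to `pSRASecurityLakeMetaStoreManagerRoleName` in a later hunk — which at best drops it from the console grouping and may fail template validation. Change it to `- pSRASecurityLakeMetaStoreManagerRoleName`. The label and Description for the same parameter (the @@ -75 and @@ -167 hunks) still read `SecurityLakeMetastoreManagerRole`, while the meta-store-manager-role template in this same patch uses `SecurityLakeMetaStoreManager`; one spelling across the solution would avoid the next round of lint fixes.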
@@ -167,11 +158,11 @@ Parameters: Default: sra-security-lake-org-key Description: Security Lake KMS Key Alias Type: String - pSRASecurityLakeMetastoreManagerRoleName: + pSRASecurityLakeMetaStoreManagerRoleName: AllowedPattern: '^[\w+=,.@-]{1,64}$' ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] Default: AmazonSecurityLakeMetaStoreManagerV2 - Description: Security Lake Metastore Manager Role + Description: SecurityLakeMetastoreManagerRole Type: String pSourceVersion: AllowedValues: [2.0] @@ -184,7 +175,7 @@ Parameters: ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation' Description: Accounts to ingest CloudTrail - Management events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma - seperated list of the AWS Account numbers. Leave empty to skip log source creation. + separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: 'ALL' pCloudTrailLambdaDataEvents: @@ -192,7 +183,7 @@ Parameters: ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation' Description: Accounts to ingest CloudTrail - Lambda Data events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma - seperated list of the AWS Account numbers. Leave empty to skip log source creation. + separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: 'ALL' pCloudTrailS3DataEvents: 
@@ -200,7 +191,7 @@ Parameters: ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation' Description: Accounts to ingest CloudTrail - S3 Data events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma - seperated list of the AWS Account numbers. Leave empty to skip log source creation. + separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: '' pSecurityHubFindings: @@ -208,7 +199,7 @@ Parameters: ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation' Description: Accounts to ingest SecurityHub Findings from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma - seperated list of the AWS Account numbers. Leave empty to skip log source creation. + separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: 'ALL' pVpcFlowLogs: @@ -216,7 +207,7 @@ Parameters: ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation' Description: Accounts to ingest VPC Flow Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma - seperated list of the AWS Account numbers. Leave empty to skip log source creation. + separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: 'ALL' pWafLogs: 
@@ -224,7 +215,7 @@ Parameters: ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation' Description: Accounts to ingest WAFv2 Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma - seperated list of the AWS Account numbers. Leave empty to skip log source creation. + separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: '' pRoute53Logs: @@ -232,7 +223,7 @@ Parameters: ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation' Description: Accounts to ingest Amazon Route 53 resolver query logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma - seperated list of the AWS Account numbers. Leave empty to skip log source creation. + separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: 'ALL' pEksAuditLogs: @@ -240,7 +231,7 @@ Parameters: ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation' Description: Accounts to ingest Amazon EKS Audit Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma - seperated list of the AWS Account numbers. Leave empty to skip log source creation. + separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: 'ALL' pControlTowerRegionsOnly: 
@@ -463,7 +454,6 @@ Resources: Action: cloudformation:ListStackInstances Resource: - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/AWSControlTowerBP-* - - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/${pKmsKeyStackSetId} - PolicyName: sra-security-lake-org-policy-securitylake PolicyDocument: Version: 2012-10-17 @@ -641,8 +631,7 @@ Resources: - ',' - !Ref pOrgConfigurationSources DISABLE_SECURITY_LAKE: !Ref pDisableSecurityLake - META_STORE_MANAGER_ROLE_NAME: !Ref pSRASecurityLakeMetastoreManagerRoleName - KMS_STACKSET_ID: !Ref pKmsKeyStackSetId + META_STORE_MANAGER_ROLE_NAME: !Ref pSRASecurityLakeMetaStoreManagerRoleName CREATE_RESOURCE_LINK: !Ref pCreateResourceLink KEY_ALIAS: !Ref pSecurityLakeOrgKeyAlias Tags: @@ -655,7 +644,7 @@ Resources: Content: S3Bucket: !Ref pSRAStagingS3BucketName S3Key: !Sub ${pSRASolutionName}/layer_code/${pSRASolutionName}-layer.zip - Description: Boto3 version 1.34.153 layer to enable newer API of Security Lake # todo + Description: Boto3 version 1.35.10 layer to enable newer API of Security Lake LayerName: !Sub ${pSecurityLakeOrgLambdaFunctionName}-updated-boto3-layer rSecurityLakeOrgLambdaCustomResource: @@ -707,8 +696,7 @@ Resources: - ',' - !Ref pOrgConfigurationSources DISABLE_SECURITY_LAKE: !Ref pDisableSecurityLake - META_STORE_MANAGER_ROLE_NAME: !Ref pSRASecurityLakeMetastoreManagerRoleName - KMS_STACKSET_ID: !Ref pKmsKeyStackSetId + META_STORE_MANAGER_ROLE_NAME: !Ref pSRASecurityLakeMetaStoreManagerRoleName CREATE_RESOURCE_LINK: !Ref pCreateResourceLink KEY_ALIAS: !Ref pSecurityLakeOrgKeyAlias diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml index 19d401ed..9d5ad34e 100644 
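Review bot: Removing `KMS_STACKSET_ID: !Ref pKmsKeyStackSetId` from the Lambda environment (here and in the @@ -707 hunk), together with the `stackset/${pKmsKeyStackSetId}` resource for `cloudformation:ListStackInstances` in the @@ -463 hunk, is a functional change rather than a lint fix, and the Python hunks in this patch do not show the corresponding read of that variable being removed from the Lambda source. If the handler still reads `KMS_STACKSET_ID` from the environment it will fail at import or on first use, so confirm the consumer is gone and say so in the commit message, since "linting fixes" gives no hint of a parameter and IAM permission removal to anyone bisecting later.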
--- a/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml @@ -33,7 +33,7 @@ Metadata: - pEnabledRegions - pSecurityLakeOrgKeyAlias - pSecurityLakeWarning - - pSRASecurityLakeMetastoreManagerRoleName + - pSRASecurityLakeMetaStoreManagerRoleName - Label: default: Security Lake Configuration - Sources to Ingest Parameters: @@ -83,8 +83,8 @@ Metadata: default: Create resource link for shared resources pCreateLakeFormationSlr: default: Create AWS Lake Formation service-linked role - pSRASecurityLakeMetastoreManagerRoleName: - default: Security Lake Metastore Manager Role Name + pSRASecurityLakeMetaStoreManagerRoleName: + default: SecurityLakeMetaStoreManagerRole Name pCloudTrailManagementEvents: default: CloudTrail - Management Events (recommended)) pLogArchiveAccountId: @@ -106,7 +106,7 @@ Metadata: pEksAuditLogs: default: Amazon EKS Audit Logs (recommended) pOrgConfigurationSources: - default: Sources for Organizaiton Configuration + default: Sources for Organization Configuration pCreateOrganizationConfiguration: default: Create Organization Configuration pSourceVersion: @@ -183,10 +183,10 @@ Parameters: Default: 'true' Description: Indicates whether a Lake Formation service-linked role named AWSServiceRoleForLakeFormationDataAccess should be created Type: String - pSRASecurityLakeMetastoreManagerRoleName: + pSRASecurityLakeMetaStoreManagerRoleName: AllowedValues: ['AmazonSecurityLakeMetaStoreManagerV2', 'AmazonSecurityLakeMetaStoreManager'] Default: AmazonSecurityLakeMetaStoreManagerV2 - Description: Security Lake Metastore Manager Role + Description: IAM role used by Security Lake to create data lake or query data from Security Lake Type: String pSourceVersion: AllowedValues: [2.0] 
@@ -197,19 +197,19 @@ Parameters: pCloudTrailManagementEvents: AllowedPattern: ^($|ALL|(\d{12})(,\s*\d{12})*)$ ConstraintDescription: Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation - Description: Accounts to ingest CloudTrail - Management events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma seperated list of the AWS Account numbers. Leave empty to skip log source creation. + Description: Accounts to ingest CloudTrail - Management events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: ALL pCloudTrailLambdaDataEvents: AllowedPattern: ^($|ALL|(\d{12})(,\s*\d{12})*)$ ConstraintDescription: Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation - Description: Accounts to ingest CloudTrail - Lambda Data events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma seperated list of the AWS Account numbers. Leave empty to skip log source creation. + Description: Accounts to ingest CloudTrail - Lambda Data events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: ALL pCloudTrailS3DataEvents: AllowedPattern: ^($|ALL|(\d{12})(,\s*\d{12})*)$ ConstraintDescription: Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. 
Leave empty to skip log source creation - Description: Accounts to ingest CloudTrail - S3 Data events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma seperated list of the AWS Account numbers. Leave empty to skip log source creation. + Description: Accounts to ingest CloudTrail - S3 Data events from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: '' pCustomerControlTowerRegions: 
@@ -221,31 +221,31 @@ Parameters: pSecurityHubFindings: AllowedPattern: ^($|ALL|(\d{12})(,\s*\d{12})*)$ ConstraintDescription: Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation - Description: Accounts to ingest SecurityHub Findings from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma seperated list of the AWS Account numbers. Leave empty to skip log source creation. + Description: Accounts to ingest SecurityHub Findings from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: ALL pVpcFlowLogs: AllowedPattern: ^($|ALL|(\d{12})(,\s*\d{12})*)$ ConstraintDescription: Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation - Description: Accounts to ingest VPC Flow Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma seperated list of the AWS Account numbers. Leave empty to skip log source creation. + Description: Accounts to ingest VPC Flow Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: ALL pWafLogs: AllowedPattern: ^($|ALL|(\d{12})(,\s*\d{12})*)$ ConstraintDescription: Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation - Description: Accounts to ingest WAFv2 Logs from. Choose ALL to enable for all accounts in your AWS Organization. 
To choose the accounts enter a comma seperated list of the AWS Account numbers. Leave empty to skip log source creation. + Description: Accounts to ingest WAFv2 Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: '' pRoute53Logs: AllowedPattern: ^($|ALL|(\d{12})(,\s*\d{12})*)$ ConstraintDescription: Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation - Description: Accounts to ingest Amazon Route 53 resolver query logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma seperated list of the AWS Account numbers. Leave empty to skip log source creation. + Description: Accounts to ingest Amazon Route 53 resolver query logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma separated list of the AWS Account numbers. Leave empty to skip log source creation. Type: CommaDelimitedList Default: ALL pEksAuditLogs: AllowedPattern: ^($|ALL|(\d{12})(,\s*\d{12})*)$ ConstraintDescription: Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123" to create log source. Leave empty to skip log source creation - Description: Accounts to injest Amazon EKS Audit Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma seperated list of the AWS Account numbers. Leave empty to skip log source creation. + Description: Accounts to ingest Amazon EKS Audit Logs from. Choose ALL to enable for all accounts in your AWS Organization. To choose the accounts enter a comma separated list of the AWS Account numbers. Leave empty to skip log source creation. 
Type: CommaDelimitedList Default: ALL pLogArchiveAccountId: @@ -673,8 +673,8 @@ Resources: Parameters: - ParameterKey: pSRASolutionName ParameterValue: !Ref pSRASolutionName - - ParameterKey: pSRASecurityLakeMetastoreManagerRoleName - ParameterValue: !Ref pSRASecurityLakeMetastoreManagerRoleName + - ParameterKey: pSRASecurityLakeMetaStoreManagerRoleName + ParameterValue: !Ref pSRASecurityLakeMetaStoreManagerRoleName Tags: - Key: sra-solution Value: !Ref pSRASolutionName