Add permissions to create service-linked role (#306)

* add permissions to create service-linked role

* update github workflow to run cfn-nag

* update CHANGELOG.md

---------

Co-authored-by: ievgeniia ieromenko <ieviero@amazon.com>

Author: IevIe

.github/workflows/cfn-nag.yml

@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - name: Set up Ruby 2.6
+      - name: Set up Ruby 2.7
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.6'
+          ruby-version: '2.7'
       - name: Install cfn-nag
         run: gem install cfn-nag
       - name: Scan files in all templates folders

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2025-06-16](#2025-06-16)
 - [2025-03-20](#2025-03-20)
 - [2025-03-04](#2025-03-04)
 - [2025-02-13](#2025-02-13)
@@ -63,6 +64,11 @@
 All notable changes to this project will be documented in this file.
 
 ---
+## 2025-06-16
+
+### Updated<!-- omit in toc -->
+
+- Updated [CloudTrail](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/cloudtrail/cloudtrail_org) solution with permissions to create a service-linked role.
 
 ## 2025-03-20
 

aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml

@@ -400,6 +400,7 @@ Resources:
                   - iam:DeleteServiceLinkedRole
                 Resource:
                   - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrail*
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/context.cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrailEventContext
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
@@ -425,6 +426,8 @@ Resources:
             comment: Lambda does not need to communicate with VPC resources.
           - id: CKV_AWS_173
             comment: Environment variables are not sensitive
+          - id: CKV_AWS_45
+            comment: Environment variables only contain non-sensitive configuration values that are passed via CloudFormation parameters.
     Properties:
       Description: Creates an Organization CloudTrail
       Architectures: !If
@@ -473,4 +476,4 @@ Resources:
       KMS_KEY_ID: !Ref pOrganizationCloudTrailKMSKeyId
       S3_BUCKET_NAME: !Ref pCloudTrailS3BucketName
       SRA_SOLUTION_NAME: !Ref pSRASolutionName
-      DELEGATED_ADMIN_ACCOUNT_ID: !Ref pDelegatedAdminAccountId
+      DELEGATED_ADMIN_ACCOUNT_ID: !Ref pDelegatedAdminAccountId