aws-samples
diff --git a/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template‎
Lines changed: 46 additions & 0 deletions b/‎aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template‎
Lines changed: 46 additions & 0 deletions
@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2022-07-12](#2022-07-12)
 - [2022-05-23](#2022-05-23)
 - [2022-05-15](#2022-05-15)
 - [2022-04-25](#2022-04-25)
@@ -29,6 +30,14 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2022-07-12
+
+### Changed<!-- omit in toc -->
+
+- Added Checkov Lambda Function suppressions for CKV_AWS_115 (Reserved Concurrent Executions) and CKV_AWS_117 (Run within a VPC) to all solution templates with Lambda Function configurations.
+- Updated the [customizations-for-aws-control-tower.template](aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template) to the latest version v2.4.0 and added Checkov suppressions.
+- Updated pyproject.toml dependencies to the latest versions.
+
 ## 2022-05-23
 
 ### Changed<!-- omit in toc -->
 
@@ -255,6 +255,10 @@ Resources:
         rules_to_suppress:
           - id: W35
             reason: "This S3 bucket is used as the destination for 'CustomControlTowerPipelineS3Bucket' and 'CustomControlTowerPipelineArtifactS3Bucket'"
+      checkov:
+        skip:
+          - id: CKV_AWS_18
+            comment: S3 access logging is not enabled.
     Properties:
       AccessControl: LogDeliveryWrite
       VersioningConfiguration:
@@ -490,6 +494,10 @@ Resources:
         rules_to_suppress:
           - id: W11
             reason: "Allow Resource * for Cloudformation/SSM API: needs to support user defined cfn templates and ssm parameter names."
+      checkov:
+        skip:
+          - id: CKV_AWS_108
+            comment: "Allow Resource * for Cloudformation/SSM API: needs to support user defined cfn templates and ssm parameter names."
     Properties:
       AssumeRolePolicyDocument:
         Version: "2012-10-17"
@@ -997,6 +1005,16 @@ Resources:
             reason: "This lambda function does not need access to VPC resources"
           - id: W92
             reason: "This use case does not need to set the ReservedConcurrentExecutions"
+      checkov:
+        skip:
+          - id: CKV_AWS_115
+            comment: Lambda does not need reserved concurrent executions.
+          - id: CKV_AWS_116
+            comment: DLQ not needed, as Lambda function only triggered by CloudFormation events.
+          - id: CKV_AWS_117
+            comment: Lambda does not need to communicate with VPC resources.
+          - id: CKV_AWS_173
+            comment: Environment variables are not sensitive
     Properties:
       Environment:
         Variables:
@@ -1090,6 +1108,14 @@ Resources:
             reason: "The role name is defined to identify Custom Control Tower resources."
           - id: W11
             reason: "Allow Resource * for KMS/SSM/Org/SC/CFN API. Key ID is generated by the service. Other resources are customer defined."
+      checkov:
+        skip:
+          - id: CKV_AWS_108
+            comment: "Allow Resource * for KMS/SSM/Org/SC/CFN API. Key ID is generated by the service. Other resources are customer defined."
+          - id: CKV_AWS_109
+            comment: "Allow Resource * for KMS/SSM/Org/SC/CFN API. Key ID is generated by the service. Other resources are customer defined."
+          - id: CKV_AWS_111
+            comment: "Allow Resource * for KMS/SSM/Org/SC/CFN API. Key ID is generated by the service. Other resources are customer defined."
     Properties:
       RoleName: CustomControlTowerStateMachineLambdaRole
       AssumeRolePolicyDocument:
@@ -1264,6 +1290,16 @@ Resources:
             reason: "This lambda function does not need access to VPC resources"
           - id: W92
             reason: "This use case does not need to set the ReservedConcurrentExecutions"
+      checkov:
+        skip:
+          - id: CKV_AWS_115
+            comment: Lambda does not need reserved concurrent executions.
+          - id: CKV_AWS_116
+            comment: DLQ not needed, as Lambda function only triggered by CloudFormation events.
+          - id: CKV_AWS_117
+            comment: Lambda does not need to communicate with VPC resources.
+          - id: CKV_AWS_173
+            comment: Environment variables are not sensitive
     Properties:
       Environment:
         Variables:
@@ -2881,6 +2917,16 @@ Resources:
             reason: "This lambda function does not need access to VPC resources"
           - id: W92
             reason: "This use case does not need to set the ReservedConcurrentExecutions"
+      checkov:
+        skip:
+          - id: CKV_AWS_115
+            comment: Lambda does not need reserved concurrent executions.
+          - id: CKV_AWS_116
+            comment: DLQ not needed, as Lambda function only triggered by CloudFormation events.
+          - id: CKV_AWS_117
+            comment: Lambda does not need to communicate with VPC resources.
+          - id: CKV_AWS_173
+            comment: Environment variables are not sensitive
     Properties:
       Environment:
         Variables: