From babd0be1f71f2abd55ecf1b912d1b25f4a7e01e6 Mon Sep 17 00:00:00 2001
From: Aaron Bouey
Date: Tue, 21 Jan 2025 15:56:04 -0800
Subject: [PATCH 1/2] Adding config recorder service-linked role.
---
 .../sra-config-management-account-role.yaml | 39 ++-----------------
 .../sra-config-management-account.yaml | 2 +-
 2 files changed, 5 insertions(+), 36 deletions(-)
diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml
index d93c62de..32ad1a5a 100644
--- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml
+++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml
@@ -17,21 +17,13 @@ Metadata:
 Parameters:
 - pSRASolutionTagKey
 - pSRASolutionName
- - pManagedResourcePrefix
 ParameterLabels:
- pManagedResourcePrefix:
- default: Managed Resource Prefix
 pSRASolutionName:
 default: SRA Solution Name
 pSRASolutionTagKey:
 default: SRA Solution Tag Key
 
 Parameters:
- pManagedResourcePrefix:
- AllowedValues: [aws-controltower]
- Default: aws-controltower
- Description: Prefix for the managed resources
- Type: String
 pSRASolutionName:
 AllowedValues: [sra-config-management-account]
 Default: sra-config-management-account
@@ -44,31 +36,8 @@ Parameters:
 Type: String
 
 Resources:
- rConfigRecorderRole:
- Metadata:
- cfn_nag:
- rules_to_suppress:
- - id: W28
- reason: Explicit name provided
- Type: AWS::IAM::Role
+ rConfigServiceLinkedRole:
+ Type: AWS::IAM::ServiceLinkedRole
 Properties:
- RoleName: !Sub ${pManagedResourcePrefix}-ConfigRecorderRole
- Description: Role for AWS Config Recorder
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Action: sts:AssumeRole
- Principal:
- Service:
- - config.amazonaws.com
- ManagedPolicyArns:
- - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole
- Tags:
- - Key: !Ref pSRASolutionTagKey
- Value: !Ref pSRASolutionName
-
-Outputs:
- oConfigRecorderRoleArn:
- Description: Config Recorder Role ARN
- Value: !GetAtt rConfigRecorderRole.Arn
+ AWSServiceName: config.amazonaws.com
+ Description: A service-linked role for the ConfigRecorder.
diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml
index 6d2d03f1..9b2156e2 100644
--- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml
+++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml
@@ -165,7 +165,7 @@ Resources:
 Type: AWS::Config::ConfigurationRecorder
 Properties:
 Name: !Sub ${pManagedResourcePrefix}-BaselineConfigRecorder
- RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pManagedResourcePrefix}-ConfigRecorderRole
+ RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
 RecordingGroup:
 AllSupported: !Ref pAllSupported
 IncludeGlobalResourceTypes: !If
From 192469e2e8ba52cc2887f1c630838b202946a5a9 Mon Sep 17 00:00:00 2001
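Review bot: `rConfigServiceLinkedRole` carries no `DeletionPolicy`, so a stack delete or a replacing update will try to delete `AWSServiceRoleForConfig`, which AWS Config refuses while a configuration recorder still uses it and which other Config consumers in the account may also rely on; add `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain` to the resource. Creation is also not idempotent: `AWS::IAM::ServiceLinkedRole` fails when the role already exists in the account, which is likely wherever Config was enabled before this solution, so the template should either document that precondition or gate the resource on a condition. The removed `Outputs` section drops `oConfigRecorderRoleArn`; any stack that imported or read that output would break, which cannot be confirmed from this diff.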
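Review bot: The recorder's `RoleARN` now hard-codes the service-linked role path instead of taking it from a parameter or a stack output, so nothing in this template ties it to `sra-config-management-account-role.yaml` except the naming convention, and a missing or not-yet-created `AWSServiceRoleForConfig` surfaces only as an IAM error from AWS Config when the recorder is created. A comment above the line such as `# AWSServiceRoleForConfig is created by sra-config-management-account-role.yaml; that stack must complete before this recorder is created` would make the deployment order explicit. The enclosing ConfigurationRecorder resource's logical name and its remaining properties are outside the hunk.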
From: Aaron Bouey
Date: Tue, 21 Jan 2025 16:06:42 -0800
Subject: [PATCH 2/2] Aligning template parameters to avoid possible conflicts.
---
 .../templates/sra-config-management-account-role.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml
index 32ad1a5a..5b398f18 100644
--- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml
+++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml
@@ -17,13 +17,21 @@ Metadata:
 Parameters:
 - pSRASolutionTagKey
 - pSRASolutionName
+ - pManagedResourcePrefix
 ParameterLabels:
+ pManagedResourcePrefix:
+ default: Managed Resource Prefix
 pSRASolutionName:
 default: SRA Solution Name
 pSRASolutionTagKey:
 default: SRA Solution Tag Key
 
 Parameters:
+ pManagedResourcePrefix:
+ AllowedValues: [aws-controltower]
+ Default: aws-controltower
+ Description: Prefix for the managed resources
+ Type: String
 pSRASolutionName:
 AllowedValues: [sra-config-management-account]
 Default: sra-config-management-account
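Review bot: `pManagedResourcePrefix` is declared again here, but after patch 1 of this series replaced `rConfigRecorderRole` with the service-linked role nothing in this template references it, so it appears to exist only so the caller can keep passing the solution-wide parameter set; cfn-lint reports such parameters as unused (W2001) and a later cleanup would likely remove it again and reintroduce the conflict the commit message mentions. Record that intent next to the declaration, e.g. `# Not referenced by this template; declared so the shared SRA parameter set can be passed in without a parameter mismatch`. Because this hunk restores exactly the lines patch 1 removed, squashing the two commits would also avoid a remove-then-re-add in the history.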