From 6f704d89767a9a145b6c045aa0f9724168ed5134 Mon Sep 17 00:00:00 2001
From: muakvik
Date: Mon, 9 Mar 2026 14:30:46 -0500
Subject: [PATCH 1/5] docs: Add AWS Control Tower 4.0 compatibility notice to README
---
 README.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/README.md b/README.md
index aa982c49..47a13325 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,33 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 ##
+---
+
+## ⚠️ AWS SRA Code Library & Control Tower 4.0: Compatibility Notice
+
+AWS Control Tower 4.0 introduces architectural changes that affect the existing SRA code library, including how AWS Config, CloudTrail, and S3 log buckets are structured and referenced. If you're upgrading to CT 4.0 or have already done so, follow the steps below to restore compatibility.
+
+### Steps to Resolve
+
+**Step 1: Follow the Upgrade Instructions**
+
+Review the key CT 4.0 changes that impact SRA and apply the corresponding updates to your local deployment:
+
+- Enable AWS Config and CloudTrail via Control Tower before deploying SRA — these are now optional integrations in CT 4.0 and must be explicitly enabled.
+- Update your local SRA templates to reference the new dedicated S3 buckets for Config logs (`aws-controltower-config-logs-{LogArchiveAccountId}-{suffix}`) instead of the legacy shared CT logs bucket.
+
+For full migration details, refer to the [Control Tower 4.0 migration guide](https://docs.aws.amazon.com/controltower/latest/userguide/ct-migrate.html) and [Upgrading to CT 4.0 best practices](https://docs.aws.amazon.com/controltower/latest/userguide/ct-update.html).
+
+**Step 2: Reach Out to Your AWS Account Manager**
+
+If you've followed the instructions above and are still experiencing issues, contact your AWS Account Manager. They can connect you with the right AWS support resources for further troubleshooting.
+
+**Step 3: Don't Have an Account Manager? Cut Us a Ticket**
+
+If you don't have an AWS Account Manager, [submit a GitHub issue](https://github.com/aws-samples/aws-security-reference-architecture-examples/issues) directly to the SRA team. We'll provide support on a best-effort basis.
+
+---
+
 ## Table of Contents
 - [Introduction](#introduction)
From f4da0fd3466cd3861fd5d875b1537eb617f677ac Mon Sep 17 00:00:00 2001
From: cyphronix <57731583+cyphronix@users.noreply.github.com>
Date: Tue, 10 Mar 2026 13:41:07 -0600
Subject: [PATCH 2/5] removing unused license
---
 pyproject.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 260bf403..548abf09 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -133,7 +133,6 @@ safe_licenses = [
 "MIT License",
 "BSD License",
 "Apache Software License",
- "PSF-2.0",
 "ISC License (ISCL)"
 ]
From cb795bb8033f3f150812762e6d84aef78e1dd362 Mon Sep 17 00:00:00 2001
From: cyphronix <57731583+cyphronix@users.noreply.github.com>
Date: Tue, 10 Mar 2026 13:45:38 -0600
Subject: [PATCH 3/5] remove duplicate alarm email
---
 .../shield_advanced/templates/sra-shield-advanced-main-ssm.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-main-ssm.yaml b/aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-main-ssm.yaml
index abfaf76e..1422e134 100644
--- a/aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-main-ssm.yaml
+++ b/aws_sra_examples/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-main-ssm.yaml
@@ -150,8 +150,6 @@ Metadata:
 default: SRA Solution Version
 pSRAStagingS3BucketName:
 default: SRA Staging S3 Bucket Name
- pSRAAlarmEmail:
- default: (Optional) SRA Alarm Email
 pProtectionGroup0AccountId:
 default: AWS Account Id where the Protection Group is created
 pProtectionGroup0Id:
From bf9d56f03edb89c8f7ee83ce5569b2c07ee586c0 Mon Sep 17 00:00:00 2001
From: cyphronix <57731583+cyphronix@users.noreply.github.com>
Date: Tue, 10 Mar 2026 13:47:16 -0600
Subject: [PATCH 4/5] remove unused ignore
---
 .../account/account_alternate_contacts/lambda/src/app.py | 2 +-
 .../s3/s3_block_account_public_access/lambda/src/app.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws_sra_examples/solutions/account/account_alternate_contacts/lambda/src/app.py b/aws_sra_examples/solutions/account/account_alternate_contacts/lambda/src/app.py
index 095c2b97..4e7fa51e 100644
--- a/aws_sra_examples/solutions/account/account_alternate_contacts/lambda/src/app.py
+++ b/aws_sra_examples/solutions/account/account_alternate_contacts/lambda/src/app.py
@@ -330,7 +330,7 @@ def process_accounts(event: Union[CloudFormationCustomResourceEvent, dict], para
 if is_account_with_exclude_tags(account, params):
 continue
- if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true": # type: ignore
+ if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":
 local_testing(account, params)
 else:
 sns_message = {"Action": params["action"], "AccountId": account["Id"]}
diff --git a/aws_sra_examples/solutions/s3/s3_block_account_public_access/lambda/src/app.py b/aws_sra_examples/solutions/s3/s3_block_account_public_access/lambda/src/app.py
index 565282ba..20bf5fa9 100644
--- a/aws_sra_examples/solutions/s3/s3_block_account_public_access/lambda/src/app.py
+++ b/aws_sra_examples/solutions/s3/s3_block_account_public_access/lambda/src/app.py
@@ -298,7 +298,7 @@ def process_accounts(event: Union[CloudFormationCustomResourceEvent, dict], para
 if is_account_with_exclude_tags(account, params):
 continue
- if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true": # type: ignore
+ if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":
 local_testing(account, params)
 else:
 sns_message = {"Action": params["action"], "AccountId": account["Id"]}
From af4a1ffffd9b775e93fb8ace0397979074dd5eff Mon Sep 17 00:00:00 2001
From: cyphronix <57731583+cyphronix@users.noreply.github.com>
Date: Tue, 10 Mar 2026 13:55:46 -0600
Subject: [PATCH 5/5] update checkov exceptions
---
 .../templates/sra-bedrock-guardrails-main.yaml | 9 ++++++++-
 .../bedrock_org/templates/sra-bedrock-org-main.yaml | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/aws_sra_examples/solutions/genai/bedrock_guardrails/templates/sra-bedrock-guardrails-main.yaml b/aws_sra_examples/solutions/genai/bedrock_guardrails/templates/sra-bedrock-guardrails-main.yaml
index c56d0df9..16f0f6d1 100644
--- a/aws_sra_examples/solutions/genai/bedrock_guardrails/templates/sra-bedrock-guardrails-main.yaml
+++ b/aws_sra_examples/solutions/genai/bedrock_guardrails/templates/sra-bedrock-guardrails-main.yaml
@@ -277,6 +277,13 @@ Parameters:
 Resources:
 rBedrockGuardrailsLambdaRole:
+ Metadata:
+ checkov:
+ skip:
+ - id: CKV_AWS_107
+ comment: "No credentials are exposed to the Lambda function."
+ - id: CKV_AWS_111
+ comment: "IAM write actions require wildcard in resource."
 Type: AWS::IAM::Role
 Properties:
 RoleName: !Ref pBedrockGuardrailLambdaRoleName
@@ -471,4 +478,4 @@ Resources:
 Outputs:
 BedrockGuardrailsLambdaFunctionArn:
 Description: ARN of the Lambda function
- Value: !GetAtt rBedrockGuardrailsLambdaFunction.Arn
\ No newline at end of file
+ Value: !GetAtt rBedrockGuardrailsLambdaFunction.Arn
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml b/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml
index 291c4000..8d43eca5 100644
--- a/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml
+++ b/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml
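Review bot: The two checkov skip justifications added under `rBedrockGuardrailsLambdaRole` are too generic to be re-evaluated later: CKV_AWS_107 (policies that allow credential exposure) and CKV_AWS_111 (write access without resource constraints) are each raised by specific statements of the role's policy, which lie outside this hunk, and neither comment names the statement or the action that triggers it. Because the skip is attached to the role resource rather than to a statement, it suppresses both checks for every policy on that role, including statements added in later edits. I would have each comment cite what it covers and what bounds it, e.g. `comment: "CKV_AWS_111: <statement Sid> needs <iam action> on Resource '*'; bounded by <condition or ARN naming pattern>"`, and where a Condition or ARN pattern can constrain the wildcard, prefer that over the skip. The identical block added to sra-bedrock-org-main.yaml in the next hunk has the same issue.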
@@ -464,6 +464,13 @@ Metadata:
 Resources:
 rBedrockOrgLambdaRole:
+ Metadata:
+ checkov:
+ skip:
+ - id: CKV_AWS_107
+ comment: "No credentials are exposed to the Lambda function."
+ - id: CKV_AWS_111
+ comment: "IAM write actions require wildcard in resource."
 Type: AWS::IAM::Role
 Properties:
 RoleName: !Ref pBedrockOrgLambdaRoleName
@@ -768,4 +775,4 @@ Resources:
 Outputs:
 BedrockOrgLambdaFunctionArn:
 Description: ARN of the Lambda function
- Value: !GetAtt rBedrockOrgLambdaFunction.Arn
\ No newline at end of file
+ Value: !GetAtt rBedrockOrgLambdaFunction.Arn