aws-samples · muakvik · Mar 9, 2026 · Mar 9, 2026 · Mar 10, 2026 · Mar 10, 2026
diff --git a/README.md b/README.md
@@ -10,6 +10,33 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 
 ## <!-- omit in toc -->
 
+---
+
+## ⚠️ AWS SRA Code Library & Control Tower 4.0: Compatibility Notice<!-- omit in toc -->
+
+AWS Control Tower 4.0 introduces architectural changes that affect the existing SRA code library, including how AWS Config, CloudTrail, and S3 log buckets are structured and referenced. If you're upgrading to CT 4.0 or have already done so, follow the steps below to restore compatibility.
+
+### Steps to Resolve<!-- omit in toc -->
+
+**Step 1: Follow the Upgrade Instructions**
+
+Review the key CT 4.0 changes that impact SRA and apply the corresponding updates to your local deployment:
+
+- Enable AWS Config and CloudTrail via Control Tower before deploying SRA — these are now optional integrations in CT 4.0 and must be explicitly enabled.
+- Update your local SRA templates to reference the new dedicated S3 buckets for Config logs (`aws-controltower-config-logs-{LogArchiveAccountId}-{suffix}`) instead of the legacy shared CT logs bucket.
+
+For full migration details, refer to the [Control Tower 4.0 migration guide](https://docs.aws.amazon.com/controltower/latest/userguide/ct-migrate.html) and [Upgrading to CT 4.0 best practices](https://docs.aws.amazon.com/controltower/latest/userguide/ct-update.html).
+
+**Step 2: Reach Out to Your AWS Account Manager**
+
+If you've followed the instructions above and are still experiencing issues, contact your AWS Account Manager. They can connect you with the right AWS support resources for further troubleshooting.
+
+**Step 3: Don't Have an Account Manager? Cut Us a Ticket**
+
+If you don't have an AWS Account Manager, [submit a GitHub issue](https://github.com/aws-samples/aws-security-reference-architecture-examples/issues) directly to the SRA team. We'll provide support on a best-effort basis.
+
+---
+
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)

diff --git a/aws_sra_examples/solutions/account/account_alternate_contacts/lambda/src/app.py b/aws_sra_examples/solutions/account/account_alternate_contacts/lambda/src/app.py
@@ -330,7 +330,7 @@ def process_accounts(event: Union[CloudFormationCustomResourceEvent, dict], para
         if is_account_with_exclude_tags(account, params):
             continue
 
-        if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":  # type: ignore
+        if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":
             local_testing(account, params)
         else:
             sns_message = {"Action": params["action"], "AccountId": account["Id"]}

diff --git a/...ra_examples/solutions/genai/bedrock_guardrails/templates/sra-bedrock-guardrails-main.yaml b/...ra_examples/solutions/genai/bedrock_guardrails/templates/sra-bedrock-guardrails-main.yaml
@@ -277,6 +277,13 @@ Parameters:
 
 Resources:
   rBedrockGuardrailsLambdaRole:
+    Metadata:
+      checkov:
+        skip: 
+          - id: CKV_AWS_107
+            comment: "No credentials are exposed to the Lambda function."
+          - id: CKV_AWS_111
+            comment: "IAM write actions require wildcard in resource."
     Type: AWS::IAM::Role
     Properties:
       RoleName: !Ref pBedrockGuardrailLambdaRoleName
@@ -471,4 +478,4 @@ Resources:
 Outputs:
   BedrockGuardrailsLambdaFunctionArn:
     Description: ARN of the Lambda function
-    Value: !GetAtt rBedrockGuardrailsLambdaFunction.Arn
+    Value: !GetAtt rBedrockGuardrailsLambdaFunction.Arn
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml b/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml
@@ -464,6 +464,13 @@ Metadata:
 
 Resources:
   rBedrockOrgLambdaRole:
+    Metadata:
+      checkov:
+        skip: 
+          - id: CKV_AWS_107
+            comment: "No credentials are exposed to the Lambda function."
+          - id: CKV_AWS_111
+            comment: "IAM write actions require wildcard in resource."
     Type: AWS::IAM::Role
     Properties:
       RoleName: !Ref pBedrockOrgLambdaRoleName
@@ -768,4 +775,4 @@ Resources:
 Outputs:
   BedrockOrgLambdaFunctionArn:
     Description: ARN of the Lambda function
-    Value: !GetAtt rBedrockOrgLambdaFunction.Arn
+    Value: !GetAtt rBedrockOrgLambdaFunction.Arn
diff --git a/aws_sra_examples/solutions/s3/s3_block_account_public_access/lambda/src/app.py b/aws_sra_examples/solutions/s3/s3_block_account_public_access/lambda/src/app.py
@@ -298,7 +298,7 @@ def process_accounts(event: Union[CloudFormationCustomResourceEvent, dict], para
         if is_account_with_exclude_tags(account, params):
             continue
 
-        if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":  # type: ignore
+        if event.get("local_testing") == "true" or event.get("ResourceProperties", {}).get("local_testing") == "true":
             local_testing(account, params)
         else:
             sns_message = {"Action": params["action"], "AccountId": account["Id"]}

diff --git a/...les/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-main-ssm.yaml b/...les/solutions/shield_advanced/shield_advanced/templates/sra-shield-advanced-main-ssm.yaml
@@ -150,8 +150,6 @@ Metadata:
         default: SRA Solution Version
       pSRAStagingS3BucketName:
         default: SRA Staging S3 Bucket Name
-      pSRAAlarmEmail:
-        default: (Optional) SRA Alarm Email
       pProtectionGroup0AccountId:
         default: AWS Account Id where the Protection Group is created
       pProtectionGroup0Id:

diff --git a/pyproject.toml b/pyproject.toml
@@ -133,7 +133,6 @@ safe_licenses = [
   "MIT License",
   "BSD License",
   "Apache Software License",
-  "PSF-2.0",
   "ISC License (ISCL)"
 ]