From 51bbaab1a9be5c916c7c5a13bc205e98aa26afc0 Mon Sep 17 00:00:00 2001 From: silavjy <67747632+silavjy@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:14:17 +0200 Subject: [PATCH 1/8] Add the ssm parameter GuardDuty subscription filter name to client accounts (#208) Co-authored-by: tutunal --- EC-Delete-LandingZone.py | 5 +++++ SH/EC-Configure-Client-Account.sh | 4 ++++ 2 files changed, 9 insertions(+)
diff --git a/EC-Delete-LandingZone.py b/EC-Delete-LandingZone.py
index b7e3134..609f036 100644
--- a/EC-Delete-LandingZone.py
+++ b/EC-Delete-LandingZone.py
@@ -152,12 +152,17 @@ def main(argv):
 delete_ssm_parameter('/org/member/KMSCloudtrailKey_arn', account_session)
 delete_ssm_parameter('/org/member/SLZVersion', account_session)
 delete_ssm_parameter('/org/member/SecLog_cloudtrail-groupname', account_session)
+ delete_ssm_parameter('/org/member/SecLog_cloudtrail-group-subscription-filter-name', account_session)
 delete_ssm_parameter('/org/member/SecLog_insight-groupname', account_session)
+ delete_ssm_parameter('/org/member/SecLog_insight-group-subscription-filter-name', account_session)
 delete_ssm_parameter('/org/member/SecLog_securityhub-groupname', account_session)
+ delete_ssm_parameter('/org/member/SecLog_securityhub-group-subscription-filter-name', account_session)
 delete_ssm_parameter('/org/member/SecLog_config-groupname', account_session)
+ delete_ssm_parameter('/org/member/SecLog_config-group-subscription-filter-name', account_session)
 delete_ssm_parameter('/org/member/SecLog_alarms-groupname', account_session)
 for region in regions:
 delete_ssm_parameter('/org/member/SecLog_guardduty-groupname', account_session, region=region)
+ delete_ssm_parameter('/org/member/SecLog_guardduty-group-subscription-filter-name', account_session, region=region)
 print("")
 print(f"####### AWS Landing Zone deletion script finished. Executed in {time.time() - start_time} seconds")
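Review bot: The five added delete calls are out of step with the install script changed in the same patch, which creates only `/org/member/SecLog_guardduty-group-subscription-filter-name`; the cloudtrail, insight, securityhub and config filter-name parameters are deleted here but, as far as this series shows, the client install script does not create them at this point (cloudtrail, insight and config arrive in 5/8, securityhub never). On any account configured before this release each of those names will return ParameterNotFound, so whether the run survives depends on delete_ssm_parameter swallowing that error, which is not visible in the hunk. A one-line comment above the first added call would record the expectation, e.g. `# subscription-filter-name parameters exist only in accounts configured with 1.5.12 or later; delete_ssm_parameter is expected to tolerate ParameterNotFound`, and the helper should be checked to confirm it does. main() starts and ends outside the hunk.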
diff --git a/SH/EC-Configure-Client-Account.sh b/SH/EC-Configure-Client-Account.sh
index d11f5ee..92f57cb 100755
--- a/SH/EC-Configure-Client-Account.sh
+++ b/SH/EC-Configure-Client-Account.sh
@@ -85,6 +85,7 @@ configure_client() {
 securityhubgroupname=`aws --profile $SECLOG ssm get-parameter --name "/org/member/SecLog_securityhub-groupname" --output text --query 'Parameter.Value'`
 configgroupname=`aws --profile $SECLOG ssm get-parameter --name "/org/member/SecLog_config-groupname" --output text --query 'Parameter.Value'`
 alarmsgroupname=`aws --profile $SECLOG ssm get-parameter --name "/org/member/SecLog_alarms-groupname" --output text --query 'Parameter.Value'`
+ alarmsgroupname=`aws --profile $SECLOG ssm get-parameter --name "/org/member/SecLog_alarms-groupname" --output text --query 'Parameter.Value'`
 echo ""
@@ -162,6 +163,9 @@ configure_client() {
 fi
 aws --profile $CLIENT --region $region ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_guardduty-groupname --tags file://$CFN_TAGS_FILE
+ aws --profile $CLIENT --region $region ssm put-parameter --name /org/member/SecLog_guardduty-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
+ aws --profile $CLIENT --region $region ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_guardduty-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
+
 done
 if [ ! -z "$securityhubgroupname" ] ; then
From a7f21cc76ad92597fe22fda2c202af9a7334afb4 Mon Sep 17 00:00:00 2001 From: silavjy <67747632+silavjy@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:18:39 +0200 Subject: [PATCH 2/8] Update EC-SLZ-Version.txt --- EC-SLZ-Version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/EC-SLZ-Version.txt b/EC-SLZ-Version.txt
index df80819..41336a1 100644
--- a/EC-SLZ-Version.txt
+++ b/EC-SLZ-Version.txt
@@ -1 +1 @@
-1.5.11
+1.5.12
From 9e140272db993cd40cbd2531b121622459eb9338 Mon Sep 17 00:00:00 2001
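Review bot: The added line in the @@ -85 hunk is a byte-for-byte copy of the `alarmsgroupname=` assignment directly above it, so it issues a second identical get-parameter call against the SECLOG account and overwrites the same variable with the same value. Nothing in this patch reads a subscription-filter name from SECLOG, which is presumably what this line was meant to do; either drop it or turn it into the intended lookup (a `get-parameter --name "/org/member/SecLog_guardduty-group-subscription-filter-name"` into its own variable, if SECLOG publishes that parameter) and use that value in the put-parameter added further down instead of the literal "DEFAULT". configure_client() starts and ends outside the hunk.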
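Review bot: The new put-parameter in the @@ -162 hunk writes the literal `"DEFAULT"` for the GuardDuty subscription-filter name in every region, while the neighbouring group-name parameters are populated from values fetched from the SECLOG account at the top of configure_client; a client account can therefore carry a placeholder that does not match the filter actually configured in the SecLog account, and neither the put-parameter nor the add-tags-to-resource exit status is checked, so a failed write is invisible. The same literal and missing check recur for the cloudtrail, insight and config filter names added in 5/8 and reworked in 6/8. At minimum guard the write, e.g. `aws --profile $CLIENT --region $region ssm put-parameter ... --overwrite || echo "WARNING: could not set SecLog_guardduty-group-subscription-filter-name in $region"`, and consider sourcing the value the same way the group names are. configure_client() starts and ends outside the hunk.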
From: silavjy Date: Mon, 5 Aug 2024 10:20:47 +0200 Subject: [PATCH 3/8] added update manifest for 1.5.12 --- Updates/1.5.12/manifest.json | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 Updates/1.5.12/manifest.json
diff --git a/Updates/1.5.12/manifest.json b/Updates/1.5.12/manifest.json new file mode 100644
index 0000000..8a262ff
--- /dev/null
+++ b/Updates/1.5.12/manifest.json
@@ -0,0 +1,20 @@
+{ "version" : "1.5.12",
+ "regions" : ["ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-south-1","ap-southeast-1","ap-southeast-2","ca-central-1","eu-central-1","eu-north-1","eu-west-1", "eu-west-2","eu-west-3","sa-east-1","us-east-1","us-east-2","us-west-1","us-west-2"],
+ "tags" : [
+ { "Key": "Organization","Value": "EC" },
+ { "Key": "Owner","Value": "DIGIT.C.1" },
+ { "Key": "Environment","Value": "prod" },
+ { "Key": "Criticity","Value": "high" },
+ { "Key": "Project","Value": "secLZ" },
+ { "Key": "Confidentiality","Value": "confidential" },
+ { "Key": "ApplicationRole","Value": "security" }
+ ],
+ "accounts" : {
+ "exclude" : [],
+ "include" : []
+ },
+ "stacks" : {
+
+ }
+
+}
From 154a048f12eb14e2cb05485806adcf537ff92418 Mon Sep 17 00:00:00 2001 From: silavjy <67747632+silavjy@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:25:11 +0200 Subject: [PATCH 4/8] Merged fom Master (#210) Co-authored-by: tutunal * Updated LZ script (client) updated version and added manifest for new release (#211) * Add the ssm parameter GuardDuty subscription filter name to client accounts (#208) Co-authored-by: tutunal * Update EC-SLZ-Version.txt * added update manifest for 1.5.12
From 88a1008fa8f43c58d62c0188ed3a2bedb248054a Mon Sep 17 00:00:00 2001 From: silavjy Date: Mon, 5 Aug 2024 10:46:18 +0200 Subject: [PATCH 5/8] addding missing ssm parameters to client isntall script --- EC-Delete-LandingZone.py | 2 ++ SH/EC-Configure-Client-Account.sh | 15 +++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/EC-Delete-LandingZone.py b/EC-Delete-LandingZone.py
index 609f036..76a77b2 100644
--- a/EC-Delete-LandingZone.py
+++ b/EC-Delete-LandingZone.py
@@ -160,6 +160,8 @@ def main(argv):
 delete_ssm_parameter('/org/member/SecLog_config-groupname', account_session)
 delete_ssm_parameter('/org/member/SecLog_config-group-subscription-filter-name', account_session)
 delete_ssm_parameter('/org/member/SecLog_alarms-groupname', account_session)
+ delete_ssm_parameter('/org/member/SecLog_config-group-subscription-filter-name', account_session)
+ delete_ssm_parameter('/org/member/SecLog_insight-group-subscription-filter-name', account_session)
 for region in regions:
 delete_ssm_parameter('/org/member/SecLog_guardduty-groupname', account_session, region=region)
 delete_ssm_parameter('/org/member/SecLog_guardduty-group-subscription-filter-name', account_session, region=region)
diff --git a/SH/EC-Configure-Client-Account.sh b/SH/EC-Configure-Client-Account.sh
index 92f57cb..43541a7 100755
--- a/SH/EC-Configure-Client-Account.sh
+++ b/SH/EC-Configure-Client-Account.sh
@@ -145,6 +145,10 @@ configure_client() {
 aws --profile $CLIENT ssm put-parameter --name /org/member/SecLog_cloudtrail-groupname --type String --value "/aws/cloudtrail" --overwrite
 fi
 aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_cloudtrail-groupname --tags file://$CFN_TAGS_FILE
+
+ aws --profile $CLIENT --region $region ssm put-parameter --name /org/member/SecLog_cloudtrail-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
+ aws --profile $CLIENT --region $region ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_cloudtrail-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
+
+
 if [ ! -z "$insightgroupname" ] ; then
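Review bot: Both added calls in the EC-Delete-LandingZone.py hunk duplicate deletions already in the file: `/org/member/SecLog_config-group-subscription-filter-name` is deleted two lines above (visible as context), and `/org/member/SecLog_insight-group-subscription-filter-name` was added after the insight group-name delete in 1/8. Once the first delete succeeds the second one hits ParameterNotFound, so unless delete_ssm_parameter (outside the hunk) tolerates that error the run stops before the regional GuardDuty loop. Dropping the two lines is enough; the names the install script now creates are already covered earlier in main(). main() starts and ends outside the hunk.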
@@ -153,7 +157,10 @@ configure_client() {
 aws --profile $CLIENT ssm put-parameter --name /org/member/SecLog_insight-groupname --type String --value "/aws/cloudtrail/insight" --overwrite
 fi
 aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_insight-groupname --tags file://$CFN_TAGS_FILE
-
+
+ aws --profile $CLIENT --region $region ssm put-parameter --name /org/member/SecLog_insight-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
+ aws --profile $CLIENT --region $region ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_insight-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
+
 for region in $(aws --profile $CLIENT ec2 describe-regions --output text --query "Regions[*].[RegionName]"); do
+
 if [ ! -z "$guarddutygroupname" ] ; then
@@ -182,7 +189,11 @@ configure_client() {
 aws --profile $CLIENT ssm put-parameter --name /org/member/SecLog_config-groupname --type String --value "/aws/events/config" --overwrite
 fi
 aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_config-groupname --tags file://$CFN_TAGS_FILE
-
+
+ aws --profile $CLIENT --region $region ssm put-parameter --name /org/member/SecLog_config-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
+ aws --profile $CLIENT --region $region ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_config-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
+
 if [ ! -z "$alarmsgroupname" ] ; then
 aws --profile $CLIENT ssm put-parameter --name /org/member/SecLog_alarms-groupname --type String --value $alarmsgroupname --overwrite
From 39507f2968bb0f5920b54a33ccf82d18ba8f8fbc Mon Sep 17 00:00:00 2001
From: silavjy Date: Mon, 5 Aug 2024 10:48:56 +0200 Subject: [PATCH 6/8] minor fix client install script --- SH/EC-Configure-Client-Account.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/SH/EC-Configure-Client-Account.sh b/SH/EC-Configure-Client-Account.sh
index 43541a7..4060543 100755
--- a/SH/EC-Configure-Client-Account.sh
+++ b/SH/EC-Configure-Client-Account.sh
@@ -146,8 +146,8 @@ configure_client() {
 fi
 aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_cloudtrail-groupname --tags file://$CFN_TAGS_FILE
- aws --profile $CLIENT --region $region ssm put-parameter --name /org/member/SecLog_cloudtrail-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
- aws --profile $CLIENT --region $region ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_cloudtrail-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
+ aws --profile $CLIENT ssm put-parameter --name /org/member/SecLog_cloudtrail-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
+ aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_cloudtrail-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
@@ -158,8 +158,8 @@ configure_client() {
 fi
 aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_insight-groupname --tags file://$CFN_TAGS_FILE
- aws --profile $CLIENT --region $region ssm put-parameter --name /org/member/SecLog_insight-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
- aws --profile $CLIENT --region $region ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_insight-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
+ aws --profile $CLIENT ssm put-parameter --name /org/member/SecLog_insight-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
+ aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_insight-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
 for region in $(aws --profile $CLIENT ec2 describe-regions --output text --query "Regions[*].[RegionName]"); do
@@ -191,8 +191,8 @@ configure_client() {
 aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_config-groupname --tags file://$CFN_TAGS_FILE
- aws --profile $CLIENT --region $region ssm put-parameter --name /org/member/SecLog_config-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
- aws --profile $CLIENT --region $region ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_config-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
+ aws --profile $CLIENT ssm put-parameter --name /org/member/SecLog_config-group-subscription-filter-name --type String --value "DEFAULT" --overwrite
+ aws --profile $CLIENT ssm add-tags-to-resource --resource-type "Parameter" --resource-id /org/member/SecLog_config-group-subscription-filter-name --tags file://$CFN_TAGS_FILE
 if [ ! -z "$alarmsgroupname" ] ; then
From efa277aa7d3aafb53d942a6b4ca4bb606a3fa8b9 Mon Sep 17 00:00:00 2001
From: silavjy <67747632+silavjy@users.noreply.github.com> Date: Mon, 5 Aug 2024 11:01:55 +0200 Subject: [PATCH 7/8] Merge from Master (#213) * Release/1.5.9 (#198) (#199) * Modified bucket Access control policies (removed PublicAccessBlockConfiguration added OwnershipControls) * Remove S3 AccessControl: LogDeliveryWrite from AccessLogsBucket and setting logging policy (S3:PutObject for logging service) * fix statement S3ServerAccessLogsPolicy setting principal properly * Added manifest for update script and increased release number to 1.5.9 * Add the ssm parameter GuardDuty subscription filter name to client accounts (#208) (#209) Co-authored-by: tutunal * Updated LZ script (client) updated version and added manifest for new release (#211) * Add the ssm parameter GuardDuty subscription filter name to client accounts (#208) Co-authored-by: tutunal * Update EC-SLZ-Version.txt * added update manifest for 1.5.12 --------- Co-authored-by: tutunal * Fixes on LZ client install script (#212) * Add the ssm parameter GuardDuty subscription filter name to client accounts (#208) Co-authored-by: tutunal * Update EC-SLZ-Version.txt * added update manifest for 1.5.12 * Merged fom Master (#210) * addding missing ssm parameters to client install script --------- Co-authored-by: tutunal From be5707510b899e65e5b24d0b447e74280e2dfc87 Mon Sep 17 00:00:00 2001 
From: tutunal Date: Tue, 7 Jan 2025 09:56:18 +0100 Subject: [PATCH 8/8] Release 1 5 13 fixes (#215) * Release/1.5.9 (#198) (#199) * Modified bucket Access control policies (removed PublicAccessBlockConfiguration added OwnershipControls) * Remove S3 AccessControl: LogDeliveryWrite from AccessLogsBucket and setting logging policy (S3:PutObject for logging service) * fix statement S3ServerAccessLogsPolicy setting principal properly * Added manifest for update script and increased release number to 1.5.9 * added scripts for LZ reconfiguration of GD and SH * added scripts for LZ reconfiguration of GD and SH * Revert Org OU Id change and update the Config.1 control parameter * Update the version --------- Co-authored-by: silavjy <67747632+silavjy@users.noreply.github.com> Co-authored-by: silavjy --- CFN/EC-lz-Config-Guardduty-all-regions.yml | 2 +- EC-SLZ-Version.txt | 2 +- SH/EC-Disable-SecurityHub-Guardduty-MEMBER.sh | 61 +++++++++++++++++ ...sassociate-SecurityHub-Guardduty-MASTER.sh | 65 +++++++++++++++++++ ...Enable-SecurityHub-Controls-All-Regions.sh | 8 +++ 5 files changed, 136 insertions(+), 2 deletions(-) create mode 100644 SH/EC-Disable-SecurityHub-Guardduty-MEMBER.sh create mode 100644 SH/EC-Disassociate-SecurityHub-Guardduty-MASTER.sh
diff --git a/CFN/EC-lz-Config-Guardduty-all-regions.yml b/CFN/EC-lz-Config-Guardduty-all-regions.yml
index 09664d0..3b3ce7f 100644
--- a/CFN/EC-lz-Config-Guardduty-all-regions.yml
+++ b/CFN/EC-lz-Config-Guardduty-all-regions.yml
@@ -42,7 +42,7 @@ Parameters:
 OrganizationOuId:
 Description: 'Organizational OU Id'
 Type: String
- Default: "/org/member/SecLogOU"
+ Default: "o-jyyw8qs5c8"
 Conditions:
 IsSecLogMasterAccount: !Equals
diff --git a/EC-SLZ-Version.txt b/EC-SLZ-Version.txt
index 41336a1..fa85d4d 100644
--- a/EC-SLZ-Version.txt
+++ b/EC-SLZ-Version.txt
@@ -1 +1 @@
-1.5.12
+1.5.13
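Review bot: The new default `"o-jyyw8qs5c8"` bakes one organization's identifier into a shared template, and an `o-` prefixed value is an AWS Organization ID rather than an OU ID (`ou-...`), so it no longer matches the parameter's description 'Organizational OU Id' or the parameter name itself; anyone deploying this template for another landing zone without overriding the parameter silently inherits this organization's value. Prefer leaving the parameter without a default and supplying it at deploy time, and align the description with what is actually expected, e.g. `Description: 'Organization Id (o-...) used to scope the GuardDuty configuration'`. The Parameters block starts and ends outside the hunk.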
diff --git a/SH/EC-Disable-SecurityHub-Guardduty-MEMBER.sh b/SH/EC-Disable-SecurityHub-Guardduty-MEMBER.sh new file mode 100644
index 0000000..afe6307
--- /dev/null
+++ b/SH/EC-Disable-SecurityHub-Guardduty-MEMBER.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Fetch the list of all enabled AWS regions
+REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
+
+# Function to disable Security Hub
+disable_securityhub() {
+ echo "Disabling Security Hub in region: $1"
+
+ # Check if Security Hub is enabled
+ STATUS=$(aws securityhub get-findings --region $1 --max-items 1 2>&1)
+ if [[ "$STATUS" == *"Security Hub is not enabled"* ]]; then
+ echo "Security Hub is already disabled in region: $1"
+ return
+ fi
+
+ # Disable Security Hub
+ aws securityhub disable-security-hub --region $1 > /dev/null 2>&1
+
+ if [ $? -eq 0 ]; then
+ echo "Successfully disabled Security Hub in region: $1"
+ else
+ echo "Failed to disable Security Hub in region: $1"
+ fi
+}
+
+# Function to disable GuardDuty
+disable_guardduty() {
+ echo "Disabling GuardDuty in region: $1"
+
+ # Retrieve the GuardDuty Detector ID
+ DETECTOR_ID=$(aws guardduty list-detectors --region $1 --query "DetectorIds[0]" --output text)
+
+ if [ -z "$DETECTOR_ID" ] || [ "$DETECTOR_ID" == "None" ]; then
+ echo "GuardDuty is already disabled in region: $1"
+ return
+ fi
+
+ # Disable GuardDuty
+ aws guardduty delete-detector --detector-id $DETECTOR_ID --region $1 > /dev/null 2>&1
+
+ if [ $? -eq 0 ]; then
+ echo "Successfully disabled GuardDuty in region: $1"
+ else
+ echo "Failed to disable GuardDuty in region: $1"
+ fi
+}
+
+# Loop through all regions and disable Security Hub and GuardDuty
+for REGION in $REGIONS; do
+ echo "Processing region: $REGION"
+
+ # Disable Security Hub
+ disable_securityhub $REGION
+
+ # Disable GuardDuty
+ disable_guardduty $REGION
+
+done
+
+echo "Decommissioning Security Hub and GuardDuty completed in all regions."
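Review bot: disable_securityhub decides whether the hub is enabled by substring-matching the error text of `get-findings`, so any other failure (missing securityhub:GetFindings permission, throttling, an opted-out region) falls through to `disable-security-hub` and is then reported as "Failed to disable"; `describe-hub` is the direct check and returns non-zero when the hub is not enabled, e.g. `if ! aws securityhub describe-hub --region "$1" > /dev/null 2>&1; then echo "Security Hub is already disabled in region: $1"; return; fi`. The script irreversibly deletes the GuardDuty detector, and with it the findings history, in every region under whatever credentials happen to be in the environment, so printing the caller identity (`aws sts get-caller-identity`) and requiring an explicit confirmation before the loop would catch a run under the wrong profile. It also always exits 0, so a caller cannot tell from the exit status whether any region failed; the same applies to the MASTER script added in this commit.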
diff --git a/SH/EC-Disassociate-SecurityHub-Guardduty-MASTER.sh b/SH/EC-Disassociate-SecurityHub-Guardduty-MASTER.sh new file mode 100644
index 0000000..0d99067
--- /dev/null
+++ b/SH/EC-Disassociate-SecurityHub-Guardduty-MASTER.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Check if an Account ID is provided as a parameter
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+# Assign the passed Account ID to a variable
+MEMBER_ACCOUNT_ID="$1"
+
+# Fetch the list of all enabled AWS regions
+REGIONS=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
+
+# Function to disassociate Security Hub member accounts
+disassociate_securityhub() {
+ echo "Disassociating Security Hub members in region: $1"
+
+ aws securityhub disassociate-members \
+ --account-ids $MEMBER_ACCOUNT_ID \
+ --region $1
+
+ if [ $? -eq 0 ]; then
+ echo "Successfully disassociated Security Hub member in region: $1"
+ else
+ echo "Failed to disassociate Security Hub member in region: $1"
+ fi
+}
+
+# Function to disassociate GuardDuty member accounts
+disassociate_guardduty() {
+ echo "Disassociating GuardDuty members in region: $1"
+
+ # Retrieve the GuardDuty detector ID
+ DETECTOR_ID=$(aws guardduty list-detectors --region $1 --query "DetectorIds[0]" --output text)
+
+ if [ "$DETECTOR_ID" == "None" ] || [ -z "$DETECTOR_ID" ]; then
+ echo "No GuardDuty detector found in region: $1. Skipping."
+ return
+ fi
+
+ aws guardduty disassociate-members \
+ --detector-id $DETECTOR_ID \
+ --account-ids $MEMBER_ACCOUNT_ID \
+ --region $1
+
+ if [ $? -eq 0 ]; then
+ echo "Successfully disassociated GuardDuty member in region: $1"
+ else
+ echo "Failed to disassociate GuardDuty member in region: $1"
+ fi
+}
+
+# Loop through each region and disassociate members
+for REGION in $REGIONS; do
+ echo "Processing region: $REGION"
+
+ # Disassociate Security Hub member
+ disassociate_securityhub $REGION
+
+ # Disassociate GuardDuty member
+ disassociate_guardduty $REGION
+done
+
+echo "Disassociation process for Security Hub and GuardDuty completed."
diff --git a/SH/EC-Enable-SecurityHub-Controls-All-Regions.sh b/SH/EC-Enable-SecurityHub-Controls-All-Regions.sh
index 9a88189..7a071b9 100644
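Review bot: The only validation of the member account id is `-z "$1"`, and the usage message `"Usage: $0 "` appears to have lost its argument placeholder, so a mistyped id (11 digits, a trailing character) is passed straight to `disassociate-members` in every region and produces one API error per region instead of one clear message. Checking the shape up front gives that message: `[[ "$1" =~ ^[0-9]{12}$ ]] || { echo "Usage: $0 MEMBER_ACCOUNT_ID (12 digits)"; exit 1; }`. The outcome is echoed per region but the script always exits 0, so automation calling it cannot tell whether any disassociation failed; tracking a failure flag in the two functions and exiting non-zero at the end would fix that. The file's `diff` header is on the previous line; the hunk itself is complete here.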
--- a/SH/EC-Enable-SecurityHub-Controls-All-Regions.sh
+++ b/SH/EC-Enable-SecurityHub-Controls-All-Regions.sh
@@ -61,6 +61,10 @@ configure() {
 # Disable "ControlId": "CIS1.14", "1.14 Ensure hardware MFA is enabled for the \"root\" account"
 aws --profile $PROFILE --region $region securityhub update-standards-control --standards-control-arn "arn:aws:securityhub:$region:$accountid:control/cis-aws-foundations-benchmark/v/1.2.0/1.14" --control-status "DISABLED" --disabled-reason "Managed by Cloud Broker Team"
 echo "CIS Check CIS1.14 update for cis-aws-foundations-benchmark in region $region: exit code $?"
+
+ # Turn off the check for AWS Config service-linked role
+ aws --profile $PROFILE --region $region securityhub update-security-control --security-control-id "Config.1" --parameters '{"includeConfigServiceLinkedRoleCheck": {"ValueType": "CUSTOM", "Value": {"Boolean": false}}}' --last-update-reason "The LZ does not use the AWS Config service-linked role"
+ echo "Config.1 update for cis-aws-foundations-benchmark in region $region: exit code $?"
 done
 # ------------------
@@ -90,6 +94,10 @@ configure() {
 aws --profile $PROFILE --region $region securityhub update-standards-control --standards-control-arn "arn:aws:securityhub:$region:$accountid:control/cis-aws-foundations-benchmark/v/1.2.0/1.14" --control-status "DISABLED" --disabled-reason "Managed by Cloud Broker Team"
 echo "CIS Check CIS1.14 update for cis-aws-foundations-benchmark in region $region: exit code $?"
+ # Turn off the check for AWS Config service-linked role
+ aws --profile $PROFILE --region $region securityhub update-security-control --security-control-id "Config.1" --parameters '{"includeConfigServiceLinkedRoleCheck": {"ValueType": "CUSTOM", "Value": {"Boolean": false}}}' --last-update-reason "The LZ does not use the AWS Config service-linked role"
+ echo "Config.1 update for cis-aws-foundations-benchmark in region $region: exit code $?"
+
 done
 }
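Review bot: The new Config.1 block is pasted verbatim into both region loops (this hunk at @@ -61 and the one at @@ -90), and its echo line says `for cis-aws-foundations-benchmark` although `update-security-control` changes a parameter of the consolidated security control rather than a standard-specific control, which will mislead whoever reads the log. A small helper taking the region as its argument, defined once and called from both loops, removes the copy, and the message should read `echo "Config.1 parameter update in region $region: exit code $?"`. As with the existing lines, the exit code is only echoed, so a region where the parameter update is rejected still completes silently from the caller's point of view. configure() starts outside both hunks.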