diff --git a/examples/organizational/README.md b/examples/organizational/README.md
index 3751d2e1..9e363e37 100644
--- a/examples/organizational/README.md
+++ b/examples/organizational/README.md
@@ -145,9 +145,9 @@ $ terraform apply
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
-| [aws.member](#provider\_aws.member) | 4.21.0 |
-| [sysdig](#provider\_sysdig) | 0.5.37 |
+| [aws](#provider\_aws) | 4.22.0 |
+| [aws.member](#provider\_aws.member) | 4.22.0 |
+| [sysdig](#provider\_sysdig) | 0.5.39 |
## Modules
diff --git a/examples/single-account-apprunner/README.md b/examples/single-account-apprunner/README.md
index 2b31294f..bd98aae0 100644
--- a/examples/single-account-apprunner/README.md
+++ b/examples/single-account-apprunner/README.md
@@ -72,7 +72,7 @@ $ terraform apply
| Name | Version |
|------|---------|
-| [sysdig](#provider\_sysdig) | 0.5.37 |
+| [sysdig](#provider\_sysdig) | 0.5.39 |
## Modules
diff --git a/examples/single-account-ecs/README.md b/examples/single-account-ecs/README.md
index 195ad828..41f9ed77 100644
--- a/examples/single-account-ecs/README.md
+++ b/examples/single-account-ecs/README.md
@@ -72,7 +72,7 @@ $ terraform apply
| Name | Version |
|------|---------|
-| [sysdig](#provider\_sysdig) | 0.5.37 |
+| [sysdig](#provider\_sysdig) | 0.5.39 |
## Modules
diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
index 768358d8..fd14b12b 100644
--- a/examples/single-account-k8s/README.md
+++ b/examples/single-account-k8s/README.md
@@ -84,9 +84,9 @@ $ terraform apply
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
| [helm](#provider\_helm) | 2.6.0 |
-| [sysdig](#provider\_sysdig) | 0.5.37 |
+| [sysdig](#provider\_sysdig) | 0.5.39 |
## Modules
diff --git a/examples/trigger-events/README.md b/examples/trigger-events/README.md
index 047ec5b7..0789e4f4 100644
--- a/examples/trigger-events/README.md
+++ b/examples/trigger-events/README.md
@@ -49,7 +49,7 @@ $ terraform apply
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/cloudtrail/README.md b/modules/infrastructure/cloudtrail/README.md
index 2d277d62..26dbc43d 100644
--- a/modules/infrastructure/cloudtrail/README.md
+++ b/modules/infrastructure/cloudtrail/README.md
@@ -12,7 +12,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/cloudtrail/data.tf b/modules/infrastructure/cloudtrail/data.tf
new file mode 100644
index 00000000..785f2aed
--- /dev/null
+++ b/modules/infrastructure/cloudtrail/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "me" {}
diff --git a/modules/infrastructure/cloudtrail/main.tf b/modules/infrastructure/cloudtrail/main.tf
index ee118251..c644d4ce 100644
--- a/modules/infrastructure/cloudtrail/main.tf
+++ b/modules/infrastructure/cloudtrail/main.tf
@@ -23,5 +23,3 @@ resource "aws_cloudtrail" "cloudtrail" {
aws_sns_topic_policy.allow_cloudtrail_publish
]
}
-
-data "aws_caller_identity" "me" {}
diff --git a/modules/infrastructure/cloudtrail/sns_permissions.tf b/modules/infrastructure/cloudtrail/sns_permissions.tf
index 21b82632..605b2973 100644
--- a/modules/infrastructure/cloudtrail/sns_permissions.tf
+++ b/modules/infrastructure/cloudtrail/sns_permissions.tf
@@ -1,3 +1,8 @@
+locals {
+ cross_account = data.aws_caller_identity.me.account_id != var.organizational_config.sysdig_secure_for_cloud_member_account_id
+}
+
+
resource "aws_sns_topic_policy" "allow_cloudtrail_publish" {
arn = aws_sns_topic.cloudtrail.arn
policy = data.aws_iam_policy_document.cloudtrail_sns.json
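Review bot: The new `local.cross_account` dereferences `var.organizational_config.sysdig_secure_for_cloud_member_account_id` unconditionally, so if that object is permitted to be null for non-organizational deployments (its declaration is not in this diff) the plan would fail on attribute access even though `var.is_organizational` is false and the local's value is never needed. A guard such as `cross_account = try(data.aws_caller_identity.me.account_id != var.organizational_config.sysdig_secure_for_cloud_member_account_id, false)` would keep the single-account path unaffected. The local also deserves a comment stating what it decides, e.g. `# true when the SNS topic lives in a different account than the Sysdig member account; the Subscribe grant below is only needed in that case`. The two consecutive blank lines after the `locals` block are a minor formatting nit.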
@@ -20,18 +25,13 @@ data "aws_iam_policy_document" "cloudtrail_sns" {
# Organizational Requirements
# note; this statement is required to be on the SNS creation, don't move to other module as policies cannot be overriten/exteneded after creation
dynamic "statement" {
- for_each = var.is_organizational ? [1] : []
+ for_each = var.is_organizational && local.cross_account ? [1] : []
content {
sid = "AllowSysdigSecureForCloudSubscribe"
effect = "Allow"
principals {
- identifiers = [
- "arn:aws:iam::${var.organizational_config.sysdig_secure_for_cloud_member_account_id}:role/${var.organizational_config.organizational_role_per_account}"
- ]
- type = "AWS"
- # more open policy but without requiring aws provider role
- # identifiers = ["sqs.amazonaws.com"]
- # type = "Service"
+ identifiers = ["arn:aws:iam::${var.organizational_config.sysdig_secure_for_cloud_member_account_id}:role/${var.organizational_config.organizational_role_per_account}"]
+ type = "AWS"
}
actions = ["sns:Subscribe"]
resources = [aws_sns_topic.cloudtrail.arn]
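Review bot: The `sns:Subscribe` statement is now emitted only when the topic and the member role are in different accounts, which presumably relies on the role's identity policy granting Subscribe in the same-account case; that assumption is not written down anywhere in the hunk, and if the identity policy lacks it the organizational same-account subscription silently stops working. I would add a line above the `dynamic "statement"` block, e.g. `# same-account subscribe is covered by the role's IAM policy; a resource-policy grant is only required cross-account`, and confirm that the role in `organizational_role_per_account` does carry `sns:Subscribe`. Keeping the principal pinned to the specific role ARN rather than the account root is the right least-privilege choice and the rewrite preserves it. The enclosing `data "aws_iam_policy_document"` block continues past the end of the hunk.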
diff --git a/modules/infrastructure/cloudtrail_s3-sns-sqs/README.md b/modules/infrastructure/cloudtrail_s3-sns-sqs/README.md
index ecc51363..e36201c6 100644
--- a/modules/infrastructure/cloudtrail_s3-sns-sqs/README.md
+++ b/modules/infrastructure/cloudtrail_s3-sns-sqs/README.md
@@ -46,7 +46,7 @@ EVENT FILTER/fine-tunning, regarding what we want to send to Sysdig Cloud-Connec
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/codebuild/README.md b/modules/infrastructure/codebuild/README.md
index d8da32ff..7776eb8d 100644
--- a/modules/infrastructure/codebuild/README.md
+++ b/modules/infrastructure/codebuild/README.md
@@ -12,7 +12,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/ecs-vpc/README.md b/modules/infrastructure/ecs-vpc/README.md
index d9435588..bec4cb7e 100644
--- a/modules/infrastructure/ecs-vpc/README.md
+++ b/modules/infrastructure/ecs-vpc/README.md
@@ -13,7 +13,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/permissions/cloud-connector/README.md b/modules/infrastructure/permissions/cloud-connector/README.md
index 3ed5e5ae..da4c5019 100644
--- a/modules/infrastructure/permissions/cloud-connector/README.md
+++ b/modules/infrastructure/permissions/cloud-connector/README.md
@@ -12,7 +12,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/permissions/cloud-scanning/README.md b/modules/infrastructure/permissions/cloud-scanning/README.md
index 432ad97c..f753cfbe 100644
--- a/modules/infrastructure/permissions/cloud-scanning/README.md
+++ b/modules/infrastructure/permissions/cloud-scanning/README.md
@@ -12,7 +12,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/permissions/general/README.md b/modules/infrastructure/permissions/general/README.md
index 568e493f..383315b1 100644
--- a/modules/infrastructure/permissions/general/README.md
+++ b/modules/infrastructure/permissions/general/README.md
@@ -15,7 +15,7 @@ General permissions that apply to both cloud-connector and cloud-scanning module
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/permissions/iam-user/README.md b/modules/infrastructure/permissions/iam-user/README.md
index 55172cfd..15ad6f8c 100644
--- a/modules/infrastructure/permissions/iam-user/README.md
+++ b/modules/infrastructure/permissions/iam-user/README.md
@@ -45,7 +45,7 @@ Note: Contact us if this authentication system does not match your requirement.
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/permissions/org-role-ecs/README.md b/modules/infrastructure/permissions/org-role-ecs/README.md
index 7185e085..53612958 100644
--- a/modules/infrastructure/permissions/org-role-ecs/README.md
+++ b/modules/infrastructure/permissions/org-role-ecs/README.md
@@ -31,8 +31,8 @@ The aim of this module is to manage the organizational **managed account** requi
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
-| [aws.member](#provider\_aws.member) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
+| [aws.member](#provider\_aws.member) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/permissions/org-role-eks/README.md b/modules/infrastructure/permissions/org-role-eks/README.md
index 53181f52..410b0225 100644
--- a/modules/infrastructure/permissions/org-role-eks/README.md
+++ b/modules/infrastructure/permissions/org-role-eks/README.md
@@ -29,7 +29,7 @@ The aim of this module is to manage the organizational **managed account** requi
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/resource-group/README.md b/modules/infrastructure/resource-group/README.md
index 7e878158..d76b30f0 100644
--- a/modules/infrastructure/resource-group/README.md
+++ b/modules/infrastructure/resource-group/README.md
@@ -13,7 +13,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/sqs-sns-subscription/README.md b/modules/infrastructure/sqs-sns-subscription/README.md
index b447d6d1..d468396f 100644
--- a/modules/infrastructure/sqs-sns-subscription/README.md
+++ b/modules/infrastructure/sqs-sns-subscription/README.md
@@ -12,7 +12,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/infrastructure/ssm/README.md b/modules/infrastructure/ssm/README.md
index ec8d0ed4..92adbc09 100644
--- a/modules/infrastructure/ssm/README.md
+++ b/modules/infrastructure/ssm/README.md
@@ -16,7 +16,7 @@ and pass it, in a safe way, to all the modules that require it.
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
## Modules
diff --git a/modules/services/cloud-bench/README.md b/modules/services/cloud-bench/README.md
index 13d1a6cc..47fe5635 100644
--- a/modules/services/cloud-bench/README.md
+++ b/modules/services/cloud-bench/README.md
@@ -26,9 +26,9 @@ Deployed on **Sysdig Backend**
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 4.22.0 |
| [random](#provider\_random) | 3.3.2 |
-| [sysdig](#provider\_sysdig) | 0.5.37 |
+| [sysdig](#provider\_sysdig) | 0.5.39 |
## Modules
diff --git a/modules/services/cloud-connector-ecs/README.md b/modules/services/cloud-connector-ecs/README.md
index 8a7cb8ac..9997eb7f 100644
--- a/modules/services/cloud-connector-ecs/README.md
+++ b/modules/services/cloud-connector-ecs/README.md
@@ -15,8 +15,8 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
-| [sysdig](#provider\_sysdig) | 0.5.37 |
+| [aws](#provider\_aws) | 4.22.0 |
+| [sysdig](#provider\_sysdig) | 0.5.39 |
## Modules
diff --git a/use-cases/_questionnaire.md b/use-cases/_questionnaire.md
index 73d35916..0b8b371f 100644
--- a/use-cases/_questionnaire.md
+++ b/use-cases/_questionnaire.md
@@ -29,9 +29,9 @@ modules, and we also offer [AWS Cloudformation templates](https://github.com/sys
- if so, does that S3 bucket already have any "Event Notification System"? Is it an SNS we could subscribe to?
- if so, does that S3 bucket already have an "Amazon EventBridge" system activated?
- whether it's organizational or not, could you give us a quick picture of the account setup in terms of purpose?
-- how many **regions** do you work with?
+- how many **regions** do you work with?
- is secure for cloud to be deployed on the same region as your existing resources?
- - (aws-only) if in previous point you said you have a cloudtrail, cloudtrail-sns, or cloudtrail-s3, in which region is it?
+ - (aws-only) if in previous point you said you have a cloudtrail, cloudtrail-sns, or cloudtrail-s3, in which region is it?
- how do you handle **IAM permissions**? would you let our Terraform scripts set them up for you, or you want to set them yourself manually? any restriction we may be aware of?
- how do you handle **outbound newtwork connection** securization? does your infrastructure have any customized VPC/firewally setup?
- **Deployment** type