bluesentry / bucket-antivirus-function

Serverless antivirus for cloud storage.

How to find arn:aws:sts

HaroldPutman opened this issue · comments

This line in the readme is not clear to me:

Please make sure to check CloudTrail for the arn:aws:sts; just find the event, open it and copy the sts. It should be in the format provided below:

I am trying to create a CloudFormation script to create the resources but cannot seem to get that Principal set to a working value.
arn:aws:sts::${AWS::AccountId}:assumed-role/${ScanFunctionRoleName}/${ScanFunctionRoleName}

What should the two bits after assumed-role be? Where would you find this in cloudtrail?

Attached is my attempt at a CloudFormation script...

example.txt

The results mostly work, except that when the antivirus-scan function runs it gets a 403 trying to copy the uploaded file from the source bucket when it does not yet have the CLEAN tag assigned. I verified that if I set the CLEAN tag manually it copies just fine.

Stack Overflow to the rescue! What is the ARN of an assumed role assumed by a Lambda function.
It turns out to be arn:aws:sts::${AWS::AccountId}:assumed-role/${RoleName}/${FunctionName}, where RoleName is the name of your Lambda function's execution role and FunctionName is the name of your Lambda function.

Can someone clarify how to find the STS ARN in CloudTrail? I found it in CreateGrant events from my CloudFormation script, but trying the steps by hand I cannot find an event that contains that value. Without those details, it might be better to remove the mention of CloudTrail, since it would be easy enough to figure out what that STS ARN should be.
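As an added example (not code from this issue thread or from the bucket-antivirus-function project), the script below does the two things the thread circles around: it builds the assumed-role STS ARN for a Lambda function from the format given in the comment above, and it pulls the ARNs that actually appear as the caller identity (userIdentity.arn) out of a CloudTrail records file, so a value written into a template can be checked against what the trail recorded. The account ID 123456789012, the role name antivirus-scan-role, the function name antivirus-scan and the two CloudTrail records are all constructed for the example. Note that, per that format, the session segment is the function name, so a principal of the form role-name/role-name never matches a real event.

```python
import json
import re

# Shape of the STS ARN a Lambda function presents while running: the session
# name after the role name is the function name, not the role name again.
ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)


def lambda_assumed_role_arn(account_id, role_name, function_name):
    """Build the arn:aws:sts principal for a Lambda function's execution role."""
    return f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{function_name}"


def parse_assumed_role_arn(arn):
    """Split an assumed-role STS ARN into its parts, or return None if it is not one."""
    m = ASSUMED_ROLE_ARN.match(arn)
    return m.groupdict() if m else None


def sts_arns_from_cloudtrail(records_json, event_source=None):
    """Collect the distinct assumed-role ARNs that appear as the caller identity
    (userIdentity.arn) in a CloudTrail records file, optionally filtered by service."""
    found = []
    for record in json.loads(records_json).get("Records", []):
        if event_source and record.get("eventSource") != event_source:
            continue
        identity = record.get("userIdentity", {})
        if identity.get("type") != "AssumedRole":
            continue
        arn = identity.get("arn", "")
        if parse_assumed_role_arn(arn) and arn not in found:
            found.append(arn)
    return found


# Constructed sample (not real trail data): one record from the scan function's
# role calling S3 and one from an IAM user, so the filter has something to discard.
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "userIdentity": {
                "type": "AssumedRole",
                "principalId": "AROAEXAMPLEID:antivirus-scan",
                "arn": "arn:aws:sts::123456789012:assumed-role/antivirus-scan-role/antivirus-scan",
                "accountId": "123456789012",
                "sessionContext": {
                    "sessionIssuer": {
                        "type": "Role",
                        "arn": "arn:aws:iam::123456789012:role/antivirus-scan-role",
                        "userName": "antivirus-scan-role",
                    }
                },
            },
        },
        {
            "eventVersion": "1.08",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutObject",
            "userIdentity": {
                "type": "IAMUser",
                "arn": "arn:aws:iam::123456789012:user/alice",
                "accountId": "123456789012",
                "userName": "alice",
            },
        },
    ]
})


def principal_matches_cloudtrail(candidate_principal, records_json):
    """True when a principal written into a template matches an ARN actually
    observed as a caller identity in CloudTrail."""
    return candidate_principal in sts_arns_from_cloudtrail(records_json)


if __name__ == "__main__":
    account, role, fn = "123456789012", "antivirus-scan-role", "antivirus-scan"
    expected = lambda_assumed_role_arn(account, role, fn)
    wrong = lambda_assumed_role_arn(account, role, role)  # role name used twice
    print("expected principal:", expected)
    print("observed in trail :", sts_arns_from_cloudtrail(SAMPLE_CLOUDTRAIL))
    print("template value ok :", principal_matches_cloudtrail(expected, SAMPLE_CLOUDTRAIL))
    print("role/role value ok:", principal_matches_cloudtrail(wrong, SAMPLE_CLOUDTRAIL))
```

To use this against a real trail, feed sts_arns_from_cloudtrail the JSON of a downloaded CloudTrail log file and filter on the event source you care about (for example "s3.amazonaws.com" for the copy that returned 403); any record whose userIdentity.type is AssumedRole carries the STS ARN the README refers to.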