diff --git a/docs/guides/hosting-guardrails/installation/pre-installation/checklist/index.md b/docs/guides/hosting-guardrails/installation/pre-installation/checklist/index.md index ad117054..93f122c3 100644 --- a/docs/guides/hosting-guardrails/installation/pre-installation/checklist/index.md +++ b/docs/guides/hosting-guardrails/installation/pre-installation/checklist/index.md 
@@ -12,7 +12,7 @@ sidebar_label: Pre-install Checklist - **Wildcards**: If wildcards are not allowed for the Guardrails TLS certificate, you must add at least two domains to the certificate: `gateway.cloudportal.company.com` and `{workspace_name}.cloudportal.company.com`. For environments that host more than one workspace, a domain will need to be added to the certificate for each workspace. 1. **HA/DR Config**: Decide on your HA/DR configuration. Guardrails can be installed in up to 3 availability zones across 3 regions for mission critical production applications or in a single region/az for dev/sandbox environments. 1. **Networking**: Decide on how you will configure your networking. Turbot Support recommends that you use the Turbot Guardrails Enterprise Foundation (TEF) product to create the VPC and necessary Security Groups for your initial deployment. After successful initial install of the environment you can then progressively harden the VPC to enterprise standards. If you choose to install Guardrails into a custom VPC, it must be set up BEFORE installation starts. -1. **Security Groups**: If using a custom VPC, the Guardrails Samples repo contains a [CloudFormation template](https://github.com/turbot/guardrails-samples/blob/master/installation/security_groups.yml) to create the three required security groups with the required ports. If a proxy is in use, the security group rule for the proxy port must be added to the `OutboundInternetSecurityGroup` resource. +1. **Security Groups**: If using a custom VPC, the Guardrails Samples repo contains a [CloudFormation template](https://github.com/turbot/guardrails-samples/blob/main/enterprise_installation/guardrails_security_groups.yml) to create the three required security groups with the required ports. If a proxy is in use, the security group rule for the proxy port must be added to the `OutboundInternetSecurityGroup` resource. 1. 
**Event Handling**: Plan out how events will get from the managed cloud accounts back to Guardrails for processing. Turbot Support recommends using an API Gateway when the Guardails console is only reachable from internal networks. 1. **DNS**: Guardrails can use Route53 or third party DNS resolution. Turbot Support recommends Route53 for ease of maintenance during upgrades. Private Route53 hosted zones may be used with proper inbound resolvers. 1. **Custom IAM Roles**: If the organization requires custom external roles not created by Guardrails, refer to the guide for creating [Custom Guardrails IAM Roles](/guardrails/docs/guides/hosting-guardrails/installation/pre-installation/external-role).
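Review bot: On the added **Security Groups** line, the replacement URL still points at a branch head (`blob/main/enterprise_installation/guardrails_security_groups.yml`), the same kind of mutable link this change is having to repair after the move away from `blob/master/installation/security_groups.yml`. Consider linking to a tagged release or a commit permalink instead, so the link survives the next repo reorganization and readers create their security groups from a known, reviewed revision of the template. Because the file was both moved and renamed, please also confirm that `OutboundInternetSecurityGroup` is still the logical resource name in the new template, since the proxy-port instruction in the same sentence depends on it. Minor, in the unchanged **Event Handling** context line right after: "Guardails console" should read "Guardrails console", and could be fixed in this same change.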