Automated deployment - StackSets - Automated Security Response on AWS

Automated deployment - StackSets

Note

We recommend deploying with StackSets. However, for single account deployments or for testing or evaluation purposes, consider the stacks deployment option.

Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution across your organization in AWS Organizations.

Time to deploy: Approximately 30 minutes per account, depending upon StackSet parameters.

Prerequisites

AWS Organizations helps you centrally manage and govern your multi-account AWS environment and resources. StackSets work best with AWS Organizations.

If you have previously deployed v1.3.x or earlier of this solution, you must uninstall the existing solution. For more information, refer to Update the solution.

Before you deploy this solution, review your AWS Security Hub deployment:

  • There must be a delegated Security Hub admin account in your AWS Organization.

  • Security Hub should be configured to aggregate findings across Regions. For more information, refer to Aggregating findings across Regions in the AWS Security Hub User Guide.

  • You should activate Security Hub for your organization in each Region where you have AWS usage.

This procedure assumes that you have multiple accounts using AWS Organizations, and have delegated an AWS Organizations admin account and an AWS Security Hub admin account.

This solution works with both AWS Security Hub and AWS Security Hub CSPM.

Deployment overview

Note

StackSets deployment for this solution uses a combination of service-managed and self-managed StackSets. The admin and member templates must currently be deployed as self-managed StackSets because those templates use nested stacks, which service-managed StackSets do not yet support.

Deploy the StackSets from a delegated administrator account in your AWS Organizations.

Planning

Use the following form to help with StackSets deployment. Prepare your data, then copy and paste the values during deployment.

AWS Organizations admin account ID: _______________
Security Hub admin account ID: _______________
CloudTrail Logs Group: ______________________________
Member account IDs (comma-separated list):
___________________,
___________________,
___________________,
___________________,
___________________
AWS Organizations OUs (comma-separated list):
___________________,
___________________,
___________________,
___________________,
___________________

(Optional) Step 0: Deploy the ticketing integration stack

  • If you intend to use the ticketing feature, deploy the ticketing integration stack into your Security Hub admin account first.

  • Copy the Lambda function name from this stack and provide it as input to the admin stack (see Step 1).

Step 1: Launch the admin stack in the delegated Security Hub admin account

  • Using a self-managed StackSet, launch the automated-security-response-admin.template AWS CloudFormation template into your AWS Security Hub admin account in the same Region as your Security Hub admin. This template uses nested stacks.

  • Choose which Security Standards to install. By default, only SC is selected (Recommended).

  • Choose whether to reuse an existing Orchestrator log group. Select Yes if SO0111-ASR-Orchestrator already exists from a previous installation.

  • Choose whether to enable the solution’s Web UI. If you choose to enable this feature, you must also enter an email address to be assigned an administrator role.

  • Select your preferences for collecting CloudWatch metrics related to the solution’s operational health.

For more information on self-managed StackSets, refer to Grant self-managed permissions in the AWS CloudFormation User Guide.

Step 2: Install the remediation roles into each AWS Security Hub member account

Wait for Step 1 to complete deployment, because the template in Step 2 references IAM roles created by Step 1.

  • Using a service-managed StackSet, launch the automated-security-response-member-roles.template AWS CloudFormation template into a single Region in each account in your AWS Organizations.

  • Choose to install this template automatically when a new account joins the organization.

  • Enter the account ID of your AWS Security Hub admin account.

  • Enter a value for the namespace which will be used to prevent resource name conflicts with a previous or concurrent deployment in the same account. Enter a string of up to 9 lowercase alphanumeric characters.

Step 3: Launch the member stack into each AWS Security Hub member account and Region

  • Using self-managed StackSets, launch the automated-security-response-member.template AWS CloudFormation template into all Regions where you have AWS resources in every account in your AWS Organization managed by the same Security Hub admin.

    Note

    Until service-managed StackSets support nested stacks, you must do this step for any new accounts that join the organization.

  • Choose which Security Standard playbooks to install.

  • Provide the name of a CloudTrail log group (used by some remediations).

  • Enter the account ID of your AWS Security Hub admin account.

  • Enter a value for the namespace, which is used to prevent resource name conflicts with a previous or concurrent deployment in the same account. Enter a string of up to 9 lowercase alphanumeric characters. This must match the namespace value you selected for the Member Roles stack; the namespace value does not need to be unique per member account.

(Optional) Step 0: Launch a ticket system integration stack

  1. If you intend to use the ticketing feature, launch the respective integration stack first.

  2. Choose one of the provided integration stacks for Jira or ServiceNow, or use them as a blueprint to implement your own custom integration.

    To deploy the Jira stack:

    1. Enter a name for your stack.

    2. Provide the URI of your Jira instance.

    3. Provide the project key for the Jira project that you want to send tickets to.

    4. Create a new key-value secret in Secrets Manager that holds your Jira username and password.

      Note

      You can use a Jira API key in place of your password by providing your username as Username and your API key as Password.

    5. Add the ARN of this secret as input to the stack.

      Provide a stack name, Jira project information, and Jira API credentials.

    To deploy the ServiceNow stack:

    1. Enter a name for your stack.

    2. Provide the URI of your ServiceNow instance.

    3. Provide the name of the ServiceNow table that tickets should be written to.

    4. Create an API key in ServiceNow with permission to modify that table.

    5. Create a secret in Secrets Manager with the key API_Key and provide the secret ARN as input to the stack.

      Provide a stack name, ServiceNow project information, and ServiceNow API credentials.

    To create a custom integration stack: include a Lambda function that the solution's orchestrator Step Functions state machine can call for each remediation. The function should take the input provided by Step Functions, construct a payload according to the requirements of your ticketing system, and make a request to your system to create the ticket. Provide its function name to the admin stack in Step 1 (TicketGenFunctionName).

Step 1: Launch the admin stack in the delegated Security Hub admin account

  1. Launch the admin stack, automated-security-response-admin.template, in your Security Hub admin account. Typically there is one per organization, in a single Region. Because this stack uses nested stacks, you must deploy this template as a self-managed StackSet.

Parameters (default value in parentheses)

Load SC Admin Stack (default: yes)
  Specify whether to install the admin components for automated remediation of SC controls.

Load AFSBP Admin Stack (default: no)
  Specify whether to install the admin components for automated remediation of FSBP controls.

Load CIS120 Admin Stack (default: no)
  Specify whether to install the admin components for automated remediation of CIS120 controls.

Load CIS140 Admin Stack (default: no)
  Specify whether to install the admin components for automated remediation of CIS140 controls.

Load CIS300 Admin Stack (default: no)
  Specify whether to install the admin components for automated remediation of CIS300 controls.

Load PCI321 Admin Stack (default: no)
  Specify whether to install the admin components for automated remediation of PCI321 (PCI DSS v3.2.1) controls.

Load NIST Admin Stack (default: no)
  Specify whether to install the admin components for automated remediation of NIST controls.

Reuse Orchestrator Log Group (default: no)
  Select whether to reuse an existing SO0111-ASR-Orchestrator CloudWatch Logs log group. Reusing it simplifies reinstallation and upgrades without losing log data from a previous version. Choose yes if the log group still exists from an earlier deployment in this account, otherwise choose no. If you are performing a stack update from a version earlier than v2.3.0, choose no.

ShouldDeployWebUI (default: yes)
  Deploy the Web UI components, including API Gateway, Lambda functions, and a CloudFront distribution. Select yes to enable the web-based user interface for viewing findings and remediation status. If you disable this feature, you can still configure automated remediations and run remediations on demand using the Security Hub CSPM custom action.

AdminUserEmail (optional input)
  Email address for the initial admin user. This user has full administrative access to the ASR Web UI. Required only when the Web UI is enabled.

Use CloudWatch Metrics (default: yes)
  Specify whether to enable CloudWatch metrics for monitoring the solution. This creates a CloudWatch dashboard for viewing the metrics.

Use CloudWatch Metrics Alarms (default: yes)
  Specify whether to enable CloudWatch alarms for the solution. This creates alarms for certain metrics collected by the solution.

RemediationFailureAlarmThreshold (default: 5)
  The threshold, as a percentage of failed remediations per control ID, above which an alarm is raised. For example, with a value of 5 you receive an alarm if more than 5% of a control ID's remediations fail on a given day. This parameter has an effect only if alarms are created (see the Use CloudWatch Metrics Alarms parameter).

EnableEnhancedCloudWatchMetrics (default: no)
  If yes, creates additional CloudWatch metrics that track every control ID individually on the CloudWatch dashboard and as CloudWatch alarms. See the Cost section to understand the additional cost this incurs.

TicketGenFunctionName (optional input)
  Leave blank if you do not want to integrate a ticketing system. Otherwise, provide the Lambda function name from the stack output of Step 0, for example SO0111-ASR-ServiceNow-TicketGenerator.

Configure StackSet options

  1. For the Account numbers parameter, enter the account ID of the AWS Security Hub admin account.

  2. For the Specify regions parameter, select only the Region where Security Hub admin is turned on. Wait for this step to complete before going on to Step 2.

Step 2: Install the remediation roles into each AWS Security Hub member account

Use a service-managed StackSet to deploy the member roles template, automated-security-response-member-roles.template. This StackSet must be deployed in one Region per member account. It defines the IAM roles (which are global) that allow cross-account API calls from the ASR Orchestrator Step Functions state machine.

Parameters (default value in parentheses)

Namespace (requires input)
  Enter a string of up to 9 lowercase alphanumeric characters. This unique namespace is added as a suffix to the remediation IAM role names. Use the same namespace in the Member Roles and Member stacks. The string should be unique for each solution deployment, but does not need to be changed during stack updates, and does not need to be unique per member account.

Sec Hub Account Admin (requires input)
  Enter the 12-digit account ID of the AWS Security Hub admin account. This value grants permissions to the admin account's solution role.

  1. Deploy to the entire organization (typical) or to organizational units, according to your organization's policies.

  2. Turn on automatic deployment so new accounts in the AWS Organizations receive these permissions.

  3. For the Specify regions parameter, select a single Region. IAM roles are global. You can continue to Step 3 while this StackSet deploys.

    Specify StackSet details


Step 3: Launch the member stack into each AWS Security Hub member account and Region

Because the member stack uses nested stacks, you must deploy it as a self-managed StackSet. Self-managed StackSets do not support automatic deployment to new accounts that join the AWS Organization, so repeat this step for each new account.

Parameters (default value in parentheses)

Provide the name of the LogGroup to be used to create Metric Filters and Alarms (requires input)
  Specify the name of the CloudWatch Logs log group to which CloudTrail delivers API call logs. This is used by the CIS 3.1-3.14 remediations.

Load SC Member Stack (default: yes)
  Specify whether to install the member components for automated remediation of SC controls.

Load AFSBP Member Stack (default: no)
  Specify whether to install the member components for automated remediation of FSBP controls.

Load CIS120 Member Stack (default: no)
  Specify whether to install the member components for automated remediation of CIS120 controls.

Load CIS140 Member Stack (default: no)
  Specify whether to install the member components for automated remediation of CIS140 controls.

Load CIS300 Member Stack (default: no)
  Specify whether to install the member components for automated remediation of CIS300 controls.

Load PCI321 Member Stack (default: no)
  Specify whether to install the member components for automated remediation of PCI321 (PCI DSS v3.2.1) controls.

Load NIST Member Stack (default: no)
  Specify whether to install the member components for automated remediation of NIST controls.

Create S3 Bucket For Redshift Audit Logging (default: no)
  Select yes if the S3 bucket should be created for the FSBP Redshift.4 remediation. For details of the S3 bucket and the remediation, review the Redshift.4 control in the AWS Security Hub User Guide.

Sec Hub Admin Account (requires input)
  Enter the 12-digit account ID of the AWS Security Hub admin account.

Namespace (requires input)
  Enter a string of up to 9 lowercase alphanumeric characters. This string becomes part of the IAM role names and of the Action Log S3 bucket name. Use the same value for the member stack and the member roles stack. The string should be unique for each solution deployment, but does not need to be changed during stack updates.

EnableCloudTrailForASRActionLog (default: no)
  Select yes to monitor the management events performed by the solution on the CloudWatch dashboard. The solution creates a CloudTrail trail in each member account where you select yes. The solution must be deployed into an AWS Organization to enable this feature, and the feature can be enabled in only one Region per account. See the Cost section to understand the additional cost this incurs.

Accounts


Deployment locations: You may specify a list of account numbers or organizational units.

Specify regions: Select all of the Regions where you want to remediate findings. Adjust the Deployment options as appropriate for the number of accounts and Regions; Region concurrency can be set to parallel.
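The following script is an added example and is not part of the solution or of this guide. It drives Steps 1 to 3 above with the AWS CLI in the order the guide requires (admin stack first, then member roles with auto-deployment, then the member stack across accounts and Regions), after checking the planning-form values against the constraints stated here: 12-digit account IDs, well-formed OU IDs, and a namespace of up to 9 lowercase alphanumeric characters that is passed identically to the member-roles and member StackSets. The template base URL, the CloudFormation ParameterKeys (LoadSCAdminStack, ReuseOrchestratorLogGroup, ShouldDeployWebUI, Namespace, SecHubAdminAccount, LogGroupName, LoadSCMemberStack), the StackSet names, and every account, OU and Region value are assumptions or constructed placeholders; confirm the real keys with aws cloudformation get-template-summary against each template before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not part of the solution: drive the three ASR StackSet deployments
# (Steps 1-3) from the planning form with the AWS CLI. Template URL, CloudFormation
# ParameterKeys, account/OU IDs and Regions are assumptions or constructed values;
# confirm the real keys with: aws cloudformation get-template-summary --template-url <url>
set -eu

TEMPLATE_BASE="${TEMPLATE_BASE:-https://example-bucket.s3.amazonaws.com/asr}"  # assumed location
SECHUB_ADMIN="${SECHUB_ADMIN:-111111111111}"                     # constructed: Security Hub admin account
MEMBER_ACCOUNTS="${MEMBER_ACCOUNTS:-222222222222 333333333333}"  # constructed member account IDs
ORG_OUS="${ORG_OUS:-ou-abcd-11111111}"                           # constructed OU ID(s) for Step 2
ADMIN_REGION="${ADMIN_REGION:-us-east-1}"                        # Region where Security Hub admin is enabled
MEMBER_REGIONS="${MEMBER_REGIONS:-us-east-1 us-west-2 eu-west-1}"  # Regions where you have AWS resources
NAMESPACE="${NAMESPACE:-asrprod1}"                               # must be identical in Step 2 and Step 3
CLOUDTRAIL_LOG_GROUP="${CLOUDTRAIL_LOG_GROUP:-CloudTrail/DefaultLogGroup}"  # assumed log group name
DRY_RUN="${DRY_RUN:-1}"                                          # 1 = print commands, 0 = execute them
# Self-managed StackSets need the roles described under "Grant self-managed permissions".
ADMIN_ROLE_ARN="arn:aws:iam::${SECHUB_ADMIN}:role/AWSCloudFormationStackSetAdministrationRole"

# Preflight checks that mirror the constraints stated in the guide.
valid_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }
valid_namespace()  { printf '%s' "$1" | grep -Eq '^[a-z0-9]{1,9}$'; }  # up to 9 lowercase alphanumerics
valid_ou_id()      { printf '%s' "$1" | grep -Eq '^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$'; }

preflight() {
  valid_account_id "$SECHUB_ADMIN" || { echo "bad Security Hub admin account ID: $SECHUB_ADMIN" >&2; return 1; }
  for a in $MEMBER_ACCOUNTS; do valid_account_id "$a" || { echo "bad member account ID: $a" >&2; return 1; }; done
  for ou in $ORG_OUS; do valid_ou_id "$ou" || { echo "bad OU ID: $ou" >&2; return 1; }; done
  valid_namespace "$NAMESPACE" || { echo "namespace must be 1-9 characters of [a-z0-9]: $NAMESPACE" >&2; return 1; }
}

# In dry-run mode print the command (to stderr, so command substitutions stay empty) instead of running it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "aws $*" >&2; else aws "$@"; fi; }

# The CLI has no waiter for StackSet operations, so poll describe-stack-set-operation.
wait_for_op() {  # $1 = StackSet name, $2 = operation ID
  [ "$DRY_RUN" = 1 ] && return 0
  while :; do
    status=$(aws cloudformation describe-stack-set-operation --stack-set-name "$1" \
      --operation-id "$2" --query StackSetOperation.Status --output text)
    case "$status" in
      SUCCEEDED) return 0 ;;
      FAILED|STOPPED) echo "operation $2 on $1 ended with $status" >&2; return 1 ;;
      *) sleep 30 ;;
    esac
  done
}

# Step 1: admin stack, self-managed because it uses nested stacks; one account, one Region.
# Web UI is disabled here so that no AdminUserEmail is required.
step1_admin() {
  run cloudformation create-stack-set --stack-set-name asr-admin \
    --template-url "$TEMPLATE_BASE/automated-security-response-admin.template" \
    --permission-model SELF_MANAGED --administration-role-arn "$ADMIN_ROLE_ARN" \
    --execution-role-name AWSCloudFormationStackSetExecutionRole \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --parameters ParameterKey=LoadSCAdminStack,ParameterValue=yes \
                 ParameterKey=ReuseOrchestratorLogGroup,ParameterValue=no \
                 ParameterKey=ShouldDeployWebUI,ParameterValue=no
  op=$(run cloudformation create-stack-instances --stack-set-name asr-admin \
    --accounts "$SECHUB_ADMIN" --regions "$ADMIN_REGION" --query OperationId --output text)
  wait_for_op asr-admin "$op"   # Step 2 references IAM roles created by this stack
}

# Step 2: member roles, service-managed with auto-deployment to new accounts; IAM is global, one Region.
step2_member_roles() {
  run cloudformation create-stack-set --stack-set-name asr-member-roles \
    --template-url "$TEMPLATE_BASE/automated-security-response-member-roles.template" \
    --permission-model SERVICE_MANAGED --call-as DELEGATED_ADMIN \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters ParameterKey=Namespace,ParameterValue="$NAMESPACE" \
                 ParameterKey=SecHubAdminAccount,ParameterValue="$SECHUB_ADMIN"
  run cloudformation create-stack-instances --stack-set-name asr-member-roles --call-as DELEGATED_ADMIN \
    --deployment-targets "OrganizationalUnitIds=$(echo $ORG_OUS | tr ' ' ',')" --regions "$ADMIN_REGION"
}

# Step 3: member stack, self-managed (nested stacks), every member account in every Region in use.
step3_member() {
  run cloudformation create-stack-set --stack-set-name asr-member \
    --template-url "$TEMPLATE_BASE/automated-security-response-member.template" \
    --permission-model SELF_MANAGED --administration-role-arn "$ADMIN_ROLE_ARN" \
    --execution-role-name AWSCloudFormationStackSetExecutionRole \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --parameters ParameterKey=LogGroupName,ParameterValue="$CLOUDTRAIL_LOG_GROUP" \
                 ParameterKey=LoadSCMemberStack,ParameterValue=yes \
                 ParameterKey=SecHubAdminAccount,ParameterValue="$SECHUB_ADMIN" \
                 ParameterKey=Namespace,ParameterValue="$NAMESPACE"
  run cloudformation create-stack-instances --stack-set-name asr-member \
    --accounts $MEMBER_ACCOUNTS --regions $MEMBER_REGIONS \
    --operation-preferences RegionConcurrencyType=PARALLEL,MaxConcurrentPercentage=100,FailureTolerancePercentage=0
}

main() { preflight && step1_admin && step2_member_roles && step3_member; }
main
```

Run it first with the default DRY_RUN=1 and review the printed commands. The --call-as DELEGATED_ADMIN flag is correct when you run from a delegated administrator account, as this guide assumes; omit it if you run from the management account. For the two self-managed StackSets, the AWSCloudFormationStackSetAdministrationRole must exist in the Security Hub admin account and the AWSCloudFormationStackSetExecutionRole in every target account before Steps 1 and 3, and new accounts that join the organization need Step 3 repeated by hand because self-managed StackSets have no auto-deployment.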