Automatically address security threats with predefined response and remediation actions in AWS Security Hub
Publication date: August 2020 (last update: September 2024)
This implementation guide provides an overview of the Automated Security Response on AWS solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the solution to the Amazon Web Services (AWS) Cloud.
Use this navigation table to quickly find answers to these questions:
| If you want to . . . | Read . . . |
|---|---|
| Know the cost for running this solution | Cost |
| Understand the security considerations for this solution | Security |
| Know how to plan for quotas for this solution | Quotas |
| Know which AWS Regions are supported for this solution | Supported AWS Regions |
| View or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the “stack”) for this solution | AWS CloudFormation templates |
| Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution | GitHub repository |
The continued evolution of security threats requires proactive steps to secure data, and reacting to each new issue can be difficult, expensive, and time-consuming for security teams. The Automated Security Response on AWS solution helps you react quickly to security issues by providing predefined responses and remediation actions based on industry compliance standards and best practices.
Automated Security Response on AWS is an AWS Solution that works with AWS Security Hub
You can select specific playbooks to deploy in your Security Hub primary account. Each playbook contains the necessary custom actions, Identity and Access Management
Note
Remediation is intended for emergent situations that require immediate action. This solution makes changes to remediate findings only when initiated by you via the AWS Security Hub Management console, or when automated remediation has been enabled using the Amazon EventBridge rule for a specific control. To revert these changes, you must manually put resources back in their original state.
When remediating AWS resources deployed as a part of the CloudFormation stack, be aware that this might cause a drift. When possible, remediate stack resources by modifying the code that defines the stack resources and updating the stack. For more information, refer to What is drift? in the AWS CloudFormation User Guide.
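The Note above says remediation fires only from the Security Hub console or from an EventBridge rule enabled for a specific control. The following is an added example, not code from the solution, that evaluates a constructed per-control rule pattern against sample Security Hub finding events; the event and ASFF field names are standard, while the rule shape and the control ID `S3.1` are assumptions.

```python
"""Added example (not part of the solution's own code): a minimal evaluator for
the per-control Amazon EventBridge rule the Note describes. The event fields are
standard Security Hub / ASFF names; the exact rule shape is an assumption."""
import json

# Constructed rule: automated remediation enabled for one consolidated control.
# EventBridge semantics: every pattern key must be present and match; a leaf
# matches when any value in the event (scalar or list element) is in the list.
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "RecordState": ["ACTIVE"],
        "Compliance": {"Status": ["FAILED"],
                       "SecurityControlId": ["S3.1"]},  # assumed enabled control
    }},
}

def matches(pattern, event):
    """Return True if event satisfies pattern (EventBridge-style matching).
    Simplification: for an array of objects (findings), all keys must match
    within one element; real EventBridge matches each path independently."""
    if isinstance(pattern, list):                       # leaf: accepted values
        values = event if isinstance(event, list) else [event]
        return any(v in pattern for v in values)
    items = event if isinstance(event, list) else [event]
    return any(isinstance(item, dict)
               and all(k in item and matches(sub, item[k]) for k, sub in pattern.items())
               for item in items)

def should_auto_remediate(event_json, pattern=RULE_PATTERN):
    """Decide whether a Security Hub finding event would fire the rule."""
    return matches(pattern, json.loads(event_json))

def _event(control_id, status, record_state="ACTIVE"):
    """Build a constructed (not real) Security Hub finding event as JSON."""
    return json.dumps({"source": "aws.securityhub",
                       "detail-type": "Security Hub Findings - Imported",
                       "detail": {"findings": [{"RecordState": record_state,
                                                "Compliance": {"Status": status,
                                                               "SecurityControlId": control_id}}]}})
FAILED_S3_1 = _event("S3.1", "FAILED")      # enabled control, failed -> fires
FAILED_IAM_4 = _event("IAM.4", "FAILED")    # control not enabled -> no action
PASSED_S3_1 = _event("S3.1", "PASSED")      # passing finding -> no action
ARCHIVED_S3_1 = _event("S3.1", "FAILED", "ARCHIVED")  # archived -> no action

if __name__ == "__main__":
    for name in ("FAILED_S3_1", "FAILED_IAM_4", "PASSED_S3_1", "ARCHIVED_S3_1"):
        print(name, should_auto_remediate(globals()[name]))
```

Only the failed, active finding for the enabled control would trigger remediation; findings for other controls, passing findings, and archived findings are ignored, which is the per-control gating the Note relies on.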
Automated Security Response on AWS includes the playbook remediations for the security standards defined as part of the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices (FSBP) v.1.0.0, Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1, and National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5. The solution also includes a Security Controls (SC) playbook for the consolidated control findings feature of AWS Security Hub. For more information, refer to Playbooks.
This implementation guide discusses architectural considerations and configuration steps for deploying the Automated Security Response on AWS solution in the AWS Cloud. It includes links to AWS CloudFormation
The guide is intended for IT infrastructure architects, administrators, and DevOps professionals who have practical experience architecting in the AWS Cloud.