Deciding where to deploy each stack - Automated Security Response on AWS

Deciding where to deploy each stack

The three templates will be referred to by the following names and contain the following resources:

  • Admin stack: orchestrator step function, event rules and Security Hub custom action.

  • Member stack: remediation SSM Automation documents.

  • Member roles stack: IAM roles for remediations.

The Admin stack must be deployed once, in a single account and a single Region. It must be deployed into the account and Region that you have configured as the aggregation destination for Security Hub findings for your organization.

The solution operates on Security Hub findings, so it will not be able to operate on findings from a particular account and Region if that account or Region has not been configured to aggregate findings in the Security Hub administrator account and Region.

For example, an organization has accounts operating in Regions us-east-1 and us-west-2, with account 111111111111 as the Security Hub delegated administrator in Region us-east-1. Accounts 222222222222 and 333333333333 must be Security Hub member accounts for the delegated administrator account 111111111111. All three accounts must be configured to aggregate findings from us-west-2 to us-east-1. The Admin stack must be deployed to account 111111111111 in us-east-1.

For more details on finding aggregation, consult the documentation for Security Hub delegated administrator accounts and cross-Region aggregation.

The Admin stack must complete deployment first before deploying the member stacks so that a trust relationship can be created from the member accounts to the hub account.

The member stack must be deployed into every account and Region in which you wish to remediate findings. This can include the Security Hub delegated administrator account in which you previously deployed the ASR Admin stack.The automation documents must execute in the member accounts in order to use the free tier for SSM Automation.

Using the previous example, if you want to remediate findings from all accounts and Regions, the member stack must be deployed to all three accounts (111111111111, 222222222222, and 333333333333) and both Regions (us-east-1 and us-west-2).

The member roles stack must be deployed to every account, but it contains global resources (IAM roles) that can only be deployed once per account. It does not matter in which Region you deploy the member roles stack, so for simplicity we suggest deploying to the same Region in which the Admin stack is deployed.

Using the previous example, we suggest deploying the member roles stack to all three accounts (111111111111, 222222222222, and 333333333333) in us-east-1.

Deciding how to deploy each stack

The options for deploying a stack are

  • CloudFormation StackSet (self-managed permissions)

  • CloudFormation StackSet (service-managed permissions)

  • CloudFormation Stack

StackSets with service-managed permissions are the most convenient because they do not require deploying your own roles and can automatically deploy to new accounts in the organization. Unfortunately, this method does not support nested stacks, which we use in both the Admin stack and the member stack. The only stack that can be deployed this way is the member roles stack.

Be aware that when deploying to the entire organization, the organization management account is not included, so if you want to remediate findings in the organization management account, you must deploy to this account separately.

The member stack must be deployed to every account and Region but cannot be deployed using StackSets with service-managed permissions because it contains nested stacks. So we suggest deploying this stack with StackSets with self-managed permissions.

The Admin stack is only deployed once, so it can be deployed as a plain CloudFormation stack or as a StackSet with self-managed permissions in a single account and Region.

Consolidated Control Findings

The accounts in your organization can be configured with the Consolidated Control Findings feature of Security Hub turned on or off. See Consolidated control findings in the AWS Security Hub User Guide.


If enabled, you must use v2.0.0 of the solution or later. In addition, you must deploy both the Admin and Member nested stacks for the “SC” or “security control” standards. This deploys the automation documents and EventBridge rules for use with the consolidated control IDs generated when this feature is turned on. There is no need to deploy the Admin or Member nested stacks for specific standards (e.g. AWS FSBP) when using this feature.