Automated deployment - Stacks
Note
For multi-account customers, we strongly recommend deployment with StackSets.
Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.
Time to deploy: Approximately 30 minutes
Prerequisites
Before you deploy this solution, ensure that AWS Security Hub is in the same AWS Region as your primary and secondary accounts. If you have previously deployed this solution, you must uninstall the existing solution. For more information, refer to Update the solution.
Deployment overview
Use the following steps to deploy this solution on AWS.
(Optional) Step 0: Launch a ticket system integration stack
- If you intend to use the ticketing feature, deploy the ticketing integration stack into your Security Hub admin account first.
- Copy the Lambda function name from this stack and provide it as input to the admin stack (see Step 1).
Step 1: Launch the admin stack
- Launch the aws-sharr-deploy.template AWS CloudFormation template into your AWS Security Hub admin account.
- Choose which security standards to install.
- Choose an existing Orchestrator log group to use (select Yes if SO0111-SHARR-Orchestrator already exists from a previous installation).
Step 2: Install the remediation roles into each AWS Security Hub member account
- Launch the aws-sharr-member-roles.template AWS CloudFormation template into one Region per member account.
- Enter the 12-digit account ID for the AWS Security Hub admin account.
Step 3: Launch the member stack
- Specify the name of the CloudWatch Logs group to use with CIS 3.1-3.14 remediations. It must be the name of a CloudWatch Logs log group that receives CloudTrail logs.
- Choose whether to install the remediation roles. Install these roles only once per account.
- Select which playbooks to install.
- Enter the account ID of the AWS Security Hub admin account.
Step 4: (Optional) Adjust the available remediations
- Remove any remediations on a per-member account basis. This step is optional.
(Optional) Step 0: Launch a ticket system integration stack
- If you intend to use the ticketing feature, launch the respective integration stack first.
- Choose the provided integration stacks for Jira or ServiceNow, or use them as a blueprint to implement your own custom integration.
To deploy the Jira stack:
- Enter a name for your stack.
- Provide the URI to your Jira instance.
- Provide the project key for the Jira project that you want to send tickets to.
- Create a new key-value secret in Secrets Manager that holds your Jira Username and Password.
Note
You can choose to use a Jira API key in place of your password by providing your username as Username and your API key as the Password.
- Add the ARN of this secret as input to the stack.
To deploy the ServiceNow stack:
- Enter a name for your stack.
- Provide the URI of your ServiceNow instance.
- Provide your ServiceNow table name.
- Create an API key in ServiceNow with permission to modify the table you intend to write to.
- Create a secret in Secrets Manager with the key API_Key and provide the secret ARN as input to the stack.
To create a custom integration stack: Include a Lambda function that the solution orchestrator Step Functions can call for each remediation. The Lambda function should take the input provided by Step Functions, construct a payload according to the requirements of your ticketing system, and make a request to your system to create the ticket.
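As an added example that is not part of the solution or of this guide, the following Python Lambda handler sketches the custom integration just described: it takes the input passed by the orchestrator Step Functions state machine, builds a ticket payload, and posts it to a ticketing endpoint with an API key read from Secrets Manager at invocation time. The input field names (Finding, RemediationOutcome, RemediationMessage), the endpoint URL, the TICKET_SECRET_ARN environment variable, the secret key name API_Key and the ticketing system's JSON schema are all assumptions for illustration; check the real orchestrator input and your system's API before adapting it. The HTTP call is injectable so the code can be exercised without network access.

```python
"""Custom ticket-generator Lambda (added example; not the solution's own code).

Assumptions, all constructed for illustration:
  - The orchestrator invokes the function with an event holding event["Finding"]
    (the Security Hub finding in ASFF), event["RemediationOutcome"] and
    event["RemediationMessage"]. Verify the real input shape before relying on it.
  - The ticketing system accepts a JSON POST with summary/description/priority/
    external_id and returns {"id": ...} with HTTP 201.
  - Credentials live in a Secrets Manager secret under the key "API_Key" (as in the
    ServiceNow stack) and are read at invocation time, never taken from the event.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, Tuple

# Placeholder endpoint; a real custom stack would pass this in as a stack parameter.
TICKET_ENDPOINT = os.environ.get("TICKET_ENDPOINT", "https://tickets.example.invalid/api/v1/issues")

# Assumed mapping from ASFF severity labels to the ticketing system's priority values.
PRIORITY_BY_SEVERITY = {"CRITICAL": "P1", "HIGH": "P2", "MEDIUM": "P3", "LOW": "P4", "INFORMATIONAL": "P4"}

PostFn = Callable[[str, Dict[str, Any], Dict[str, str]], Tuple[int, Dict[str, Any]]]


def build_ticket_payload(event: Dict[str, Any]) -> Dict[str, Any]:
    """Translate the orchestrator input into the (assumed) ticketing schema."""
    finding = event["Finding"]
    outcome = event.get("RemediationOutcome", "unknown")
    resources = [r.get("Id", "unknown") for r in finding.get("Resources", [])]
    severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    description = "\n".join([
        f"Finding ID: {finding.get('Id', 'unknown')}",
        f"Account: {finding.get('AwsAccountId', 'unknown')}",
        f"Generator: {finding.get('GeneratorId', 'unknown')}",
        f"Resources: {', '.join(resources) or 'none'}",
        f"Remediation outcome: {outcome}",
        f"Remediation message: {event.get('RemediationMessage', '')}",
    ])
    return {
        # Ticket titles are usually length-limited; keep the finding title and outcome.
        "summary": f"[ASR] {finding.get('Title', 'Security Hub finding')} ({outcome})"[:255],
        "description": description,
        "priority": PRIORITY_BY_SEVERITY.get(severity, "P4"),
        # Carrying the finding ID lets the ticketing side deduplicate repeat invocations.
        "external_id": finding.get("Id", ""),
    }


def _http_post(url: str, body: Dict[str, Any], headers: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Default transport: JSON POST over HTTPS; the URL comes from configuration, not the event."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def _load_credentials() -> Dict[str, str]:
    """Read the API key from Secrets Manager (boto3 is present in the Lambda runtime)."""
    import boto3  # imported lazily so the module also loads outside Lambda
    secret_arn = os.environ["TICKET_SECRET_ARN"]  # assumed environment variable set by the stack
    raw = boto3.client("secretsmanager").get_secret_value(SecretId=secret_arn)["SecretString"]
    return json.loads(raw)


def create_ticket(event: Dict[str, Any], credentials: Dict[str, str],
                  post: PostFn = _http_post, endpoint: str = TICKET_ENDPOINT) -> Dict[str, Any]:
    """Build the payload, send it, and return the new ticket's identifier."""
    payload = build_ticket_payload(event)
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {credentials['API_Key']}"}
    status, body = post(endpoint, payload, headers)
    if status not in (200, 201):
        raise RuntimeError(f"ticket creation failed with HTTP {status}")
    return {"ticket_id": body.get("id"), "http_status": status}


def handler(event, context, post: PostFn = _http_post):
    """Lambda entry point invoked by the orchestrator Step Functions state machine."""
    return create_ticket(event, _load_credentials(), post=post)
```

The secret is only ever placed in the Authorization header, never in the ticket body, and a non-2xx response raises so that Step Functions sees the failure rather than a silently missing ticket.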
Step 1: Launch the admin stack
Important
This solution includes an option to send anonymized operational metrics to AWS. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the AWS Privacy Notice.
To opt out of this feature, download the template, modify the AWS CloudFormation mapping section, and then use the AWS CloudFormation console to upload your template and deploy the solution. For more information, refer to the Anonymized data collection section of this guide.
This automated AWS CloudFormation template deploys the Automated Security Response on AWS solution in the AWS Cloud. Before you launch the stack, you must enable Security Hub and complete the prerequisites.
Note
You are responsible for the cost of the AWS services used while running this solution. For more details, visit the Cost section in this guide, and refer to the pricing webpage for each AWS service used in this solution.
- Sign in to the AWS Management Console from the account where AWS Security Hub is currently configured, and use the button below to launch the aws-sharr-deploy.template AWS CloudFormation template. You can also download the template as a starting point for your own implementation.
- The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.
Note
This solution uses AWS Systems Manager, which is currently available in specific AWS Regions only. The solution works in all of the Regions that support this service. For the most current availability by Region, refer to the AWS Regional Services List.
- On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and then choose Next.
- On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS limits in the AWS Identity and Access Management User Guide.
- On the Parameters page, review the following parameters, then choose Next.
    Load SC Admin Stack (default: yes): Specify whether to install the admin components for automated remediation of SC controls.
    Load AFSBP Admin Stack (default: no): Specify whether to install the admin components for automated remediation of FSBP controls.
    Load CIS120 Admin Stack (default: no): Specify whether to install the admin components for automated remediation of CIS120 controls.
    Load CIS140 Admin Stack (default: no): Specify whether to install the admin components for automated remediation of CIS140 controls.
    Load CIS300 Admin Stack (default: no): Specify whether to install the admin components for automated remediation of CIS300 controls.
    Load PC1321 Admin Stack (default: no): Specify whether to install the admin components for automated remediation of PC1321 controls.
    Load NIST Admin Stack (default: no): Specify whether to install the admin components for automated remediation of NIST controls.
    Reuse Orchestrator Log Group (default: no): Select whether or not to reuse an existing SO0111-SHARR-Orchestrator CloudWatch Logs group. This simplifies reinstallation and upgrades without losing log data from a previous version. If you are upgrading from v1.2 or above, select yes.
    Use CloudWatch Metrics (default: yes): Specify whether to enable CloudWatch Metrics for monitoring the solution. This will create a CloudWatch Dashboard for viewing metrics.
    Use CloudWatch Metrics Alarms (default: yes): Specify whether to enable CloudWatch Metrics Alarms for the solution. This will create Alarms for certain metrics collected by the solution.
    RemediationFailureAlarmThreshold (default: 5): Specify the threshold for the percentage of remediation failures per control ID. For example, if you enter 5, you receive an alarm if a control ID fails more than 5% of remediations on a given day. This parameter functions only if alarms are created (see the Use CloudWatch Metrics Alarms parameter).
    EnableEnhancedCloudWatchMetrics (default: no): If yes, creates additional CloudWatch metrics to track all control IDs individually on the CloudWatch dashboard and as CloudWatch alarms. See the Cost section to understand the additional cost that this incurs.
    TicketGenFunctionName (optional input): Leave blank if you don't want to integrate a ticketing system. Otherwise, provide the Lambda function name from the stack output of Step 0, for example: SO0111-ASR-ServiceNow-TicketGenerator.
- On the Configure stack options page, choose Next.
- On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.
- Choose Create stack to deploy the stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.
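To make the RemediationFailureAlarmThreshold rule concrete, here is an added example (not part of the solution, and not how its CloudWatch alarms are implemented) that applies the rule as stated in the parameter table to a constructed set of remediation outcomes: failures are counted per control ID per calendar day, and a control breaches when its failure percentage is strictly greater than the threshold. The records, timestamps and the control IDs they carry are constructed for illustration; the function and record-tuple names are this example's own.

```python
"""Per-control remediation failure rate check (added example, not the solution's code).

Mirrors the RemediationFailureAlarmThreshold rule from the admin stack parameters:
alarm when a control ID fails more than <threshold>% of its remediations on a given
day. All records below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str]  # (ISO-8601 UTC timestamp, control ID, "success" | "failed")


def constructed_outcomes() -> List[Record]:
    """Sample remediation outcomes for one day, built to exercise the edge cases."""
    day = "2024-05-01T"
    records: List[Record] = []
    # Redshift.4: 2 failures out of 20 runs -> 10%, above a 5% threshold.
    records += [(f"{day}08:{i:02d}:00Z", "Redshift.4", "failed" if i < 2 else "success") for i in range(20)]
    # CIS 3.1: 1 failure out of 40 runs -> 2.5%, below the threshold.
    records += [(f"{day}09:{i:02d}:00Z", "CIS 3.1", "failed" if i == 0 else "success") for i in range(40)]
    # CIS 3.3: 1 failure out of 20 runs -> exactly 5%, which is not "more than" 5%.
    records += [(f"{day}10:{i:02d}:00Z", "CIS 3.3", "failed" if i == 0 else "success") for i in range(20)]
    # CIS 3.2: a single run that failed -> 100%; low volume makes one failure breach.
    records.append((f"{day}11:00:00Z", "CIS 3.2", "failed"))
    return records


def failure_rates_by_day(records: Iterable[Record]) -> Dict[Tuple[str, str], float]:
    """Return {(day, control_id): failure percentage} over the given records."""
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])  # [failed, total]
    for timestamp, control_id, outcome in records:
        bucket = counts[(timestamp[:10], control_id)]  # group by calendar day (UTC)
        bucket[1] += 1
        if outcome == "failed":
            bucket[0] += 1
    return {key: 100.0 * failed / total for key, (failed, total) in counts.items()}


def controls_breaching(records: Iterable[Record], threshold_percent: float = 5.0) -> List[Tuple[str, str, float]]:
    """List (day, control_id, rate) for controls whose failure rate exceeds the threshold."""
    return sorted(
        (day, control_id, rate)
        for (day, control_id), rate in failure_rates_by_day(records).items()
        if rate > threshold_percent
    )


if __name__ == "__main__":
    for day, control_id, rate in controls_breaching(constructed_outcomes()):
        print(f"{day} {control_id}: {rate:.1f}% of remediations failed, above threshold")
```

The CIS 3.2 case is the one to keep in mind when tuning the threshold: a percentage rule fires on a single failed run of a rarely triggered control, so a low threshold trades fewer missed systematic failures for more alarms on low-volume controls.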
Step 2: Install the remediation roles into each AWS Security Hub member account
The aws-sharr-member-roles.template StackSet must be deployed in only one Region per member account. It defines the global roles that allow cross-account API calls from the SHARR Orchestrator step function.
- Sign in to the AWS Management Console for each AWS Security Hub member account (including the admin account, which is also a member). Select the button to launch the aws-sharr-member-roles.template AWS CloudFormation template. You can also download the template as a starting point for your own implementation.
- The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.
- On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and then choose Next.
- On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS limits in the AWS Identity and Access Management User Guide.
- On the Parameters page, specify the following parameters and choose Next.
    Namespace (requires input): Enter a string of up to 9 lowercase alphanumeric characters. This string becomes part of the IAM role names. Use the same value for member stack deployment and member roles stack deployment.
    Sec Hub Account Admin (requires input): Enter the 12-digit account ID for the AWS Security Hub admin account. This value grants permissions to the admin account's solution role.
- On the Configure stack options page, choose Next.
- On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.
- Choose Create stack to deploy the stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 5 minutes. You may continue with the next step while this stack loads.
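Step 2 is where the cross-account trust is established: the member-roles stack creates roles that the orchestrator in the admin account assumes, and the Namespace and admin account ID you enter shape those roles. The following Python is an added example, not the solution's template, that validates both inputs against the rules in the parameter table before anything is deployed and builds a trust policy of the kind such a member role carries. The admin-side role name ASR-Orchestrator-Role-PLACEHOLDER is a placeholder (the solution's real role names are not given on this page), and trust_policy_is_scoped is the review a defender applies to any cross-account trust: the principal must be a specific identity in the expected admin account, never a wildcard.

```python
"""Member-role input validation and cross-account trust policy (added example).

Not the solution's template. The admin-side role name is a placeholder; the real
role names created by the admin stack are not listed on this page.
"""
import json
import re
from typing import Any, Dict, List

NAMESPACE_RE = re.compile(r"[a-z0-9]{1,9}")  # "up to 9 lowercase alphanumeric characters"
ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")      # 12-digit AWS account ID, leading zeros included

# Placeholder for the orchestrator role in the Security Hub admin account.
ADMIN_ROLE_NAME_PLACEHOLDER = "ASR-Orchestrator-Role-PLACEHOLDER"


def validate_member_inputs(namespace: str, admin_account_id: str) -> None:
    """Reject values the member stacks would not accept, before any deployment starts."""
    if not NAMESPACE_RE.fullmatch(namespace):
        raise ValueError(f"Namespace {namespace!r} must be 1-9 lowercase letters or digits")
    if not ACCOUNT_ID_RE.fullmatch(admin_account_id):
        raise ValueError(f"Admin account ID {admin_account_id!r} must be exactly 12 digits")


def member_role_trust_policy(namespace: str, admin_account_id: str,
                             admin_role_name: str = ADMIN_ROLE_NAME_PLACEHOLDER) -> Dict[str, Any]:
    """Trust policy letting only the admin account's orchestrator role assume the member role."""
    validate_member_inputs(namespace, admin_account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"AllowOrchestrator{namespace}",  # namespace is alphanumeric, so the Sid is valid
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{admin_account_id}:role/{admin_role_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists in Action and Principal.AWS; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_in_account(principal_arn: str, account_id: str) -> bool:
    """True if the AWS principal is a specific identity (or the root) of the given account."""
    return principal_arn == account_id or f":{account_id}:" in principal_arn


def trust_policy_is_scoped(policy: Dict[str, Any], admin_account_id: str) -> bool:
    """Review check: every Allow for sts:AssumeRole names a principal in the admin account, never '*'."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            return False
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or not _principal_in_account(arn, admin_account_id):
                return False
    return True


if __name__ == "__main__":
    policy = member_role_trust_policy("asr1", "123456789012")  # constructed inputs
    print(json.dumps(policy, indent=2))
    print("scoped to admin account:", trust_policy_is_scoped(policy, "123456789012"))
```

Run the validator with the same Namespace you plan to enter in Step 3: the page requires the value to match across the member-roles and member stacks, and catching a typo here is cheaper than a failed or mismatched stack.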
Step 3: Launch the member stack
Important
This solution includes an option to send anonymized operational metrics to AWS. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the AWS Privacy Policy.
To opt out of this feature, download the template, modify the AWS CloudFormation mapping section, and then use the AWS CloudFormation console to upload your template and deploy the solution. For more information, refer to the Collection of operational metrics section of this guide.
The aws-sharr-member stack must be installed into each Security Hub member account. This stack defines the runbooks for automated remediation. The admin for each member account can control what remediations are available via this stack.
- Sign in to the AWS Management Console for each AWS Security Hub member account (including the admin account, which is also a member). Select the button to launch the aws-sharr-member.template AWS CloudFormation template. You can also download the template as a starting point for your own implementation.
- The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.
Note
This solution uses AWS Systems Manager, which is currently available in the majority of AWS Regions. The solution works in all of the Regions that support these services. For the most current availability by Region, refer to the AWS Regional Services List.
- On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and then choose Next.
- On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS limits in the AWS Identity and Access Management User Guide.
- On the Parameters page, specify the following parameters and choose Next.
    Provide the name of the LogGroup to be used to create Metric Filters and Alarms (requires input): Specify the name of a CloudWatch Logs group where CloudTrail logs API calls. This is used for CIS 3.1-3.14 remediations.
    Load SC Member Stack (default: yes): Specify whether to install the member components for automated remediation of SC controls.
    Load AFSBP Member Stack (default: no): Specify whether to install the member components for automated remediation of FSBP controls.
    Load CIS120 Member Stack (default: no): Specify whether to install the member components for automated remediation of CIS120 controls.
    Load CIS140 Member Stack (default: no): Specify whether to install the member components for automated remediation of CIS140 controls.
    Load CIS300 Member Stack (default: no): Specify whether to install the member components for automated remediation of CIS300 controls.
    Load PC1321 Member Stack (default: no): Specify whether to install the member components for automated remediation of PC1321 controls.
    Load NIST Member Stack (default: no): Specify whether to install the member components for automated remediation of NIST controls.
    Create S3 Bucket For Redshift Audit Logging (default: no): Select yes if the S3 bucket should be created for the FSBP Redshift.4 remediation. For details of the S3 bucket and the remediation, review the Redshift.4 remediation in the AWS Security Hub User Guide.
    Sec Hub Admin Account (requires input): Enter the 12-digit account ID for the AWS Security Hub admin account.
    Namespace (requires input): Enter a string of up to 9 lowercase alphanumeric characters. This string becomes part of the IAM role names and the Action Log S3 bucket name. Use the same value for member stack deployment and member roles stack deployment. This string must follow Amazon S3 naming rules for general purpose S3 buckets.
    EnableCloudTrailForASRActionLog (default: no): Select yes if you want to monitor management events conducted by the solution on the CloudWatch dashboard. The solution creates a CloudTrail trail in each member account where you select yes. You must deploy the solution into an AWS Organization to enable this feature. See the Cost section to understand the additional cost that this incurs.
- On the Configure stack options page, choose Next.
- On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.
- Choose Create stack to deploy the stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.
Step 4: (Optional) Adjust the available remediations
If you want to remove specific remediations from a member account, you can do so by updating the nested stack for the security standard. For simplicity, the nested stack options are not propagated to the root stack.
- Sign in to the AWS CloudFormation console and select the nested stack.
- Choose Update.
- Select Update nested stack and choose Update stack.
- Select Use current template and choose Next.
- Adjust the available remediations. Change the values for desired controls to Available and undesired controls to Not available.
Note
Turning off a remediation removes the solution's remediation runbook for the security standard and control.
- On the Configure stack options page, choose Next.
- On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.
- Choose Update stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.