Automatically address security threats with predefined response and remediation actions in AWS Security Hub - Automated Security Response on AWS

Automatically address security threats with predefined response and remediation actions in AWS Security Hub

Publication date: August 2020 (last update: April 2024)

This implementation guide provides an overview of the Automated Security Response on AWS solution, its reference architecture and components, considerations for planning the deployment, configuration steps for deploying the Automated Security Response on AWS solution to the Amazon Web Services (AWS) Cloud.

Use this navigation table to quickly find answers to these questions:

If you want to . . . Read . . .
Know the cost for running this solution Cost
Understand the security considerations for this solution Security
Know how to plan for quotas for this solution Quotas
Know which AWS Regions are supported for this solution Supported AWS Regions
View or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the “stack”) for this solution AWS CloudFormation templates

Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution.

GitHub repository

The continued evolution of security requires proactive steps to secure data which can make it difficult, expensive, and time-consuming for security teams to react. The Automated Security Response on AWS solution helps you quickly react to address security issues by providing predefined responses and remediation actions based on industry compliance standards and best practices.

This solution is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. This solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.

You can select specific playbooks to deploy in your Security Hub primary account. Each playbook contains the necessary custom actions, Identity and Access Management (IAM) roles, Amazon EventBridge rules, AWS Systems Manager automation documents, AWS Lambda functions, and AWS Step Functions needed to start a remediation workflow within a single AWS account, or across multiple accounts. Remediations work from the Actions menu in AWS Security Hub and allow authorized users to remediate a finding across all of their AWS Security Hub-managed accounts with a single action. For example, you can apply recommendations from the Center for Internet Security (CIS) AWS Foundations Benchmark, a compliance standard for securing AWS resources, to ensure passwords expire within 90 days and enforce encryption of event logs stored in AWS.

Note

Remediation is intended for emergent situations that require immediate action. This solution makes changes to remediate findings only when initiated by you via the AWS Security Hub Management console, or when automated remediation has been enabled using the Amazon EventBridge rule for a specific control. To revert these changes, you must manually put resources back in their original state.

When remediating AWS resources deployed as a part of the CloudFormation stack, be aware that this might cause a drift. When possible, remediate stack resources by modifying the code that defines the stack resources and updating the stack. For more information, refer to What is drift? in the AWS CloudFormation User Guide.

Automated Security Response on AWS includes the playbook remediations for the security standards defined as part of the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices (FSBP) v.1.0.0, Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1, and National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5. The solution also includes a Security Controls (SC) playbook for the consolidated control findings feature of AWS Security Hub. For more information, refer to Playbooks.

This implementation guide discusses architectural considerations and configuration steps for deploying the Automated Security Response on AWS solution in the AWS Cloud. It includes links to AWS CloudFormation templates that launch, configure, and run the AWS compute, network, storage, and other services required to deploy this solution on AWS, using AWS best practices for security and availability.

The guide is intended for IT infrastructure architects, administrators, and DevOps professionals who have practical experience architecting in the AWS Cloud.