Uninstall the solution
Use the following procedure to uninstall the solution with the AWS Management Console.
V1.0.0-V1.2.1
For releases v1.0.0 to v1.2.1, use Service Catalog to uninstall the CIS and/or AFSBP Playbooks. With v1.3.0 Service Catalog is no longer used.
1. Sign in to the AWS CloudFormation console and navigate to the Security Hub primary account.
2. Choose Service Catalog to terminate any provisioned playbooks, remove any security groups, roles, or users.
3. Remove the spoke CISPermissions.template template from the Security Hub member accounts.
4. Remove the spoke AFSBPMemberStack.template template from the Security Hub admin and member accounts.
5. Navigate to the Security Hub primary account, select the solution’s installation stack, and then choose Delete.
CloudWatch Logs group logs are retained. We recommend retaining these logs as required by your organization’s log retention policy.
V1.3.x
1. Remove the aws-sharr-member.template from each member account.
2. Remove the aws-sharr-admin.template from the admin account.

Note: Removal of the admin template in v1.3.0 will likely fail on the Custom Action removal. This is a known issue that will be fixed in the next release. Use the following instructions to fix this issue:
   1. Sign in to the AWS Security Hub management console.
   2. In the admin account, go to Settings.
   3. Select the Custom actions tab.
   4. Manually delete the entry Remediate with SHARR.
   5. Delete the stack again.
V1.4.0 and later
Stack deployment
1. Remove the aws-sharr-member.template from each member account.
2. Remove the aws-sharr-admin.template from the admin account.
StackSet deployment
For each StackSet, remove stacks, then remove the StackSet in the reverse order of deployment.
Note that IAM roles from the aws-sharr-member-roles.template are retained even if the template is removed. This is so that remediations using these roles continue to function. These SO0111-* roles can be manually removed after verifying that they are no longer in use by active remediations, such as CloudTrail to CloudWatch logging, or RDS Enhanced Monitoring.
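One way to start the verification described above is to sort the retained SO0111-* roles by when IAM last recorded their use. This is an added example, not part of the solution's own code: the 90-day idle threshold and the sample role names are assumptions, and fetch_solution_roles() assumes boto3 with IAM read access in the member account.

```python
"""Triage retained SO0111-* IAM roles by last-use date before manual removal."""
from datetime import datetime, timedelta, timezone

ROLE_PREFIX = "SO0111-"   # prefix named in the note above
IDLE_DAYS = 90            # assumption: idle threshold, set per your own policy

# Constructed sample shaped like iam.get_role()["Role"]; role names are placeholders.
SAMPLE_ROLES = [
    {"RoleName": "SO0111-ExampleRoleA",
     "RoleLastUsed": {"LastUsedDate": datetime(2024, 5, 20, tzinfo=timezone.utc)}},
    {"RoleName": "SO0111-ExampleRoleB",
     "RoleLastUsed": {"LastUsedDate": datetime(2023, 1, 10, tzinfo=timezone.utc)}},
    {"RoleName": "SO0111-ExampleRoleC", "RoleLastUsed": {}},
    {"RoleName": "UnrelatedRole",
     "RoleLastUsed": {"LastUsedDate": datetime(2024, 5, 30, tzinfo=timezone.utc)}},
]

def fetch_solution_roles():
    """Return get_role() records for every SO0111-* role in the current account."""
    import boto3  # imported here so classify() works without AWS access
    iam = boto3.client("iam")
    roles = []
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            if role["RoleName"].startswith(ROLE_PREFIX):
                # list_roles omits RoleLastUsed, so query each role individually
                roles.append(iam.get_role(RoleName=role["RoleName"])["Role"])
    return roles

def classify(roles, now=None, idle_days=IDLE_DAYS):
    """Split SO0111-* roles into (in_use, idle) name lists; skip other roles."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=idle_days)
    in_use, idle = [], []
    for role in roles:
        name = role["RoleName"]
        if not name.startswith(ROLE_PREFIX):
            continue
        last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
        # A missing LastUsedDate means IAM has no recorded use for the role
        (in_use if last_used and last_used >= cutoff else idle).append(name)
    return sorted(in_use), sorted(idle)

if __name__ == "__main__":
    # Swap SAMPLE_ROLES for fetch_solution_roles() to inspect a real account.
    in_use, idle = classify(SAMPLE_ROLES, now=datetime(2024, 6, 1, tzinfo=timezone.utc))
    print("Keep (recently used):", *in_use, sep="\n  ")
    print("Review before removal (idle):", *idle, sep="\n  ")
```

A role in the idle list is only a candidate: confirm that no CloudTrail trail, RDS instance, or other resource still references its ARN before deleting it.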