Adding new remediations - AWS Security Hub Automated Response and Remediation

Adding new remediations

Adding a new remediation to an existing Playbook does not require modifying the solution itself.


The instructions that follow use resources installed by the solution as a starting point. By convention, most solution resource names contain SHARR and/or SO0111 to make them easy to locate and identify.

AWS Security Hub Response and Remediation (SHARR) runbooks must follow this naming standard:

Standard: The abbreviation for the security standard. This must match a standard supported by SHARR: one of “CIS”, “AFSBP”, or “PCI”.

Version: The version of the standard. Again, this must match the version supported by SHARR and the version in the finding data.

Control: The control ID of the control to be remediated. This must match the finding data.

Adding a remediation takes three steps:

  1. Create a runbook in the member account(s).

  2. Create an IAM role in the member account(s).

  3. (Optional) Create an automatic remediation rule in the Admin account.

Step 1. Create a runbook in the member account(s)

  1. Sign in to the AWS Systems Manager console and obtain an example of the finding JSON.

  2. Create an automation runbook that remediates the finding. In the Owned by me tab, use any of the SHARR- documents under the Documents tab as a starting point.

  3. The AWS Step Functions state machine in the Admin account runs your runbook. Your runbook must accept the remediation role as a parameter so that the role can be passed in when the runbook is invoked.

Step 2. Create an IAM role in the member account(s)

  1. Sign in to the AWS Identity and Access Management console.

  2. Use one of the existing SO0111 IAM roles as an example and create a new role. The role name must start with SO0111-Remediate-<standard>-<version>-<control>. For example, when adding CIS v1.2.0 control 5.6 the role must be SO0111-Remediate-CIS-1.2.0-5.6.

  3. Using the example, create a properly scoped role that allows only the necessary API calls to perform remediation.

At this point, your remediation is active and available for automated remediation from the SHARR Custom Action in AWS Security Hub.

Step 3. (Optional) Create an automatic remediation rule in the Admin account

Automatic (not “automated”) remediation is the immediate execution of the remediation as soon as the finding is received by AWS Security Hub. Carefully consider the risks before using this option.

  1. View an example rule for the same Security Standard in CloudWatch Events. The naming standard for rules is <standard>_<control>_AutoTrigger.

  2. Copy the event pattern from the example to be used.

  3. Change the GeneratorId value to match the GeneratorId in your Finding JSON.

  4. Save and enable the rule.
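To tie Step 2 and Step 3 together, the following Python helpers are an added example (not code from the SHARR solution): they build and validate the member-account role name from the naming standard above, and derive the AutoTrigger rule name plus a minimal event pattern from a finding's GeneratorId. The function names are hypothetical, the sample finding is constructed, the event shape assumes the EventBridge "Security Hub Findings - Imported" event, and the Compliance/Workflow filters are an assumption added so the rule fires only on new, failed findings; copy any further filters from the example rule as the steps instruct.

```python
import re

SUPPORTED_STANDARDS = {"CIS", "AFSBP", "PCI"}

# Role name convention: SO0111-Remediate-<standard>-<version>-<control>
ROLE_NAME_RE = re.compile(
    r"^SO0111-Remediate-(?P<standard>[A-Z]+)-"
    r"(?P<version>\d+(?:\.\d+)*)-(?P<control>[A-Za-z0-9.]+)$"
)

# Constructed sample finding (not real finding data); only the fields used below are set.
SAMPLE_FINDING = {
    "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/5.6",
    "Compliance": {"Status": "FAILED"},
    "Workflow": {"Status": "NEW"},
}

def remediation_role_name(standard, version, control):
    """Build the member-account role name required in Step 2."""
    if standard not in SUPPORTED_STANDARDS:
        raise ValueError(f"unsupported standard: {standard!r}")
    return f"SO0111-Remediate-{standard}-{version}-{control}"

def parse_role_name(name):
    """Validate an existing role name against the convention and return its parts."""
    match = ROLE_NAME_RE.match(name)
    if not match or match["standard"] not in SUPPORTED_STANDARDS:
        raise ValueError(f"not a SHARR remediation role name: {name!r}")
    return match["standard"], match["version"], match["control"]

def auto_trigger_rule(standard, control, finding):
    """Return (rule name, event pattern) for the optional Step 3 rule.
    GeneratorId is taken from the finding JSON, as Step 3 instructs. The
    Compliance/Workflow filters are an added assumption so the rule fires
    only for new, failed findings, not ones already resolved or suppressed.
    """
    pattern = {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": {
            "GeneratorId": [finding["GeneratorId"]],
            "Compliance": {"Status": ["FAILED"]},
            "Workflow": {"Status": ["NEW"]},
        }},
    }
    return f"{standard}_{control}_AutoTrigger", pattern
```

Run parse_role_name over the roles that exist in a member account to catch names that will not be matched by the convention before a finding arrives.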