Design considerations - AWS Security Hub Automated Response and Remediation

Design considerations

AWS Security Hub deployment

AWS Security Hub deployment and configuration is a prerequisite for this solution. For more information about setting up AWS Security Hub, refer to Setting up AWS Security Hub in the AWS Security Hub User Guide.

At minimum, you must have a working Security Hub configured in your primary account. You can deploy this solution in the same account (and AWS Region) as the Security Hub primary account. In each Security Hub primary and secondary account, you must also deploy a spoke template that allows AssumeRole permissions to the solution’s AWS Lambda functions.

Solution updates

To upgrade this solution to the latest version, you must delete the existing stack first and then reinstall the latest version of the stack. For deletion instructions, refer to Uninstall the solution. Note that any log data is retained and there is no loss of operational data.

Stack vs StackSets deployment

A stack set lets you create stacks in AWS accounts across AWS Regions by using a single AWS CloudFormation template. Starting with version 1.4, this solution supports stack set deployment by splitting resources based on where and how they are deployed. Multi-account customers, particularly those using AWS Organizations, can benefit from using stack sets for deployment across many accounts, because stack sets reduce the effort needed to install and maintain the solution. For more information about StackSets, refer to Using AWS CloudFormation StackSets.

Regional deployments

This solution uses AWS Service Catalog and Systems Manager, which are currently available in specific AWS Regions only. The solution works in all of the Regions that support these services. For the most current availability by Region, refer to the AWS Regional Services List.