Automated deployment - StackSets - AWS Security Hub Automated Response and Remediation

Automated deployment - StackSets

Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your AWS Organizations.

Time to deploy: Approximately 15 minutes per account, depending upon StackSet parameters.

Prerequisites

AWS Organizations helps you centrally manage and govern your multi-account AWS environment and resources. StackSets work best with AWS Organizations. If you have previously deployed this solution, you must uninstall the existing solution. For more information, refer to Solution updates.

Before you deploy this solution, review your AWS Security Hub deployment:

  • There must be a delegated Security Hub Admin account in your AWS Organization.

  • Security Hub should be configured to aggregate findings across Regions. For more information, refer to Aggregating findings across Regions in the AWS Security Hub User Guide.

  • You should enable Security Hub for your organization in each Region where you have AWS usage.

This procedure assumes that you have multiple accounts using AWS Organizations, and have delegated an AWS Organizations Admin account and an AWS Security Hub Admin account.

Deployment overview

Note

StackSet deployment for this solution uses a combination of service-managed and self-managed StackSets. Self-managed StackSets are currently required for the templates that use nested stacks, because service-managed StackSets do not yet support nested stacks.

Deploy the StackSets from a delegated administrator account in your AWS Organizations.

Step 1: Launch the Admin stack in the delegated Security Hub Admin account

  • Using a self-managed StackSet, launch the aws-sharr-deploy.template AWS CloudFormation template into your AWS Security Hub Admin account in the same Region as your Security Hub Admin. This template uses nested stacks.

  • Choose which Security Standards to install. By default, all are selected (recommended).

  • Choose an existing Orchestrator log group to use. Select Yes if SO0111-SHARR-Orchestrator already exists from a previous installation.

Step 2: Install the Remediation Roles into each AWS Security Hub Member account

  • Using a service-managed StackSet, launch the aws-sharr-member-roles.template AWS CloudFormation template into a single Region in each account in your AWS Organizations.

  • Choose to install this template automatically when a new account joins the organization.

  • Enter the account ID of your AWS Security Hub Admin account.

Step 3: Launch the Member stack into each AWS Security Hub Member account and Region

  • Using a self-managed StackSet, launch the aws-sharr-member.template AWS CloudFormation template into all Regions where you have AWS resources in every account in your AWS Organization managed by the same Security Hub Admin.

    Note

    Until service-managed StackSets support nested stacks, you must do this step for any new accounts that join the organization.

  • Choose which Security Standard playbooks to install.

  • Provide the name of a CloudTrail logs group (used by some remediations).

  • Enter the account ID of your AWS Security Hub Admin account.

Important

This solution includes an option to send anonymous operational metrics to AWS. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the AWS Privacy Policy.

To opt out of this feature, download the template, modify the AWS CloudFormation mapping section, and then use the AWS CloudFormation console to upload your template and deploy the solution. For more information, refer to the Collection of operational metrics section of this guide.

Step 1. Launch the Admin stack in the delegated Security Hub Admin account

  1. Deploy the Admin stack, aws-sharr-deploy.template, with your Security Hub Admin account. Typically this is deployed once per organization, in a single Region. Because this stack uses nested stacks, you must deploy this template as a self-managed StackSet.

     Figure 6: Configure StackSet options

  2. For the Account numbers parameter, enter the account ID of the AWS Security Hub Admin account.

  3. For the Specify regions parameter, select only the Region where Security Hub Admin is turned on.

  4. Wait for this step to complete before going on to Step 2.

Step 2. Install the remediation roles into each AWS Security Hub Member account

Use a service-managed StackSet to deploy the Member Roles template, aws-sharr-member-roles.template. This StackSet must be deployed in one Region per member account. It defines the global roles that allow cross-account API calls from the SHARR Orchestrator step function.

  1. Deploy to the entire organization (typical) or to organizational units, as per your organization's policies.

  2. Turn on automatic deployment so new accounts in the AWS Organizations receive these permissions.

  3. For the Specify regions parameter, select a single Region. IAM roles are global. You can continue to Step 3 while this StackSet deploys.

     Figure 7: Specify StackSet details

Step 3. Option 1: Launch the Member stack into each AWS Security Hub Member account and Region

Because this stack uses nested stacks, you must deploy as a self-managed StackSet. This does not support automatic deployment to new accounts in the AWS Organization.

Parameters

LogGroup Configuration: Choose the log group that receives CloudTrail logs. If none exists, or if the log group is different for each account, choose a convenient value. Account Administrators must update the Systems Manager – Parameter Store /Solutions/SO0111/Metrics_LogGroupName parameter after creating a CloudWatch Logs Group for CloudTrail logs. This is required for remediations that create metrics alarms on API calls.

Standards: Choose the standards to load in the member account. This only installs the AWS Systems Manager runbooks – it does not enable the Security Standard.

SecHubAdminAccount: Enter the account ID of the AWS Security Hub Admin account where you installed the SHARR Admin template.


Figure 8: Accounts

Deployment locations: You may specify a list of account numbers or organizational units.

Specify regions: Select all of the Regions where you want to remediate findings. You can adjust Deployment options as appropriate for the number of accounts and Regions. Region Concurrency can be parallel.

Step 3. Option 2: Use service-managed stacks to customize and launch in member accounts

By launching the four stacks for the member accounts individually, you can control specifically which remediations are enabled and automatically add new member accounts.

  1. Create a service-managed StackSet to deploy the Remediation runbooks using template aws-sharr-remediations.template. These are the lowest-level AWS Systems Manager documents that each perform a specific remediation action. A Remediation runbook can be used by one or more controls.

  2. For each of the playbooks you decide to support in your Member accounts, create a service-managed StackSet. Within each of these playbooks you can use the parameters to turn on or off the remediation of specific controls. Turning off a remediation for a control prevents installation of the solution runbook.
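The console procedure above (Step 1, Step 2, and both Option 1 and Option 2 of Step 3, plus the Parameter Store follow-up from the LogGroup Configuration note) expressed as AWS CLI calls. This is an added example, not tooling shipped with the solution. It assumes a placeholder template location, placeholder account, OU and Region values, that the self-managed StackSet role pair (AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationStackSetExecutionRole) already exists, and that CloudFormation parameter keys other than SecHubAdminAccount (LogGroupName, the per-control toggles in Option 2) are named as in the real templates; check each template's Parameters section before running. By default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not the solution's own tooling): the StackSet steps in this
# section as AWS CLI calls. Without SHARR_APPLY=1 it only prints the commands
# it would run, so they can be reviewed before anything is created.
set -eu

# Placeholders to replace before use; none of these are real identifiers.
TEMPLATE_BASE="${TEMPLATE_BASE:-https://EXAMPLE-BUCKET.s3.amazonaws.com/sharr}" # assumed template location
SECHUB_ADMIN_ACCOUNT="${SECHUB_ADMIN_ACCOUNT:-111111111111}"   # Security Hub Admin account ID
SECHUB_ADMIN_REGION="${SECHUB_ADMIN_REGION:-us-east-1}"        # Region where Security Hub Admin is on
MEMBER_OU_IDS="${MEMBER_OU_IDS:-r-exmpl}"                      # comma-separated root/OU IDs (service-managed targets)
MEMBER_ACCOUNTS="${MEMBER_ACCOUNTS:-222222222222 333333333333}" # space-separated member accounts (self-managed targets)
MEMBER_REGIONS="${MEMBER_REGIONS:-us-east-1 us-west-2}"        # space-separated Regions that have AWS resources
CLOUDTRAIL_LOG_GROUP="${CLOUDTRAIL_LOG_GROUP:-CloudTrail/DefaultLogGroup}" # value for the LogGroup parameter

# Print the command in dry-run mode; execute it when SHARR_APPLY=1.
run() { if [ "${SHARR_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Poll a StackSet operation until it leaves RUNNING/QUEUED (apply mode only).
wait_for_operation() {
  while :; do
    status="$(aws cloudformation describe-stack-set-operation --stack-set-name "$1" \
      --operation-id "$2" --query StackSetOperation.Status --output text)"
    case "$status" in
      RUNNING|QUEUED) sleep 30 ;;
      SUCCEEDED) return 0 ;;
      *) echo "StackSet operation $2 ended with status $status" >&2; return 1 ;;
    esac
  done
}

# Step 1: Admin stack. Nested stacks force a self-managed StackSet. The script
# waits for the operation because Step 2 must not start before it finishes.
create_admin_stackset() {
  run aws cloudformation create-stack-set --stack-set-name SHARR-Admin \
    --template-url "$TEMPLATE_BASE/aws-sharr-deploy.template" \
    --permission-model SELF_MANAGED \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
  op="$(run aws cloudformation create-stack-instances --stack-set-name SHARR-Admin \
    --accounts "$SECHUB_ADMIN_ACCOUNT" --regions "$SECHUB_ADMIN_REGION" \
    --query OperationId --output text)"
  if [ "${SHARR_APPLY:-0}" = "1" ]; then wait_for_operation SHARR-Admin "$op"; else printf '%s\n' "$op"; fi
}

# Step 2: Member roles. Service-managed with auto-deployment so new accounts get
# the roles; one Region because IAM roles are global. --call-as DELEGATED_ADMIN
# is needed because this runs from the delegated administrator account.
# The SecHubAdminAccount parameter key is assumed for this template.
create_member_roles_stackset() {
  run aws cloudformation create-stack-set --stack-set-name SHARR-Member-Roles \
    --template-url "$TEMPLATE_BASE/aws-sharr-member-roles.template" \
    --permission-model SERVICE_MANAGED --call-as DELEGATED_ADMIN \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters "ParameterKey=SecHubAdminAccount,ParameterValue=$SECHUB_ADMIN_ACCOUNT"
  run aws cloudformation create-stack-instances --stack-set-name SHARR-Member-Roles \
    --call-as DELEGATED_ADMIN --deployment-targets "OrganizationalUnitIds=$MEMBER_OU_IDS" \
    --regions "$SECHUB_ADMIN_REGION"
}

# Step 3, Option 1: Member stack in every Region with resources. Self-managed
# again (nested stacks), so re-run it for accounts that join later. The account
# and Region lists are intentionally unquoted so they split into separate
# arguments. LogGroupName is an assumed parameter key.
create_member_stackset() {
  run aws cloudformation create-stack-set --stack-set-name SHARR-Member \
    --template-url "$TEMPLATE_BASE/aws-sharr-member.template" \
    --permission-model SELF_MANAGED \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --parameters "ParameterKey=SecHubAdminAccount,ParameterValue=$SECHUB_ADMIN_ACCOUNT" \
                 "ParameterKey=LogGroupName,ParameterValue=$CLOUDTRAIL_LOG_GROUP"
  run aws cloudformation create-stack-instances --stack-set-name SHARR-Member \
    --accounts $MEMBER_ACCOUNTS --regions $MEMBER_REGIONS \
    --operation-preferences RegionConcurrencyType=PARALLEL,MaxConcurrentPercentage=100,FailureTolerancePercentage=0
}

# Step 3, Option 2: one service-managed StackSet per template (remediation
# runbooks, then each playbook), which auto-deploys to new accounts. $3 is an
# optional space-separated list of ParameterKey=...,ParameterValue=... pairs,
# e.g. the per-control on/off toggles (key names come from each template).
create_service_managed_member_stackset() {
  params="${3:-}"
  run aws cloudformation create-stack-set --stack-set-name "$1" \
    --template-url "$TEMPLATE_BASE/$2" \
    --permission-model SERVICE_MANAGED --call-as DELEGATED_ADMIN \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_NAMED_IAM ${params:+--parameters $params}
  run aws cloudformation create-stack-instances --stack-set-name "$1" \
    --call-as DELEGATED_ADMIN --deployment-targets "OrganizationalUnitIds=$MEMBER_OU_IDS" \
    --regions $MEMBER_REGIONS
}

# Per-account follow-up from the LogGroup Configuration note: once a CloudWatch
# Logs group for CloudTrail exists, point the solution at it.
set_cloudtrail_log_group_parameter() {
  run aws ssm put-parameter --name /Solutions/SO0111/Metrics_LogGroupName \
    --type String --overwrite --value "$1"
}

main() {
  create_admin_stackset
  create_member_roles_stackset
  create_member_stackset
  # Option 2 instead of create_member_stackset (playbook template name is a placeholder):
  # create_service_managed_member_stackset SHARR-Remediations aws-sharr-remediations.template
  # create_service_managed_member_stackset SHARR-Playbook-EXAMPLE EXAMPLE-playbook.template \
  #   "ParameterKey=EXAMPLE_CONTROL_TOGGLE,ParameterValue=no"
}
main
```

Run it as-is to review the generated commands; set SHARR_APPLY=1 together with real account, OU, Region and template values to execute them. Only Step 1 is awaited, matching the page's ordering requirement; Steps 2 and 3 may run concurrently. Keep FailureTolerancePercentage at 0 on the first run so a failing account or Region stops the rollout where it can still be inspected.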