Automated deployment - AWS Security Hub Automated Response and Remediation

Automated deployment

Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately 10 minutes

Prerequisites

Before you deploy this solution, ensure that AWS Security Hub is in the same AWS Region as your primary and secondary accounts. If you have previously deployed this solution, you will need to uninstall the existing solution. For more information, refer to Solution updates.

Deployment overview

Use the following steps to deploy this solution on AWS.

Step 1. Launch the stack

  • Launch the AWS CloudFormation template into your AWS account.

Step 2. Configure service catalog portfolio permissions

  • Grant access to IAM users.

Step 3. Deploy the playbook(s)

  • Install or upgrade the CIS or AFSBP playbooks.

Step 1. Launch the stack

This automated AWS CloudFormation template deploys the AWS Security Hub Automated Response and Remediation solution in the AWS Cloud. Before you launch the stack, you must enable Security Hub and complete the prerequisites.

Note

You are responsible for the cost of the AWS services used while running this solution. For more details, refer to the Cost section in this guide, and to the pricing webpage for each AWS service used in this solution.

  1. Sign in to the AWS Management Console from the account where the AWS Security Hub is currently configured, and use the button below to launch the aws-sharr-deploy.template AWS CloudFormation template.

    aws-sharr-deploy.template launch button

    You can also download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.

    Note

    This solution uses AWS Service Catalog and AWS Systems Manager, which are currently available in specific AWS Regions only. The solution works in all of the Regions that support these services. For the most current availability by Region, refer to the AWS Regional Services List.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and then choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, see IAM and STS limits in the AWS Identity and Access Management User Guide.

  5. On the Parameters page, choose Next.

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Create stack to deploy the stack.

You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 10 minutes.
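The following script is an added example, not part of the AWS solution documentation: it performs Step 1 (launch the stack and wait for CREATE_COMPLETE) and the first option of Step 2 (add an IAM user to a solution group) with the AWS CLI instead of the console. The stack name, the SHARR_RUN guard and the template URL are assumptions; the URL is a placeholder that you replace with the Amazon S3 URL shown on the Create stack page.

```shell
#!/bin/sh
# Added example (not part of the AWS solution documentation): scripted
# equivalent of the Step 1 and Step 2 console walk-through using the AWS CLI.
# STACK_NAME, SHARR_RUN and TEMPLATE_URL are assumptions; the URL is a placeholder.
set -eu

STACK_NAME="${STACK_NAME:-sharr-deploy}"
REGION="${AWS_REGION:-us-east-1}"
# Placeholder: use the Amazon S3 URL shown on the Create stack page.
TEMPLATE_URL="${TEMPLATE_URL:-https://PLACEHOLDER-BUCKET.s3.amazonaws.com/aws-sharr-deploy.template}"

# The solution creates IAM resources with fixed names (for example the
# SO0111-SHARR_Catalog_* groups), so CAPABILITY_NAMED_IAM is required. This is
# the CLI equivalent of the IAM acknowledgement checkbox on the Review page.
required_capability() {
  printf 'CAPABILITY_NAMED_IAM\n'
}

# Pull StackStatus out of `aws cloudformation describe-stacks` JSON output
# without depending on jq.
stack_status_from_json() {
  printf '%s' "$1" \
    | grep -o '"StackStatus": *"[A-Z_]*"' \
    | head -n 1 \
    | sed 's/.*"\([A-Z_]*\)"$/\1/'
}

# Succeeds only for a healthy terminal state; ROLLBACK_* and *_FAILED fail,
# so a partially created stack is never treated as deployed.
deployment_ok() {
  case "$(stack_status_from_json "$1")" in
    CREATE_COMPLETE|UPDATE_COMPLETE) return 0 ;;
    *) return 1 ;;
  esac
}

launch_stack() {
  aws cloudformation create-stack \
    --region "$REGION" \
    --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" \
    --capabilities "$(required_capability)"
  # Blocks until CREATE_COMPLETE and returns non-zero on failure or rollback.
  aws cloudformation wait stack-create-complete \
    --region "$REGION" --stack-name "$STACK_NAME"
}

# Step 2, first option: add an existing IAM user to the solution's user group,
# which allows deploying, updating and terminating playbooks from the portfolio.
add_catalog_user() {
  aws iam add-user-to-group \
    --group-name SO0111-SHARR_Catalog_User \
    --user-name "$1"
}

main() {
  launch_stack
  status_json="$(aws cloudformation describe-stacks \
    --region "$REGION" --stack-name "$STACK_NAME")"
  deployment_ok "$status_json" || {
    echo "stack $STACK_NAME is not in a healthy state" >&2
    exit 1
  }
  add_catalog_user "${CATALOG_USER:?set CATALOG_USER to an IAM user name}"
}

# Only talk to AWS when explicitly asked, so the helpers can be sourced on their own.
if [ "${SHARR_RUN:-0}" = "1" ]; then
  main
fi
```

Run it with `SHARR_RUN=1 CATALOG_USER=<user> TEMPLATE_URL=<url> sh deploy.sh` from credentials in the Security Hub primary account. The status check deliberately treats ROLLBACK_COMPLETE as a failure: the console shows it as a finished stack, but none of the solution's resources exist in that state.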

Note

The solution deploys the aws-sharr-deploy.template into your AWS account. The template includes an input parameter that controls whether anonymous operational data is sent; it defaults to Yes. The automated deployment creates the foundation components needed for the automated response and remediation playbooks in AWS Service Catalog. The playbooks themselves are deployed from an AWS Service Catalog portfolio that is created in your Security Hub primary account after you deploy the template.

Step 2. Configure service catalog portfolio permissions

Note

If you are deploying this solution in an AWS Region in China, skip this step and refer to Deploy the solution playbooks in AWS Regions in China to deploy the solution playbooks.

To grant access to IAM users, do one of the following:

  • Add them to the default solution IAM groups

  • Add IAM users, roles, or groups to the AWS Service Catalog portfolio

For more information, refer to Creating IAM Roles in the AWS Identity and Access Management User Guide.

With the applicable permissions, users will have access to the Products and Provisioned Products menu in AWS Service Catalog.

Solution IAM groups

By default, access to the AWS Security Hub Automated Response and Remediation’s Service Catalog portfolio is limited to members of the following IAM groups created by the solution.

SO0111-SHARR_Catalog_Admin: Members of this group have administrative access to the solution’s portfolio, Security Hub Playbooks (SO0111).

SO0111-SHARR_Catalog_User: Members of this group can deploy, update, and terminate playbooks in the solution’s portfolio, Security Hub Playbooks (SO0111).

Use the following process to grant IAM users access and add them to groups.

  1. From the Security Hub primary account, navigate to the IAM console.

  2. From the IAM menu, select Groups.

  3. To filter the list to the solution’s groups, enter SO0111 in the search box.

  4. Choose Add users to group.

  5. Choose the IAM users.

  6. Choose Add users.

User IAM permissions

Use the following process to add existing IAM users, roles, or groups, and to grant AWS Service Catalog permissions.

  1. From the Security Hub primary account, navigate to the AWS Service Catalog console.

  2. From the Administration menu, choose Portfolios.

  3. Choose Security Hub Playbooks (SO0111).

  4. Choose the Groups, roles, and users tab, and then choose Add groups, roles, users.

  5. Choose the appropriate IAM entity type.

  6. Use the search box to locate the IAM entities to grant access to. The selected IAM entity must already have IAM permissions that allow access to AWS Service Catalog.

  7. Choose the entities to add and then choose Add access.

Step 3. Deploy the playbook(s)

Note

If you are deploying this solution in an AWS Region in China, skip this step and refer to Deploy the solution playbooks in AWS Regions in China to deploy the solution playbooks.

AWS Security Hub Automated Response and Remediation currently includes the CIS v1.2.0 and AFSBP v1.0.0 playbooks. To install and upgrade playbooks, use AWS Service Catalog.

Prerequisite

Before you deploy playbooks, verify that you have access to the AWS Service Catalog products.

Playbook: CIS v1.2.0

  1. From the Security Hub primary account, navigate to AWS Service Catalog in the AWS Management Console.

  2. From the left navigation menu, select Products.

  3. Confirm that CIS appears in the list of product names.

Deployment – Admin account

  1. From the Security Hub Admin account, navigate to the AWS Service Catalog and choose CIS.

  2. Choose Launch Product.

  3. Enter a name for the instance. For example, CIS-v-1-2-0.

  4. Choose the latest version.

  5. Choose Next.

    On the Parameters page, each individual remediation has the option to be invoked automatically when a matching Amazon CloudWatch Logs event occurs for the finding. Use this option with care: the remediations cannot be automatically undone. By default, automatic initiation is turned off for all remediations. Make your selections and then choose Next.

Member account deployment – CIS v1.2.0

After you successfully deploy the solution in the admin account, and deploy the CIS playbooks from AWS Service Catalog, you must set up permissions in every account where security findings are to be remediated. This is required for the solution’s automation functions.

    CISPermissions.template button

Select the button to download the CISPermissions.template AWS CloudFormation template and then deploy it to the secondary accounts.

You can either use AWS CloudFormation StackSets, or manually sign in to each account and then deploy the permissions template.

Playbook: AFSBP v1.0.0

The AWS Foundational Security Best Practices (AFSBP) playbook uses a loosely coupled architecture in which remediation is performed by AWS Systems Manager runbooks. This allows more granular control at the account level: account owners choose which remediations to activate in their account through the AFSBP Member template parameters.

  1. From the Security Hub primary account, navigate to AWS Service Catalog in the AWS Management Console.

  2. From the left navigation menu, select Products.

  3. Confirm that AFSBP appears in the list of product names.

Deployment – Admin account

  1. From the Security Hub Admin account, navigate to the AWS Service Catalog and choose AFSBP.

  2. Choose Launch Product.

  3. Enter a name for the instance. For example, AFSBP-v100.

  4. Choose the latest version.

  5. Choose Next.

    On the Parameters page, each individual remediation has the option to be invoked automatically when a matching Amazon CloudWatch Logs event occurs for the finding.

    Note

    Use this option with caution. The automated remediations cannot be undone. By default, automatic initiation is turned off for all remediations.

    Some remediations might result in additional AWS Service costs. You can select which remediations you want to install to avoid additional costs.

  6. Make your selections and then choose Next.

Member account deployment – AFSBP v1.0.0

After you successfully deploy the solution in the Admin account, and deploy the AFSBP Admin component from AWS Service Catalog, you must deploy the AFSBP Member template to any account where security findings are to be remediated (including the Admin account). This is required for the solution's automation functions. This template installs IAM roles and AWS Systems Manager runbooks in the member account.

    AFSBPMemberStack.template button

Select the button to download the AFSBPMemberStack.template AWS CloudFormation template and then deploy it to the secondary accounts.

You can use AWS CloudFormation StackSets, or manually sign in to each account and then deploy the Member template.
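The following script is an added example, not part of the AWS solution documentation: it deploys a downloaded member-account template (CISPermissions.template or AFSBPMemberStack.template) to a list of member accounts with AWS CloudFormation StackSets from the Security Hub primary account, as the StackSets option above describes for both the CIS and AFSBP playbooks. The stack set name, the environment variables and the account-ID validation are assumptions; the template file is whichever one you downloaded from the button above.

```shell
#!/bin/sh
# Added example (not part of the AWS solution documentation): fan the member
# template out to several accounts with CloudFormation StackSets.
# STACK_SET_NAME, MEMBER_TEMPLATE, MEMBER_ACCOUNTS and SHARR_RUN are assumptions.
set -eu

REGION="${AWS_REGION:-us-east-1}"

# AWS account IDs are exactly 12 decimal digits. Catch typos before the
# StackSet operation fans out to a wrong or nonexistent account.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate every account in a space-separated list and print the bad ones.
invalid_accounts() {
  bad=""
  for a in $1; do
    valid_account_id "$a" || bad="$bad $a"
  done
  printf '%s' "${bad# }"
}

deploy_member_template() {
  stack_set="$1"; template="$2"; accounts="$3"
  bad="$(invalid_accounts "$accounts")"
  if [ -n "$bad" ]; then
    echo "invalid account id(s): $bad" >&2
    return 1
  fi
  # The member templates install IAM roles; CAPABILITY_NAMED_IAM acknowledges
  # both named and unnamed IAM resources, so it is the safe choice here.
  aws cloudformation create-stack-set \
    --region "$REGION" \
    --stack-set-name "$stack_set" \
    --template-body "file://$template" \
    --capabilities CAPABILITY_NAMED_IAM
  # One stack instance per member account, in the same Region as Security Hub
  # (a prerequisite of this guide). Word-splitting of $accounts is intended.
  aws cloudformation create-stack-instances \
    --region "$REGION" \
    --stack-set-name "$stack_set" \
    --accounts $accounts \
    --regions "$REGION"
}

# Only talk to AWS when explicitly asked, so the helpers can be sourced on their own.
if [ "${SHARR_RUN:-0}" = "1" ]; then
  deploy_member_template \
    "${STACK_SET_NAME:-sharr-member-permissions}" \
    "${MEMBER_TEMPLATE:-CISPermissions.template}" \
    "${MEMBER_ACCOUNTS:?set MEMBER_ACCOUNTS to a space-separated list of account IDs}"
fi
```

Run it as `SHARR_RUN=1 MEMBER_TEMPLATE=AFSBPMemberStack.template MEMBER_ACCOUNTS="111111111111 222222222222" sh deploy-members.sh` (constructed account IDs). StackSets with self-managed permissions also require the StackSet administration role in the primary account and the execution role in each target account; if those are missing, create-stack-instances reports the failure per account rather than at submission time, so check the operation result before assuming every member is covered.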