Automated deployment - Stacks - AWS Security Hub Automated Response and Remediation

Automated deployment - Stacks

Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately 15 minutes

Prerequisites

Before you deploy this solution, ensure that AWS Security Hub is in the same AWS Region as your primary and secondary accounts. If you have previously deployed this solution, you must uninstall the existing solution. For more information, refer to Solution updates.

Deployment overview

Use the following steps to deploy this solution on AWS.

Step 1. Launch the Admin stack

  • Launch the aws-sharr-deploy.template AWS CloudFormation template into your AWS Security Hub Admin account.

  • Choose which Security Standards to install.

  • Choose whether to reuse an existing Orchestrator log group (select Yes if SO0111-SHARR-Orchestrator already exists from a previous installation).

Step 2. Launch the Member stack

  • Specify the name of the CloudWatch Logs group to use with CIS 3.1-3.14 remediations. It must be the name of a CloudWatch Logs log group that receives CloudTrail logs.

  • Choose whether to install the Remediation Roles. Install these roles only once per account.

  • Select which playbooks to install.

  • Enter the account ID of the AWS Security Hub Admin account.

Step 3. (Optional) Adjust the available remediations

  • Remove any remediations on a per-member account basis. This step is optional.

Step 1. Launch the Admin stack

Important

This solution includes an option to send anonymous operational metrics to AWS. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the AWS Privacy Policy.

To opt out of this feature, download the template, modify the AWS CloudFormation mapping section, and then use the AWS CloudFormation console to upload your template and deploy the solution. For more information, refer to the Collection of operational metrics section of this guide.

This automated AWS CloudFormation template deploys the AWS Security Hub Automated Response and Remediation solution in the AWS Cloud. Before you launch the stack, you must enable Security Hub and complete the prerequisites.

Note

You are responsible for the cost of the AWS services used while running this solution. For more details, refer to the Cost section in this guide and to the pricing webpage for each AWS service used in this solution.

  1. Sign in to the AWS Management Console from the account where AWS Security Hub is currently configured, and use the button below to launch the aws-sharr-deploy.template AWS CloudFormation template.

    [Launch button: aws-sharr-deploy.template]

    You can also download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.

    Note

    This solution uses AWS Service Catalog and AWS Systems Manager, which are currently available in specific AWS Regions only. The solution works in all of the Regions that support these services. For the most current availability by Region, refer to the AWS Regional Services List.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and then choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS limits in the AWS Identity and Access Management User Guide.

  5. On the Parameters page, specify the following parameters and choose Next.

    • For each security standard, specify whether to install the Admin components for automated remediation.

    • Select whether or not to reuse an existing SO0111-SHARR-Orchestrator CloudWatch Logs group. This simplifies reinstallation and upgrades without losing log data from a previous version. If you are upgrading from v1.2 or above, choose Yes.

    Figure 2: Admin stack details

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Create stack to deploy the stack.

You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.

Step 2. Install the remediation roles into each AWS Security Hub Member account

The aws-sharr-member-roles.template StackSet must be deployed in only one Region per member account. It defines the global roles that allow cross-account API calls from the SHARR Orchestrator step function.

  1. Sign in to the AWS Management Console for each AWS Security Hub member account (including the Admin account, which is also a member). Select the button to launch the aws-sharr-member-roles.template AWS CloudFormation template. You can also download the template as a starting point for your own implementation.

    [Launch button: aws-sharr-member-roles.template]

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and then choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS limits in the AWS Identity and Access Management User Guide.

  5. On the Parameters page, specify the following parameters and choose Next.

    • Enter the 12-digit account ID for the AWS Security Hub Admin account. This value grants permissions to the Admin account’s solution role.

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 5 minutes. You may continue with the next step while this stack loads.

Step 3. Launch the Member stack

Important

This solution includes an option to send anonymous operational metrics to AWS. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the AWS Privacy Policy.

To opt out of this feature, download the template, modify the AWS CloudFormation mapping section, and then use the AWS CloudFormation console to upload your template and deploy the solution. For more information, refer to the Collection of operational metrics section of this guide.

The aws-sharr-member stack must be installed into each Security Hub member account. This stack defines the runbooks for automated remediation. The admin for each member account can control what remediations are available via this stack.

  1. Sign in to the AWS Management Console from the account where AWS Security Hub is currently configured, and use the button below to launch the aws-sharr-member.template AWS CloudFormation template.

    [Launch button: aws-sharr-member.template]

    You can also download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.

    Note

    This solution uses AWS Systems Manager, which is currently available in the majority of AWS Regions. The solution works in all of the Regions that support this service. For the most current availability by Region, refer to the AWS Regional Services List.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and then choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS limits in the AWS Identity and Access Management User Guide.

  5. On the Parameters page, specify the following parameters and choose Next.

    • Specify the name of the CloudWatch Logs log group to which CloudTrail delivers its API call logs. This log group is used for the CIS 3.1-3.14 remediations.

    • For each security standard, indicate whether to install the member stack components for automated remediation, which include IAM roles and AWS Systems Manager runbooks.

    • Enter the 12-digit account ID for the AWS Security Hub Admin account.

    Figure 3: Member stack details

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Create stack to deploy the stack.

You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.
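The Member stack's two hand-entered parameters (the CloudTrail log group for the CIS 3.1-3.14 remediations and the 12-digit Admin account ID) are easy to get wrong, and a wrong log group silently leaves those remediations without data. The following pre-flight check is an added example, not part of the solution or of AWS's templates; it assumes the trail list has the shape returned by `aws cloudtrail describe-trails` (the `CloudWatchLogsLogGroupArn` field), and the sample trails and account IDs are constructed.

```python
"""Pre-flight validation of SHARR Member stack parameters (added example)."""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# CloudWatch Logs log-group ARN as CloudTrail reports it in DescribeTrails:
# arn:<partition>:logs:<region>:<account>:log-group:<name>:*
LOG_GROUP_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):logs:(?P<region>[^:]+):(?P<account>\d{12})"
    r":log-group:(?P<name>[^:]+):\*$"
)


def is_valid_account_id(value: str) -> bool:
    """The Admin account parameter must be exactly 12 digits: no hyphens or spaces."""
    return bool(ACCOUNT_ID_RE.match(value))


def trails_delivering_to(trails, log_group_name, region, account_id):
    """Names of trails whose CloudWatch Logs destination is the given log group."""
    matches = []
    for trail in trails:
        arn = trail.get("CloudWatchLogsLogGroupArn")  # absent when no CWL delivery
        m = LOG_GROUP_ARN_RE.match(arn) if arn else None
        if m and (m["name"], m["region"], m["account"]) == (log_group_name, region, account_id):
            matches.append(trail["Name"])
    return matches


def preflight(trails, log_group_name, region, member_account_id, admin_account_id):
    """Collect parameter problems; an empty list means the stack can be launched."""
    issues = []
    if not is_valid_account_id(admin_account_id):
        issues.append(f"admin account ID {admin_account_id!r} is not 12 digits")
    if not trails_delivering_to(trails, log_group_name, region, member_account_id):
        issues.append(f"no trail in {region} delivers to log group {log_group_name!r}")
    return issues


# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
SAMPLE_TRAILS = [
    {"Name": "management-events", "HomeRegion": "us-east-1",
     "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/DefaultLogGroup:*"},
    {"Name": "s3-only", "HomeRegion": "us-east-1"},  # S3 delivery only, no CWL
]

if __name__ == "__main__":
    print(preflight(SAMPLE_TRAILS, "CloudTrail/DefaultLogGroup",
                    "us-east-1", "111122223333", "444455556666"))
```

In a real run, replace `SAMPLE_TRAILS` with the `trailList` from `aws cloudtrail describe-trails` in the member account and Region where you are launching the stack.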

Step 4: (Optional) Adjust the available remediations

If you want to remove specific remediations from a member account, you can do so by updating the nested stack for the security standard. For simplicity, the nested stack options are not propagated to the root stack.

  1. Sign in to the AWS CloudFormation console and select the nested stack.

  2. Choose Update.

  3. Select Update nested stack and choose Update stack.

    Figure 4: Update nested stack

  4. Select Use current template and choose Next.

  5. Adjust the available remediations.

    Note

    Turning off a remediation removes the solution's remediation runbook for that security standard and control.

    Figure 5: Adjust available remediations

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Update stack.

You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.