Automated deployment - AWS Security Hub Automated Response and Remediation

Automated deployment

Before you launch the solution, review the architecture, configuration, network security, and other considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Important

To upgrade this solution to the current version, you must delete the existing stack. For deletion instructions, refer to Appendix E.

Time to deploy: Approximately 10 minutes

Prerequisites

Before you deploy this solution, ensure that AWS Security Hub is enabled, in the same AWS Region, in both your primary account and your secondary accounts.
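A preflight check for the two conditions above (Security Hub enabled in the Region for each account, and no leftover deployment, since upgrading requires deleting the existing stack first), as an added example that is not part of the AWS guide or the solution's code. It takes boto3-style clients as arguments so it can run offline against stubs; for a live run, pass `boto3.Session(region_name=...).client("securityhub")` and `.client("iam")` for the primary account and a `securityhub` client per member account. The existing-deployment check looks for the SO0111-SHARR_Catalog_* IAM groups the solution creates.

```python
"""Preflight checks before launching aws-sharr-deploy.template.
Added example, not code from the AWS solution. Clients are injected so the
checks run offline with stubs; the group names are those the solution creates."""

SOLUTION_GROUPS = ("SO0111-SHARR_Catalog_Admin", "SO0111-SHARR_Catalog_User")


def _error_code(exc):
    """AWS error code from a botocore ClientError-like exception ('' if none)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def security_hub_enabled(securityhub):
    """True if Security Hub is enabled for the account and Region behind this client.
    DescribeHub raises InvalidAccessException when the account is not subscribed."""
    try:
        securityhub.describe_hub()
        return True
    except Exception as exc:  # botocore.exceptions.ClientError on a live client
        if _error_code(exc) == "InvalidAccessException":
            return False
        raise


def existing_solution_groups(iam):
    """Solution-created IAM groups already present (an old stack must be deleted first)."""
    present = []
    for name in SOLUTION_GROUPS:
        try:
            iam.get_group(GroupName=name)
            present.append(name)
        except Exception as exc:
            if _error_code(exc) != "NoSuchEntityException":
                raise
    return present


def preflight(accounts):
    """accounts: {label: {"securityhub": client, "iam": client (primary account only)}}.
    Returns the list of blocking issues; an empty list means ready to launch the stack."""
    issues = []
    for label, clients in accounts.items():
        if not security_hub_enabled(clients["securityhub"]):
            issues.append(f"{label}: Security Hub is not enabled in this Region")
        for group in (existing_solution_groups(clients["iam"]) if "iam" in clients else []):
            issues.append(f"{label}: existing deployment found ({group}); delete the old stack first")
    return issues
```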

Deployment overview

Use the following steps to deploy this solution on AWS.

Step 1. Launch the stack

This automated AWS CloudFormation template deploys the AWS Security Hub Automated Response and Remediation solution in the AWS Cloud. Before you launch the stack, you must enable Security Hub and complete the prerequisites.

Note

You are responsible for the cost of the AWS services used while running this solution. For more details, visit the Cost section in this guide, and refer to the pricing webpage for each AWS service used in this solution.

  1. Sign in to the AWS Management Console from the account where AWS Security Hub is currently configured, and use the launch button to launch the aws-sharr-deploy.template AWS CloudFormation template.

    You can also download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.

    Note

    This solution uses AWS Service Catalog and AWS Systems Manager, which are currently available in specific AWS Regions only. The solution works in all of the Regions that support these services. For the most current availability by Region, refer to the AWS Regional Services List.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and then choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, see IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  5. On the Parameters page, choose Next.

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Create stack to deploy the stack.

You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 10 minutes.

Note

The solution deploys the aws-sharr-deploy.template into your AWS account. The template takes an input that controls whether anonymous data is sent; it defaults to Yes. The automated deployment creates the foundation components needed for automated response and remediation playbooks in AWS Service Catalog. The playbooks themselves are deployed from an AWS Service Catalog portfolio that is created in your Security Hub primary account after you deploy the template.

Step 2. Configure service catalog portfolio permissions

Note

If you are deploying this solution in an AWS Region in China, skip this step and refer to Appendix A to deploy the solution playbooks.

To grant access to IAM users, do one of the following:

  • Add them to the default solution IAM groups

  • Add IAM users, roles, or groups to the AWS Service Catalog portfolio

For more information, refer to Creating IAM Roles in the AWS Identity and Access Management User Guide.

With the applicable permissions, users will have access to the Products and Provisioned Products menu in AWS Service Catalog.

Solution IAM groups

By default, access to the AWS Security Hub Automated Response and Remediation’s Service Catalog portfolio is limited to members of the following IAM groups created by the solution.

SO0111-SHARR_Catalog_Admin: This group gives its members administrative access to the solution’s portfolio, Security Hub Playbooks (SO0111).

SO0111-SHARR_Catalog_User: This group allows its members to deploy, update, and terminate playbooks in the solution’s portfolio, Security Hub Playbooks (SO0111).

Use the following process to grant IAM users access and add them to groups.

  1. From the Security Hub primary account, navigate to the IAM console.

  2. From the IAM menu, select Groups.

  3. To filter the list to the solution's groups, enter SO0111 in the search box.

  4. Choose Add users to group.

  5. Choose the IAM users.

  6. Choose Add users.

User IAM permissions

Use the following process to add existing IAM users, roles, or groups, and to grant AWS Service Catalog permissions.

  1. From the Security Hub primary account, navigate to the AWS Service Catalog console.

  2. From the Administration menu, choose Portfolios.

  3. Choose Security Hub Playbooks (SO0111).

  4. Choose the Groups, roles, and users tab, and then choose Add groups, roles, users.

  5. Choose the appropriate IAM entity type.

  6. Use the search box to locate the IAM entities to grant access to. Note that the IAM entity selected must have permissions configured to allow AWS Service Catalog access.

  7. Choose the entities to add and then choose Add access.

Step 3. Deploy the playbook(s)

Note

If you are deploying this solution in an AWS Region in China, skip this step and refer to Appendix A to deploy the solution playbooks.

AWS Security Hub Automated Response and Remediation Version currently includes the CIS v1.2.0 playbook. Future releases might include additional playbooks. To install and upgrade playbooks, use AWS Service Catalog.

Prerequisite

Before you deploy playbooks, verify that you have access to the AWS Service Catalog products:

  1. From the Security Hub primary account, navigate to AWS Service Catalog in the AWS Management Console.

  2. From the left navigation menu, open Products.

  3. Confirm that CIS appears in the list of product names.

Deployment

  1. From the Security Hub primary account, navigate to the AWS Service Catalog console and choose CIS.

  2. Choose Launch Product.

  3. Enter a name for the instance. For example, CIS-v-1-2-0.

  4. Choose the latest version.

  5. Choose Next.

    On the Parameters page, each individual remediation has the option to be triggered automatically when a matching CloudWatch Logs event occurs for the finding. Use with care. The remediations cannot be automatically undone. By default, the automatic trigger is disabled for all remediations. Make your selections and then choose Next.

Step 4. Deploy the solution permissions

After you successfully deploy the solution in the primary account and deploy the CIS playbooks from AWS Service Catalog, you must set up permissions in any secondary member accounts where security findings are to be remediated. This is required for the solution's automation functions.

Use the download button to download the CISPermission.template AWS CloudFormation template, and then deploy it to the secondary accounts.

You can either use AWS CloudFormation StackSets, or sign in to each account manually and deploy the permissions template there.
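Deploying the permissions template to every member account programmatically and confirming each stack reaches CREATE_COMPLETE, as an added example that is not part of the AWS guide or the solution's code. It assumes one CloudFormation client per secondary account (for example, from an assumed cross-account role), a template URL where you host the downloaded CISPermission.template, and that the template takes no parameters (an assumption; check the template you downloaded). The stack name is a constructed value.

```python
"""Deploy CISPermission.template to each secondary member account.
Added example, not code from the AWS solution. CloudFormation clients are
injected (one per account) so the logic can be exercised offline with stubs."""
import time

STACK_NAME = "SO0111-SHARR-CISPermissions"  # constructed example name
TERMINAL = {"CREATE_COMPLETE", "CREATE_FAILED", "ROLLBACK_COMPLETE", "ROLLBACK_FAILED"}


def stack_status(cfn, stack_name):
    """Current StackStatus, or None if the stack does not exist in this account."""
    try:
        return cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["StackStatus"]
    except Exception as exc:  # botocore ClientError: "Stack with id ... does not exist"
        if "does not exist" in str(exc):
            return None
        raise


def deploy_permissions(cfn, template_url, stack_name=STACK_NAME, poll=5.0, sleep=time.sleep):
    """Create the permissions stack if absent and wait for a terminal status.
    Returns that status; anything other than CREATE_COMPLETE needs investigation."""
    if stack_status(cfn, stack_name) is None:
        cfn.create_stack(
            StackName=stack_name,
            TemplateURL=template_url,
            Capabilities=["CAPABILITY_NAMED_IAM"],  # the template creates IAM resources
        )
    while True:
        status = stack_status(cfn, stack_name)
        if status in TERMINAL:
            return status
        sleep(poll)


def deploy_to_members(member_clients, template_url, **kwargs):
    """member_clients: {account_id: cfn_client}. Returns {account_id: final status}."""
    return {acct: deploy_permissions(cfn, template_url, **kwargs)
            for acct, cfn in member_clients.items()}
```

Accounts whose stack ends in ROLLBACK_COMPLETE appear in the returned map by status, so the result doubles as the checklist of members whose permissions still need attention.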
