Automatically address security threats with predefined response and remediation actions in AWS Security Hub

Publication date: August 2020 (last update: September 2021)

The continued evolution of security threats makes it difficult, expensive, and time-consuming for security teams to react. The AWS Security Hub Automated Response and Remediation solution helps you quickly react to address these threats by providing predefined response and remediation actions based on industry compliance standards and best practices.

This solution is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. This solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.

You can select specific playbooks to deploy in your Security Hub primary account. Each playbook contains the necessary custom actions, Identity and Access Management (IAM) roles, Amazon CloudWatch Events, AWS Systems Manager automation documents, AWS Lambda functions, and AWS Step Functions needed to start a remediation workflow within a single AWS account, or across multiple accounts. Remediations work from the Actions menu in AWS Security Hub and allow authorized users to remediate a finding across all of their AWS Security Hub-managed accounts with a single click. For example, you can apply recommendations from the Center for Internet Security (CIS) AWS Foundations Benchmark, a compliance standard for securing AWS resources, to ensure passwords expire within 90 days and enforce encryption of event logs stored in AWS.

Note

Remediation is intended for emergent situations that require immediate action. This solution makes changes to remediate findings only when initiated by you via the AWS Security Hub Management console. To revert these changes, you must manually put resources back in their original state.

When remediating AWS resources that were deployed as part of a CloudFormation stack, be aware that the change might cause stack drift. When possible, remediate stack resources by modifying the code that defines them and updating the stack. For more information, refer to What is drift? in the AWS CloudFormation User Guide.

AWS Security Hub Automated Response and Remediation includes playbook remediations for the controls defined in the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices (AFSBP) v1.0.0, and the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1. For more information, refer to Playbooks.
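The custom-action flow described earlier (a Security Hub custom action delivering a CloudWatch Events event that starts a playbook) and the three standards listed above, as an added example that is not part of the solution's own code: a Python routine that accepts only the custom-action event type, parses each finding's GeneratorId, and maps FAILED findings for allowlisted controls to a runbook. The GeneratorId formats and the runbook names are assumptions, and the sample event is constructed.

```python
import re
# Standards the guide names, keyed by (standard, version); runbook names are hypothetical placeholders.
PLAYBOOKS = {
    ("cis-aws-foundations-benchmark", "1.2.0"): {"1.11": "HYPOTHETICAL-CIS-1.11"},
    ("aws-foundational-security-best-practices", "1.0.0"): {"IAM.7": "HYPOTHETICAL-AFSBP-IAM.7"},
    ("pci-dss", "3.2.1"): {"PCI.IAM.1": "HYPOTHETICAL-PCI-IAM.1"},
}
# GeneratorId shapes of Security Hub standards findings (assumed formats), e.g.
# arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.11 or pci-dss/v/3.2.1/PCI.IAM.1
GENERATOR_RE = re.compile(r"(?:^|/)([a-z0-9-]+)/v/(\d+\.\d+\.\d+)/(?:rule/)?([A-Za-z0-9.]+)$")

def select_playbook(finding):
    """Return the runbook for a FAILED finding of an allowlisted control, else None."""
    if finding.get("Compliance", {}).get("Status") != "FAILED":
        return None  # PASSED / NOT_AVAILABLE findings have nothing to remediate
    m = GENERATOR_RE.search(finding.get("GeneratorId", ""))
    if not m:
        return None  # not a standards finding this playbook library recognises
    standard, version, control = m.groups()
    return PLAYBOOKS.get((standard, version), {}).get(control)

def route_custom_action(event):
    """Turn one custom-action event into remediation requests (one per resource). Only that
    event type is honoured, so nothing runs for findings the operator did not select."""
    if (event.get("source") != "aws.securityhub"
            or event.get("detail-type") != "Security Hub Findings - Custom Action"):
        raise ValueError("not a Security Hub custom action event")
    requests = []
    for finding in event.get("detail", {}).get("findings", []):
        runbook = select_playbook(finding)
        if runbook is None:
            continue
        for resource in finding.get("Resources", []):
            requests.append({"finding_id": finding["Id"], "account": finding["AwsAccountId"],
                             "region": finding.get("Region", event.get("region")),
                             "resource": resource["Id"], "runbook": runbook})
    return requests

def make_finding(fid, generator_id, status, resource_id):  # minimal constructed ASFF finding
    return {"Id": fid, "AwsAccountId": "111122223333", "Region": "us-east-1", "GeneratorId": generator_id,
            "Compliance": {"Status": status}, "Resources": [{"Type": "AwsAccount", "Id": resource_id}]}

SAMPLE_EVENT = {  # constructed custom-action event, shaped like the one CloudWatch Events delivers
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Custom Action",
    "region": "us-east-1", "detail": {"actionName": "Remediate", "findings": [
        make_finding("f-1", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.11", "FAILED", "AWS::::Account:111122223333"),
        make_finding("f-2", "aws-foundational-security-best-practices/v/1.0.0/IAM.7", "PASSED", "AWS::::Account:111122223333"),
        make_finding("f-3", "pci-dss/v/3.2.1/PCI.S3.1", "FAILED", "arn:aws:s3:::example-bucket"),
    ]}}  # route_custom_action(SAMPLE_EVENT) returns one request, for f-1 (FAILED and allowlisted)
```

Findings that PASSED, or whose control has no playbook in the allowlist, are dropped rather than remediated, which keeps the handler from acting on anything the playbook library was not built for.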

This implementation guide discusses architectural considerations and configuration steps for deploying the AWS Security Hub Automated Response and Remediation solution in the Amazon Web Services (AWS) Cloud. It includes links to AWS CloudFormation templates that launch, configure, and run the AWS compute, network, storage, and other services required to deploy this solution on AWS, using AWS best practices for security and availability.

The guide is intended for IT infrastructure architects, administrators, and DevOps professionals who have practical experience architecting in the AWS Cloud.