What does this AWS Solutions Implementation do?

The continued evolution of security threats makes it difficult, expensive, and time-consuming for security teams to react. The AWS Security Hub Automated Response and Remediation solution addresses this challenge by providing predefined response and remediation actions based on industry compliance standards and best practices.

AWS Security Hub Automated Response and Remediation is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.

The solution creates an AWS Service Catalog Portfolio of predefined security response and remediation actions called playbooks. Customers choose the individual playbooks they want to deploy in their Security Hub primary account. Each playbook contains the necessary custom actions, Identity and Access Management (IAM) roles, Amazon CloudWatch Events, Systems Manager Automation documents, AWS Lambda functions, and AWS Step Functions needed to start a remediation workflow within a single AWS account, or across multiple accounts.

AWS Solutions Implementation overview

The diagram below presents the serverless architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.

AWS Security Hub Automated Response and Remediation | Architecture Diagram
 Click to enlarge

AWS Security Hub Automated Response and Remediation solution architecture

The AWS Security Hub Automated Response and Remediation solution contains the following main workflows: detect, ingest, remediate, and log.

Detect: AWS Security Hub provides customers with a comprehensive view of their AWS security state. It helps them to measure their environment against security industry standards and best practices. It works by collecting events and data from other AWS services, such as AWS Config, Amazon Guard Duty, and AWS Firewall Manager. These events and data are analyzed against security standards, such as CIS AWS Foundations Benchmark. Exceptions are asserted as findings in the AWS Security Hub console. New findings are sent as Amazon CloudWatch Events.

Ingest: AWS Security Hub Custom Actions and Amazon CloudWatch Events rules initiate Security Hub Automated Response and Remediation playbooks to address findings. Two CloudWatch Event Rules are deployed for each supported control by the solution: one rule to match the custom action event (user-initiated remediation), and one rule (disabled by default) to match the real-time finding event. Customers can use the Security Hub Custom Action menu to initiate automated remediation, or after careful testing in a non-production environment, they can enable automatic triggering for automated remediation. This decision can be made per remediation—it is not necessary to enable automatic triggers on all remediations.

Remediate: Using cross-account AWS Identity and Access Management (IAM) roles, the automated remediation uses the AWS API to perform the tasks needed to remediate findings. All playbooks in this solution call AWS Lambda functions. Some Lambda functions perform remediation directly. Others use AWS Systems Manager automation documents.

Log: The playbook logs the results to the Amazon CloudWatch Logs group for the solution, sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic, and updates the Security Hub finding. An audit trail of actions taken is maintained in the finding notes. On the Security Hub dashboard, the finding workflow status is changed from NEW to either NOTIFIED or RESOLVED on the Security Hub dashboard. The security finding notes are updated to reflect the remediation performed. 

AWS Security Hub Automated Response and Remediation

Version 1.1.0
Last updated: 11/2020
Author: AWS

Estimated deployment time: 10 min

Use the button below to subscribe to solution updates.

Note: To subscribe to RSS updates, you must have an RSS plug-in enabled for the browser you are using.  

Did this Solutions Implementation help you?
Provide feedback 


AWS Security Hub integration

Initiate remediations and findings using custom actions in the Security Hub console.

Remediation playbooks

Access remediation playbooks supporting the Center for Internet Security (CIS) Amazon Foundations benchmarks, version 1.2.0.

One-click cross-account remediation

Easily deploy the solution across primary and member accounts.

Automatic remediations

Deploy a predefined set of response and remediation actions to respond to threats automatically.
Build icon
Deploy a Solution yourself

Browse our library of AWS Solutions Implementations to get answers to common architectural problems.

Learn more 
Find an APN partner
Find an APN Partner

Find AWS certified consulting and technology partners to help you get started.

Learn more 
Explore icon
Explore Solutions Consulting Offers

Browse our portfolio of Consulting Offers to get AWS-vetted help with solution deployment.

Learn more