Q: Why should customers use the AWS Security Hub Automated Response and Remediation solution?
A: The continued evolution of security threats, together with their increasing volume, makes it increasingly difficult, expensive, and time-consuming for security teams to react quickly to threats. AWS Security Hub gives customers a comprehensive view of their security posture across AWS accounts. Customers can create CloudWatch Event rules to invoke on-demand response workflows for selected findings across their AWS accounts, or they can use CloudWatch Event rules to take fully automated actions on specific types of findings. Many customers find setting up CloudWatch Event rules difficult and time-consuming, and creating the permissions that allow the rules to run cross-account can be complex. The AWS Security Hub Automated Response and Remediation solution simplifies this process by offering predefined response and remediation actions for common security controls.
Q: Which customers should use the AWS Security Hub Automated Response and Remediation solution?
A: Any customer who plans to develop, deploy, evaluate, or secure workloads in AWS and wants to leverage security automation to save time and money.
Q: How does the AWS Security Hub Automated Response and Remediation solution work?
A: The solution creates a Service Catalog Portfolio of predefined security response and remediation actions, or playbooks. Customers choose the individual playbooks they want to deploy in their Security Hub primary account from the AWS Service Catalog Portfolio. Each playbook contains the necessary custom actions, IAM roles, and Amazon CloudWatch events in addition to any Systems Manager Automation documents, AWS Lambda functions, or AWS Step Functions needed to start the remediation workflow within a single AWS account, or across multiple accounts.
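The two kinds of CloudWatch Events rule described above (on-demand custom action versus fully automated) and the single-account versus cross-account decision can be sketched as follows. This is an added example, not code from the solution: the playbook names, account IDs, control IDs and the simplified top-level pattern matcher are constructed for illustration, while the `source`, `detail-type` and finding field names follow the Security Hub event format.

```python
# Event patterns for the two rule types: analyst-invoked and fully automated.
ON_DEMAND_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
}
AUTOMATIC_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

# Hypothetical mapping from a finding's GeneratorId to a deployed playbook.
PLAYBOOKS = {"example/control-1": "ExamplePlaybookA"}

SAMPLE_EVENT = {  # constructed sample, trimmed to the fields used here
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {"actionName": "ExampleAction", "findings": [
        {"Id": "finding-1", "AwsAccountId": "111111111111", "GeneratorId": "example/control-1"},
        {"Id": "finding-2", "AwsAccountId": "222222222222", "GeneratorId": "example/control-1"},
        {"Id": "finding-3", "AwsAccountId": "222222222222", "GeneratorId": "example/control-9"},
    ]},
}

def matches(pattern, event):
    """Simplified matcher: each top-level pattern key must list the event's value."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())

def plan_remediation(event, hub_account, playbooks):
    """Return one remediation task per finding that has a deployed playbook."""
    if matches(ON_DEMAND_PATTERN, event):
        trigger = "on-demand"
    elif matches(AUTOMATIC_PATTERN, event):
        trigger = "automatic"
    else:
        return []  # not a Security Hub finding event: no rule fires
    tasks = []
    for finding in event["detail"]["findings"]:
        playbook = playbooks.get(finding.get("GeneratorId", ""))
        if playbook is None:
            continue  # no playbook deployed for this control
        tasks.append({
            "playbook": playbook,
            "trigger": trigger,
            "finding_id": finding["Id"],
            "target_account": finding["AwsAccountId"],
            # A finding from another account needs a role the workflow can assume there.
            "cross_account": finding["AwsAccountId"] != hub_account,
        })
    return tasks
```

Calling `plan_remediation(SAMPLE_EVENT, "111111111111", PLAYBOOKS)` yields two tasks: one in the Security Hub primary account and one that requires cross-account permissions.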
Q: How much does this solution cost?
A: The AWS Security Hub Automated Response and Remediation solution is free to launch; however, you pay for the resources that it deploys: AWS Security Hub, Amazon CloudWatch, AWS IAM, AWS Service Catalog, and AWS Systems Manager or AWS Lambda. The cost to run the solution depends on the number of remediations executed per month. Your costs may vary based on a number of factors, such as change activity in your accounts, number of accounts, and whether or not you automatically remediate findings as they occur. After the initial remediation of pre-existing findings in an account, the daily volume of Security Hub findings drops significantly. The largest contributor to cost is AWS Service Catalog. Refer to the implementation guide for sample cost calculations.
Q: Can customers write their own security playbooks?
A: Yes. AWS Security Hub gives customers the option to create custom actions and manually invoke a response or remediation action on a security finding. For more information about setting up your project and customizing your playbooks, refer to the README.md in GitHub.
Q: How does this solution differ from AWS Security Hub?
A: The AWS Security Hub Automated Response and Remediation solution adds automation on top of Security Hub Findings using Security Hub custom rules. AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Security Hub collects findings from the security services enabled across your AWS accounts, services, and supported third-party partners to help you analyze your security trends and identify security issues.
Q: How does this solution differ from AWS Config?
A: The AWS Security Hub Automated Response and Remediation solution adds automation on top of Security Hub Findings using Security Hub custom rules and AWS Config. AWS Config is a fully managed detection service that records and evaluates configurations of your AWS resources. In order for the AWS Security Hub Automated Response and Remediation solution to run security checks in an account, you must have AWS Config enabled in that account.
Q: How does this solution differ from Amazon Detective?
A: The AWS Security Hub Automated Response and Remediation solution adds automation on top of Security Hub Findings using Security Hub custom rules. Amazon Detective is an incident response service that analyzes and investigates the root cause of security findings. Amazon Detective does not currently offer an automated response and remediation feature.
Q: Can customers deploy this solution in any AWS Region?
A: This solution uses AWS Service Catalog and AWS Systems Manager, which are currently available in specific AWS Regions only. This solution works in all of the Regions that support these services. For the most current availability by Region, refer to the AWS Regional Services List.