Overview

This AWS Solution is an add-on that works with AWS Security Hub and provides predefined response and remediation actions based on industry compliance standards and best practices for security threats. It helps AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
The solution creates playbooks for customers to individually choose what they want to deploy in their Security Hub primary account. Each playbook contains the necessary custom actions, IAM roles, and Amazon EventBridge events in addition to any Systems Manager Automation documents, AWS Lambda functions, or AWS Step Functions needed to start the remediation workflow within a single AWS account, or across multiple accounts.
Benefits

Initiate remediation of findings using custom actions in the Security Hub console.
Easily deploy the Solution across primary and member accounts.
Access remediation playbooks supporting standards such as the Center for Internet Security (CIS) AWS Foundations benchmarks v1.4.0 or AWS Foundational Security Best Practices (AFSBP) v1.0.0.
Deploy a predefined set of response and remediation actions to respond to threats automatically.
Extend the solution with custom remediations and playbook implementations by deploying customized AWS Systems Manager Automation documents and AWS IAM roles. To support an entirely new set of controls that the solution does not implement, deploy a custom playbook.
Technical details

The diagram below presents the serverless architecture that you can build using the Solution's implementation guide and accompanying AWS CloudFormation template.
Automated Security Response on AWS contains the following main workflows: detect, ingest, remediate, and log.
1. Detect: AWS Security Hub provides customers with a comprehensive view of their AWS security state. It helps them measure their environment against security industry standards and best practices. It works by collecting events and data from other AWS services, such as AWS Config, Amazon GuardDuty, and AWS Firewall Manager. These events and data are analyzed against security standards, such as the CIS AWS Foundations Benchmark. Exceptions are asserted as findings in the AWS Security Hub console. New findings are sent as Amazon EventBridge events.
2. Ingest: You can initiate events against findings using custom actions, which result in Amazon EventBridge events. AWS Security Hub custom actions and Amazon EventBridge rules initiate Automated Security Response on AWS playbooks to address findings. One EventBridge rule is deployed to match the custom action event, and one Amazon EventBridge rule is deployed for each supported control (deactivated by default) to match the real-time finding event.
You can use the Security Hub custom action menu to initiate automated remediation or, after careful testing in a non-production environment, activate automatic remediation. Activation is per remediation; it is not necessary to activate automatic initiation for all remediations.
3. Remediate: Using cross-account AWS Identity and Access Management (IAM) roles, the automated remediation calls the AWS API to perform the tasks needed to remediate findings. All playbooks in this solution are implemented as AWS Systems Manager Automation documents, categorized by security control ID. An AWS Step Functions state machine receives the finding from the Amazon EventBridge event and invokes the documents through AWS Systems Manager API calls.
4. Log: The playbook logs the results to an Amazon CloudWatch Logs log group, sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic, and updates the Security Hub finding. An audit trail of actions taken is maintained in the finding notes. On the Security Hub dashboard, the finding workflow status is changed from NEW to either NOTIFIED or RESOLVED, and the finding notes are updated to reflect the remediation performed.
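The ingest step above hinges on which EventBridge rule a finding event matches: one always-on rule for the custom action event, and one rule per control that ships disabled. The following is an added example, not code from the solution itself, that reproduces a subset of EventBridge pattern matching and applies it to both rule types; the custom action ARN, the account id, the control id S3.4 and the sample finding are constructed values.

```python
# Example code (not the solution's own) illustrating the ingest step: an EventBridge-style
# matcher for the page's two rule types. The ARN, account id and finding are constructed.
def matches(pattern, event):
    """Subset of EventBridge semantics: every pattern key must exist in the event,
    a list of literals is an OR, dicts recurse, and an event list (detail.findings)
    matches if any of its elements matches."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        values = event[key] if isinstance(event[key], list) else [event[key]]
        if isinstance(allowed, dict):
            ok = any(isinstance(v, dict) and matches(allowed, v) for v in values)
        else:
            ok = any(v in allowed for v in values)
        if not ok:
            return False
    return True

CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/Remediate"
AFSBP = "aws-foundational-security-best-practices/v/1.0.0"  # standard named on the page

def custom_action_rule():
    """The single rule matching findings an operator sends via the custom action."""
    return {"state": "ENABLED", "pattern": {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Custom Action"],
        "resources": [CUSTOM_ACTION_ARN]}}

def control_rule(control_id, state="DISABLED"):
    """Per-control rule for real-time imported findings, deployed disabled so
    automatic remediation only runs once an operator opts in for that control."""
    return {"state": state, "pattern": {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": {
            "GeneratorId": [f"{AFSBP}/{control_id}"],  # exact match: S3.4 != S3.40
            "Compliance": {"Status": ["FAILED"]},
            "Workflow": {"Status": ["NEW"]}}}}}

def triggered(event, rules):
    """Names of enabled rules whose pattern matches the event; disabled rules never fire."""
    return [name for name, rule in rules.items()
            if rule["state"] == "ENABLED" and matches(rule["pattern"], event)]

# Constructed event shaped like a real-time Security Hub imported-finding event.
SAMPLE_FINDING = {"GeneratorId": f"{AFSBP}/S3.4",
                  "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"}}
SAMPLE_EVENT = {"source": "aws.securityhub",
                "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [SAMPLE_FINDING]}}
```

Running `triggered(SAMPLE_EVENT, {"S3.4": control_rule("S3.4")})` returns an empty list until the rule is created with `state="ENABLED"`, which is the opt-in the page describes.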
Related content

Getting Started with AWS Security, Identity, and Compliance
This course provides an overview of AWS security technology, use cases, benefits, and services.
AWS Certified Security - Specialty
This exam tests your technical expertise in securing the AWS platform. This is for anyone in an experienced security role.