Automate remediation for AWS Security Hub standard findings - AWS Prescriptive Guidance

Created by Chandini Penmetsa (AWS) and Aromal Raj Jayarajan (AWS)

Summary

With AWS Security Hub, you can enable checks for standard best practices such as the following:

  • AWS Foundational Security Best Practices

  • CIS AWS Foundations Benchmark

  • Payment Card Industry Data Security Standard (PCI DSS)

Each standard consists of predefined controls. Security Hub evaluates each enabled control in a given AWS account and reports the result as a finding.

Security Hub automatically sends all new findings, and all updates to existing findings, to Amazon EventBridge. This pattern provides a security control that deploys an EventBridge rule to identify findings from the AWS Foundational Security Best Practices standard. The rule matches the following controls for Amazon EC2 Auto Scaling, virtual private clouds (VPCs), Amazon Elastic Block Store (Amazon EBS), and Amazon Relational Database Service (Amazon RDS):

  • [AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks

  • [EC2.2] The VPC default security group should not allow inbound and outbound traffic

  • [EC2.6] VPC flow logging should be enabled in all VPCs

  • [EC2.7] EBS default encryption should be enabled

  • [RDS.1] RDS snapshots should be private

  • [RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters

  • [RDS.7] RDS clusters should have deletion protection enabled

The EventBridge rule forwards matching findings to an AWS Lambda function, which remediates each finding. The Lambda function then publishes a notification with the remediation details to an Amazon Simple Notification Service (Amazon SNS) topic.
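The filtering that the EventBridge rule performs, written out as an added example; this is not the pattern from the page's CloudFormation template, which the page does not show. It assumes the ASFF field layout of AFSBP findings (ProductFields.ControlId and ProductFields.StandardsArn; accounts that have consolidated control findings enabled carry the control ID in Compliance.SecurityControlId instead), and it adds the FAILED, NEW and ACTIVE conditions that stop the rule from firing again on passing, already-resolved or archived findings. The matcher is a deliberately simplified EventBridge matcher so the pattern can be exercised offline. Custom-action events have the detail-type "Security Hub Findings - Custom Action" and do not match this pattern; the AFSBPRemedy path needs its own rule.

```python
# Added example: an EventBridge rule pattern for the controls this page lists,
# plus a simplified matcher so the filter can be run offline.

# Control IDs named on this page.
REMEDIATED_CONTROLS = ["AutoScaling.1", "EC2.2", "EC2.6", "EC2.7",
                       "RDS.1", "RDS.6", "RDS.7"]

# Assumed rule pattern (not the page's template). Security Hub publishes each
# finding as a "Security Hub Findings - Imported" event with the finding under
# detail.findings[]. Requiring FAILED + NEW + ACTIVE keeps the rule from firing
# on PASSED results, findings already marked RESOLVED, or archived findings,
# each of which would otherwise re-run the remediation.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "ProductFields": {
            "StandardsArn": [{"prefix": "arn:aws:securityhub:::standards/"
                                        "aws-foundational-security-best-practices"}],
            "ControlId": REMEDIATED_CONTROLS,
        },
        "Compliance": {"Status": ["FAILED"]},
        "Workflow": {"Status": ["NEW"]},
        "RecordState": ["ACTIVE"],
    }},
}


def _leaf_matches(alternatives, value):
    """A leaf matches when the event value (or any element of an event array)
    equals one of the literal alternatives or starts with a {"prefix": ...} one."""
    for v in value if isinstance(value, list) else [value]:
        for alt in alternatives:
            if isinstance(alt, dict):
                if isinstance(v, str) and v.startswith(alt["prefix"]):
                    return True
            elif v == alt:
                return True
    return False


def matches(pattern, event):
    """Simplified EventBridge semantics: every pattern key must be present and
    match, nested objects recurse, and an event array of objects matches when
    one element satisfies the whole sub-pattern. Real EventBridge flattens
    arrays and checks each leaf independently, so it is looser than this; for
    Imported events, which carry a single finding, the two agree."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(sub, dict):
            elems = value if isinstance(value, list) else [value]
            if not any(isinstance(e, dict) and matches(sub, e) for e in elems):
                return False
        elif not _leaf_matches(sub, value):
            return False
    return True


def finding_event(control, compliance, workflow="NEW", record_state="ACTIVE"):
    """Constructed sample event in the shape Security Hub sends to EventBridge."""
    standard = "aws-foundational-security-best-practices/v/1.0.0"
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Id": f"arn:aws:securityhub:us-east-1:123456789012:subscription/{standard}/{control}/finding/0",
            "GeneratorId": f"{standard}/{control}",
            "ProductFields": {"StandardsArn": f"arn:aws:securityhub:::standards/{standard}",
                              "ControlId": control},
            "Compliance": {"Status": compliance},
            "Workflow": {"Status": workflow},
            "RecordState": record_state,
        }]},
    }


def should_remediate(event):
    """True when the rule would forward this event to the remediation function."""
    return matches(EVENT_PATTERN, event)


if __name__ == "__main__":
    for ev in (finding_event("EC2.2", "FAILED"),              # forwarded
               finding_event("EC2.2", "PASSED"),              # control now passes
               finding_event("EC2.2", "FAILED", "RESOLVED"),  # already handled
               finding_event("IAM.1", "FAILED")):             # not in scope
        f = ev["detail"]["findings"][0]
        print(f["ProductFields"]["ControlId"], f["Compliance"]["Status"],
              f["Workflow"]["Status"], "->", should_remediate(ev))
```

Without the Compliance and Workflow conditions the rule would also fire on the PASSED finding that Security Hub emits after a successful remediation, and on every periodic re-import of a finding that has already been handled.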

Prerequisites and limitations

Prerequisites 

  • An active AWS account

  • An email address where you want to receive the remediation notification

  • Security Hub and AWS Config enabled in the AWS Region where you intend to deploy the control

  • An Amazon Simple Storage Service (Amazon S3) bucket, in the same Region as the control, to which you upload the AWS Lambda code

Limitations 

  • This security control automatically remediates only new findings that are reported after the control is deployed. To remediate existing findings, select them manually on the Security Hub console, and then, under Actions, choose the AFSBPRemedy custom action that AWS CloudFormation created as part of the deployment.

  • This security control is regional and must be deployed in the AWS Regions that you intend to monitor.

  • For the EC2.6 remedy, to enable VPC Flow Logs, an Amazon CloudWatch Logs log group named in the format /VpcFlowLogs/vpc_id (where vpc_id is the ID of the VPC) is created. If a log group with that name already exists, the existing log group is used.

  • For the EC2.7 remedy, Amazon EBS default encryption is enabled with the default AWS Key Management Service (AWS KMS) key for EBS. After this change, instance types that do not support EBS encryption can no longer be launched in the Region.
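The Lambda side of the workflow, as an added example that is not the code in the page's attachment: dispatch by control ID, the EC2.6 remedy with the log-group reuse described in the limitation above, the RDS.1 remedy, and the SNS summary. It handles both the "Security Hub Findings - Imported" events from the rule and the "Security Hub Findings - Custom Action" batches that the AFSBPRemedy action produces. Assumptions: the ASFF layout of AFSBP findings, the boto3 calls named in the code, and two environment variables (FLOW_LOGS_ROLE_ARN for the flow-logs role and SNS_TOPIC_ARN for the topic) that the stack is assumed to pass to the function; the placeholder values and the RecordingClient exist only so the code can run offline.

```python
# Added example of the remediation handler; not the page's attached Lambda code.
import os
import re

# Placeholders stand in for the stack's IAM role and SNS topic parameters.
FLOW_LOGS_ROLE_ARN = os.environ.get(
    "FLOW_LOGS_ROLE_ARN", "arn:aws:iam::123456789012:role/PlaceholderVpcFlowLogsRole")
SNS_TOPIC_ARN = os.environ.get(
    "SNS_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:PlaceholderRemediationTopic")

def control_id(finding):
    """ProductFields.ControlId if present, else the tail of GeneratorId, which
    covers both '.../v/1.0.0/EC2.6' and the consolidated 'security-control/EC2.6'."""
    return (finding.get("ProductFields", {}).get("ControlId")
            or finding["GeneratorId"].rsplit("/", 1)[-1])

def resource_id(finding, pattern):
    """Plain identifier pulled from the finding's first resource ARN."""
    arn = finding["Resources"][0]["Id"]
    m = re.search(pattern, arn)
    if not m:
        raise ValueError(f"unexpected resource ARN {arn}")
    return m.group(1)

def remediate_ec2_6(finding, clients):
    """EC2.6: VPC Flow Logs into /VpcFlowLogs/<vpc-id>; an existing group is reused."""
    vpc_id = resource_id(finding, r"vpc/(vpc-[0-9a-f]+)$")
    group = f"/VpcFlowLogs/{vpc_id}"
    found = clients["logs"].describe_log_groups(logGroupNamePrefix=group)
    if not any(g.get("logGroupName") == group for g in found.get("logGroups", [])):
        clients["logs"].create_log_group(logGroupName=group)
    clients["ec2"].create_flow_logs(
        ResourceType="VPC", ResourceIds=[vpc_id], TrafficType="ALL",
        LogDestinationType="cloud-watch-logs", LogGroupName=group,
        DeliverLogsPermissionArn=FLOW_LOGS_ROLE_ARN)
    return f"flow logs for {vpc_id} delivered to {group}"

def remediate_rds_1(finding, clients):
    """RDS.1: drop the public 'all' entry from the restore attribute; cluster and
    instance snapshots use different API calls."""
    if ":cluster-snapshot:" in finding["Resources"][0]["Id"]:
        name = resource_id(finding, r"cluster-snapshot:(.+)$")
        clients["rds"].modify_db_cluster_snapshot_attribute(
            DBClusterSnapshotIdentifier=name, AttributeName="restore", ValuesToRemove=["all"])
    else:
        name = resource_id(finding, r"snapshot:(.+)$")
        clients["rds"].modify_db_snapshot_attribute(
            DBSnapshotIdentifier=name, AttributeName="restore", ValuesToRemove=["all"])
    return f"snapshot {name} is no longer public"

REMEDIATIONS = {"EC2.6": remediate_ec2_6, "RDS.1": remediate_rds_1}

def remediate_event(event, clients):
    """Handle every finding in the event (an Imported event carries one, a Custom
    Action batch several); one failure must not abort the rest of the batch."""
    results = []
    for finding in event["detail"]["findings"]:
        cid = control_id(finding)
        fn = REMEDIATIONS.get(cid)
        if fn is None:
            results.append((cid, "skipped", "no remediation for this control"))
            continue
        try:
            results.append((cid, "remediated", fn(finding, clients)))
        except Exception as exc:  # surface it in the notification, keep going
            results.append((cid, "failed", f"{type(exc).__name__}: {exc}"))
    return results

def notification(results, event):
    """Plain-text SNS body: a header line, then one line per finding."""
    head = f"Security Hub auto-remediation ({event['detail-type']})"
    return "\n".join([head] + [f"{s.upper():10} {c:13} {d}" for c, s, d in results])

def lambda_handler(event, context, clients=None):
    if clients is None:  # real run inside Lambda
        import boto3
        clients = {s: boto3.client(s) for s in ("ec2", "logs", "rds", "sns")}
    results = remediate_event(event, clients)
    clients["sns"].publish(TopicArn=SNS_TOPIC_ARN, Subject="Security Hub auto-remediation",
                           Message=notification(results, event))
    return results

class RecordingClient:
    """Offline stand-in for a boto3 client: records calls, returns canned responses."""
    def __init__(self, responses=None):
        self.calls, self.responses = [], responses or {}
    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.responses.get(name, {})
        return call

# Constructed sample batch: an in-scope VPC, an in-scope snapshot (consolidated
# GeneratorId form) and an out-of-scope IAM finding.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Custom Action", "detail": {
    "actionName": "AFSBPRemedy", "findings": [
        {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.6", "Resources": [
            {"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0a1b2c3d4e5f67890"}]},
        {"GeneratorId": "security-control/RDS.1", "Resources": [
            {"Type": "AwsRdsDbSnapshot", "Id": "arn:aws:rds:us-east-1:123456789012:snapshot:prod-2024-01-01"}]},
        {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.1", "Resources": [
            {"Type": "AwsIamPolicy", "Id": "arn:aws:iam::123456789012:policy/admin"}]}]}}

if __name__ == "__main__":  # offline dry run against the recording fakes
    fakes = {s: RecordingClient() for s in ("ec2", "logs", "rds", "sns")}
    print(notification(lambda_handler(SAMPLE_EVENT, None, fakes), SAMPLE_EVENT))
```

The function's IAM role needs only the calls listed in the remediation functions plus sns:Publish and iam:PassRole for the flow-logs role; anything broader than that turns the remediation function itself into an attractive target.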

Architecture

Target technology stack  

  • Lambda function

  • Amazon SNS topic

  • EventBridge rule

  • AWS Identity and Access Management (IAM) roles for the Lambda function, VPC Flow Logs, and Amazon RDS Enhanced Monitoring

Target architecture 

Workflow for automating remediation for AWS Security Hub findings.

Automation and scale

If you use AWS Organizations, you can use AWS CloudFormation StackSets to deploy this template to every account that you want to monitor.

Tools

  • AWS CloudFormation is a service that helps you model and set up AWS resources by using infrastructure as code.

  • Amazon EventBridge delivers a stream of real-time data from your own applications, software as a service (SaaS) applications, and AWS services, routing that data to targets such as Lambda functions.

  • AWS Lambda supports running code without provisioning or managing servers.

  • Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that you can use for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.

  • Amazon Simple Notification Service (Amazon SNS) coordinates and manages the delivery or sending of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.

Best practices

Epics

Task: Define the Amazon S3 bucket.
Description: On the Amazon S3 console, choose or create an Amazon S3 bucket. Bucket names are globally unique, and the namespace is shared by all AWS accounts. The bucket must be in the same Region as the Security Hub findings that are being evaluated.
Skills required: Cloud Architect

Task: Upload the Lambda code to the Amazon S3 bucket.
Description: Upload the Lambda code .zip file that's provided in the "Attachments" section to the bucket you defined.
Skills required: Cloud Architect

Task: Deploy the AWS CloudFormation template.
Description: Deploy the AWS CloudFormation template that's provided as an attachment to this pattern. In the next epic, provide the values for the parameters.
Skills required: Cloud Architect
Task: Provide the Amazon S3 bucket name.
Description: Enter the name of the Amazon S3 bucket that you created in the first epic.
Skills required: Cloud Architect

Task: Provide the Amazon S3 prefix.
Description: Provide the object key of the Lambda code .zip file in your Amazon S3 bucket, without leading slashes (for example, <directory>/<file-name>.zip).
Skills required: Cloud Architect

Task: Provide the ARN of the Amazon SNS topic.
Description: If you want to use an existing Amazon SNS topic for remediation notifications, provide the Amazon Resource Name (ARN) of that topic. If you want AWS CloudFormation to create a new Amazon SNS topic, keep the value as None (the default value).
Skills required: Cloud Architect

Task: Provide an email address.
Description: Provide an email address where you want to receive the remediation notifications. This is needed only when AWS CloudFormation creates the Amazon SNS topic.
Skills required: Cloud Architect

Task: Define the logging level.
Description: Define the logging level for the Lambda function: Info, Warning, or Error. Info records detailed messages about the function's progress, Warning records potentially harmful situations, and Error records error events that still allow the function to continue running.
Skills required: Cloud Architect

Task: Provide the ARN of the IAM role for VPC Flow Logs.
Description: Provide the ARN of the IAM role to be used for VPC Flow Logs. If you enter None, AWS CloudFormation creates an IAM role and uses it.
Skills required: Cloud Architect

Task: Provide the ARN of the IAM role for Amazon RDS Enhanced Monitoring.
Description: Provide the ARN of the IAM role to be used for Amazon RDS Enhanced Monitoring. If you enter None, AWS CloudFormation creates an IAM role and uses it.
Skills required: Cloud Architect
Task: Confirm the Amazon SNS subscription.
Description: When the template deploys successfully and a new Amazon SNS topic was created, a subscription message is sent to the email address that you provided. To receive remediation notifications, you must confirm this subscription email message.
Skills required: Cloud Architect

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip