Architecture details - Automated Security Response on AWS

Architecture details

This section describes the components and AWS services that make up this solution and the architecture details on how these components work together.

AWS services in this solution

The solution uses the following services. Core services are required to use the solution, and supporting services connect the core services.

| AWS service | Description |
| --- | --- |
| Amazon EventBridge | Core. EventBridge rules listen for and trigger on events emitted by AWS Security Hub and AWS Security Hub CSPM. |
| AWS IAM | Core. Deploys the many roles that allow remediations on different resources. |
| AWS Lambda | Core. Deploys multiple Lambda functions that the Step Functions orchestrator uses to remediate issues. Serves as the backend for the solution's Web UI, integrated with API Gateway. |
| AWS Security Hub | Core. Provides customers with a comprehensive view of their AWS security state. |
| AWS Step Functions | Core. Deploys an orchestrator that invokes the remediation documents through AWS Systems Manager API calls. |
| AWS Systems Manager | Core. Deploys Systems Manager Automation documents that contain the remediation logic executed by the solution. Uses Parameter Store to maintain solution metadata and configuration settings. |
| Amazon DynamoDB | Core. Stores the last remediation run in each account and Region to optimize scheduling of remediations. Stores findings generated by AWS Security Hub and AWS Security Hub CSPM. Stores remediation and solution configuration metadata. Stores data for users accessing the solution's Web UI. |
| AWS CloudTrail | Supporting. Records the changes the solution makes to your AWS resources and displays them on a CloudWatch dashboard. |
| Amazon CloudWatch | Supporting. Deploys log groups that the playbooks use to log results. Collects metrics to display on a custom dashboard with alarms. |
| Amazon Simple Notification Service | Supporting. Deploys SNS topics that receive a notification once a remediation has completed. |
| Amazon SQS | Supporting. Assists with scheduling remediations so that the solution can run remediations in parallel. Buffers Lambda invocations using Lambda event source mappings. |
| AWS Key Management Service | Supporting. Encrypts data used by remediations. |
| AWS Config | Supporting. Records all resources for use with AWS Security Hub. |
| Amazon S3 | Supporting. Stores exported remediation history and log data. Hosts the solution's Web UI as a single-page application (SPA). |
| Amazon CloudFront | Supporting. Delivers the solution's Web UI. |
| Amazon API Gateway | Supporting. Creates the solution's REST API to support the user interface. |
| AWS WAF | Supporting. Protects the solution's Web UI. |
| Amazon Cognito | Supporting. Authenticates and authorizes access to the solution's Web UI. |
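The handoff the table describes, as an added example that is not the solution's own code: a Security Hub finding event delivered by EventBridge is filtered and turned into the arguments an orchestrator would hand to Systems Manager's StartAutomationExecution. The sample event, the Automation document naming scheme and the document parameter names are assumptions.

```python
"""Added example (not the solution's own code): EventBridge -> orchestrator -> SSM.
A Security Hub finding event is filtered and converted into the arguments an
orchestrator would pass to ssm:StartAutomationExecution. The event below and the
document naming scheme (ASR-AFSBP-<control>) are constructed assumptions."""
import re

# Constructed sample EventBridge event carrying one Security Hub finding.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/"
              "aws-foundational-security-best-practices/v/1.0.0/S3.1/finding/EXAMPLE",
        "AwsAccountId": "111122223333",
        "Region": "us-east-1",
        "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.1",
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": "NEW"},
        "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
    }]},
}


def remediation_requests(event, document_prefix="ASR-AFSBP"):
    """Return one StartAutomationExecution argument set per actionable finding.
    Findings that already pass, or whose workflow status is not NEW, are skipped
    so the orchestrator does not re-run a remediation Security Hub has resolved."""
    if event.get("source") != "aws.securityhub":
        return []
    requests = []
    for f in event["detail"]["findings"]:
        if f["Compliance"]["Status"] != "FAILED" or f["Workflow"]["Status"] != "NEW":
            continue
        control = f["GeneratorId"].rsplit("/", 1)[-1]  # e.g. "S3.1"
        if not re.fullmatch(r"[A-Za-z0-9]+\.\d+", control):
            continue  # unrecognised generator format: leave it for manual triage
        requests.append({
            # Hypothetical naming: one Automation document per control ID.
            "DocumentName": f"{document_prefix}-{control.replace('.', '_')}",
            "Parameters": {  # document parameter names are assumptions
                "FindingId": [f["Id"]],
                "ResourceId": [f["Resources"][0]["Id"]],
            },
            "TargetLocations": [{"Accounts": [f["AwsAccountId"]],
                                 "Regions": [f["Region"]]}],
        })
    return requests
```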