

# Deploy the solution

**Important**  
If the [consolidated control findings](deciding-where-to-deploy-each-stack.md#consolidated-controls-findings) feature is turned on in Security Hub, only enable the Security Control (SC) playbook when deploying this solution. If the feature is not turned on, **only** enable the playbooks for the security standards that are enabled in Security Hub. Consolidated control findings is enabled by default if you enable Security Hub CSPM on or after February 23, 2023.

This solution uses [AWS CloudFormation templates and stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html) to automate its deployment. The CloudFormation templates specify the AWS resources included in this solution and their properties. The CloudFormation stack provisions the resources that are described in the templates.

In order for the solution to function, three templates must be deployed. First, decide where to deploy the templates, then decide how to deploy them.

This overview will describe the templates and how to decide where and how to deploy them. The next sections will have more detailed instructions for deploying each stack as a Stack or StackSet.

# Deciding where to deploy each stack


The three templates will be referred to by the following names and contain the following resources:
+ Admin stack: orchestrator step function, event rules and Security Hub custom action.
+ Member stack: remediation SSM Automation documents.
+ Member roles stack: IAM roles for remediations.

The Admin stack must be deployed once, in a single account and a single Region. It must be deployed into the account and Region that you have configured as the aggregation destination for Security Hub findings for your organization. If you wish to use the Action Log feature to monitor management events, you must deploy the Admin stack in your organization’s management account or a delegated administrator account.

The solution operates on Security Hub findings, so it will not be able to operate on findings from a particular account and Region if that account or Region has not been configured to aggregate findings in the Security Hub administrator account and Region.

**Important**  
If you are using [AWS Security Hub (non-CSPM)](https://aws.amazon.com/security-hub/) then you are responsible for ensuring your member accounts onboarded with [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) are also onboarded with AWS Security Hub (non-CSPM). Regions aggregated in AWS Security Hub CSPM should also match regions aggregated in AWS Security Hub (non-CSPM).

For example, an organization has accounts operating in Regions `us-east-1` and `us-west-2`, with account `111111111111` as the Security Hub delegated administrator in Region `us-east-1`. Accounts `222222222222` and `333333333333` must be Security Hub member accounts for the delegated administrator account `111111111111`. All three accounts must be configured to aggregate findings from `us-west-2` to `us-east-1`. The Admin stack must be deployed to account `111111111111` in `us-east-1`.

For more details on finding aggregation, consult the documentation for Security Hub [delegated administrator accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html) and [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html).

The Admin stack must complete deployment first before deploying the member stacks so that a trust relationship can be created from the member accounts to the hub account.

The member stack must be deployed into every account and Region in which you wish to remediate findings. This can include the Security Hub delegated administrator account in which you previously deployed the ASR Admin stack. The automation documents must execute in the member accounts in order to use the free tier for SSM Automation.

Using the previous example, if you want to remediate findings from all accounts and Regions, the member stack must be deployed to all three accounts (`111111111111`, `222222222222`, and `333333333333`) and both Regions (`us-east-1` and `us-west-2`).

The member roles stack must be deployed to every account, but it contains global resources (IAM roles) that can only be deployed once per account. It does not matter in which Region you deploy the member roles stack, so for simplicity we suggest deploying to the same Region in which the Admin stack is deployed.

Using the previous example, we suggest deploying the member roles stack to all three accounts (`111111111111`, `222222222222`, and `333333333333`) in `us-east-1`.

## Deciding how to deploy each stack


The options for deploying a stack are
+ CloudFormation StackSet (self-managed permissions)
+ CloudFormation StackSet (service-managed permissions)
+ CloudFormation Stack

StackSets with service-managed permissions are the most convenient because they do not require deploying your own roles and can automatically deploy to new accounts in the organization. Unfortunately, this method does not support nested stacks, which we use in both the Admin stack and the member stack. The only stack that can be deployed this way is the member roles stack.

Be aware that when deploying to the entire organization, the organization management account is not included, so if you want to remediate findings in the organization management account, you must deploy to this account separately.

The member stack must be deployed to every account and Region but cannot be deployed using StackSets with service-managed permissions because it contains nested stacks. So we suggest deploying this stack with StackSets with self-managed permissions.

The Admin stack is only deployed once, so it can be deployed as a plain CloudFormation stack or as a StackSet with self-managed permissions in a single account and Region.

## Consolidated control findings


The accounts in your organization can be configured with the consolidated control findings feature of Security Hub turned on or off. See [Consolidated control findings](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#consolidated-control-findings) in the *AWS Security Hub User Guide*.

**Important**  
When this feature is enabled, you must use solution version 2.0.0 or later and enable the "SC" (Security Control) playbook in both the Admin and Member stacks. These stacks deploy the automation documents needed to work with consolidated control IDs. You do not need to deploy stacks for individual standards (such as AWS FSBP) when using consolidated control findings.

## China Deployment


The solution does support deployment in China regions, however **you must use the following Launch buttons for one-click deployment in China regions, rather than the Launch buttons provided in other sections of this guide.** Using the "Launch Solution" buttons provided in upcoming sections in this guide will not work if you are deploying in China regions. You can still download the templates from any S3 bucket link and deploy the stacks by uploading the template file.
+  **automated-security-response-admin.template**:

 [https://cn-north-1.console.amazonaws.cn/cloudformation/home?region=cn-north-1#/stacks/new?stackName=automated-security-response-on-aws-admin&templateURL=https:%2F%2Fs3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn%2Fsolutions-reference-cn%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-admin.template&redirectId=ImplementationGuide](https://cn-north-1.console.amazonaws.cn/cloudformation/home?region=cn-north-1#/stacks/new?stackName=automated-security-response-on-aws-admin&templateURL=https:%2F%2Fs3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn%2Fsolutions-reference-cn%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-admin.template&redirectId=ImplementationGuide) 
+  **automated-security-response-member-roles.template**:

 [https://cn-north-1.console.amazonaws.cn/cloudformation/home?region=cn-north-1#/stacks/new?stackName=automated-security-response-on-aws-member-roles&templateURL=https:%2F%2Fs3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn%2Fsolutions-reference-cn%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member-roles.template&redirectId=ImplementationGuide](https://cn-north-1.console.amazonaws.cn/cloudformation/home?region=cn-north-1#/stacks/new?stackName=automated-security-response-on-aws-member-roles&templateURL=https:%2F%2Fs3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn%2Fsolutions-reference-cn%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member-roles.template&redirectId=ImplementationGuide) 
+  **automated-security-response-member.template**:

 [https://cn-north-1.console.amazonaws.cn/cloudformation/home?region=cn-north-1#/stacks/new?stackName=automated-security-response-on-aws-member&templateURL=https:%2F%2Fs3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn%2Fsolutions-reference-cn%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member.template&redirectId=ImplementationGuide](https://cn-north-1.console.amazonaws.cn/cloudformation/home?region=cn-north-1#/stacks/new?stackName=automated-security-response-on-aws-member&templateURL=https:%2F%2Fs3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn%2Fsolutions-reference-cn%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member.template&redirectId=ImplementationGuide) 

## GovCloud (US) Deployment


The solution does support deployment in GovCloud (US) regions, however **you must use the following Launch buttons for one-click deployment in GovCloud (US) regions, rather than the Launch buttons provided in other sections of this guide.** Using the "Launch Solution" buttons provided in upcoming sections in this guide will not work if you are deploying in GovCloud (US) regions. You can still download the templates from any S3 bucket link and deploy the stacks by uploading the template file.
+  **automated-security-response-admin.template**:

 [https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/new?stackName=automated-security-response-on-aws-admin&templateURL=https:%2F%2Fs3.us-gov-west-1.amazonaws.com%2Fsolutions-reference-us-gov%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-admin.template&redirectId=ImplementationGuide](https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/new?stackName=automated-security-response-on-aws-admin&templateURL=https:%2F%2Fs3.us-gov-west-1.amazonaws.com%2Fsolutions-reference-us-gov%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-admin.template&redirectId=ImplementationGuide) 
+  **automated-security-response-member-roles.template**:

 [https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/new?stackName=automated-security-response-on-aws-member-roles&templateURL=https:%2F%2Fs3.us-gov-west-1.amazonaws.com%2Fsolutions-reference-us-gov%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member-roles.template&redirectId=ImplementationGuide](https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/new?stackName=automated-security-response-on-aws-member-roles&templateURL=https:%2F%2Fs3.us-gov-west-1.amazonaws.com%2Fsolutions-reference-us-gov%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member-roles.template&redirectId=ImplementationGuide) 
+  **automated-security-response-member.template**:

 [https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/new?stackName=automated-security-response-on-aws-member&templateURL=https:%2F%2Fs3.us-gov-west-1.amazonaws.com%2Fsolutions-reference-us-gov%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member.template&redirectId=ImplementationGuide](https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/new?stackName=automated-security-response-on-aws-member&templateURL=https:%2F%2Fs3.us-gov-west-1.amazonaws.com%2Fsolutions-reference-us-gov%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member.template&redirectId=ImplementationGuide) 

# AWS CloudFormation templates


 [https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-admin.template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-admin.template) **automated-security-response-admin.template** - Use this template to launch the Automated Security Response on AWS solution. The template installs the core components of the solution, a nested stack for the AWS Step Functions logs, and one nested stack for each security standard you choose to activate.

Services used include Amazon Simple Notification Service, AWS Key Management Service, AWS Identity and Access Management, AWS Lambda, AWS Step Functions, Amazon CloudWatch Logs, Amazon S3, and AWS Systems Manager.

## Admin account support


The following templates are installed in the AWS Security Hub admin account to turn on the security standards that you want to support. You can choose which of the following templates to install when installing the `automated-security-response-admin.template`.

 **automated-security-response-orchestrator-log.template** - Creates a CloudWatch logs group for the Orchestrator Step Function.

 **automated-security-response-webui-nested-stack.template** - Creates the resources to support the solution’s Web UI.

 **AFSBPStack.template** - AWS Foundational Security Best Practices v1.0.0 rules.

 **CIS120Stack.template** - CIS Amazon Web Services Foundations benchmarks, v1.2.0 rules.

 **CIS140Stack.template** - CIS Amazon Web Services Foundations benchmarks, v1.4.0 rules.

 **CIS300Stack.template** - CIS Amazon Web Services Foundations benchmarks, v3.0.0 rules.

 **PCI321Stack.template** - PCI-DSS v3.2.1 rules.

 **NISTStack.template** - National Institute of Standards and Technology (NIST), v5.0.0 rules.

 **SCStack.template** - Security Controls v2.0.0 rules.

## Member roles


 [https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member-roles.template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member-roles.template) **automated-security-response-member-roles.template** - Defines the remediation roles needed in each AWS Security Hub member account.

## Member accounts


 [https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member.template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member.template) **automated-security-response-member.template** - Use this template after you set up the core solution to install AWS Systems Manager automation runbooks and permissions in each of your AWS Security Hub member accounts (including the admin account). This template allows you to choose which security standard playbooks to install.

The `automated-security-response-member.template` installs the following templates based on your selections:

 **automated-security-response-remediation-runbooks.template** - Common remediation code used by one or more of the security standards.

 **AFSBPMemberStack.template** - AWS Foundational Security Best Practices v1.0.0 settings, permissions, and remediation runbooks.

 **CIS120MemberStack.template** - CIS Amazon Web Services Foundations benchmarks, version 1.2.0 settings, permissions, and remediation runbooks.

 **CIS140MemberStack.template** - CIS Amazon Web Services Foundations benchmarks, version 1.4.0 settings, permissions, and remediation runbooks.

 **CIS300MemberStack.template** - CIS Amazon Web Services Foundations benchmarks, version 3.0.0 settings, permissions, and remediation runbooks.

 **PCI321MemberStack.template** - PCI-DSS v3.2.1 settings, permissions, and remediation runbooks.

 **NISTMemberStack.template** - National Institute of Standards and Technology (NIST), v5.0.0 settings, permissions, and remediation runbooks.

 **SCMemberStack.template** - Security Control settings, permissions, and remediation runbooks.

 **automated-security-response-member-cloudtrail.template** - Used in the Action Log feature to track and audit service activity.

## Ticket system integration


Use one of the following templates to integrate with your ticketing system.

 [https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/blueprints/JiraBlueprintStack.template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/blueprints/JiraBlueprintStack.template) **JiraBlueprintStack.template** - Deploy if you use Jira as your ticketing system.

 [https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/blueprints/ServiceNowBlueprintStack.template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/blueprints/ServiceNowBlueprintStack.template) **ServiceNowBlueprintStack.template** - Deploy if you use ServiceNow as your ticketing system.

If you want to integrate a different external ticketing system, you can use either of these stacks as a blueprint to understand how to implement your own custom integration.

# Automated deployment - StackSets


**Note**  
We recommend deploying with StackSets. However, for single account deployments or for testing or evaluation purposes, consider the [stacks deployment](deployment.md) option.

Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your AWS Organizations.

 **Time to deploy:** Approximately 30 minutes per account, depending upon StackSet parameters.

## Prerequisites


 [AWS Organizations](https://aws.amazon.com/organizations/) helps you centrally manage and govern your multi-account AWS environment and resources. StackSets work best with AWS Organizations.

If you have previously deployed v1.3.x or earlier of this solution, you must uninstall the existing solution. For more information, refer to [Update the solution](update-the-solution.md).

Before you deploy this solution, review your AWS Security Hub deployment:
+ There must be a delegated Security Hub admin account in your AWS Organization.
+ Security Hub should be configured to aggregate findings across Regions. For more information, refer to [Aggregating findings across Regions](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) in the AWS Security Hub User Guide.
+ You should [activate Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html) for your organization in each Region where you have AWS usage.

This procedure assumes that you have multiple accounts using AWS Organizations, and have delegated an AWS Organizations admin account and an AWS Security Hub admin account.

 **Please note that this solution works with both [AWS Security Hub and AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-are-securityhub-services.html).** 

## Deployment overview


**Note**  
StackSets deployment for this solution uses a combination of service-managed and self-managed StackSets. Self-managed StackSets must currently be used for the Admin and member stacks because they contain nested stacks, which are not yet supported with service-managed StackSets.

Deploy the StackSets from a [delegated administrator account](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html) in your AWS Organizations.

**Planning**  
Use the following form to help with StackSets deployment. Prepare your data, then copy and paste the values during deployment.

```
AWS Organizations admin account ID: _______________
Security Hub admin account ID: _______________
CloudTrail Logs Group: ______________________________
Member account IDs (comma-separated list):
___________________,
___________________,
___________________,
___________________,
___________________
AWS Organizations OUs (comma-separated list):
___________________,
___________________,
___________________,
___________________,
___________________
```

 [(Optional) Step 0: Deploy the ticketing integration stack](#step-0-stackset) 
+ If you intend to use the ticketing feature, deploy the ticketing integration stack into your Security Hub admin account first.
+ Copy the Lambda function name from this stack and provide it as input to the admin stack (see Step 1).

 [Step 1: Launch the admin stack in the delegated Security Hub admin account](#step-1-stackset) 
+ Using a self-managed StackSet, launch the `automated-security-response-admin.template` AWS CloudFormation template into your AWS Security Hub admin account in the same Region as your Security Hub admin. This template uses nested stacks.
+ Choose which Security Standards to install. By default, only SC is selected (Recommended).
+ Choose an existing Orchestrator log group to use. Select `Yes` if `SO0111-ASR-Orchestrator` already exists from a previous installation.
+ Choose whether to enable the solution’s Web UI. If you choose to enable this feature, you must also enter an email address to be assigned an administrator role.
+ Select your preferences for collecting CloudWatch metrics related to the solution’s operational health.

For more information on self-managed StackSets, refer to [Grant self-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html) in the *AWS CloudFormation User Guide*.

 [Step 2: Install the remediation roles into each AWS Security Hub member account](#step-2-stackset) 

Wait for Step 1 to complete deployment, because the template in Step 2 references IAM roles created by Step 1.
+ Using a service-managed StackSet, launch the `automated-security-response-member-roles.template` AWS CloudFormation template into a single Region in each account in your AWS Organizations.
+ Choose to install this template automatically when a new account joins the organization.
+ Enter the account ID of your AWS Security Hub admin account.
+ Enter a value for the `namespace` which will be used to prevent resource name conflicts with a previous or concurrent deployment in the same account. Enter a string of up to 9 lowercase alphanumeric characters.

 [Step 3: Launch the member stack into each AWS Security Hub member account and Region](#step-3-stackset) 
+ Using self-managed StackSets, launch the `automated-security-response-member.template` AWS CloudFormation template into all Regions where you have AWS resources in every account in your AWS Organization managed by the same Security Hub admin.
**Note**  
Until service-managed StackSets support nested stacks, you must do this step for any new accounts that join the organization.
+ Choose which Security Standard playbooks to install.
+ Provide the name of a CloudTrail log group (used by some remediations).
+ Enter the account ID of your AWS Security Hub admin account.
+ Enter a value for the `namespace` which will be used to prevent resource name conflicts with a previous or concurrent deployment in the same account. Enter a string of up to 9 lowercase alphanumeric characters. This should match the `namespace` value you selected for the Member Roles stack. The namespace value does not need to be unique per member account.

## (Optional) Step 0: Launch a ticket system integration stack


1. If you intend to use the ticketing feature, launch the respective integration stack first.

1. Choose the provided integration stacks for Jira or ServiceNow, or use them as a blueprint to implement your own custom integration.

    **To deploy the Jira stack**:

   1. Enter a name for your stack.

   1. Provide the URI to your Jira instance.

   1. Provide the project key for the Jira project that you want to send tickets to.

   1. Create a new key-value secret in Secrets Manager that holds your Jira `Username` and `Password`.
      **Note**  
      You can choose to use a Jira API key in place of your password by providing your username as `Username` and your API key as the `Password`.

   1. Add the ARN of this secret as input to the stack.

       **Provide a stack name, Jira project information, and Jira API credentials.**   
![ticket system integration stack jira](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/images/ticket-system-integration-stack-jira.png)

       **Jira Field Configuration**:

      After deploying the Jira stack, you can customize Jira ticket fields by setting the `JIRA_FIELDS_MAPPING` environment variable on the Lambda function. This JSON string overrides default Jira ticket fields and must follow the Jira API fields structure.

      Default values when `JIRA_FIELDS_MAPPING` is empty or fields are not specified:
      +  **priority**: `{"id": "3"}` (Medium priority)
      +  **issuetype**: `{"id": "10006"}` (Task)
      +  **accountId**: Automatically retrieved using the `GET /rest/api/2/myself` API endpoint

        Example configuration with custom fields:

        ```
        {
          "reporter": {"accountId": "123456:494dcbff-1b80-482c-a89d-56ae81c145a4"},
          "priority": {"id": "1"},
          "issuetype": {"id": "10006"},
          "assignee": {"accountId": "123456:another-user-id"},
          "customfield_10001": "custom value"
        }
        ```

        Common Jira field IDs:
      +  **Priority IDs**: 1 (Highest), 2 (High), 3 (Medium), 4 (Low), 5 (Lowest)
      +  **Issue Type ID**: Varies by Jira project (e.g., 10006 for Task)
      +  **Account ID**: Format `123456:494dcbff-1b80-482c-a89d-56ae81c145a4` 

        You can find your Jira field IDs and account IDs using the Jira REST API:
      +  `GET /rest/api/2/myself` for account ID
      +  `GET /rest/api/2/priority` for priority IDs
      +  `GET /rest/api/2/project/{projectKey}` for issue type IDs

        For more information, refer to the [Jira REST API v2 Issue POST format](https://developer.atlassian.com/server/jira/platform/rest/v10000/api-group-issue/#api-api-2-issue-post).

         **To deploy the ServiceNow stack**:

   1. Enter a name for your stack.

   1. Provide the URI of your ServiceNow instance.

   1. Provide your ServiceNow table name.

   1. Create an API key in ServiceNow with permission to modify the table you intend to write to.

   1. Create a secret in Secrets Manager with the key `API_Key` and provide the secret ARN as input to the stack.

       **Provide a stack name, ServiceNow project information, and ServiceNow API credentials.**   
![ticket system integration stack servicenow](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/images/ticket-system-integration-stack-servicenow.png)

       **To create a custom integration stack**: Include a Lambda function that the solution orchestrator Step Functions can call for each remediation. The Lambda function should take the input provided by Step Functions, construct a payload according to the requirements of your ticketing system, and make a request to your system to create the ticket.
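The following Python example, added here and not taken from the solution's own Lambda code, shows how the `JIRA_FIELDS_MAPPING` override described above combines with the documented defaults (priority `3`, issue type `10006`, reporter from `GET /rest/api/2/myself`) to produce the `fields` object of a Jira create-issue request, and how a custom integration function of the kind described in the last paragraph would shape that request from the orchestrator's input. The event shape (`Finding` with `Title`, `AwsAccountId`, `Region`, plus `RemediationStatus`) and the `JIRA_PROJECT_KEY` variable are assumptions for this example, not the solution's documented interface; the reporter account ID is passed in rather than fetched from Jira so the code runs offline.

```python
import json
from typing import Any, Dict, Optional

# Defaults the guide documents for an empty JIRA_FIELDS_MAPPING or for fields
# it leaves unspecified: priority id 3 (Medium) and issue type id 10006 (Task).
DEFAULT_PRIORITY_ID = "3"
DEFAULT_ISSUETYPE_ID = "10006"


def parse_fields_mapping(raw: Optional[str]) -> Dict[str, Any]:
    """Parse the JIRA_FIELDS_MAPPING environment variable into a dict.

    An unset or blank variable means "no overrides". Malformed JSON, or JSON
    that is not an object, raises ValueError so a bad override fails loudly
    at test time rather than silently filing mis-configured tickets.
    """
    if raw is None or not raw.strip():
        return {}
    try:
        mapping = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"JIRA_FIELDS_MAPPING is not valid JSON: {exc}") from exc
    if not isinstance(mapping, dict):
        raise ValueError("JIRA_FIELDS_MAPPING must be a JSON object of Jira fields")
    return mapping


def build_issue_fields(project_key: str, summary: str, description: str,
                       reporter_account_id: str, mapping: Dict[str, Any]) -> Dict[str, Any]:
    """Assemble the `fields` object of a POST /rest/api/2/issue request.

    Defaults go in first; each key present in the mapping replaces the default
    wholesale (so a custom `priority` object wins), and unknown keys such as
    `customfield_10001` pass straight through to Jira. `reporter_account_id`
    stands in for the accountId the guide says is fetched from
    GET /rest/api/2/myself.
    """
    fields: Dict[str, Any] = {
        "project": {"key": project_key},
        "summary": summary,
        "description": description,
        "reporter": {"accountId": reporter_account_id},
        "priority": {"id": DEFAULT_PRIORITY_ID},
        "issuetype": {"id": DEFAULT_ISSUETYPE_ID},
    }
    fields.update(mapping)
    return fields


def build_ticket_request(event: Dict[str, Any], env: Dict[str, str],
                         reporter_account_id: str) -> Dict[str, Any]:
    """Turn the orchestrator's input into a Jira create-issue request body.

    The event shape used here (a `Finding` with Title, AwsAccountId and Region,
    plus a `RemediationStatus`) and the JIRA_PROJECT_KEY variable are assumed
    for this example; they are not the solution's documented interface.
    """
    finding = event["Finding"]
    summary = f"[ASR] {finding['Title']} ({finding['AwsAccountId']}/{finding['Region']})"
    description = (
        f"Security Hub finding: {finding['Title']}\n"
        f"Account: {finding['AwsAccountId']}  Region: {finding['Region']}\n"
        f"Remediation status: {event.get('RemediationStatus', 'unknown')}"
    )
    mapping = parse_fields_mapping(env.get("JIRA_FIELDS_MAPPING"))
    return {"fields": build_issue_fields(env["JIRA_PROJECT_KEY"], summary,
                                         description, reporter_account_id, mapping)}


# Constructed sample input: a finding as the orchestrator might hand it over,
# and the custom-field mapping shown in the guide.
SAMPLE_EVENT = {
    "Finding": {
        "Title": "Example control: S3 bucket allows public access",
        "AwsAccountId": "222222222222",
        "Region": "us-east-1",
    },
    "RemediationStatus": "SUCCESS",
}
SAMPLE_MAPPING = json.dumps({
    "priority": {"id": "1"},
    "issuetype": {"id": "10006"},
    "assignee": {"accountId": "123456:another-user-id"},
    "customfield_10001": "custom value",
})

if __name__ == "__main__":
    body = build_ticket_request(
        SAMPLE_EVENT,
        {"JIRA_PROJECT_KEY": "SEC", "JIRA_FIELDS_MAPPING": SAMPLE_MAPPING},
        "123456:494dcbff-1b80-482c-a89d-56ae81c145a4",
    )
    print(json.dumps(body, indent=2))
```

With the sample mapping the request carries priority `1` (Highest) and the assignee and custom field from the mapping, while `project`, `summary`, `description` and `reporter` come from the defaults; with the variable unset it falls back to priority `3` and issue type `10006`.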

## Step 1: Launch the admin stack in the delegated Security Hub admin account


1. Launch the [admin stack](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-admin.template), `automated-security-response-admin.template`, in your Security Hub admin account, typically once per organization in a single Region. Because this stack uses nested stacks, you must deploy this template as a self-managed StackSet.

### Parameters



| Parameter | Default | Description | 
| --- | --- | --- | 
|   **Load SC Admin Stack**   |   `yes`   |  Specify whether to install the admin components for automated remediation of SC controls.  | 
|   **Load AFSBP Admin Stack**   |   `no`   |  Specify whether to install the admin components for automated remediation of FSBP controls.  | 
|   **Load CIS120 Admin Stack**   |   `no`   |  Specify whether to install the admin components for automated remediation of CIS120 controls.  | 
|   **Load CIS140 Admin Stack**   |   `no`   |  Specify whether to install the admin components for automated remediation of CIS140 controls.  | 
|   **Load CIS300 Admin Stack**   |   `no`   |  Specify whether to install the admin components for automated remediation of CIS300 controls.  | 
|   **Load PCI321 Admin Stack**   |   `no`   |  Specify whether to install the admin components for automated remediation of PCI321 controls.  | 
|   **Load NIST Admin Stack**   |   `no`   |  Specify whether to install the admin components for automated remediation of NIST controls.  | 
|   **Reuse Orchestrator Log Group**   |   `no`   |  Select whether or not to reuse an existing `SO0111-ASR-Orchestrator` CloudWatch Logs group. This simplifies reinstallation and upgrades without losing log data from a previous version. Choose `yes` if the `SO0111-ASR-Orchestrator` log group still exists from an earlier deployment in this account, otherwise `no`. If you are performing a stack update from a version earlier than v2.3.0, choose `no`.  | 
|   **ShouldDeployWebUI**   |   `yes`   |  Deploy the Web UI components including API Gateway, Lambda functions, and CloudFront distribution. Select "yes" to enable the web-based user interface for viewing findings and remediation status. If you choose to disable this feature, you can still configure automated remediations and run remediations on-demand using the Security Hub CSPM custom action.  | 
|   **AdminUserEmail**   |   *(Optional input)*   |  Email address for the initial admin user. This user will have full administrative access to the ASR Web UI. Required **only** when Web UI is enabled.  | 
|   **Use CloudWatch Metrics**   |   `yes`   |  Specify whether to enable CloudWatch Metrics for monitoring the solution. This will create a CloudWatch Dashboard for viewing metrics.  | 
|   **Use CloudWatch Metrics Alarms**   |   `yes`   |  Specify whether to enable CloudWatch Metrics Alarms for the solution. This will create Alarms for certain metrics collected by the solution.  | 
|   **RemediationFailureAlarmThreshold**   |   `5`   |  Specify the threshold for percentage of remediation failures per control ID. For example, if you enter `5`, you receive an alarm if a control ID fails more than 5% of remediations at a given day. This parameter functions only if alarms are created (see the **Use CloudWatch Metrics Alarms** parameter).  | 
|   **EnableEnhancedCloudWatchMetrics**   |   `no`   |  If `yes`, creates additional CloudWatch metrics to track all control IDs individually on the CloudWatch dashboard and as CloudWatch alarms. See the [Cost](cost.md#additional-cost-enhanced-metrics) section to understand the additional cost that this incurs.  | 
|   **TicketGenFunctionName**   |   *(Optional input)*   |  Optional. Leave blank if you don’t want to integrate a ticketing system. Otherwise, provide the Lambda function name from the stack output of [Step 0](deployment.md#step-0), for example: `SO0111-ASR-ServiceNow-TicketGenerator`.  | 

 **Configure StackSet options** 

![configure stackset options](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/images/configre-stackset-options.png)


1. For the **Account numbers** parameter, enter the account ID of the AWS Security Hub admin account.

1. For the **Specify regions** parameter, select only the Region where Security Hub admin is turned on. Wait for this step to complete before going on to Step 2.

## Step 2: Install the remediation roles into each AWS Security Hub member account


Use a service-managed StackSet to deploy the [member roles template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member-roles.template), `automated-security-response-member-roles.template`. This StackSet must be deployed in one Region per member account. It defines the global roles that allow cross-account API calls from the ASR Orchestrator step function.

### Parameters



| Parameter | Default | Description | 
| --- | --- | --- | 
|   **Namespace**   |   *<Requires input>*   |  Enter a string of up to 9 lowercase alphanumeric characters. Unique namespace to be added as a suffix to remediation IAM role names. The same namespace should be used in the Member Roles and Member stacks. This string should be unique for each solution deployment, but does not need to be changed during stack updates. The namespace value does **not** need to be unique per member account.  | 
|   **Sec Hub Account Admin**   |   *<Requires input>*   |  Enter the 12-digit account ID for the AWS Security Hub admin account. This value grants permissions to the admin account’s solution role.  | 

1. Deploy to the entire organization (typical) or to organizational units, as per your organization's policies.

1. Turn on automatic deployment so that new accounts in your AWS Organization receive these permissions.

1. For the **Specify regions** parameter, select a single Region. IAM roles are global. You can continue to Step 3 while this StackSet deploys.

    **Specify StackSet details**   
![Specify StackSet details](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/images/specify-stackset-details.png)

## Step 3: Launch the member stack into each AWS Security Hub member account and Region


Because the [member stack](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member.template) uses nested stacks, you must deploy it as a self-managed StackSet. Self-managed StackSets do not support automatic deployment to new accounts in the AWS Organization.

### Parameters



| Parameter | Default | Description | 
| --- | --- | --- | 
|   **Provide the name of the LogGroup to be used to create Metric Filters and Alarms**   |   *<Requires input>*   |  Specify the name of a CloudWatch Logs group where CloudTrail logs API calls. This is used for CIS 3.1-3.14 remediations.  | 
|   **Load SC Member Stack**   |   `yes`   |  Specify whether to install the member components for automated remediation of SC controls.  | 
|   **Load AFSBP Member Stack**   |   `no`   |  Specify whether to install the member components for automated remediation of FSBP controls.  | 
|   **Load CIS120 Member Stack**   |   `no`   |  Specify whether to install the member components for automated remediation of CIS120 controls.  | 
|   **Load CIS140 Member Stack**   |   `no`   |  Specify whether to install the member components for automated remediation of CIS140 controls.  | 
|   **Load CIS300 Member Stack**   |   `no`   |  Specify whether to install the member components for automated remediation of CIS300 controls.  | 
|   **Load PCI321 Member Stack**   |   `no`   |  Specify whether to install the member components for automated remediation of PCI321 controls.  | 
|   **Load NIST Member Stack**   |   `no`   |  Specify whether to install the member components for automated remediation of NIST controls.  | 
|   **Create S3 Bucket For Redshift Audit Logging**   |   `no`   |  Select `yes` if the S3 bucket should be created for the FSBP Redshift.4 remediation. For details of the S3 bucket and the remediation, review the [Redshift.4 remediation](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-redshift-4) in the *AWS Security Hub User Guide*.  | 
|   **Sec Hub Admin Account**   |   *<Requires input>*   |  Enter the 12-digit account ID for the AWS Security Hub admin account.  | 
|   **Namespace**   |   *<Requires input>*   |  Enter a string of up to 9 lowercase alphanumeric characters. This string becomes part of the IAM role names and Action Log S3 bucket. Use the same value for member stack deployment and member roles stack deployment. String should be unique for each solution deployment, but does not need to be changed during stack updates.  | 
|   **EnableCloudTrailForASRActionLog**   |   `no`   |  Select `yes` if you want to monitor management events conducted by the solution on the CloudWatch dashboard. The solution creates a CloudTrail trail in each member account where you select `yes`. You must deploy the solution into an AWS Organization to enable this feature. **Additionally, you can only enable this feature in a single region within the same account.** See the [Cost](cost.md#additional-cost-action-log) section to understand the additional cost that this incurs.  | 

 **Accounts** 

![Accounts](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/images/accounts.png)


 **Deployment locations**: You may specify a list of account numbers or organizational units.

 **Specify regions**: Select all of the Regions where you want to remediate findings. You can adjust Deployment options as appropriate for the number of accounts and Regions. Region Concurrency can be parallel.

# Automated deployment - Stacks


**Note**  
For multi-account customers, we strongly recommend [deployment with StackSets](deployment-stackset.md).

Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

 **Time to deploy:** Approximately 30 minutes

## Prerequisites


Before you deploy this solution, ensure that AWS Security Hub is in the same AWS Region as your primary and secondary accounts. If you have previously deployed this solution, you must uninstall the existing solution. For more information, refer to [Update the solution](update-the-solution.md).

## Deployment overview


Use the following steps to deploy this solution on AWS.

 [(Optional) Step 0: Launch a ticket system integration stack](#step-0) 
+ If you intend to use the ticketing feature, deploy the ticketing integration stack into your Security Hub admin account first.
+ Copy the Lambda function name from this stack and provide it as input to the admin stack (see Step 1).

 [Step 1: Launch the admin stack](#step-1) 
+ Launch the `automated-security-response-admin.template` AWS CloudFormation template into your AWS Security Hub admin account.
+ Choose which security standards to install.
+ Choose an existing Orchestrator log group to use (select `Yes` if `SO0111-ASR-Orchestrator` already exists from a previous installation).

 [Step 2: Install the remediation roles into each AWS Security Hub member account](#step-2) 
+ Launch the `automated-security-response-member-roles.template` AWS CloudFormation template into one Region per member account.
+ Enter the 12-digit account ID for the AWS Security Hub admin account.

 [Step 3: Launch the member stack](#step-3) 
+ Specify the name of the CloudWatch Logs group to use with CIS 3.1-3.14 remediations. It must be the name of a CloudWatch Logs log group that receives CloudTrail logs.
+ Choose whether to install the remediation roles. Install these roles only once per account.
+ Select which playbooks to install.
+ Enter the account ID of the AWS Security Hub admin account.

 [Step 4: (Optional) Adjust the available remediations](#step-4) 
+ Remove any remediations on a per-member account basis. This step is optional.

## (Optional) Step 0: Launch a ticket system integration stack


1. If you intend to use the ticketing feature, launch the respective integration stack first.

1. Choose the provided integration stacks for Jira or ServiceNow, or use them as a blueprint to implement your own custom integration.

    **To deploy the Jira stack**:

   1. Enter a name for your stack.

   1. Provide the URI to your Jira instance.

   1. Provide the project key for the Jira project that you want to send tickets to.

   1. Create a new key-value secret in Secrets Manager that holds your Jira `Username` and `Password`.
**Note**  
You can choose to use a Jira API key in place of your password by providing your username as `Username` and your API key as the `Password`.

   1. Add the ARN of this secret as input to the stack.

       **Provide a stack name, Jira project information, and Jira API credentials.**   
![Ticket system integration stack (Jira)](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/images/ticket-system-integration-stack-jira.png)

       **Jira Field Configuration**:

      For information on customizing Jira ticket fields, refer to the Jira Field Configuration section in [Step 0 of the StackSet deployment](deployment-stackset.md#step-0-stackset).

       **To deploy the ServiceNow stack**:

   1. Enter a name for your stack.

   1. Provide the URI of your ServiceNow instance.

   1. Provide your ServiceNow table name.

   1. Create an API key in ServiceNow with permission to modify the table you intend to write to.

   1. Create a secret in Secrets Manager with the key `API_Key` and provide the secret ARN as input to the stack.

       **Provide a stack name, ServiceNow project information, and ServiceNow API credentials.**   
![Ticket system integration stack (ServiceNow)](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/images/ticket-system-integration-stack-servicenow.png)

       **To create a custom integration stack**: Include a Lambda function that the solution orchestrator Step Functions can call for each remediation. The Lambda function should take the input provided by Step Functions, construct a payload according to the requirements of your ticketing system, and make a request to your system to create the ticket.
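The shape of such a function, as an added example that is not part of the solution or its Jira/ServiceNow stacks. It assumes (all assumptions) that the orchestrator passes the Security Hub finding in ASFF form under an event key `Finding` and the remediation outcome under `RemediationStatus`, and that the ticketing system exposes a JSON POST endpoint whose URL and Secrets Manager secret ARN arrive in the `TICKET_API_URL` and `TICKET_SECRET_ARN` environment variables:

```python
"""Hypothetical ticket-generator Lambda for a custom ASR ticketing integration.

Added example, not the solution's code. Assumed event shape: {"Finding": <ASFF
finding>, "RemediationStatus": "..."}; assumed API: JSON POST with a bearer key
that is stored in Secrets Manager under the key "API_Key".
"""
import json
import os
import urllib.error
import urllib.request

# ASFF severity labels mapped to the priority values of the (assumed) ticket API.
SEVERITY_TO_PRIORITY = {
    "CRITICAL": "P1",
    "HIGH": "P2",
    "MEDIUM": "P3",
    "LOW": "P4",
    "INFORMATIONAL": "P4",
}
MAX_SUMMARY_LEN = 120  # assumed limit of the ticket system's summary field


def build_payload(event: dict) -> dict:
    """Map the orchestrator's input onto the JSON body the ticket API expects."""
    finding = event.get("Finding") or {}
    severity = str((finding.get("Severity") or {}).get("Label", "INFORMATIONAL")).upper()
    control = ((finding.get("Compliance") or {}).get("SecurityControlId")
               or finding.get("GeneratorId", "unknown-control"))
    resources = [r.get("Id", "") for r in finding.get("Resources") or []]
    status = event.get("RemediationStatus", "unknown")
    summary = f"[ASR][{status}] {control}: {finding.get('Title', 'Security Hub finding')}"
    description = "\n".join([
        f"Account: {finding.get('AwsAccountId', '?')}  Region: {finding.get('Region', '?')}",
        f"Severity: {severity}",
        f"Resources: {', '.join(resources) or 'n/a'}",
        f"Remediation status: {status}",
        "",
        finding.get("Description", ""),
    ])
    return {
        "summary": summary[:MAX_SUMMARY_LEN],
        "description": description,
        "priority": SEVERITY_TO_PRIORITY.get(severity, "P4"),
        # The ASFF finding Id lets the ticket system de-duplicate re-fired findings.
        "external_id": finding.get("Id", ""),
        "labels": ["automated-security-response", control],
    }


def create_ticket(payload: dict, api_url: str, api_key: str,
                  opener=urllib.request.urlopen) -> dict:
    """POST the payload; fail loudly on any non-2xx answer without echoing the key."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(api_url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Bearer {api_key}")
    try:
        with opener(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8") or "{}")
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"ticket API returned HTTP {err.code}") from err
    except urllib.error.URLError as err:
        raise RuntimeError(f"ticket API unreachable: {err.reason}") from err


def api_key_from_secret(secret_arn: str) -> str:
    """Read the key from Secrets Manager (secret stored with key 'API_Key')."""
    import boto3  # imported lazily so build_payload stays testable offline
    secret = boto3.client("secretsmanager").get_secret_value(SecretId=secret_arn)
    return json.loads(secret["SecretString"])["API_Key"]


def handler(event, context):
    """Lambda entry point invoked by the orchestrator Step Functions state machine."""
    api_url = os.environ["TICKET_API_URL"]                          # assumed env var
    api_key = api_key_from_secret(os.environ["TICKET_SECRET_ARN"])  # assumed env var
    return {"ticket": create_ticket(build_payload(event), api_url, api_key)}
```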

## Step 1: Launch the admin stack


**Important**  
This solution includes data collection. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the [AWS Privacy Notice](https://aws.amazon.com/privacy/).

This automated AWS CloudFormation template deploys the Automated Security Response on AWS solution in the AWS Cloud. Before you launch the stack, you must enable Security Hub and complete the [prerequisites](#prerequisites).

**Note**  
You are responsible for the cost of the AWS services used while running this solution. For more details, refer to the [Cost](cost.md) section in this guide, and to the pricing webpage for each AWS service used in this solution.

1. Sign in to the AWS Management Console from the account where AWS Security Hub is configured, and use the button below to launch the `automated-security-response-admin.template` AWS CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-admin&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-admin.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-admin&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-admin.template&redirectId=ImplementationGuide) 

   You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-admin.template) as a starting point for your own implementation.

1. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.
**Note**  
This solution uses AWS Systems Manager which is currently available in specific AWS Regions only. The solution works in all of the Regions that support this service. For the most current availability by Region, refer to the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box and then choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack. For information about naming character limitations, refer to [IAM and STS limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the *AWS Identity and Access Management User Guide*.

1. On the **Parameters** page, choose **Next**.    
[See the AWS documentation website for more details](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html)

**Note**  
You must manually enable automatic remediations in the Admin account after deploying or updating the solution’s CloudFormation stacks.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

1. Choose **Create stack** to deploy the stack.

You can view the status of the stack in the AWS CloudFormation console in the **Status** column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.

## Step 2: Install the remediation roles into each AWS Security Hub member account


The `automated-security-response-member-roles.template` StackSet must be deployed in only one Region per member account. It defines the global roles that allow cross-account API calls from the ASR Orchestrator step function.

1. Sign in to the AWS Management Console for each AWS Security Hub member account (including the admin account, which is also a member). Select the button to launch the `automated-security-response-member-roles.template` AWS CloudFormation template. You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member-roles.template) as a starting point for your own implementation.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-member-roles&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member-roles.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-member-roles&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member-roles.template&redirectId=ImplementationGuide) 

1. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.

1. On the **Create stack** page, verify that the correct template URL is in the Amazon S3 URL text box and then choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS limits in the AWS Identity and Access Management User Guide.

1. On the **Parameters** page, specify the following parameters and choose Next.    
[See the AWS documentation website for more details](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html)

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

1. Choose **Create stack** to deploy the stack.

   You can view the status of the stack in the AWS CloudFormation console in the **Status** column. You should receive a CREATE_COMPLETE status in approximately 5 minutes. You may continue with the next step while this stack loads.

## Step 3: Launch the member stack


**Important**  
This solution includes data collection. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the AWS Privacy Policy.

The `automated-security-response-member` stack must be installed into each Security Hub member account. This stack defines the runbooks for automated remediation. The admin for each member account can control what remediations are available via this stack.

1. Sign in to the AWS Management Console for each AWS Security Hub member account (including the admin account, which is also a member). Select the button to launch the `automated-security-response-member.template` AWS CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-member&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-member&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member.template&redirectId=ImplementationGuide) 

   You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member.template) as a starting point for your own implementation.

1. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.

**Note**  
This solution uses AWS Systems Manager, which is currently available in the majority of AWS Regions. The solution works in all of the Regions that support these services. For the most current availability by Region, refer to the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box and then choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack. For information about naming character limitations, refer to [IAM and STS limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the *AWS Identity and Access Management User Guide*.

1. On the **Parameters** page, specify the following parameters and choose **Next**.    
[See the AWS documentation website for more details](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html)

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

1. Choose **Create stack** to deploy the stack.

You can view the status of the stack in the AWS CloudFormation console in the **Status** column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.

## Step 4: (Optional) Adjust the available remediations


If you want to remove specific remediations from a member account, you can do so by updating the nested stack for the security standard. For simplicity, the nested stack options are not propagated to the root stack.

1. Sign in to the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation/home) and select the nested stack.

1. Choose **Update**.

1. Select **Update nested stack** and choose **Update stack**.

    **Update nested stack**   
![Update nested stack](http://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/images/nested-stack.png)

1. Select **Use current template** and choose **Next**.

1. Adjust the available remediations. Change the values for desired controls to `Available` and undesired controls to `Not available`.
**Note**  
Turning off a remediation removes the solution's remediation runbook for that security standard and control.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

1. Choose **Update stack**.

You can view the status of the stack in the AWS CloudFormation console in the **Status** column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.

# Control Tower (CT) deployment


The Customizations for AWS Control Tower (CfCT) guide is for administrators, DevOps professionals, independent software vendors, IT infrastructure architects, and systems integrators who want to customize and extend their AWS Control Tower environments for their company and customers. It provides information about customizing and extending the AWS Control Tower environment with the CfCT customization package.

 **Time to deploy:** Approximately 30 minutes

## Prerequisites


This deployment path is intended for **AWS Control Tower administrators**.

When you're ready to set up your landing zone using the AWS Control Tower console or APIs, use the following resources:

To get started with AWS Control Tower, see: [Getting Started with AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) 

To learn how to customize your landing zone, refer to: [Customizing Your Landing Zone](https://docs.aws.amazon.com/controltower/latest/userguide/customize-landing-zone.html) 

To launch and deploy your landing zone, see: [Landing Zone Deployment Guide](https://docs.aws.amazon.com/controltower/latest/userguide/deployment.html) 

## Deployment overview


Use the following steps to deploy this solution on AWS.

 [Step 1: Build and deploy S3 bucket](#step-1-cfn) 

**Note**  
S3 bucket configuration is for the ADMIN only. This is a one-time setup step and should not be repeated by end users. The S3 buckets store the deployment package, including the AWS CloudFormation templates and the Lambda code required for ASR to run. These resources are deployed using CfCT or StackSets.

**1. Configure the S3 Bucket**  
Set up the S3 bucket that will be used for storing and serving your deployment packages.

**2. Set Up the Environment**  
Prepare the necessary environment variables, credentials, and tools required for the build and deployment process.

**3. Configure S3 Bucket Policies**  
Define and apply the appropriate bucket policies to control access and permissions.

**4. Prepare the Build**  
Compile, package, or otherwise prepare your application or assets for deployment.

**5. Deploy Packages to S3**  
Upload the prepared build artifacts to the designated S3 bucket.

 [Step 2: Stacks deployment to AWS Control Tower](#step-2-cfn) 

**1. Create Build Manifest for ASR Components**  
Define a build manifest that lists all ASR components, their versions, dependencies, and build instructions.

**2. Update the CodePipeline**  
Modify the AWS CodePipeline configuration to include the new build steps, artifacts, or stages required for deploying the ASR components.

## Step 1: Build and deploy to S3 bucket


AWS Solutions use two buckets: a bucket for global access to templates, which is accessed via HTTPS, and regional buckets for access to assets within the region, such as Lambda code.

**1. Configure the S3 Bucket**  
Pick a unique base bucket name, e.g. `asr-staging`. Set environment variables in your terminal: the template bucket name is the base name with `-reference` as suffix, and the asset bucket name is the base name with your intended deployment Region as suffix:

```
export BASE_BUCKET_NAME=asr-staging-$(date +%s)
export TEMPLATE_BUCKET_NAME=$BASE_BUCKET_NAME-reference
export REGION=us-east-1
export ASSET_BUCKET_NAME=$BASE_BUCKET_NAME-$REGION
```

**2. Environment Setup**  
In your AWS account, create two buckets with these names, e.g. `asr-staging-reference` and `asr-staging-us-east-1`. (The reference bucket will hold the CloudFormation templates; the regional bucket will hold all other assets, such as the Lambda code bundle.) Your buckets should be encrypted and disallow public access.

```
aws s3 mb s3://$TEMPLATE_BUCKET_NAME/
aws s3 mb s3://$ASSET_BUCKET_NAME/
```

**Note**  
When creating your buckets, ensure that they are not publicly accessible: use random bucket names, block public access, use KMS encryption, and verify bucket ownership before uploading.

**3. S3 buckets policy setup**  
Update the `$TEMPLATE_BUCKET_NAME` S3 bucket policy to include `s3:PutObject` permission for the execute account (the account that runs the build). Assign this permission to an IAM role within the execute account that is authorized to write to the bucket. This setup allows you to avoid creating the bucket in the Management account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::template-bucket-name/*",
                "arn:aws:s3:::template-bucket-name"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "org-id"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::template-bucket-name/*",
                "arn:aws:s3:::template-bucket-name"
            ],
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::account-id:role/iam-role-name"
                }
            }
        }
    ]
}
```

Alter each asset S3 bucket policy in the same way, granting `s3:PutObject` to an IAM role within the execute account that is authorized to write to the bucket. Repeat this setup for each regional asset bucket (e.g., `asr-staging-us-east-1`, `asr-staging-eu-west-1`, etc.), allowing deployments across multiple Regions without needing to create the buckets in the Management account.
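One way to render that policy for the template bucket and for every regional asset bucket, and then to audit the result so that no `Allow` statement with a wildcard principal is left without an organization or role condition (an added example, not the solution's own tooling; every ID and ARN is a placeholder):

```python
"""Render and audit the staging-bucket policies described above.

Added example, not part of the solution. Org ID, account ID and role ARN are
placeholders supplied by the caller.
"""

# Condition keys that scope a wildcard principal to the organization or to one role.
SCOPING_CONDITION_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalArn"}


def build_bucket_policy(bucket: str, org_id: str, writer_role_arn: str) -> dict:
    """Org-wide read of objects plus write from one role in the execute account."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"  # GetObject/PutObject are object-level
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OrgRead",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": objects_arn,
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            },
            {
                "Sid": "BuildRoleWrite",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"ArnLike": {"aws:PrincipalArn": writer_role_arn}},
            },
        ],
    }


def build_staging_policies(base_bucket: str, regions, org_id: str,
                           writer_role_arn: str) -> dict:
    """One policy per bucket: <base>-reference plus <base>-<region> for each Region."""
    names = [f"{base_bucket}-reference"] + [f"{base_bucket}-{r}" for r in regions]
    return {name: build_bucket_policy(name, org_id, writer_role_arn) for name in names}


def audit_policy(policy: dict) -> list:
    """Describe every Allow statement that any principal could use unconditionally."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if not wildcard:
            continue
        condition_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        if not condition_keys & SCOPING_CONDITION_KEYS:
            sid = stmt.get("Sid", "<no Sid>")
            problems.append(f"{sid}: wildcard principal without org/role condition")
    return problems


if __name__ == "__main__":
    import json
    policies = build_staging_policies(
        "asr-staging", ["us-east-1", "eu-west-1"],
        "o-exampleorgid", "arn:aws:iam::111122223333:role/asr-build")  # placeholders
    for name, policy in policies.items():
        print(name, audit_policy(policy) or "OK")
        print(json.dumps(policy, indent=2))
```

Feed each rendered policy to `aws s3api put-bucket-policy --bucket <name> --policy file://<name>.json` after the audit returns no problems.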

**4. Build Preparation**
+ Prerequisites:
  + AWS CLI v2
  + Python 3.11+ with pip
  + AWS CDK 2.171.1+
  + Node.js 20+ with npm
  + Poetry v2 with plugin to export
+ Git clone [https://github.com/aws-solutions/automated-security-response-on-aws.git](https://github.com/aws-solutions/automated-security-response-on-aws.git) 

First, ensure that you have run `npm install` in the `source` folder.

Next, from the `deployment` folder in your cloned repo, run `build-s3-dist.sh`, passing the root name of your bucket (ex. `mybucket`) and the version you are building (ex. `v1.0.0`). We recommend using a semver version based on the version downloaded from GitHub (ex. GitHub: `v1.0.0`, your build: `v1.0.0.mybuild`).

```
chmod +x build-s3-dist.sh
export SOLUTION_NAME=automated-security-response-on-aws
export SOLUTION_VERSION=v1.0.0.mybuild
./build-s3-dist.sh -b $BASE_BUCKET_NAME -v $SOLUTION_VERSION
```

 **5. Deploy packages to S3** 

```
cd deployment
aws s3 cp global-s3-assets/  s3://$TEMPLATE_BUCKET_NAME/$SOLUTION_NAME/$SOLUTION_VERSION/ --recursive --acl bucket-owner-full-control
aws s3 cp regional-s3-assets/  s3://$ASSET_BUCKET_NAME/$SOLUTION_NAME/$SOLUTION_VERSION/ --recursive --acl bucket-owner-full-control
```

## Step 2: Stacks deployment to AWS Control Tower


**1. Build manifest for ASR components**  
After deploying the ASR artifacts to the S3 buckets, update the Control Tower [pipeline manifest](https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-byo-customizations.html) to reference the new version, and then trigger the pipeline run (see [Control Tower deployment](https://docs.aws.amazon.com/controltower/latest/userguide/deployment.html)).

**Important**  
To ensure correct deployment of the ASR solution, refer to the official AWS documentation for the CloudFormation templates overview and the parameter descriptions: [CloudFormation Templates](https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/aws-cloudformation-template.html) and [Parameters overview Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html).

The manifest for the ASR components looks like this:

```
region: us-east-1 #<HOME_REGION_NAME>
version: 2021-03-15

# Control Tower Custom CloudFormation Resources
resources:
  - name: <ADMIN STACK NAME>
    resource_file: s3://<ADMIN TEMPLATE BUCKET path>
    parameters:
      - parameter_key: UseCloudWatchMetricsAlarms
        parameter_value: "yes"
      - parameter_key: TicketGenFunctionName
        parameter_value: ""
      - parameter_key: ShouldDeployWebUI
        parameter_value: "yes"
      - parameter_key: AdminUserEmail
        parameter_value: "<YOUR EMAIL ADDRESS>"
      - parameter_key: LoadSCAdminStack
        parameter_value: "yes"
      - parameter_key: LoadCIS120AdminStack
        parameter_value: "no"
      - parameter_key: LoadCIS300AdminStack
        parameter_value: "no"
      - parameter_key: UseCloudWatchMetrics
        parameter_value: "yes"
      - parameter_key: LoadNIST80053AdminStack
        parameter_value: "no"
      - parameter_key: LoadCIS140AdminStack
        parameter_value: "no"
      - parameter_key: ReuseOrchestratorLogGroup
        parameter_value: "yes"
      - parameter_key: LoadPCI321AdminStack
        parameter_value: "no"
      - parameter_key: RemediationFailureAlarmThreshold
        parameter_value: "5"
      - parameter_key: LoadAFSBPAdminStack
        parameter_value: "no"
      - parameter_key: EnableEnhancedCloudWatchMetrics
        parameter_value: "no"
    deploy_method: stack_set
    deployment_targets:
      accounts: # :type: list
        - <ACCOUNT_NAME> # and/or
        - <ACCOUNT_NUMBER>
    regions:
      - <REGION_NAME>

  - name:  <ROLE MEMBER STACK NAME>
    resource_file: s3://<ROLE MEMBER TEMPLATE BUCKET path>
    parameters:
      - parameter_key: SecHubAdminAccount
        parameter_value: <ADMIN_ACCOUNT_NAME>
      - parameter_key: Namespace
        parameter_value: <NAMESPACE>
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - <ORG UNIT>

  - name:  <MEMBER STACK NAME>
    resource_file: s3://<MEMBER TEMPLATE BUCKET path>
    parameters:
      - parameter_key: SecHubAdminAccount
        parameter_value: <ADMIN_ACCOUNT_NAME>
      - parameter_key: LoadCIS120MemberStack
        parameter_value: "no"
      - parameter_key: LoadNIST80053MemberStack
        parameter_value: "no"
      - parameter_key: Namespace
        parameter_value: <NAMESPACE>
      - parameter_key: CreateS3BucketForRedshiftAuditLogging
        parameter_value: "no"
      - parameter_key: LoadAFSBPMemberStack
        parameter_value: "no"
      - parameter_key: LoadSCMemberStack
        parameter_value: "yes"
      - parameter_key: LoadPCI321MemberStack
        parameter_value: "no"
      - parameter_key: LoadCIS140MemberStack
        parameter_value: "no"
      - parameter_key: EnableCloudTrailForASRActionLog
        parameter_value: "no"
      - parameter_key: LogGroupName
        parameter_value: <LOG_GROUP_NAME>
      - parameter_key: LoadCIS300MemberStack
        parameter_value: "no"
    deploy_method: stack_set
    deployment_targets:
      accounts: # :type: list
        - <ACCOUNT_NAME> # and/or
        - <ACCOUNT_NUMBER>
      organizational_units:
        - <ORG UNIT>
    regions: # :type: list
      - <REGION_NAME>
```
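A pre-flight check for this manifest before the pipeline runs, as an added example that is not part of the solution or of CfCT. It encodes constraints stated in this guide: one account and one Region for the admin stack, `AdminUserEmail` required when `ShouldDeployWebUI` is `yes`, a `Namespace` of up to 9 lowercase alphanumerics that is identical in the member-roles and member stacks, the Action Log in only one Region per account, and only the SC playbook enabled when consolidated control findings are on. It recognises the three stacks by the parameter keys they carry (an assumption) and takes the manifest already parsed into a dict (for example with PyYAML); the sample manifest inside it is constructed with placeholder IDs:

```python
"""Pre-flight validation of an ASR CfCT manifest. Added example, not the solution's code."""
import re

NAMESPACE_RE = re.compile(r"^[a-z0-9]{1,9}$")


def params_of(resource):
    """Flatten CfCT's parameter list into {key: value}."""
    return {p["parameter_key"]: str(p.get("parameter_value", "") or "")
            for p in resource.get("parameters", [])}


def set_param(resource, key, value):
    """Overwrite one parameter_value in place (used to build variants)."""
    for p in resource["parameters"]:
        if p["parameter_key"] == key:
            p["parameter_value"] = value


def classify(resource):
    """Recognise the three ASR stacks by the parameters they carry (assumption)."""
    keys = params_of(resource)
    if "LoadSCAdminStack" in keys:
        return "admin"
    if "LoadSCMemberStack" in keys:
        return "member"
    if "Namespace" in keys and "SecHubAdminAccount" in keys:
        return "member-roles"
    return "other"


def validate_manifest(manifest, consolidated_findings=True):
    """Return a list of violations; an empty list means the manifest passes."""
    by_role = {}
    for res in manifest.get("resources", []):
        by_role.setdefault(classify(res), []).append(res)
    errors = [f"expected exactly one {k} stack resource"
              for k in ("admin", "member-roles", "member") if len(by_role.get(k, [])) != 1]
    if errors:
        return errors
    admin, roles, member = (by_role[k][0] for k in ("admin", "member-roles", "member"))
    a, r, m = params_of(admin), params_of(roles), params_of(member)
    targets = admin.get("deployment_targets", {})
    if len(targets.get("accounts", [])) != 1 or targets.get("organizational_units"):
        errors.append("admin stack must target exactly one account")
    if len(admin.get("regions", [])) != 1:
        errors.append("admin stack must target exactly one Region")
    if a.get("ShouldDeployWebUI") == "yes" and not a.get("AdminUserEmail", "").strip():
        errors.append("AdminUserEmail is required when ShouldDeployWebUI is yes")
    for name, p in (("member-roles", r), ("member", m)):
        if not NAMESPACE_RE.match(p.get("Namespace", "")):
            errors.append(f"{name}: Namespace must be 1-9 lowercase alphanumerics")
    if r.get("Namespace") != m.get("Namespace"):
        errors.append("Namespace differs between member-roles and member stacks")
    if m.get("EnableCloudTrailForASRActionLog") == "yes" and len(member.get("regions", [])) > 1:
        errors.append("Action Log can be enabled in only one Region per account")
    if consolidated_findings:  # only the SC playbook may be on in admin and member stacks
        for name, p in (("admin", a), ("member", m)):
            for key, val in p.items():
                if key.startswith("Load") and key.endswith(("AdminStack", "MemberStack")):
                    want = "yes" if key.startswith("LoadSC") else "no"
                    if val != want:
                        errors.append(f"{name}: {key} must be {want} with consolidated control findings")
    return errors


def _stack(name, params, targets, regions):
    return {"name": name, "resource_file": f"s3://placeholder/{name}.template",
            "parameters": [{"parameter_key": k, "parameter_value": v} for k, v in params.items()],
            "deploy_method": "stack_set", "deployment_targets": targets, "regions": regions}


def sample_manifest():
    """Constructed manifest (placeholder IDs) mirroring the layout shown above."""
    return {"region": "us-east-1", "version": "2021-03-15", "resources": [
        _stack("asr-admin", {"ShouldDeployWebUI": "yes", "AdminUserEmail": "admin@example.com",
                             "LoadSCAdminStack": "yes", "LoadAFSBPAdminStack": "no",
                             "LoadCIS140AdminStack": "no"},
               {"accounts": ["111122223333"]}, ["us-east-1"]),
        _stack("asr-member-roles", {"SecHubAdminAccount": "111122223333", "Namespace": "asrprod"},
               {"organizational_units": ["Workloads"]}, ["us-east-1"]),
        _stack("asr-member", {"SecHubAdminAccount": "111122223333", "Namespace": "asrprod",
                              "LoadSCMemberStack": "yes", "LoadCIS140MemberStack": "no",
                              "EnableCloudTrailForASRActionLog": "no",
                              "LogGroupName": "CloudTrail/DefaultLogGroup"},
               {"organizational_units": ["Workloads"]}, ["us-east-1", "eu-west-1"]),
    ]}


if __name__ == "__main__":
    print(validate_manifest(sample_manifest()) or "manifest OK")
```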

**2. Code pipeline update**  
Add the manifest file to `custom-control-tower-configuration.zip` and run the CodePipeline (see [CodePipeline overview](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-codepipeline-overview.html)).