

# Automatically address security threats with predefined response and remediation actions in AWS Security Hub
<a name="solution-overview"></a>

This implementation guide provides an overview of the Automated Security Response on AWS solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the Automated Security Response on AWS solution to the Amazon Web Services (AWS) Cloud.

Use this navigation table to quickly find answers to these questions:


| If you want to . . . | Read . . . | 
| --- | --- | 
|  Know the cost for running this solution  |   [Cost](cost.md)   | 
|  Understand the security considerations for this solution  |   [Security](security.md)   | 
|  Know how to plan for quotas for this solution  |   [Quotas](quotas.md)   | 
|  Know which AWS Regions are supported for this solution  |   [Supported AWS Regions](plan-your-deployment.md#supported-aws-regions)   | 
|  View or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the "stack") for this solution  |   [AWS CloudFormation templates](aws-cloudformation-template.md)   | 
|  Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution.  |   [GitHub repository](https://github.com/aws-solutions/automated-security-response-on-aws)   | 

The continued evolution of security requires proactive steps to secure data, which can make it difficult, expensive, and time-consuming for security teams to react. The Automated Security Response on AWS solution helps you react quickly to security issues by providing predefined responses and remediation actions based on industry compliance standards and best practices.

Automated Security Response on AWS is an AWS Solution that works with [AWS Security Hub](https://aws.amazon.com/security-hub/) to improve your security and helps align your workloads to the Well-Architected Security pillar best practices ([SEC10](https://docs.aws.amazon.com/wellarchitected/latest/framework/sec-10.html)). This solution makes it easier for AWS Security Hub customers to resolve common security findings and improve their security posture in AWS.

You can select specific playbooks to deploy in your Security Hub primary account. Each playbook contains the necessary custom actions, [Identity and Access Management](https://aws.amazon.com/iam/) (IAM) roles, [Amazon EventBridge rules](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html), [AWS Systems Manager](https://aws.amazon.com/systems-manager/) automation documents, [AWS Lambda](https://aws.amazon.com/lambda/) functions, and [AWS Step Functions](https://aws.amazon.com/step-functions/) needed to start a remediation workflow within a single AWS account, or across multiple accounts. Remediations work from the Actions menu in AWS Security Hub and allow authorized users to remediate a finding across all of their AWS Security Hub-managed accounts with a single action. For example, you can apply recommendations from the Center for Internet Security (CIS) AWS Foundations Benchmark, a compliance standard for securing AWS resources, to ensure passwords expire within 90 days and enforce encryption of event logs stored in AWS.

**Note**  
Remediation is intended for emergent situations that require immediate action. This solution makes changes to remediate findings only when initiated by you via the AWS Security Hub Management console, or when automated remediation has been enabled using the Remediation Configuration DynamoDB table. To revert these changes, you must manually put resources back in their original state.  
When remediating AWS resources deployed as a part of the CloudFormation stack, be aware that this might cause a drift. When possible, remediate stack resources by modifying the code that defines the stack resources and updating the stack. For more information, refer to [What is drift?](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html#what-is-drift) in the *AWS CloudFormation User Guide*.

Automated Security Response on AWS includes the playbook remediations for the security standards defined as part of the following:
+  [Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html#cis1v2-standard) 
+  [CIS AWS Foundations Benchmark v1.4.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html#cis1v4-standard) 
+  [CIS AWS Foundations Benchmark v3.0.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html#cis3v0-standard) 
+  [AWS Foundational Security Best Practices (FSBP) v.1.0.0](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) 
+  [Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html) 
+  [National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) 

The solution also includes a Security Controls (SC) playbook for the [consolidated control findings feature](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html#consolidated-control-findings) of AWS Security Hub. For more information, refer to [Playbooks](playbooks.md). We recommend using the SC playbook along with consolidated control findings in Security Hub.

This implementation guide discusses architectural considerations and configuration steps for deploying the Automated Security Response on AWS solution in the AWS Cloud. It includes links to [AWS CloudFormation](https://aws.amazon.com/cloudformation/) templates that launch, configure, and run the AWS compute, network, storage, and other services required to deploy this solution on AWS, using AWS best practices for security and availability.

The guide is intended for IT infrastructure architects, administrators, and DevOps professionals who have practical experience architecting in the AWS Cloud.

# Features and benefits
<a name="features"></a>

The Automated Security Response on AWS provides the following features:

 **Automatically remediate findings for specific controls** 

Configure the solution to automatically remediate findings for specific controls by modifying the Remediation Configuration DynamoDB table deployed to the admin account.

 **Manage remediations across multiple accounts and Regions from one location** 

From an AWS Security Hub administrator account that is configured as the aggregation destination for your organization’s accounts and Regions, initiate a remediation for a finding in any account and Region in which the solution is deployed.

 **Get notified of remediation actions and results** 

Subscribe to the Amazon SNS topic deployed by the solution to be notified when remediations are initiated and whether or not the remediation was successful.

 **Use the Web User Interface to start, view, and manage remediations** 

You will have the option to enable the solution’s Web UI when deploying the Admin stack. The Web UI provides a comprehensive, user-friendly view to run remediations and to view all past remediations performed by the solution.

 **Integrate with ticket systems like Jira or ServiceNow** 

To help your organization react to remediations (for example, updating your infrastructure code), this solution can push tickets to your external ticketing system.

 **Use AWSConfigRemediations in the GovCloud and China partitions** 

Some of the remediations included in the solution are repackages of AWS-owned AWSConfigRemediation documents that are available in the commercial partition but not in GovCloud or China. Deploy this solution to make use of these documents in those partitions.

 **Extend the solution with custom remediation and Playbook implementations** 

The solution is designed to be extensible and customizable. To specify an alternative remediation implementation, deploy customized AWS Systems Manager automation documents and AWS IAM Roles. To support an entire new set of controls that is not implemented by the solution, deploy a custom Playbook.

# Use cases
<a name="use-cases"></a>

 **Enforce compliance to a standard across your organization’s accounts and Regions** 

Deploy the Playbook for a standard (for example, AWS Foundational Security Best Practices) to be able to use the provided remediations. Automatically or manually initiate remediations for resources in any account and Region in which the solution is deployed to fix resources that are out of compliance.

 **Deploy custom remediations or Playbooks to meet your organization’s compliance needs** 

Use the provided Orchestrator components as a framework. Build custom remediations to address out-of-compliance resources according to your organization’s specific needs.

# Concepts and definitions
<a name="concepts-and-definitions"></a>

This section describes key concepts and defines terminology specific to this solution:

 **remediation, remediation runbook** 

An implementation of a set of steps that resolves a finding. For example, a remediation for the control Security Control (SC) Lambda.1 "Lambda function policies should prohibit public access" would modify the policy of the relevant AWS Lambda Function to remove statements that allow public access.

 **control runbook** 

One of a set of AWS Systems Manager (SSM) automation documents that the Orchestrator uses to route an initiated remediation for a specific control to the correct remediation runbook. For example, the remediations for SC Lambda.1 and AWS Foundational Security Best Practices (FSBP) Lambda.1 are implemented with the same remediation runbook. The Orchestrator invokes the control runbook for each control; these are named ASR-AFSBP_Lambda.1 and ASR-SC_2.0.0_Lambda.1, respectively. Each control runbook invokes the same remediation runbook, which in this case is ASR-RemoveLambdaPublicAccess.

 **orchestrator** 

The AWS Step Functions workflow deployed by the solution that takes as input a finding object from AWS Security Hub and invokes the correct control runbook in the target account and Region. The Orchestrator also notifies the solution SNS topic when the remediation is started and when the remediation succeeds or fails.
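The routing that the control runbook and orchestrator definitions above describe, as an added Python model rather than the solution's own code: a finding is mapped to a control runbook by standard (or to an SC runbook when consolidated control findings are on), and both Lambda.1 control runbooks converge on one remediation runbook. The `GeneratorId` prefixes and the finding dicts are a constructed subset of Security Hub finding fields and are assumptions, not taken from the guide.

```python
from typing import NamedTuple

# GeneratorId prefix -> standard short name used in control runbook names.
# The prefixes are an assumption about how Security Hub labels findings.
STANDARD_PREFIXES = {
    "aws-foundational-security-best-practices/v/1.0.0/": "AFSBP",
    "security-control/": "SC",  # consolidated control findings turned on
}

# Control runbook -> remediation runbook. Both Lambda.1 control runbooks
# share one remediation runbook, as the guide describes.
CONTROL_TO_REMEDIATION = {
    "ASR-AFSBP_Lambda.1": "ASR-RemoveLambdaPublicAccess",
    "ASR-SC_2.0.0_Lambda.1": "ASR-RemoveLambdaPublicAccess",
}

class Route(NamedTuple):
    control_runbook: str
    remediation_runbook: str
    account_id: str
    region: str

def control_runbook_for(generator_id: str) -> str:
    """Derive the control runbook name from a finding's GeneratorId."""
    for prefix, standard in STANDARD_PREFIXES.items():
        if generator_id.startswith(prefix):
            control_id = generator_id[len(prefix):]
            # SC runbooks carry the consolidated-controls version in their name.
            version = "2.0.0_" if standard == "SC" else ""
            return f"ASR-{standard}_{version}{control_id}"
    raise ValueError(f"no playbook handles finding source {generator_id!r}")

def route(finding: dict) -> Route:
    """Pick the runbooks and the target account/Region for one finding."""
    control_rb = control_runbook_for(finding["GeneratorId"])
    remediation_rb = CONTROL_TO_REMEDIATION.get(control_rb)
    if remediation_rb is None:
        # A control runbook with no remediation behind it is a gap to report,
        # not something to silently skip.
        raise LookupError(f"no remediation implemented for {control_rb}")
    return Route(control_rb, remediation_rb,
                 finding["AwsAccountId"], finding["Resources"][0]["Region"])

# Constructed sample findings: the same Lambda.1 failure, once from the FSBP
# standard and once with consolidated control findings turned on.
FSBP_FINDING = {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/Lambda.1",
                "AwsAccountId": "111122223333", "Resources": [{"Region": "us-east-1"}]}
SC_FINDING = {"GeneratorId": "security-control/Lambda.1",
              "AwsAccountId": "444455556666", "Resources": [{"Region": "eu-west-1"}]}
```

Calling `route(FSBP_FINDING)` and `route(SC_FINDING)` returns different control runbooks but the same remediation runbook, which is the point the definitions make.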

 **standard** 

A group of controls defined by an organization as part of a compliance framework. For example, one of the standards supported by AWS Security Hub and this solution is AWS FSBP.

 **control** 

A description of the properties that a resource should or should not have in order to be in compliance. For example, the control AWS FSBP Lambda.1 states that AWS Lambda Functions should prohibit public access. A function that allows public access would fail this control.

 **consolidated control findings, security control, security controls view** 

A feature of AWS Security Hub that, when activated, displays findings with their consolidated control IDs rather than IDs that correspond to a particular standard. For example, the controls AWS FSBP S3.2, CIS v1.2.0 2.3, CIS v1.4.0 2.1.5.2, and PCI-DSS v3.2.1 S3.1 all map to the consolidated (SC) control S3.2 "S3 Buckets should prohibit public read access." When this feature is turned on, SC runbooks are used.

 **[Solution Web UI] delegated admin** 

In the context of the solution’s Web UI, a delegated admin is a user that has been invited by the admin and has full access to run remediations and view remediation history. This user can also view and manage other Account Operator users.

 **[Solution Web UI] account operator** 

In the context of the solution’s Web UI, an account operator is a user invited by an admin or delegated admin to access the solution’s Web UI. This user is associated with a list of AWS account IDs provided in their invitation; they may only run remediations and view remediation history as it pertains to resources in these accounts.

For a general reference of AWS terms, refer to the [AWS Glossary](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html).