Overview
Automated Security Response on AWS is an add-on that works with AWS Security Hub and provides predefined response and remediation actions based on industry compliance standards and best practices for security threats. When using Security Hub, this AWS Solution can help you fix common security problems while improving your overall security on AWS. This solution can help you align your workloads to the Well-Architected Security pillar best practices.
Benefits
Initiate remediations and findings using custom actions in the Security Hub console.
Configure AWS Foundations Benchmarks or AWS Foundational Security Best Practices.
Deploy a predefined set of response and remediation actions to respond to threats automatically.
Extend this solution with custom remediation and playbook implementations. Or, deploy a custom playbook for a new set of controls.
Technical details
You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.
Prerequisite: Security Hub findings aggregated in the delegated administrator account initiate AWS Step Functions. Step Functions invokes a remediation SSM automation document in the member account containing the resource that produced the AWS Security Hub finding.
1. Detect: Security Hub provides you with a comprehensive view of their AWS security state. It helps you to measure your environment against security industry standards and best practices. It works by collecting events and data from other AWS services, such as AWS Config, Amazon GuardDuty, and AWS Firewall Manager.
These events and data are analyzed against security standards, such as CIS AWS Foundations Benchmark. Exceptions are asserted as findings in the Security Hub console. New findings are sent as Amazon EventBridge.
2. Initiate: You can initiate events against findings using custom actions, which result in Amazon EventBridge Events. AWS Security Hub Custom Actions and Amazon EventBridge rules initiate Automated Security Response on AWS playbooks to address findings. One EventBridge rule is deployed to match the custom action event, and one EventBridge Event Rule is deployed for each supported control (deactivated by default) to match the real-time finding event.
You can use the Security Hub Custom Action menu to initiate automated remediation, or after careful testing in a non-production environment, you can activate automated remediations. This can be activated per remediation—it is not necessary to activate automatic initiations on all remediations.
3. Orchestrate: Using cross-account AWS Identity and Access Management (IAM) roles, AWS Step Functions in the admin account invokes the remediation in the member account containing the resource that produced the security finding.
4. Remediate: An AWS Systems Manager Automation Document in the member account performs the action required to remediate the finding on the target resource, such as disabling AWS Lambda public access.
5. Log: The playbook logs the results to an Amazon CloudWatch Logs group, sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic, and updates the Security Hub finding. An audit trail of actions taken is maintained in the finding notes.
On the Security Hub dashboard, the finding workflow status is changed from NEW to either NOTIFIED or RESOLVED on the Security Hub dashboard. The security finding notes are updated to reflect the remediation performed.
Prerequisite: Security Hub findings aggregated in the delegated administrator account initiate AWS Step Functions. Step Functions invokes a remediation SSM automation document in the member account containing the resource that produced the AWS Security Hub finding.
1. Detect: Security Hub provides you with a comprehensive view of their AWS security state. It helps you to measure your environment against security industry standards and best practices. It works by collecting events and data from other AWS services, such as AWS Config, Amazon GuardDuty, and AWS Firewall Manager.
These events and data are analyzed against security standards, such as CIS AWS Foundations Benchmark. Exceptions are asserted as findings in the Security Hub console. New findings are sent as Amazon EventBridge.
2. Initiate: You can initiate events against findings using custom actions, which result in Amazon EventBridge Events. AWS Security Hub Custom Actions and Amazon EventBridge rules initiate Automated Security Response on AWS playbooks to address findings. One EventBridge rule is deployed to match the custom action event, and one EventBridge Event Rule is deployed for each supported control (deactivated by default) to match the real-time finding event.
You can use the Security Hub Custom Action menu to initiate automated remediation, or after careful testing in a non-production environment, you can activate automated remediations. This can be activated per remediation—it is not necessary to activate automatic initiations on all remediations.
3. Orchestrate: Using cross-account AWS Identity and Access Management (IAM) roles, AWS Step Functions in the admin account invokes the remediation in the member account containing the resource that produced the security finding.
4. Remediate: An AWS Systems Manager Automation Document in the member account performs the action required to remediate the finding on the target resource, such as disabling AWS Lambda public access.
5. Log: The playbook logs the results to an Amazon CloudWatch Logs group, sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic, and updates the Security Hub finding. An audit trail of actions taken is maintained in the finding notes.
On the Security Hub dashboard, the finding workflow status is changed from NEW to either NOTIFIED or RESOLVED on the Security Hub dashboard. The security finding notes are updated to reflect the remediation performed.
- Publish Date
Related content
AvalonBay Communities Inc. migrated to a serverless architecture on AWS, accelerating development by 75 percent while reducing costs by 40 percent and maintaining strong security.
This course provides an overview of AWS security technology, use cases, benefits, and services.
This exam tests your technical expertise in securing the AWS platform. This is for anyone in an experienced security role.