AWS Security Hub Automated Response and Remediation
Automated Security Response on AWS (the current name of the AWS Security Hub Automated Response and Remediation solution) is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated remediation playbooks.
| Category | Security Automation & Orchestration |
|---|---|
| Community Stars | 404 |
| Last Commit | last week |
| Last page update | 19 days ago |
| Pricing Details | Free to use under Apache License 2.0 |
| Target Audience | AWS Security Hub customers looking to automate security responses. |
The AWS Security Hub Automated Response and Remediation solution addresses the cost and delay of manually remediating security findings in large, multi-account AWS environments by automating the response to findings that Security Hub raises.
At its core, the solution builds on AWS Security Hub, which aggregates findings from services such as AWS Config, Amazon GuardDuty and AWS Firewall Manager and evaluates account resources against security standards such as the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices. When a finding for a supported control is raised, the solution selects the matching predefined response, known as a "Playbook", and runs it using AWS Lambda, AWS Step Functions and AWS Systems Manager (SSM) Automation documents (runbooks).
The technical architecture involves several key components:
- Event Triggering: Security Hub publishes findings as Amazon EventBridge events. EventBridge rules start the orchestrator either automatically when a matching finding is imported, or on demand when an operator selects the solution's custom action on the finding in the Security Hub console.
- Orchestration: An AWS Step Functions state machine in the Security Hub delegated administrator account assumes a cross-account role and invokes the remediation in the member account that owns the resource which produced the finding.
- Remediation: SSM Automation documents perform the corrective action, such as blocking public access to an S3 bucket, removing public-access ingress rules from a security group, or setting the IAM account password policy.
- Logging and Notification: The outcome of each remediation is written to Amazon CloudWatch Logs and published to an Amazon Simple Notification Service (SNS) topic, and the Security Hub finding is updated to reflect whether the remediation succeeded.
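The following Python is an added example of the orchestration step described above (finding event in, cross-account SSM Automation request out); it is not code from the solution itself. The playbook registry, runbook names, the `asr:exclude` opt-out tag, the member role name and the sample event are all assumptions constructed for the example; the `GeneratorId` patterns are the ones Security Hub uses for the two named standards, and the `DocumentName`/`Parameters` keys are shaped for boto3's `ssm.start_automation_execution()`, which the example stops short of calling so it runs offline.

```python
"""Orchestrator step (added example, not the solution's own code): take a Security Hub
finding as delivered in an EventBridge event, match its control to a playbook, apply
guards, and build the cross-account SSM Automation request."""
import copy
import json
import re
from typing import Optional, Tuple

# Assumed playbook registry: (standard, version, control) -> SSM Automation document name.
# The document names are illustrative, not the solution's real runbook names.
PLAYBOOK_REGISTRY = {
    ("AFSBP", "1.0.0", "S3.2"): "ASR-AFSBP_1.0.0_S3.2",
    ("AFSBP", "1.0.0", "EC2.19"): "ASR-AFSBP_1.0.0_EC2.19",
    ("CIS", "1.2.0", "1.5"): "ASR-CIS_1.2.0_1.5",
}

# Assumed opt-out tag: resources carrying asr:exclude=true are never auto-remediated.
EXCLUSION_TAG = "asr:exclude"

# Assumed name of the cross-account role deployed in every member account.
MEMBER_ROLE_NAME = "ASR-Remediation-Role"

# GeneratorId formats Security Hub uses for the two standards in the registry.
_FSBP_RE = re.compile(r"^aws-foundational-security-best-practices/v/(?P<ver>[\d.]+)/(?P<ctl>[A-Za-z0-9.]+)$")
_CIS_RE = re.compile(r"ruleset/cis-aws-foundations-benchmark/v/(?P<ver>[\d.]+)/rule/(?P<ctl>[\d.]+)$")

# Constructed sample event (not captured from a real account): an FSBP S3.2 failure.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/00000000-0000-0000-0000-000000000000",
        "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.2",
        "AwsAccountId": "111122223333",
        "Region": "us-east-1",
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket", "Tags": {}}],
    }]},
}


def parse_control(generator_id: str) -> Optional[Tuple[str, str, str]]:
    """Extract (standard, version, control) from a finding's GeneratorId."""
    m = _FSBP_RE.match(generator_id)
    if m:
        return ("AFSBP", m["ver"], m["ctl"])
    m = _CIS_RE.search(generator_id)
    if m:
        return ("CIS", m["ver"], m["ctl"])
    return None


def should_remediate(finding: dict) -> bool:
    """Guard: only active, failed, unresolved findings on non-excluded resources."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    if finding.get("Compliance", {}).get("Status") != "FAILED":
        return False
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return False
    for res in finding.get("Resources", []):
        if str((res.get("Tags") or {}).get(EXCLUSION_TAG, "")).lower() == "true":
            return False
    return True


def build_remediation_request(event: dict) -> Optional[dict]:
    """Return what the orchestrator needs to run the playbook, or None if nothing should run.

    DocumentName and Parameters are shaped for boto3's ssm.start_automation_execution();
    AssumeRoleArn and Region say which member-account role to assume (sts.assume_role)
    and where to create the SSM client before making that call."""
    finding = event["detail"]["findings"][0]
    if not should_remediate(finding):
        return None
    key = parse_control(finding.get("GeneratorId", ""))
    if key is None or key not in PLAYBOOK_REGISTRY:
        return None  # no playbook for this control: leave the finding for a human
    role_arn = f"arn:aws:iam::{finding['AwsAccountId']}:role/{MEMBER_ROLE_NAME}"
    return {
        "AssumeRoleArn": role_arn,
        "Region": finding["Region"],
        "DocumentName": PLAYBOOK_REGISTRY[key],
        "Parameters": {
            "Finding": [json.dumps(finding)],
            "AutomationAssumeRole": [role_arn],
        },
    }


def tag_resources(event: dict, tag: str, value: str) -> dict:
    """Return a copy of the event with a tag set on every resource (used to exercise the guard)."""
    tagged = copy.deepcopy(event)
    for res in tagged["detail"]["findings"][0]["Resources"]:
        res.setdefault("Tags", {})[tag] = value
    return tagged


if __name__ == "__main__":
    print(json.dumps(build_remediation_request(SAMPLE_EVENT), indent=2))
    print(build_remediation_request(tag_resources(SAMPLE_EVENT, EXCLUSION_TAG, "true")))
```

The guard in `should_remediate` is the part worth copying: an EventBridge rule on "Security Hub Findings - Imported" fires on every update to a finding, including the one the solution itself writes back after remediating, so filtering on record state, compliance status and workflow status prevents loops, and an explicit exclusion tag gives operators a way to keep critical resources out of automated change.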
Operational considerations include the cross-account IAM roles that must exist in every member account so that the orchestrator in the administrator account can assume them. Because remediations change live resources, each playbook should be tested in a non-production account and enabled selectively rather than all at once, so that an automated action does not disrupt a critical resource. The solution is deployed as CloudFormation stacks; when building from source, the process involves creating S3 buckets for the solution templates and code and using the AWS Cloud Development Kit (CDK) to synthesize the CloudFormation templates.
Most remediation actions complete within a minute of the finding being raised, though execution time grows with the scale and complexity of the environment. Running playbooks through SSM Automation and Lambda keeps the per-remediation overhead low, but the solution still incurs charges for those services (as well as Step Functions, EventBridge and SNS), and those costs add up in multi-account deployments.