Automated Remediation of Security Hub Findings

Kristina Verlin
Published in Skillwell
3 min read · Jan 9, 2024

In the dynamic world of cloud computing, ensuring robust security is crucial. AWS offers a comprehensive suite of tools for automating security responses, enhancing efficiency, and keeping the cloud environment secure. This blog post goes through automated remediation of security issues using AWS Security Hub, Amazon EventBridge, AWS Systems Manager, and AWS Step Functions.

Enhanced Automated Remediation Process

Detect with AWS Security Hub

Security Hub monitors your AWS environment by aggregating findings from integrated services such as AWS Config, Amazon GuardDuty, and AWS Firewall Manager, and by running its own security checks against standards such as the CIS AWS Foundations Benchmark and the AWS Foundational Security Best Practices. Each issue becomes a finding, and every new or updated finding is also emitted as an Amazon EventBridge event.

Initiate with Custom Actions and EventBridge Rules

Security Hub custom actions let an analyst select findings in the console and send them to EventBridge as "Security Hub Findings - Custom Action" events; an EventBridge rule that matches the custom action's name or ARN then starts the automated response. Because the trigger is human-initiated, you can enable each remediation selectively and only after thorough testing in a non-production environment. (Security Hub also emits "Security Hub Findings - Imported" events for every finding automatically, which is the trigger to use once a remediation is trusted to run fully unattended.)

Orchestrate with AWS Step Functions

Using cross-account IAM roles, a Step Functions state machine in the Security Hub administrator account assumes a role in the member account where the finding originated and invokes the remediation there, giving you centralized control across multiple accounts. Scope each member-account role to the exact actions its runbooks need, since the administrator account becomes a high-value target once it can change resources everywhere.

Remediate with AWS Systems Manager

The state machine starts an AWS Systems Manager Automation runbook (Automation document) in the member account to perform the necessary actions, such as removing public access from an AWS Lambda function or modifying S3 bucket permissions. The runbook runs under an AutomationAssumeRole that should likewise be limited to the resources and API calls the fix requires.

Log and Update

Each action is logged to Amazon CloudWatch Logs, and a notification is published to an Amazon SNS topic. The workflow then updates the finding through the Security Hub BatchUpdateFindings API, changing its workflow status from NEW to NOTIFIED (remediation attempted, follow-up needed) or RESOLVED (remediation verified) and documenting the steps taken in the finding's note.

Example Use Case: S3 Bucket Remediation

Consider a finding in Security Hub indicating public read access to an S3 bucket. The remediation workflow proceeds as follows:

  • EventBridge Event Triggered

The finding, selected through the custom action, is sent to EventBridge, where a rule matches the action name.

  • Step Function Initiated

The rule's target is the Step Functions state machine built for this remediation, which reads the bucket ARN and account ID from the finding.

  • Systems Manager Automation Document Executed

The state machine assumes the cross-account role and runs the Automation document in the member account to modify the S3 bucket's permissions, removing public access.

  • Verification and Closure

The state machine waits for the Automation execution to finish, checks that it succeeded, and updates the finding's workflow status and note in Security Hub.
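The S3 use case above, as an added example that is not code from the original post or from the Automated Security Response on AWS solution. The decision logic (rule matching, deriving the cross-account call from the finding, and building the BatchUpdateFindings request) is written as pure functions so it runs offline; only `run_in_member_account` talks to AWS. The account ID, bucket, role name, custom-action name and the choice of the AWS-owned `AWS-DisableS3BucketPublicReadWrite` runbook are all assumptions for this example.

```python
"""Added example: custom action -> EventBridge rule -> cross-account runbook ->
Security Hub finding update, for the S3 public-read case. Not the ASR solution's code."""
import time

ACTION_NAME = "RemediateS3Public"                # assumed custom action name
MEMBER_ROLE_NAME = "SecurityHubRemediationRole"  # assumed role in each member account

# EventBridge rule pattern: fire only for our Security Hub custom action.
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "detail": {"actionName": [ACTION_NAME]},
}

# Constructed sample event in the shape Security Hub sends for a custom action:
# one S3.2 finding on a placeholder bucket in the example account 111122223333.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {
        "actionName": ACTION_NAME,
        "findings": [{
            "Id": ("arn:aws:securityhub:eu-west-1:111122223333:subscription/"
                   "aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/"
                   "00000000-0000-0000-0000-000000000000"),
            "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
            "AwsAccountId": "111122223333",
            "Workflow": {"Status": "NEW"},
            "Resources": [{"Type": "AwsS3Bucket", "Region": "eu-west-1",
                           "Id": "arn:aws:s3:::example-public-bucket"}],
        }],
    },
}


def event_matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every pattern key must
    exist; nested dicts recurse; a list of literals matches if the event value
    (or any element of an event array) equals one of them."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        else:
            values = event[key] if isinstance(event[key], list) else [event[key]]
            if not any(v in expected for v in values):
                return False
    return True


def plan_remediation(finding):
    """Derive the cross-account runbook call from the finding itself: the bucket
    from the resource ARN, the role from the finding's account, so the admin
    account hard-codes nothing about members."""
    bucket = next(r for r in finding["Resources"] if r["Type"] == "AwsS3Bucket")
    return {
        "assume_role_arn": f"arn:aws:iam::{finding['AwsAccountId']}:role/{MEMBER_ROLE_NAME}",
        "region": bucket["Region"],
        # AWS-owned runbook that removes public read/write ACL grants (assumption;
        # the ASR solution ships its own S3.2 runbook instead).
        "start_automation": {
            "DocumentName": "AWS-DisableS3BucketPublicReadWrite",
            "Parameters": {"S3BucketName": [bucket["Id"].split(":::", 1)[1]]},
        },
    }


def finding_update(finding, automation_status):
    """Build the securityhub:BatchUpdateFindings request. Only a verified Success
    closes the finding; anything else leaves it NOTIFIED for a human."""
    resolved = automation_status == "Success"
    return {
        "FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
        "Workflow": {"Status": "RESOLVED" if resolved else "NOTIFIED"},
        "Note": {"Text": f"Automation {automation_status}: {ACTION_NAME}",
                 "UpdatedBy": "remediation-state-machine"},
    }


def run_in_member_account(plan):
    """Live executor (needs AWS credentials; not used by the offline checks):
    assume the member role, start the runbook there, poll to a terminal status."""
    import boto3  # lazy import so the logic above needs no SDK installed
    creds = boto3.client("sts").assume_role(
        RoleArn=plan["assume_role_arn"], RoleSessionName="securityhub-remediation")["Credentials"]
    ssm = boto3.client("ssm", region_name=plan["region"],
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    exec_id = ssm.start_automation_execution(**plan["start_automation"])["AutomationExecutionId"]
    while True:
        status = ssm.get_automation_execution(
            AutomationExecutionId=exec_id)["AutomationExecution"]["AutomationExecutionStatus"]
        if status in ("Success", "Failed", "TimedOut", "Cancelled"):
            return status
        time.sleep(5)


def handle(event, executor=run_in_member_account):
    """Whole flow for one event: match the rule, remediate each finding in its
    own account, return the BatchUpdateFindings payloads for the admin account."""
    if not event_matches(RULE_PATTERN, event):
        return []
    return [finding_update(f, executor(plan_remediation(f)))
            for f in event["detail"]["findings"]]
```

Each function corresponds to one state of the state machine: the rule starts the execution, `plan_remediation` is the input mapping, `run_in_member_account` is the SSM task (in Step Functions the cross-account hop can be done with the Task state's `Credentials.RoleArn` field instead of explicit STS calls), and the returned payload is passed to `securityhub.batch_update_findings(**update)` in the administrator account. Note that a `Failed` or `TimedOut` runbook never marks the finding RESOLVED; that is the check that keeps a broken automation from silently hiding real exposure.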

Benefits of Automated Remediation

  • Efficiency

Frees up your security team to focus on complex threats by automating responses to common findings.

  • Consistency

Ensures remediation actions are performed consistently in line with your organization’s policies.

  • Speed

Responds to and remedies findings faster than manual processes.

  • Scalability

Scales effectively to manage an increasing volume of findings as your AWS environment grows.

Conclusion

By leveraging AWS Security Hub, Amazon EventBridge, AWS Systems Manager, and AWS Step Functions, organizations can create sophisticated, automated remediation playbooks. These playbooks not only address security findings efficiently but also maintain an audit trail and provide real-time status updates, thereby enhancing the security posture of AWS environments. This approach lets security teams concentrate on strategic security initiatives, knowing that routine security findings are managed effectively and transparently.

This blog post is based on the Automated Security Response on AWS solution and its implementation guide. Reference: https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/solution-overview.html
