AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-07-18 · Documentation low

File: solutions/latest/automated-security-response-on-aws/adding-new-remediations.md

Summary

Updated documentation to add CDK workflow instructions for creating remediations, including IAM role setup and security control integration. Rebranded SHARR references to ASR and expanded remediation implementation guidance.

Security assessment

The changes document how to implement security controls and automated remediations, but there's no evidence of addressing a specific vulnerability. The updates focus on workflow improvements and IaC integration rather than patching security flaws.

Diff

diff --git a/solutions/latest/automated-security-response-on-aws/adding-new-remediations.md b/solutions/latest/automated-security-response-on-aws/adding-new-remediations.md
index 5a19df120..8f3720e4b 100644
--- a//solutions/latest/automated-security-response-on-aws/adding-new-remediations.md
+++ b//solutions/latest/automated-security-response-on-aws/adding-new-remediations.md
@@ -5 +5 @@
-OverviewStep 1. Create a runbook in the member account(s)Step 2. Create an IAM role in the member account(s)Step 3: (Optional) Create an automatic remediation rule in the admin account
+Overview of manually workflowOverview of CDK workflow
@@ -9 +9 @@ OverviewStep 1. Create a runbook in the member account(s)Step 2. Create an IAM r
-Adding a new remediation to an existing playbook does not require modification to the solution itself.
+Remediations can be added manually by updating the appropriate playbook files, or programmatically by extending the solution through CDK constructs, depending on your preferred workflow.
@@ -13 +13 @@ Adding a new remediation to an existing playbook does not require modification t
-The instructions that follow leverage resources installed by the solution as a starting point. By convention, most solution resource names contain **SHARR** and/or **SO0111** to make it easy to locate and identify them.
+The instructions that follow leverage resources installed by the solution as a starting point. By convention, most solution resource names contain **ASR** and/or **SO0111** to make it easy to locate and identify them.
@@ -15 +15 @@ The instructions that follow leverage resources installed by the solution as a s
-## Overview
+## Overview of manually workflow
@@ -21 +21 @@ ASR-`<standard>`-`<version>`-`<control>`
-**Standard** : The abbreviation for the security standard. This must match standards supported by SHARR. It must be one of "CIS", "AFSBP", "PCI", "NIST", or "SC".
+**Standard** : The abbreviation for the security standard. This must match standards supported by ASR. It must be one of "CIS", "AFSBP", "PCI", "NIST", or "SC".
@@ -23 +23 @@ ASR-`<standard>`-`<version>`-`<control>`
-**Version** : The version of the standard. Again, this must match the version supported by SHARR and the version in the finding data.
+**Version** : The version of the standard. Again, this must match the version supported by ASR and the version in the finding data.
@@ -36 +36 @@ ASR-`<standard>`-`<version>`-`<control>`
-## Step 1. Create a runbook in the member account(s)
+### Step 1. Create a runbook in the member account(s)
@@ -47 +47 @@ ASR-`<standard>`-`<version>`-`<control>`
-## Step 2. Create an IAM role in the member account(s)
+### Step 2. Create an IAM role in the member account(s)
@@ -58 +58 @@ ASR-`<standard>`-`<version>`-`<control>`
-At this point, your remediation is active and available for automated remediation from the SHARR Custom Action in AWS Security Hub.
+At this point, your remediation is active and available for automated remediation from the ASR Custom Action in AWS Security Hub.
@@ -60 +60 @@ At this point, your remediation is active and available for automated remediatio
-## Step 3: (Optional) Create an automatic remediation rule in the admin account
+### Step 3: (Optional) Create an automatic remediation rule in the admin account
@@ -74,0 +75,248 @@ Automatic (not "automated") remediation is the immediate execution of the remedi
+## Overview of CDK workflow
+
+In summary, the following files in the ASR repo will be modified or added. In this example, a new remediation for ElastiCache.2 was added to the SC and AFSBP playbooks.
+
+###### Note
+
+All new remediations should be added to the SC playbook, since it consolidates all remediations available in ASR. If you intend to deploy only a specific set of playbooks (e.g., AFSBP), then you can either: (1) add the remediation to **only** your intended playbook(s), or (2) add the remediation to all playbooks for which it exists in the corresponding Security Hub Standard, in addition to the SC playbook. The second option is recommended for flexibility.
+
+In this example, ElastiCache.2 is included in the following Security Hub Standards:
+
+  * AFSBP
+
+  * NIST.800-53.r5 SI-2
+
+  * NIST.800-53.r5 SI-2(2)
+
+  * NIST.800-53.r5 SI-2(4)
+
+  * NIST.800-53.r5 SI-2(5)
+
+  * PCI DSS v4.0.1/6.3.3
+
+
+
+
+Since, by default, ASR only implements playbooks for AFSBP and NIST.800-53, we will add this new remediation to those playbooks in addition to SC.
+
+**Modify**
+
+  * source/lib/remediation-runbook-stack.ts
+
+  * source/playbooks/AFSBP/lib/[standard name]_remediations.ts
+
+  * source/playbooks/NIST80053/lib/control_runbooks-construct.ts
+
+  * source/playbooks/NIST80053/lib/[standard name]_remediations.ts
+
+  * source/playbooks/SC/lib/control_runbooks-construct.ts
+
+  * source/playbooks/SC/lib/sc_remediations.ts
+
+  * source/test/regex_registry.ts
+
+
+
+
+**Add**
+
+  * source/playbooks/SC/ssmdocs/SC_ElastiCache.2.ts
+
+  * source/playbooks/SC/ssmdocs/descriptions/ElastiCache.2.md
+
+  * source/remediation_runbooks/EnableElastiCacheVersionUpgrades.yaml
+
+
+
+
+###### Note
+
+The name chosen for the runbook can be any string, as long as it is consistent with the rest of the changes made.
+
+  * source/playbooks/NIST80053/ssmdocs/NIST80053_ElastiCache.2.ts
+
+  * source/playbooks/AFSBP/ssmdocs/AFSBP_ElastiCache.2.yaml
+
+
+
+
+**Development steps**
+
+  1. Create the Remediation Runbook.
+
+  2. Create the Control Runbooks.
+
+  3. Integrate Each Control Runbook with a Playbook.
+
+  4. Create the Remediation IAM Role & Integrate Remediation Runbook
+
+  5. Update Unit Tests
+
+
+
+
+### Step 1: Create the Remediation Runbook
+
+This is the SSM document used to remediate resources. It must include the `AutomationAssumeRole` parameter, which is the IAM role with permissions to execute the remediation. View the existing file `source/remediation_runbooks/EnableElastiCacheVersionUpgrades.yaml` as a reference when creating new remediation runbooks.
+
+All new runbooks should be added to the `source/remediation_runbooks/` directory.
+
+### Step 2: Create the Control Runbooks
+
+A control runbook is a playbook-specific runbook that parses the finding data from the given standard and executes the appropriate Remediation Runbook. Since we are adding the ElastiCache.2 remediation to the SC, AFSBP, and NIST80053 playbooks, we must create a new control runbook for each. The following files are created:
+
+  * source/playbooks/SC/ssmdocs/SC_ElastiCache.2.ts
+
+  * source/playbooks/NIST80053/ssmdocs/NIST80053_ElastiCache.2.ts
+
+  * source/playbooks/AFSBP/ssmdocs/AFSBP_ElastiCache.2.yaml
+
+
+
+
+The naming of these files is important and must follow the format <PLAYBOOK_NAME>_<CONTROL.ID>.ts/yaml
+
+Some playbooks in ASR support IaC control runbooks in TypeScript, while others must be written in raw YAML. Reference the existing remediations in the respective playbook as examples. In this example, we will cover the SC playbook, which uses IaC.
+
+In the SC playbook, your new control runbook should export a class that extends ControlRunbookDocument and matches the name of your remediation runbook. Take a look at the example below:
+    
+    
+    export class EnableElastiCacheVersionUpgrades extends ControlRunbookDocument {
+      constructor(scope: Construct, id: string, props: ControlRunbookProps) {
+        super(scope, id, {
+          ...props,
+          securityControlId: 'ElastiCache.2',
+          remediationName: 'EnableElastiCacheVersionUpgrades',
+          scope: RemediationScope.REGIONAL,
+          resourceIdRegex: <Regex>,
+          resourceIdName: 'ClusterId',
+          updateDescription: new StringFormat('Automatic minor version upgrades enabled for cluster %s.', [
+            StringVariable.of(`ParseInput.ClusterId`),
+          ]),
+        });
+      }
+    }
+
+  * `securityControlId` is the control ID for the remediation that you are adding, as it is defined in the [consolidated controls view in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-changes-consolidation.html#securityhub-findings-format-changes-ids-titles).
+
+  * `remediationName` is the name you have chosen for your remediation runbook.
+
+  * `scope` is the scope of the resource you are remediating, indicating whether it exists globally or in a specific region.
+
+  * `resourceIdRegex` is the regex used to capture the resource ID that you would like to pass to the remediation runbook as a parameter. Only one group should be captured, all other groups should be non-capturing. If you would like to pass the entire ARN, omit this field.
+
+  * `resourceIdName` is the name you would like to set for the resource ID captured using `resourceIdRegex`, this should match the resource ID parameter name in your remediation runbook.
+
+  * `updateDescription` is the string you would like to assign to the "notes" section of the finding in Security Hub once the remediation succeeds.
+
+
+
+
+You must also export a function called `createControlRunbook` which returns a new instance of your class. For ElastiCache.2, this looks like:
+    
+    
+    export function createControlRunbook(scope: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
+      return new EnableElastiCacheVersionUpgrades(scope, id, { ...props, controlId: 'ElastiCache.2' });
+    }
+
+where `controlId` is the control ID as defined in the Security Standard associated with the playbook under which you are operating.
+
+If the Security Hub control has parameters that you would like to pass to your remediation runbook, you can pass them by adding overrides to the following methods: \- `getExtraSteps`: defines default values for each parameter implemented for the control in Security Hub
+
+###### Note
+
+Each parameter from Security Hub must be given a default value
+
+  * `getInputParamsStepOutput`: defines the outputs for the GetInputParams step of the control runbook
+
+  * Each output has a `name`, `outputType`, and `selector`. The `selector` should be the same selector used in the `getExtraSteps` method override.
+
+  * `getRemediationParams`: defines the parameters passed to the remediation runbook, fetched from the GetInputParams step outputs.
+
+
+
+
+To view an example, navigate to the `source/playbooks/SC/ssmdocs/SC_DynamoDB.1.ts` file.