AWS Security ChangesHomeSearch

AWS solutions medium security documentation change

Service: solutions · 2025-07-18 · Security-related medium

File: solutions/latest/automated-security-response-on-aws/deployment.md

Summary

Updated template names from 'aws-sharr-*' to 'automated-security-response-*', added TargetAccountIDs parameters, improved documentation clarity

Security assessment

Added new parameters (TargetAccountIDs and TargetAccountIDsStrategy) that control remediation scope, which directly impacts security by allowing granular control over automated remediation targets. This change introduces security-focused configuration options to limit remediation actions to specific accounts.

Diff

diff --git a/solutions/latest/automated-security-response-on-aws/deployment.md b/solutions/latest/automated-security-response-on-aws/deployment.md
index 8da497d9a..ec5a6ffef 100644
--- a//solutions/latest/automated-security-response-on-aws/deployment.md
+++ b//solutions/latest/automated-security-response-on-aws/deployment.md
@@ -36 +36 @@ Step 1: Launch the admin stack
-  * Launch the `aws-sharr-deploy.template` AWS CloudFormation template into your AWS Security Hub admin account.
+  * Launch the `automated-security-response-admin.template` AWS CloudFormation template into your AWS Security Hub admin account.
@@ -40 +40 @@ Step 1: Launch the admin stack
-  * Choose an existing Orchestrator log group to use (select `Yes` if `SO0111-SHARR-Orchestrator` already exists from a previous installation).
+  * Choose an existing Orchestrator log group to use (select `Yes` if `SO0111-ASR-Orchestrator` already exists from a previous installation).
@@ -47 +47 @@ Step 2: Install the remediation roles into each AWS Security Hub member account
-  * Launch the `aws-sharr-member-roles.template` AWS CloudFormation template into one Region per member account.
+  * Launch the `automated-security-response-member-roles.template` AWS CloudFormation template into one Region per member account.
@@ -135 +135 @@ You are responsible for the cost of the AWS services used while running this sol
-  1. Sign in to the AWS Management Console from the account where the AWS Security Hub is currently configured, and use the button below to launch the `aws-sharr-deploy.template` AWS CloudFormation template.
+  1. Sign in to the AWS Management Console from the account where the AWS Security Hub is currently configured, and use the button below to launch the `automated-security-response-admin.template` AWS CloudFormation template.
@@ -137 +137 @@ You are responsible for the cost of the AWS services used while running this sol
-[ ![aws-sharr-deploy-template launch button](/images/solutions/latest/automated-security-response-on-aws/images/launch-button.png) ](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-admin&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Faws-sharr-deploy.template&redirectId=ImplementationGuide)
+[ ![automated-security-response-admin-template launch button](/images/solutions/latest/automated-security-response-on-aws/images/launch-button.png) ](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-admin&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-admin.template&redirectId=ImplementationGuide)
@@ -138,0 +139 @@ You are responsible for the cost of the AWS services used while running this sol
+You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-admin.template) as a starting point for your own implementation.
@@ -140,5 +141 @@ You are responsible for the cost of the AWS services used while running this sol
-
-
-You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/aws-sharr-deploy.template) as a starting point for your own implementation. . The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.
-
-+
+  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.
@@ -150 +147 @@ This solution uses AWS Systems Manager which is currently available in specific
-  1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box and then choose **Next**.
+  3. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box and then choose **Next**.
@@ -152 +149 @@ This solution uses AWS Systems Manager which is currently available in specific
-  2. On the **Specify stack details** page, assign a name to your solution stack. For information about naming character limitations, refer to [IAM and STS limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the _AWS Identity and Access Management User Guide_.
+  4. On the **Specify stack details** page, assign a name to your solution stack. For information about naming character limitations, refer to [IAM and STS limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the _AWS Identity and Access Management User Guide_.
@@ -154 +151 @@ This solution uses AWS Systems Manager which is currently available in specific
-  3. On the **Parameters** page, choose **Next**.
+  5. On the **Parameters** page, choose **Next**.
@@ -165 +162 @@ Parameter | Default | Description
-**Reuse Orchestrator Log Group** |  `no` |  Select whether or not to reuse an existing `SO0111-SHARR-Orchestrator` CloudWatch Logs group. This simplifies reinstallation and upgrades without losing log data from a previous version. If you are upgrading from v1.2 or above, select `yes`.  
+**Reuse Orchestrator Log Group** |  `no` |  Select whether or not to reuse an existing `SO0111-ASR-Orchestrator` CloudWatch Logs group. This simplifies reinstallation and upgrades without losing log data from a previous version. Reuse existing `Orchestrator Log Group` choose `yes` if the `Orchestrator Log Group` still exists from an earlier deployment in this account, otherwise `no`. If you are performing a stack update from an earlier version than v2.3.0 choose `no`  
@@ -170,0 +168,2 @@ Parameter | Default | Description
+**TargetAccountIDs** |  `ALL` |  A list of AWS account IDs to control the scope of automated remediation. Use "ALL" to target all accounts in the organization. Or provide a comma-separated list of 12-digit AWS Account IDs. Example: "123456789012,098765432109"  
+**TargetAccountIDsStrategy** |  `INCLUDE` |  Defines how the solution applies automated remediations based on the TargetAccountIDs list. INCLUDE: Run automated remediations only for accounts listed. EXCLUDE: Run automated remediations for all accounts except those listed.  
@@ -172 +170,0 @@ Parameter | Default | Description
-  4. On the **Configure stack options** page, choose **Next**.
@@ -174 +171,0 @@ Parameter | Default | Description
-  5. On the **Review** page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.
@@ -176 +173,10 @@ Parameter | Default | Description
-  6. Choose **Create stack** to deploy the stack.
+
+###### Note
+
+You must manually enable automatic remediations in the Admin account after deploying or updating the solution’s CloudFormation stacks.
+
+  1. On the **Configure stack options** page, choose **Next**.
+
+  2. On the **Review** page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.
+
+  3. Choose **Create stack** to deploy the stack.
@@ -185 +191 @@ You can view the status of the stack in the AWS CloudFormation console in the **
-The `aws-sharr-member-roles.template` StackSet must be deployed in only one Region per member account. It defines the global roles that allow cross-account API calls from the SHARR Orchestrator step function.
+The `automated-security-response-member-roles.template` StackSet must be deployed in only one Region per member account. It defines the global roles that allow cross-account API calls from the ASR Orchestrator step function.
@@ -187 +193 @@ The `aws-sharr-member-roles.template` StackSet must be deployed in only one Regi
-  1. Sign in to the AWS Management Console for each AWS Security Hub member account (including the admin account, which is also a member). Select the button to launch the `aws-sharr-member-roles.template` AWS CloudFormation template. You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/aws-sharr-member-roles.template) as a starting point for your own implementation.
+  1. Sign in to the AWS Management Console for each AWS Security Hub member account (including the admin account, which is also a member). Select the button to launch the `automated-security-response-member-roles.template` AWS CloudFormation template. You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member-roles.template) as a starting point for your own implementation.
@@ -189 +195 @@ The `aws-sharr-member-roles.template` StackSet must be deployed in only one Regi
-[ ![Launch solution](/images/solutions/latest/automated-security-response-on-aws/images/launch-button.png) ](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-member-roles&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Faws-sharr-member-roles.template&redirectId=ImplementationGuide)
+[ ![Launch solution](/images/solutions/latest/automated-security-response-on-aws/images/launch-button.png) ](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-member-roles&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member-roles.template&redirectId=ImplementationGuide)
@@ -201 +207 @@ Parameter | Default | Description
-**Namespace** |  `<Requires input>` |  Enter a string of up to 9 lowercase alphanumeric characters. This string becomes part of the IAM role names. Use the same value for member stack deployment and member roles stack deployment.  
+**Namespace** |  `<Requires input>` |  Enter a string of up to 9 lowercase alphanumeric characters. Unique namespace to be added as a suffix to remediation IAM role names. The same namespace should be used in the Member Roles and Member stacks. This string should be unique for each solution deployment, but does not need to be changed during stack updates. The namespace value does **not** need to be unique per member account.  
@@ -223 +229 @@ To opt out of this feature, download the template, modify the AWS CloudFormation
-The `aws-sharr-member` stack must be installed into each Security Hub member account. This stack defines the runbooks for automated remediation. The admin for each member account can control what remediations are available via this stack.
+The `automated-security-response-member` stack must be installed into each Security Hub member account. This stack defines the runbooks for automated remediation. The admin for each member account can control what remediations are available via this stack.
@@ -225 +231 @@ The `aws-sharr-member` stack must be installed into each Security Hub member acc
-  1. Sign in to the AWS Management Console for each AWS Security Hub member account (including the admin account, which is also a member). Select the button to launch the `aws-sharr-member.template` AWS CloudFormation template.
+  1. Sign in to the AWS Management Console for each AWS Security Hub member account (including the admin account, which is also a member). Select the button to launch the `automated-security-response-member.template` AWS CloudFormation template.
@@ -227 +233 @@ The `aws-sharr-member` stack must be installed into each Security Hub member acc
-[ ![aws-sharr-member.template, Launch solution](/images/solutions/latest/automated-security-response-on-aws/images/launch-button.png) ](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-member&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Faws-sharr-member.template&redirectId=ImplementationGuide)
+[ ![automated-security-response-member.template, Launch solution](/images/solutions/latest/automated-security-response-on-aws/images/launch-button.png) ](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=automated-security-response-on-aws-member&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fautomated-security-response-on-aws%2Flatest%2Fautomated-security-response-member.template&redirectId=ImplementationGuide)
@@ -232 +238 @@ The `aws-sharr-member` stack must be installed into each Security Hub member acc
-You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/aws-sharr-member.template) as a starting point for your own implementation. . The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.
+You can also [download the template](https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member.template) as a starting point for your own implementation. . The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the AWS Management Console navigation bar.
@@ -258 +264 @@ Parameter | Default | Description
-**Namespace** |  `<Requires input>` |  Enter a string of up to 9 lowercase alphanumeric characters. This string becomes part of the IAM role names and Action Log S3 bucket. Use the same value for member stack deployment and member roles stack deployment. This string must follow Amazon S3 naming rules for general purpose S3 buckets.  
+**Namespace** |  `<Requires input>` |  Enter a string of up to 9 lowercase alphanumeric characters. This string becomes part of the IAM role names and Action Log S3 bucket. Use the same value for member stack deployment and member roles stack deployment. String should be unique for each solution deployment, but does not need to be changed during stack updates.  
@@ -313 +319 @@ Automated deployment - StackSets
-Monitor the solution with Service Catalog AppRegistry
+Control Tower (CT) deployment