AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-11-16 · Documentation low

File: solutions/latest/automated-security-response-on-aws/architecture-overview.md

Summary

Updated architecture diagram filename and revised process flow description with more detailed EventBridge rule explanations, added guidance about manual vs automated remediations, and renumbered steps

Security assessment

The changes enhance documentation of security automation processes (EventBridge rules for Security Hub findings, remediation initiation methods) but do not address a specific security vulnerability. The updates provide clearer operational guidance for security response features rather than patching weaknesses.

Diff

diff --git a/solutions/latest/automated-security-response-on-aws/architecture-overview.md b/solutions/latest/automated-security-response-on-aws/architecture-overview.md
index 7cf0f8374..047924c67 100644
--- a//solutions/latest/automated-security-response-on-aws/architecture-overview.md
+++ b//solutions/latest/automated-security-response-on-aws/architecture-overview.md
@@ -17 +17 @@ Deploying this solution with the default parameters builds the following environ
-![aws security hub automated response architecture](/images/solutions/latest/automated-security-response-on-aws/images/aws-security-hub-automated-response-architecture.png)
+![automated security response on aws architecture diagram](/images/solutions/latest/automated-security-response-on-aws/images/automated-security-response-on-aws-architecture-diagram.png)
@@ -23 +23 @@ AWS CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK
-The high-level process flow for the solution components deployed with the AWS CloudFormation template is as follows:
+The high-level flow for the solution components deployed with the AWS CloudFormation template is as follows:
@@ -27 +27 @@ The high-level process flow for the solution components deployed with the AWS Cl
-  2. **Initiate** : You can initiate events against findings using custom actions, which result in EventBridge events. AWS Security Hub [custom actions](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-custom-actions.html) and EventBridge [rules](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html) initiate Automated Security Response on AWS playbooks to address findings. The solution deploys:
+  2. **Listen** : EventBridge events are emitted by AWS Security Hub for every finding created or modified by the service. Automated Security Response on AWS (ASR) deploys two EventBridge rules that listen for finding events generated by AWS Security Hub:
@@ -29 +29 @@ The high-level process flow for the solution components deployed with the AWS Cl
-    1. One EventBridge rule to match the custom action event
+     * **Custom Action** EventBridge Rule: Listens for [custom actions](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-custom-actions.html) events emitted by AWS Security Hub CSPM when the 'Remediate with ASR' custom action is triggered by a user. The event is forwarded to the Orchestrator for remediation.
@@ -31 +31 @@ The high-level process flow for the solution components deployed with the AWS Cl
-    2. One EventBridge event rule for each supported control (deactivated by default) to match the real-time finding event
+     * **Findings** EventBridge Rule: Listens for all finding create or update events emitted by AWS Security Hub and AWS Security Hub CSPM. These events are forwarded to the Pre-Processor’s SQS Queue for further processing.
@@ -33 +33 @@ The high-level process flow for the solution components deployed with the AWS Cl
-You can use the **Custom actions** menu in the Security Hub console to initiate automated remediation. After careful testing in a non-production environment, you can also activate automated remediations. You can activate automations for individual remediations — you don’t need to activate automatic initiations on all remediations.
+  3. **Initiate** : You can initiate remediations by-hand, or configure them to run automatically. To run a remediation manually, you can use the Web UI deployed by the solution or the custom actions feature in AWS Security Hub CSPM. After careful testing in a non-production environment, you can also activate automated remediations. You can activate automations for individual remediations — you don’t need to activate automatic initiations on all remediations. To configure remediations to run automatically, see the [Enable fully-automated remediations page.](./enable-fully-automated-remediations.html)
@@ -35 +35 @@ You can use the **Custom actions** menu in the Security Hub console to initiate
-  3. **Pre-remediate** : In the admin account, [AWS Step Functions](https://aws.amazon.com/step-functions/) processes the remediation event and prepares it to be scheduled.
+  4. **Pre-remediate** : In the admin account, [AWS Step Functions](https://aws.amazon.com/step-functions/) processes the remediation event and prepares it to be scheduled.
@@ -37 +37 @@ You can use the **Custom actions** menu in the Security Hub console to initiate
-  4. **Schedule** : The solution invokes the scheduling [AWS Lambda](https://aws.amazon.com/lambda) function to place the remediation event in the [Amazon DynamoDB](https://aws.amazon.com/dynamodb) state table.
+  5. **Schedule** : The solution invokes the scheduling [AWS Lambda](https://aws.amazon.com/lambda) function to place the remediation event in the [Amazon DynamoDB](https://aws.amazon.com/dynamodb) state table.
@@ -39 +39 @@ You can use the **Custom actions** menu in the Security Hub console to initiate
-  5. **Orchestrate** : In the admin account, Step Functions uses cross-account [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) roles. Step Functions invokes the remediation in the member account containing the resource that produced the security finding.
+  6. **Orchestrate** : In the admin account, Step Functions uses cross-account [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) roles. Step Functions invokes the remediation in the member account containing the resource that produced the security finding.
@@ -41 +41 @@ You can use the **Custom actions** menu in the Security Hub console to initiate
-  6. **Remediate** : An [AWS Systems Manager](https://aws.amazon.com/systems-manager/) [Automation document](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html) in the member account performs the action required to remediate the finding on the target resource, such as disabling Lambda public access.
+  7. **Remediate** : An [AWS Systems Manager](https://aws.amazon.com/systems-manager/) [Automation document](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html) in the member account performs the action required to remediate the finding on the target resource, such as disabling Lambda public access.
@@ -45 +45 @@ Optionally, you can enable the Action Log feature in the member stacks with the
-  7. **(Optional) Create a ticket** : If you use the **TicketGenFunctionName** parameter to enable ticketing in the Admin stack, the solution invokes the provided ticket generator Lambda function. This Lambda function creates a ticket in your ticketing service after the remediation has successfully executed in the Member account. We provide [stacks for integration with Jira and ServiceNow](./aws-cloudformation-template.html#ticket-system-integration).
+  8. **(Optional) Create a ticket** : If you use the **TicketGenFunctionName** parameter to enable ticketing in the Admin stack, the solution invokes the provided ticket generator Lambda function. This Lambda function creates a ticket in your ticketing service after the remediation has successfully executed in the Member account. We provide [stacks for integration with Jira and ServiceNow](./aws-cloudformation-template.html#ticket-system-integration).
@@ -47 +47 @@ Optionally, you can enable the Action Log feature in the member stacks with the
-  8. **Notify and log** : The playbook logs the results to a CloudWatch [log group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html), sends a notification to an [Amazon Simple Notification Service](https://aws.amazon.com/sns/) (Amazon SNS) topic, and updates the Security Hub finding. The solution maintains an audit trail of actions in the [finding notes](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html).
+  9. **Notify and log** : The playbook logs the results to a CloudWatch [log group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html), sends a notification to an [Amazon Simple Notification Service](https://aws.amazon.com/sns/) (Amazon SNS) topic, and updates the Security Hub finding. The solution maintains an audit trail of actions in the [finding notes](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html).