AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-11-16 · Documentation medium

File: solutions/latest/automated-security-response-on-aws/aws-security-hub-integration.md

Summary

Updated remediation workflow documentation to reference CSPM integration and changed configuration method from CloudWatch Events to DynamoDB

Security assessment

While the change updates documentation about security remediation workflows (a security feature), there is no evidence of addressing a specific vulnerability. The switch to DynamoDB for configuration management improves operational control but isn't explicitly security-motivated.

Diff

diff --git a/solutions/latest/automated-security-response-on-aws/aws-security-hub-integration.md b/solutions/latest/automated-security-response-on-aws/aws-security-hub-integration.md
index 9a05a2f13..e8e8a91e1 100644
--- a//solutions/latest/automated-security-response-on-aws/aws-security-hub-integration.md
+++ b//solutions/latest/automated-security-response-on-aws/aws-security-hub-integration.md
@@ -7 +7 @@
-Deploying the `automated-security-response-admin` stack creates integration with AWS Security Hub’s custom action feature. When AWS Security Hub console users select **Findings for remediation** , the solution routes the finding record for remediation using an AWS Step Functions.
+Deploying the `automated-security-response-admin` stack creates integration with [AWS Security Hub CSPM’s](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) custom action feature. When AWS Security Hub CSPM console users click **Actions >** **Remediate with ASR** , the selected findings are sent to EventBridge and trigger the remediation workflow.
@@ -11 +11 @@ Cross-account permissions and AWS Systems Manager runbooks must be deployed to a
-Users can automatically initiate automated remediations on a per-remediation basis using Amazon CloudWatch events rules. This option activates fully automatic remediation of findings as soon as they are reported to AWS Security Hub. By default, automatic initiations are turned off. This option can be changed at any time during or after installation of the playbook by turning on the CloudWatch Events rules in the AWS Security Hub admin account.
+Users can configure fully-automated remediations on a per-control basis using Amazon DynamoDB. This option activates fully automatic remediation of findings as soon as they are reported to AWS Security Hub. By default, automatic initiations are turned off. This option can be changed at any time after installation by modifying the [Remediation Configuration DynamoDB table](./enable-fully-automated-remediations.html).