AWS Security ChangesHomeSearch

AWS solutions medium security documentation change

Service: solutions · 2025-11-16 · Security-related medium

File: solutions/latest/automated-security-response-on-aws/cfctdeployment.md

Summary

Added Control Tower deployment steps, updated S3 bucket policies with concrete values, added IAM role-based access conditions, and expanded build/deployment instructions

Security assessment

The S3 bucket policy changes restrict PutObject access to specific IAM roles (arn:aws:iam::account-id:role/iam-role-name) through explicit ArnLike conditions, which improves security by reducing overly permissive access. This demonstrates security hardening through least privilege implementation.

Diff

diff --git a/solutions/latest/automated-security-response-on-aws/cfctdeployment.md b/solutions/latest/automated-security-response-on-aws/cfctdeployment.md
index 0b40373ca..c49cf263a 100644
--- a//solutions/latest/automated-security-response-on-aws/cfctdeployment.md
+++ b//solutions/latest/automated-security-response-on-aws/cfctdeployment.md
@@ -5 +5 @@
-PrerequisitesDeployment overviewStep 1: Build and deploy to S3 bucket
+PrerequisitesDeployment overviewStep 1: Build and deploy to S3 bucketStep 2: Stacks deployment to AWS Control Tower
@@ -104,2 +104,2 @@ Update the $TEMPLATE_BUCKET_NAME S3 bucket policy to include PutObject permissio
-                    "arn:aws:s3::: name>/*",
-                    "arn:aws:s3::: name>"
+                    "arn:aws:s3:::template-bucket-name/*",
+                    "arn:aws:s3:::template-bucket-name"
@@ -109 +109,34 @@ Update the $TEMPLATE_BUCKET_NAME S3 bucket policy to include PutObject permissio
-                        "aws:PrincipalOrgID": " 
+                        "aws:PrincipalOrgID": "org-id"
+                    }
+                }
+            },
+            {
+                "Effect": "Allow",
+                "Principal": "*",
+                "Action": "s3:PutObject",
+                "Resource": [
+                    "arn:aws:s3:::template-bucket-name/*",
+                    "arn:aws:s3:::template-bucket-name"
+                ],
+                "Condition": {
+                    "ArnLike": {
+                        "aws:PrincipalArn": "arn:aws:iam::account-id:role/iam-role-name"
+                    }
+                }
+            }
+        ]
+    }
+
+Alter the asset S3 bucket policy to include permissions. Assign this permission to an IAM role within the execute account that is authorized to write to the bucket. Repeat this setup for each regional asset bucket (e.g., asr-staging-us-east-1, asr-staging-eu-west-1, etc.), allowing deployments across multiple regions without needing to create the buckets in the Management account.
+
+###### 4\. Build Preparation
+
+  * Prerequisites:
+
+    * AWS CLI v2
+
+    * Python 3.11+ with pip
+
+    * AWS CDK 2.171.1+
+
+    * Node.js 20+ with npm
@@ -110,0 +144,135 @@ Update the $TEMPLATE_BUCKET_NAME S3 bucket policy to include PutObject permissio
+    * Poetry v2 with plugin to export
+
+  * Git clone [https://github.com/aws-solutions/automated-security-response-on-aws.git](https://github.com/aws-solutions/automated-security-response-on-aws.git)
+
+
+
+
+First ensure that you’ve run npm install in the source folder.
+
+Next from the deployment folder in your cloned repo, run build-s3-dist.sh, passing the root name of your bucket (ex. mybucket) and the version you are building (ex. v1.0.0). We recommend using a semver version based on the version downloaded from GitHub (ex. GitHub: v1.0.0, your build: v1.0.0.mybuild)
+    
+    
+    chmod +x build-s3-dist.sh
+    export SOLUTION_NAME=automated-security-response-on-aws
+    export SOLUTION_VERSION=v1.0.0.mybuild
+    ./build-s3-dist.sh -b $BASE_BUCKET_NAME -v $SOLUTION_VERSION
+
+**5\. Deploy packages to S3**
+    
+    
+    cd deployment
+    aws s3 cp global-s3-assets/  s3://$TEMPLATE_BUCKET_NAME/$SOLUTION_NAME/$SOLUTION_VERSION/ --recursive --acl bucket-owner-full-control
+    aws s3 cp regional-s3-assets/  s3://$ASSET_BUCKET_NAME/$SOLUTION_NAME/$SOLUTION_VERSION/ --recursive --acl bucket-owner-full-control
+
+## Step 2: Stacks deployment to AWS Control Tower
+
+###### 1\. Build manifest for ASR components
+
+After deploying ASR artifacts to the S3 buckets, update the Control Tower [pipeline manifest](https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-byo-customizations.html) to reference the new version, and then trigger the pipeline run, refer to: [controltower deployment](https://docs.aws.amazon.com/controltower/latest/userguide/deployment.html)
+
+###### Important
+
+To ensure correct deployment of the ASR solution, refer to the official AWS documentation for detailed information on the CloudFormation templates overview and parameters description. Info links below: [CloudFormation Templates](https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/aws-cloudformation-template.html) [Parameters overview Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html)
+
+The manifest for the ASR components looks like this:
+    
+    
+    region: us-east-1 #<HOME_REGION_NAME>
+    version: 2021-03-15
+    
+    # Control Tower Custom CloudFormation Resources
+    resources:
+      - name: <ADMIN STACK NAME>
+        resource_file: s3://<ADMIN TEMPLATE BUCKET path>
+        parameters:
+          - parameter_key: UseCloudWatchMetricsAlarms
+            parameter_value: "yes"
+          - parameter_key: TicketGenFunctionName
+            parameter_value: ""
+          - parameter_key: ShouldDeployWebUI
+            parameter_value: "yes"
+          - parameter_key: AdminUserEmail
+            parameter_value: "<YOUR EMAIL ADDRESS>"
+          - parameter_key: LoadSCAdminStack
+            parameter_value: "yes"
+          - parameter_key: LoadCIS120AdminStack
+            parameter_value: "no"
+          - parameter_key: LoadCIS300AdminStack
+            parameter_value: "no"
+          - parameter_key: UseCloudWatchMetrics
+            parameter_value: "yes"
+          - parameter_key: LoadNIST80053AdminStack
+            parameter_value: "no"
+          - parameter_key: LoadCIS140AdminStack
+            parameter_value: "no"
+          - parameter_key: ReuseOrchestratorLogGroup
+            parameter_value: "yes"
+          - parameter_key: LoadPCI321AdminStack
+            parameter_value: "no"
+          - parameter_key: RemediationFailureAlarmThreshold
+            parameter_value: "5"
+          - parameter_key: LoadAFSBPAdminStack
+            parameter_value: "no"
+          - parameter_key: EnableEnhancedCloudWatchMetrics
+            parameter_value: "no"
+        deploy_method: stack_set
+        deployment_targets:
+         accounts: # :type: list
+            - <ACCOUNT_NAME> # and/or
+            - <ACCOUNT_NUMBER>
+        regions:
+          - <REGION_NAME>
+    
+      - name:  <ROLE MEMBER STACK NAME>
+        resource_file: s3://<ROLE MEMBER TEMPLATE BUCKET path>
+        parameters:
+          - parameter_key: SecHubAdminAccount
+            parameter_value: <ADMIN_ACCOUNT_NAME>
+          - parameter_key: Namespace
+            parameter_value: <NAMESPACE>
+        deploy_method: stack_set
+        deployment_targets:
+          organizational_units:
+            - <ORG UNIT>
+    
+      - name:  <MEMBER STACK NAME>
+        resource_file: s3://<MEMBER TEMPLATE BUCKET path>
+        parameters:
+          - parameter_key: SecHubAdminAccount
+            parameter_value: <ADMIN_ACCOUNT_NAME>
+          - parameter_key: LoadCIS120MemberStack
+            parameter_value: "no"
+          - parameter_key: LoadNIST80053MemberStack
+            parameter_value: "no"
+          - parameter_key: Namespace
+            parameter_value: <NAMESPACE>
+          - parameter_key: CreateS3BucketForRedshiftAuditLogging
+            parameter_value: "no"
+          - parameter_key: LoadAFSBPMemberStack
+            parameter_value: "no"
+          - parameter_key: LoadSCMemberStack
+            parameter_value: "yes"
+          - parameter_key: LoadPCI321MemberStack
+            parameter_value: "no"
+          - parameter_key: LoadCIS140MemberStack
+            parameter_value: "no"
+          - parameter_key: EnableCloudTrailForASRActionLog
+            parameter_value: "no"
+          - parameter_key: LogGroupName
+            parameter_value: <LOG_GROUP_NAME>
+          - parameter_key: LoadCIS300MemberStack
+            parameter_value: "no"
+        deploy_method: stack_set
+        deployment_targets:
+         accounts: # :type: list
+            - <ACCOUNT_NAME> # and/or
+            - <ACCOUNT_NUMBER>
+        organizational_units:
+          - <ORG UNIT>
+        regions: # :type: list
+          - <REGION_NAME>
+
+###### 2\. Code pipeline update
+
+Add a manifest file to a custom-control-tower-configuration.zip and run a CodePipeline, refer to: [code pipeline overview](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-codepipeline-overview.html)