AWS Security ChangesHomeSearch

AWS solutions high security documentation change

Service: solutions · 2025-11-16 · Security-related high

File: solutions/latest/automated-security-response-on-aws/deployment-stackset.md

Summary

Added parameters for security control standards (SC, AFSBP, CIS, PC1321, NIST), CloudWatch monitoring/alarms, Web UI authentication, and resource namespace management. Enhanced documentation for member stack configurations and CloudTrail integration.

Security assessment

The changes explicitly document security features such as automated remediation for compliance standards (CIS, NIST, etc.), Web UI access controls (AdminUserEmail), and monitoring of remediation failures (RemediationFailureAlarmThreshold). These additions help users configure security controls and monitor their effectiveness, directly impacting security posture.

Diff

diff --git a/solutions/latest/automated-security-response-on-aws/deployment-stackset.md b/solutions/latest/automated-security-response-on-aws/deployment-stackset.md
index 19e3bca4f..1423c8d24 100644
--- a//solutions/latest/automated-security-response-on-aws/deployment-stackset.md
+++ b//solutions/latest/automated-security-response-on-aws/deployment-stackset.md
@@ -35,0 +36,2 @@ This procedure assumes that you have multiple accounts using AWS Organizations,
+**Please note that this solution works with both[AWS Security Hub and AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-are-securityhub-services.html).**
+
@@ -81,0 +84,4 @@ Step 1: Launch the admin stack in the delegated Security Hub admin account
+  * Choose whether to enable the solution’s Web UI. If you choose to enable this feature, you must also enter an email address to be assigned an administrator role.
+
+  * Select your preferences for collecting CloudWatch metrics related to the solution’s operational health.
+
@@ -96,0 +103,2 @@ Wait for Step 1 to complete deployment, because the template in Step 2 reference
+  * Enter a value for the `namespace` which will be used to prevent resource name conflicts with a previous or concurrent deployment in the same account. Enter a string of up to 9 lowercase alphanumeric characters.
+
@@ -110 +118 @@ Until service-managed StackSets support nested stacks, you must do this step for
-  * Provide the name of a CloudTrail logs group (used by some remediations).
+  * Provide the name of a CloudTrail log group (used by some remediations).
@@ -113,0 +122,2 @@ Until service-managed StackSets support nested stacks, you must do this step for
+  * Enter a value for the `namespace` which will be used to prevent resource name conflicts with a previous or concurrent deployment in the same account. Enter a string of up to 9 lowercase alphanumeric characters. This should match the `namespace` value you selected for the Member Roles stack, additionally, the namespace value does not need to be unique per member account.
+
@@ -167,0 +178,23 @@ You can choose to use a Jira API key in place of your password by providing your
+
+
+
+### Parameters
+
+Parameter | Default | Description  
+---|---|---  
+**Load SC Admin Stack** |  `yes` |  Specify whether to install the admin components for automated remediation of SC controls.  
+**Load AFSBP Admin Stack** |  `no` |  Specify whether to install the admin components for automated remediation of FSBP controls.  
+**Load CIS120 Admin Stack** |  `no` |  Specify whether to install the admin components for automated remediation of CIS120 controls.  
+**Load CIS140 Admin Stack** |  `no` |  Specify whether to install the admin components for automated remediation of CIS140 controls.  
+**Load CIS300 Admin Stack** |  `no` |  Specify whether to install the admin components for automated remediation of CIS300 controls.  
+**Load PC1321 Admin Stack** |  `no` |  Specify whether to install the admin components for automated remediation of PC1321 controls.  
+**Load NIST Admin Stack** |  `no` |  Specify whether to install the admin components for automated remediation of NIST controls.  
+**Reuse Orchestrator Log Group** |  `no` |  Select whether or not to reuse an existing `SO0111-ASR-Orchestrator` CloudWatch Logs group. This simplifies reinstallation and upgrades without losing log data from a previous version. Reuse existing `Orchestrator Log Group` choose `yes` if the `Orchestrator Log Group` still exists from an earlier deployment in this account, otherwise `no`. If you are performing a stack update from an earlier version than v2.3.0 choose `no`  
+**ShouldDeployWebUI** |  `yes` |  Deploy the Web UI components including API Gateway, Lambda functions, and CloudFront distribution. Select "yes" to enable the web-based user interface for viewing findings and remediation status. If you choose to disable this feature, you can still configure automated remediations and run remediations on-demand using the Security Hub CSPM custom action.  
+**AdminUserEmail** |  _(Optional input)_ |  Email address for the initial admin user. This user will have full administrative access to the ASR Web UI. Required **only** when Web UI is enabled.  
+**Use CloudWatch Metrics** |  `yes` |  Specify whether to enable CloudWatch Metrics for monitoring the solution. This will create a CloudWatch Dashboard for viewing metrics.  
+**Use CloudWatch Metrics Alarms** |  `yes` |  Specify whether to enable CloudWatch Metrics Alarms for the solution. This will create Alarms for certain metrics collected by the solution.  
+**RemediationFailureAlarmThreshold** |  `5` |  Specify the threshold for percentage of remediation failures per control ID. For example, if you enter `5`, you receive an alarm if a control ID fails more than 5% of remediations at a given day. This parameter functions only if alarms are created (see the **Use CloudWatch Metrics Alarms** parameter).  
+**EnableEnhancedCloudWatchMetrics** |  `no` |  If `yes`, creates additional CloudWatch metrics to track all control IDs individually on the CloudWatch dashboard and as CloudWatch alarms. See the [Cost](./cost.html#additional-cost-enhanced-metrics) section to understand the additional cost that this incurs.  
+**TicketGenFunctionName** |  _(Optional input)_ |  Optional. Leave blank if you don’t want to integrate a ticketing system. Otherwise, provide the Lambda function name from the stack output of [Step 0](./deployment.html#step-0), for example: `SO0111-ASR-ServiceNow-TicketGenerator`.  
+  
@@ -172 +205 @@ You can choose to use a Jira API key in place of your password by providing your
-  2. For the **Account numbers** parameter, enter the account ID of the AWS Security Hub admin account.
+  1. For the **Account numbers** parameter, enter the account ID of the AWS Security Hub admin account.
@@ -174 +207 @@ You can choose to use a Jira API key in place of your password by providing your
-  3. For the **Specify regions** parameter, select only the Region where Security Hub admin is turned on. Wait for this step to complete before going on to Step 2.
+  2. For the **Specify regions** parameter, select only the Region where Security Hub admin is turned on. Wait for this step to complete before going on to Step 2.
@@ -182,0 +216,7 @@ Use a service-managed StackSets to deploy the [member roles template](https://so
+### Parameters
+
+Parameter | Default | Description  
+---|---|---  
+**Namespace** |  `<Requires input>` |  Enter a string of up to 9 lowercase alphanumeric characters. Unique namespace to be added as a suffix to remediation IAM role names. The same namespace should be used in the Member Roles and Member stacks. This string should be unique for each solution deployment, but does not need to be changed during stack updates. The namespace value does **not** need to be unique per member account.  
+**Sec Hub Account Admin** |  `<Requires input>` |  Enter the 12-digit account ID for the AWS Security Hub admin account. This value grants permissions to the admin account’s solution role.  
+  
@@ -202,5 +242,14 @@ Because the [member stack](https://solutions-reference.s3.amazonaws.com/automate
-**LogGroup Configuration** : Choose the log group that receives CloudTrail logs. If none exists, or if the log group is different for each account, choose a convenient value. Account administrators must update the Systems Manager - Parameter Store /Solutions/SO0111/Metrics_LogGroupName parameter after creating a CloudWatch Logs Group for CloudTrail logs. This is required for remediations that create metrics alarms on API calls.
-
-**Standards** : Choose the standards to load in the member account. This only installs the AWS Systems Manager runbooks - it does not enable the Security Standard.
-
-**SecHubAdminAccount** : Enter the account ID of the AWS Security Hub Admin account where you installed the solution’s admin template.
+Parameter | Default | Description  
+---|---|---  
+**Provide the name of the LogGroup to be used to create Metric Filters and Alarms** |  `<Requires input>` |  Specify the name of a CloudWatch Logs group where CloudTrail logs API calls. This is used for CIS 3.1-3.14 remediations.  
+**Load SC Member Stack** |  `yes` |  Specify whether to install the member components for automated remediation of SC controls.  
+**Load AFSBP Member Stack** |  `no` |  Specify whether to install the member components for automated remediation of FSBP controls.  
+**Load CIS120 Member Stack** |  `no` |  Specify whether to install the member components for automated remediation of CIS120 controls.  
+**Load CIS140 Member Stack** |  `no` |  Specify whether to install the member components for automated remediation of CIS140 controls.  
+**Load CIS300 Member Stack** |  `no` |  Specify whether to install the member components for automated remediation of CIS300 controls.  
+**Load PC1321 Member Stack** |  `no` |  Specify whether to install the member components for automated remediation of PC1321 controls.  
+**Load NIST Member Stack** |  `no` |  Specify whether to install the member components for automated remediation of NIST controls.  
+**Create S3 Bucket For Redshift Audit Logging** |  `no` |  Select `yes` if the S3 bucket should be created for the FSBP RedShift.4 remediation. For details of the S3 bucket and the remediation, review the [Redshift.4 remediation](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-redshift-4) in the _AWS Security Hub User Guide_.  
+**Sec Hub Admin Account** |  `<Requires input>` |  Enter the 12-digit account ID for the AWS Security Hub admin account.  
+**Namespace** |  `<Requires input>` |  Enter a string of up to 9 lowercase alphanumeric characters. This string becomes part of the IAM role names and Action Log S3 bucket. Use the same value for member stack deployment and member roles stack deployment. String should be unique for each solution deployment, but does not need to be changed during stack updates.  
+**EnableCloudTrailForASRActionLog** |  `no` |  Select `yes` if you want to monitor management events conducted by the solution on the CloudWatch dashboard. The solution creates a CloudTrail trail in each member account where you select `yes`. You must deploy the solution into an AWS Organization to enable this feature. **Additionally, you can only enable this feature in a single region within the same account.** See the [Cost](./cost.html#additional-cost-action-log) section to understand the additional cost that this incurs.