AWS solutions medium security documentation change
Summary
Updated documentation to add detailed steps for enabling automated remediations via DynamoDB configuration and added filtering options
Security assessment
Added explicit warnings about scoping automated remediations to appropriate accounts/regions and introduced resource filtering capabilities. These changes help prevent unintended remediation actions, reducing risk of accidental resource modifications. The filtering configuration (account/OU/tag-based) provides security controls for remediation scope.
Diff
diff --git a/solutions/latest/automated-security-response-on-aws/enable-fully-automated-remediations.md b/solutions/latest/automated-security-response-on-aws/enable-fully-automated-remediations.md index 6c368e77b..59d8dfb15 100644 --- a//solutions/latest/automated-security-response-on-aws/enable-fully-automated-remediations.md +++ b//solutions/latest/automated-security-response-on-aws/enable-fully-automated-remediations.md @@ -5 +5 @@ -Confirm that you have no resources this finding may accidentally be applied toEnable the ruleConfigure the resourceConfirm that the remediation resolved the finding +Example: Enable fully-automated remediations for Lambda.1Locate the Remediation Configuration DynamoDB TableModify the Remediation Configuration TableConfigure the resourceConfirm that the remediation resolved the finding(Optional) Configure Filtering for Fully-Automated Remediations @@ -11 +11,5 @@ The other mode of operation for the solution is to automatically remediate findi -## Confirm that you have no resources this finding may accidentally be applied to +###### Important + +Before enabling fully automated remediations, ensure the solution is configured in the accounts and regions where you are conformable with the solution making automated changes. If you would like to narrow the scope of the solution’s automated remediations, see the section below on filtering fully-automated remediations. + +## Example: Enable fully-automated remediations for Lambda.1 @@ -24 +28,22 @@ Account | Purpose | Action in us-east-1 | Action in us-west-2 -## Enable the rule +## Locate the Remediation Configuration DynamoDB Table + +In the Admin account, view the `Outputs` for the Admin stack in the CloudFormation console. You will see an output titled `RemediationConfigurationDynamoDBTable`. + +This is the name of the Remediation Configuration DynamoDB table, which controls automated remediation configurations for the solution. Copy the value of this output and locate the corresponding DynamoDB table in the DynamoDB console. + +Account | Purpose | Action in us-east-1 | Action in us-west-2 +---|---|---|--- +`111111111111` | Admin | Locate the Remediation Configuration DynamoDB table. | None +`222222222222` | Member | None | None + +## Modify the Remediation Configuration Table + +In the DynamoDB console where you have located the Remediation Configuration table, select **Explore Table Items**. + +Each item in the table corresponds to a Security Hub control supported by the solution. Each item has a `automatedRemediationEnabled` attribute that can be modified to enable fully-automated remediations for the associated control. + +To enable Lambda.1, under **Scan or query items** select **Query**. Under **Partition key: controlId** enter `Lambda.1` and click **Run**. You will see a single item returned corresponding to the Lambda.1 control. + + + +Now, select the `Lambda.1` item then click **Actions > Edit item**. @@ -26 +51,3 @@ Account | Purpose | Action in us-east-1 | Action in us-west-2 -In the Admin account, locate an EventBridge rule named **SC_2.0.0_Lambda.1_AutoTrigger** and enable it. + + +Finally, change the `automatedRemediationEnabled` attribute value to **True**. Click **Save and Close**. @@ -30 +57 @@ Account | Purpose | Action in us-east-1 | Action in us-west-2 -`111111111111` | Admin | Enable the automated remediation rules | None +`111111111111` | Admin | Modify the Remediation Configuration DynamoDB table. | None @@ -48 +75 @@ Account | Purpose | Action in us-east-1 | Action in us-west-2 -`111111111111` | Admin | Enable the automated remediation rules | None +`111111111111` | Admin | None | None @@ -50,0 +78,23 @@ Account | Purpose | Action in us-east-1 | Action in us-west-2 +## (Optional) Configure Filtering for Fully-Automated Remediations + +If you would like to limit the scope in which the solution runs remediations, you can apply filters. These filters will only apply to fully-automated remediations and will not impact manually invoked remediations. + +The solution offers filtering on the following dimensions: + + 1. Account Ids + + 2. Organizational Units (OUs) + + 3. Resource Tags + + + + +Each dimension is configurable by modifying the Systems Manager Parameters deployed by the solution corresponding to the given dimension. All filtering parameters in Parameter Store can be located in the Admin account under the `/ASR/Filters/` path. + +Each dimension has two parameters for configuration, one for filter value and another for the filter mode. For example, the Account Ids dimension has two parameters named `/ASR/Filters/AccountFilters` and `/ASR/Filters/AccountFilterMode`. Both must be modified to configure filtering on Account Ids. + +For example, to limit fully-automated remediations to run in only accounts `111111111111` and `222222222222`, you would change the value of `/ASR/Filters/AccountFilters` to **"111111111111, 222222222222"**. Then, change the value of `/ASR/Filters/AccountFilterMode` to **"Include"**. The solution will then ignore any findings generated for accounts other than 111111111111 or 222222222222. + +Each filter parameter takes a comma-delimited list of values to filter on, and each "mode" parameter can be set to either **Include** , **Exclude** , or **Disabled**. +