

# Architecture details
<a name="architecture-details"></a>

This section describes the components and AWS services that make up this solution and how those components work together.

# AWS Security Hub integration
<a name="aws-security-hub-integration"></a>

Deploying the `automated-security-response-admin` stack integrates the solution with the [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) custom action feature. When an AWS Security Hub CSPM console user selects findings and chooses **Actions >** **Remediate with ASR**, the selected findings are sent to EventBridge as a custom action event, which triggers the remediation workflow.

Cross-account permissions and AWS Systems Manager runbooks must be deployed to all AWS Security Hub accounts (admin and member) using the `automated-security-response-member.template` and `automated-security-response-member-roles.template` CloudFormation templates. These templates grant the solution permission to run automated remediation in the target account. For more information, refer to [Playbooks](playbooks.md).

Users can configure fully automated remediation on a per-control basis in Amazon DynamoDB. When enabled for a control, findings for that control are remediated as soon as they are reported to AWS Security Hub, with no console action required. By default, automatic remediation is turned off for every control. You can change this at any time after installation by modifying the [Remediation Configuration DynamoDB table](enable-fully-automated-remediations.md).
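
The two entry points above (the **Remediate with ASR** custom action and fully automated remediation on import) are both EventBridge rules matching Security Hub events. The following is an added example, not code from the solution itself: a small matcher implementing the subset of EventBridge pattern semantics these rules need, with one pattern per entry point and constructed sample events. Assumptions: the `actionName` carried in the custom action event, the list of auto-remediated controls (which stands in for the DynamoDB table), and the account ID and finding ARN in the sample finding are all placeholders; the event shapes follow Security Hub's `Security Hub Findings - Custom Action` and `Security Hub Findings - Imported` event types.

```python
from typing import Any, Dict, List

# The custom action's display name is on the page; the actionName carried in
# the event is an assumption here (it is configured by the admin stack).
ASR_CUSTOM_ACTION_NAME = "Remediate with ASR"

# Constructed stand-in for the per-control DynamoDB configuration: controls
# whose findings are remediated automatically on import.
AUTO_REMEDIATE_CONTROLS = ["S3.1", "EC2.2"]

# Entry point 1: a console user selects findings and chooses
# Actions > Remediate with ASR. EventBridge patterns AND across keys and OR
# across the literal values listed for a key.
CUSTOM_ACTION_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "detail": {"actionName": [ASR_CUSTOM_ACTION_NAME]},
}


def imported_finding_pattern(control_ids: List[str]) -> Dict[str, Any]:
    """Entry point 2: fully automated mode. Match findings as Security Hub
    imports them, restricted to NEW, ACTIVE, FAILED findings for controls that
    have automatic remediation enabled. Uses the consolidated
    Compliance.SecurityControlId field (Security Control playbook)."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {
            "findings": {
                "RecordState": ["ACTIVE"],
                "Workflow": {"Status": ["NEW"]},
                "Compliance": {"Status": ["FAILED"], "SecurityControlId": control_ids},
            }
        },
    }


def matches(pattern: Any, value: Any) -> bool:
    """The subset of EventBridge pattern semantics these rules rely on:
    dict patterns AND their keys; list patterns OR their literal values;
    when the event holds an array (detail.findings), any element may match."""
    if isinstance(pattern, dict):
        if isinstance(value, list):
            return any(matches(pattern, item) for item in value)
        if not isinstance(value, dict):
            return False
        return all(key in value and matches(sub, value[key]) for key, sub in pattern.items())
    if isinstance(pattern, list):
        if isinstance(value, list):
            return any(item in pattern for item in value)
        return value in pattern
    raise TypeError("pattern leaves must be lists of literal values")


def route(event: Dict[str, Any], enabled_controls: List[str] = AUTO_REMEDIATE_CONTROLS):
    """Decide which entry point, if any, an event represents. Returns
    'custom-action', 'automatic', or None when the event is ignored."""
    if matches(CUSTOM_ACTION_PATTERN, event):
        return "custom-action"
    if enabled_controls and matches(imported_finding_pattern(enabled_controls), event):
        return "automatic"
    return None


# Constructed, trimmed ASFF finding (sample account ID and finding ARN).
SAMPLE_FINDING = {
    "Id": "arn:aws:securityhub:us-east-1:111111111111:security-control/S3.1/finding/example",
    "AwsAccountId": "111111111111",
    "Region": "us-east-1",
    "RecordState": "ACTIVE",
    "Workflow": {"Status": "NEW"},
    "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.1"},
}


def custom_action_event(findings, action_name=ASR_CUSTOM_ACTION_NAME):
    """Constructed event in the shape Security Hub emits for a custom action."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Custom Action",
        "detail": {"actionName": action_name, "findings": findings},
    }


def imported_event(findings):
    """Constructed event in the shape Security Hub emits when a finding is imported."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": findings},
    }


if __name__ == "__main__":
    print(route(custom_action_event([SAMPLE_FINDING])))                  # custom-action
    print(route(imported_event([SAMPLE_FINDING])))                       # automatic
    print(route(imported_event([SAMPLE_FINDING]), enabled_controls=[]))  # None
```

The point to take from `route` is the asymmetry between the two paths: the custom action path fires for whatever findings a console user selected, so its rule only needs the action name, while the automatic path must be narrowed in the rule itself (workflow status, record state, compliance status and the enabled controls) or every re-import of an already-handled finding would start another remediation.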

# Cross-account remediation
<a name="cross-account-remediation"></a>

Automated Security Response on AWS uses cross-account roles to work across the primary (admin) account and secondary (member) accounts. These roles are deployed to member accounts during solution installation, and each remediation is assigned its own role, so the permission granted to the primary account is scoped to one remediation at a time. The remediation process in the primary account is granted permission to assume the remediation role in the account that requires remediation; the remediation itself is performed by AWS Systems Manager runbooks running in that account.
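
The hop described above, as an added example rather than the solution's own orchestrator code: the primary-account process assumes the per-remediation role in the member account that owns the finding, then starts the Systems Manager Automation runbook in that account and Region with the short-lived credentials. It also shows the trust policy such a member role should carry and a check that a fetched trust policy trusts nothing beyond the expected principal. Assumptions: the role name, runbook name, runbook parameters, account IDs and the sample finding are placeholders (real ASR role and runbook names come from the member templates); passing the member role as the runbook's `AutomationAssumeRole` parameter follows the usual SSM Automation convention and is an assumption about this solution. STS and SSM clients are injected so the code runs offline against the included fakes.

```python
from dataclasses import dataclass
from typing import Any, Dict

@dataclass(frozen=True)
class Target:
    account_id: str
    region: str
    resource_id: str

def target_from_finding(finding: Dict[str, Any]) -> Target:
    """The finding's account and Region decide which member role is assumed
    and where the runbook runs. A malformed account ID is rejected rather
    than interpolated into a role ARN."""
    account = finding["AwsAccountId"]
    if not (account.isdigit() and len(account) == 12):
        raise ValueError(f"unexpected AwsAccountId: {account!r}")
    return Target(account, finding["Region"], finding["Resources"][0]["Id"])

def member_role_arn(target: Target, role_name: str) -> str:
    return f"arn:aws:iam::{target.account_id}:role/{role_name}"

def member_role_trust_policy(orchestrator_role_arn: str) -> Dict[str, Any]:
    """Trust policy for a per-remediation member role: only the primary account's
    remediation role may assume it, not the primary account as a whole."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": orchestrator_role_arn},
                           "Action": "sts:AssumeRole"}]}

def trusts_only(policy: Dict[str, Any], expected_principal: str) -> bool:
    """Check that a member role's trust policy trusts the expected principal and
    nothing else: an account root or wildcard principal would let any role in
    that account drive remediations in the member account."""
    seen = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            return False  # "*", Service or Federated principals are out of scope
        arns = principal["AWS"]
        for arn in ([arns] if isinstance(arns, str) else arns):
            if arn != expected_principal:
                return False
            seen = True
    return seen

def remediate(finding, role_name, runbook, parameters, sts, ssm_factory):
    """One cross-account hop: assume the member role for this finding, then start
    the runbook in the member account and Region with the short-lived credentials.
    ssm_factory(region, credentials) returns an SSM client for that Region."""
    target = target_from_finding(finding)
    role_arn = member_role_arn(target, role_name)
    creds = sts.assume_role(RoleArn=role_arn,
                            RoleSessionName=f"asr-{target.account_id}",
                            DurationSeconds=900)["Credentials"]  # STS minimum
    ssm = ssm_factory(target.region, creds)
    response = ssm.start_automation_execution(
        DocumentName=runbook,
        # AutomationAssumeRole is the standard SSM Automation parameter naming the
        # role the runbook runs under; passing the member role is an assumption here.
        Parameters={**parameters, "AutomationAssumeRole": [role_arn]})
    return response["AutomationExecutionId"]

class FakeSts:
    """Offline stand-in for boto3's STS client; records the AssumeRole call."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret", "SessionToken": "token"}}

class FakeSsm:
    """Offline stand-in for a Regional SSM client; records StartAutomationExecution."""
    def __init__(self, region):
        self.region, self.calls = region, []

    def start_automation_execution(self, **kwargs):
        self.calls.append(kwargs)
        return {"AutomationExecutionId": f"exec-{self.region}-{len(self.calls)}"}

# Constructed, trimmed ASFF finding for a resource in a member account.
SAMPLE_FINDING = {"AwsAccountId": "222222222222", "Region": "eu-west-1",
                  "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-member-bucket"}]}

def demo():
    """Run the hop against the fakes and return what the orchestrator did."""
    sts, ssm_clients = FakeSts(), {}
    execution_id = remediate(SAMPLE_FINDING, "ASR-ExampleRemediationRole", "ASR-ExampleRunbook",
                             {"BucketName": ["example-member-bucket"]}, sts,
                             lambda region, creds: ssm_clients.setdefault(region, FakeSsm(region)))
    call = ssm_clients[SAMPLE_FINDING["Region"]].calls[0]
    return {"execution_id": execution_id, "assumed_role": sts.calls[0]["RoleArn"],
            "runbook": call["DocumentName"], "parameters": call["Parameters"]}
```

To run it against real accounts, pass `boto3.client("sts")` as `sts` and a factory that builds `boto3.client("ssm", region_name=region, aws_access_key_id=creds["AccessKeyId"], aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])` from the returned credentials. `trusts_only` is the check worth running in each member account against `iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]` after deploying the member roles: the remediation roles are the only path by which the primary account can change member resources, so a trust policy that names the primary account root instead of the specific remediation role widens that path to every principal in the primary account.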

# Playbooks
<a name="playbooks"></a>

A set of remediations is grouped into a package called a *playbook*. Playbooks are installed, updated, and removed using this solution’s templates. For information about supported remediations in each playbook, refer to [Developer Guide → Playbooks](https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/playbooks-1.html). This solution currently supports the following playbooks:
+ Security Control, a playbook aligned with the Consolidated control findings feature of AWS Security Hub, published February 23, 2023.
**Important**  
When [Consolidated control findings](deciding-where-to-deploy-each-stack.md#consolidated-controls-findings) are enabled in Security Hub, this is the only playbook that should be enabled in the solution.
+  [Center for Internet Security (CIS) Amazon Web Services Foundations benchmarks, version 1.2.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html#cis1v2-standard), published May 18, 2018.
+  [Center for Internet Security (CIS) Amazon Web Services Foundations benchmarks, version 1.4.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html#cis1v4-standard), published November 9, 2022.
+  [Center for Internet Security (CIS) Amazon Web Services Foundations benchmarks, version 3.0.0](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html#cis3v0-standard), published May 13, 2024.
+  [AWS Foundational Security Best Practices (FSBP) version 1.0.0](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html), published March 2021.
+  [Payment Card Industry Data Security Standards (PCI-DSS) version 3.2.1](https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html), published May 2018.
+  [National Institute of Standards and Technology (NIST) SP 800-53 Revision 5 (Security Hub standard version 5.0.0)](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html), published November 2023.

After the solution's CloudFormation stacks are deployed, the installed playbooks are ready to use immediately; no additional configuration is required to remediate findings from the Security Standards listed above through the **Remediate with ASR** custom action. Fully automated remediation stays off until you enable it for individual controls in the Remediation Configuration DynamoDB table.

## Centralized logging
<a name="centralized-logging"></a>

Automated Security Response on AWS writes to a single CloudWatch Logs log group, `SO0111-ASR`. This log group holds the solution's detailed output and is the first place to look when troubleshooting or managing the solution.

# Notifications
<a name="notifications"></a>

This solution uses Amazon Simple Notification Service (Amazon SNS) topics to publish remediation results. You can subscribe to these topics to extend the solution, for example to send email notifications or update trouble tickets.
+  **SO0111-ASR\_Topic** – Used to send general informational and error messages related to executed remediations.
+  **SO0111-ASR\_Alarm\_Topic** – Used to notify when one of the solution's alarms is triggered, indicating that the solution is not functioning as expected.

## AWS services in this solution
<a name="aws-services-in-this-solution"></a>

The solution uses the following services. Core services are required to use the solution, and supporting services connect the core services.


| AWS service | Description | 
| --- | --- | 
|   [Amazon EventBridge](https://aws.amazon.com/eventbridge/)   |   **Core**. EventBridge rules listen for the events emitted by AWS Security Hub and AWS Security Hub CSPM (custom actions and imported findings) and trigger the remediation workflow.  | 
|   [AWS IAM](https://aws.amazon.com/iam/)   |   **Core**. Deploys the cross-account and per-remediation roles that allow remediations on different resources.  | 
|   [AWS Lambda](https://aws.amazon.com/lambda/)   |   **Core.** Deploys multiple Lambda functions that the Step Functions orchestrator uses to remediate issues. Serves as the backend for the solution's Web UI integrated with API Gateway.  | 
|   [AWS Security Hub](https://aws.amazon.com/security-hub/)   |   **Core**. Provides customers with a comprehensive view of their AWS security state.  | 
|   [AWS Step Functions](https://aws.amazon.com/step-functions/)   |   **Core**. Deploys an orchestrator that will invoke the remediation documents with AWS Systems Manager API calls.  | 
|   [AWS Systems Manager](https://aws.amazon.com/systems-manager/)   |   **Core**. Deploys Systems Manager Automation documents (runbooks) that contain the remediation logic executed by the solution. Uses Parameter Store to maintain solution metadata and configuration settings.  | 
|   [Amazon DynamoDB](https://aws.amazon.com/dynamodb/)   |   **Core**. Stores the last run remediation in each account and Region to optimize scheduling of remediations. Stores findings generated by AWS Security Hub and AWS Security Hub CSPM. Stores remediation and solution configuration metadata, including the per-control automatic remediation settings. Stores data for users accessing the solution's Web UI.  | 
|   [AWS CloudTrail](https://aws.amazon.com/cloudtrail)   |   **Supporting.** Records changes that the solution makes to your AWS resources and displays them on a CloudWatch dashboard.  | 
|   [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/)   |   **Supporting**. Deploys log groups that the different playbooks will use to log results. Collects metrics to display on a custom dashboard with alarms.  | 
|   [Amazon Simple Notification Service](https://aws.amazon.com/sns/)   |   **Supporting**. Deploys SNS topics that receive a notification once a remediation has been completed.  | 
|   [Amazon SQS](https://aws.amazon.com/sqs/)   |   **Supporting**. Assists with scheduling remediations so that the solution can run remediations in parallel. Buffers Lambda invocations using Lambda event source mappings.  | 
|   [AWS Key Management Service](https://aws.amazon.com/kms)   |   **Supporting**. Used to encrypt data for remediations.  | 
|   [AWS Config](https://aws.amazon.com/config)   |   **Supporting**. Records all resources for use with AWS Security Hub.  | 
|   [Amazon S3](https://aws.amazon.com/s3)   |   **Supporting**. Stores exported remediation history and log data. Hosts the solution’s Web UI as a Single-page Application (SPA).  | 
|   [Amazon CloudFront](https://aws.amazon.com/cloudfront)   |   **Supporting**. Delivers the solution's Web UI.  | 
|   [Amazon API Gateway](https://aws.amazon.com/apigateway)   |   **Supporting**. Creates the solution’s REST API to support the user interface.  | 
|   [AWS WAF](https://aws.amazon.com/waf)   |   **Supporting**. Protects the solution’s Web UI.  | 
|   [Amazon Cognito](https://aws.amazon.com/cognito)   |   **Supporting**. Used to authenticate and authorize access to the solution’s Web UI.  | 