# Automated Security Response on AWS

Resolve common security threats and improve your security posture

- **Version**: 3.1.4
- **Released**: 4/2026
- **Author**: AWS
- **Est. deployment time**: 30 mins
- **Estimated cost**: [See details](/solutions/latest/automated-security-response-on-aws/cost.html)

## Overview

Automated Security Response on AWS is an AWS Solution that enhances [AWS Security Hub](https://aws.amazon.com/security-hub/) by automatically addressing common security issues across your organization's AWS environment. When Security Hub identifies a potential security concern, this solution initiates pre-defined responses to resolve the issue efficiently. It also operates across multiple AWS accounts for comprehensive security coverage. This solution logs all actions taken, sends notifications to your relevant parties, and can integrate with your existing ticketing services. By automating the remediation of your Security Hub findings, you can maintain a strong security posture with reduced manual effort, aligning with industry best practices and compliance standards while streamlining your overall security management process.

## Benefits

### Automatic remediations

Deploy a predefined set of response and remediation actions to respond to threats automatically.


### Remediation playbooks

Enable remediations aligned to AWS Foundations Benchmarks or AWS Foundational Security Best Practices out of the box.


### Manage or delegate

View and remediate findings in the Automated Security Response on AWS web UI, or delegate control of remediations at the account level.


### Extensible and customizable

Extend this solution with custom remediation and playbook implementations, or deploy a custom playbook for a new set of controls.


## How it works

You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.

[Open implementation guide](/solutions/latest/automated-security-response-on-aws/?.html)

![Architecture diagram](/images/solutions/automated-security-response-on-aws/images/automated-security-response-on-aws-1.png)

1. **Detect**: AWS Security Hub provides customers with a comprehensive view of their AWS security state. It helps them to measure their environment against security industry standards and best practices. It works by collecting events and data from other AWS services, such as AWS Config, Amazon GuardDuty, and AWS Firewall Manager. These events and data are analyzed against security standards, such as CIS AWS Foundations Benchmark. Exceptions are asserted as *findings* in the AWS Security Hub console. New findings are sent as Amazon EventBridge events.
2. **Listen**: EventBridge events are emitted by AWS Security Hub for every finding created or modified by the service. Automated Security Response on AWS (ASR) deploys two EventBridge rules that listen for finding events generated by AWS Security Hub:
   - **Custom Action** EventBridge rule: Listens for custom action events emitted by AWS Security Hub CSPM when the 'Remediate with ASR' custom action is triggered by a user. The event is forwarded to the Orchestrator for remediation.
   - **Findings** EventBridge rule: Listens for all finding create or update events emitted by AWS Security Hub and AWS Security Hub CSPM. These events are forwarded to the Pre-Processor’s SQS queue for further processing.
3. **Initiate**: You can initiate remediations by hand, or configure them to run automatically. To run a remediation manually, you can use the Web UI deployed by the solution or the custom actions feature in AWS Security Hub CSPM. After careful testing in a non-production environment, you can also activate automated remediations. You can activate automation for individual remediations; you don’t need to activate automatic initiation on all remediations. To configure remediations to run automatically, see the Enable fully-automated remediations page.
4. **Pre-remediate**: In the admin account, AWS Step Functions processes the remediation event and prepares it to be scheduled.
5. **Schedule**: The solution invokes the scheduling AWS Lambda function to place the remediation event in the Amazon DynamoDB state table.
6. **Orchestrate**: In the admin account, Step Functions uses cross-account AWS Identity and Access Management (IAM) roles. Step Functions invokes the remediation in the member account containing the resource that produced the security finding.
7. **Remediate**: An AWS Systems Manager Automation document in the member account performs the action required to remediate the finding on the target resource, such as disabling Lambda public access. Optionally, you can enable the Action Log feature in the member stacks with the **EnableCloudTrailForASRActionLog** parameter. This feature captures actions taken by the solution in your Member accounts and displays them in the solution’s Amazon CloudWatch dashboard.
8. **(Optional) Create a ticket**: If you use the **TicketGenFunctionName** parameter to enable ticketing in the Admin stack, the solution invokes the provided ticket generator Lambda function. This Lambda function creates a ticket in your ticketing service after the remediation has successfully executed in the Member account. We provide stacks for integration with Jira and ServiceNow.
9. **Notify and log**: The playbook logs the results to a CloudWatch log group, sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic, and updates the Security Hub finding. The solution maintains an audit trail of actions in the finding notes.
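
The routing described in the **Listen** step, as an added example (not code from the solution): a simplified model of the two EventBridge rules that shows which finding events reach the Orchestrator and which reach the Pre-Processor queue. The rule patterns, the custom action ARN, and the sample events are assumptions constructed for illustration, and only the Security Hub CSPM detail types are modeled.

```python
# Added example: simplified model of the two EventBridge rules in the Listen step.
# Patterns and the ARN are assumptions, not copied from the solution's templates.
ASR_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/EXAMPLE"  # constructed

RULES = {
    "orchestrator": {  # Custom Action rule -> Orchestrator
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Custom Action"],
        "resources": [ASR_ACTION_ARN],
    },
    "pre_processor_queue": {  # Findings rule -> Pre-Processor SQS queue
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
    },
}

def matches(pattern, event):
    """Exact-value subset of EventBridge matching: every pattern key must be
    present, and at least one event value must appear in the allowed list."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(allowed, dict):  # nested pattern, e.g. under "detail"
            if not isinstance(actual, dict) or not matches(allowed, actual):
                return False
        else:
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in allowed for v in values):
                return False
    return True

def route(event):
    """Return the targets whose rule pattern matches the event."""
    return [target for target, pattern in RULES.items() if matches(pattern, event)]

def make_event(source, detail_type, resources):
    """Build a constructed event envelope carrying one placeholder finding."""
    return {"source": source, "detail-type": detail_type, "resources": resources,
            "detail": {"findings": [{"Id": "example-finding-id"}]}}

# Constructed sample events (placeholder ARNs and IDs)
IMPORTED = make_event("aws.securityhub", "Security Hub Findings - Imported", ["example-finding-arn"])
ASR_ACTION = make_event("aws.securityhub", "Security Hub Findings - Custom Action", [ASR_ACTION_ARN])
OTHER_ACTION = make_event("aws.securityhub", "Security Hub Findings - Custom Action", ["example-other-action-arn"])
WRONG_SOURCE = make_event("custom.app", "Security Hub Findings - Imported", ["example-finding-arn"])

if __name__ == "__main__":
    print([route(e) for e in (IMPORTED, ASR_ACTION, OTHER_ACTION, WRONG_SOURCE)])
```

The `OTHER_ACTION` and `WRONG_SOURCE` cases match neither rule: a custom action other than the ASR one, or an event with a look-alike detail type from another source, is never handed to a remediation path in this model.
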
## Deploy with confidence

- **We'll walk you through it**: Get started fast. Read the implementation guide for deployment steps, architecture details, cost information, and customization options.

[Open guide](/solutions/latest/automated-security-response-on-aws/?.html)

- **Let's make it happen**: Ready to deploy? Open the CloudFormation template in the AWS Console to begin setting up the infrastructure you need. You'll be prompted to access your AWS account if you haven't yet logged in.

[Launch Admin stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-admin.template&redirectId=SolutionWeb)
[Launch Member accounts stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member.template&redirectId=SolutionWeb)
[Launch Member roles stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/latest/automated-security-response-member-roles.template&redirectId=SolutionWeb)


## Deployment options

- **Source Code**: The source code for this AWS Solution is available in GitHub.

[Go to GitHub](https://github.com/aws-solutions/automated-security-response-on-aws/?refid=sl_card)

- **CloudFormation templates**: View or modify the CloudFormation template to customize your deployment.

[Download template](/solutions/latest/automated-security-response-on-aws/aws-cloudformation-template.html?refid=sl_card)

- **Implementation guide**: Follow the implementation guide for step-by-step actions to deploy this AWS Solution.

[Download guide](/pdfs/solutions/latest/automated-security-response-on-aws/automated-security-response-on-aws.pdf?refid=sl_card#solution-overview)


## Related content

- **Case Study: TUI**: Global travel company TUI Group improved security control management by using Automated Security Response on AWS to automate security management across its AWS landscape.

[Learn more](https://aws.amazon.com/solutions/case-studies/tui-case-study/)

- **AWS Certified Security - Specialty**: Validate your knowledge and advanced technical skills in securing workloads and architectures on AWS.

[Learn more](https://aws.amazon.com/certification/certified-security-specialty/)

- **Video**: Intuit uses an AWS Solution to automate Security Hub remediations

[Learn more](https://www.youtube.com/watch?v=E1UC3V61uyQ)

- **Video**: Solving with AWS Solutions: Intuit automates Security Hub remediations

[Learn more](https://www.youtube.com/watch?v=h1PMyBsHR-s)


## Customer stories

### 6pillars.ai

“At 6pillars.ai, we see organizations struggling with alert fatigue and compliance drift daily. AUTOMATE+, powered by Automated Security Response on AWS, delivers automated remediation while ensuring enterprise-grade availability. We've uniquely integrated ASR capabilities into Well-Architected Framework, FTR and Control Tower workflows, providing comprehensive, non-breaking security automation. We enable our Well-Architected partners to benefit from automated deployment that has demonstrated up to 80% time savings in maintaining continuous compliance.”


**Lorenzo Modesto, CEO, 6pillars.ai**

### Magnet Forensics

“At Magnet Forensics, we specialize in digital forensics software that helps law enforcement, government agencies, and corporate investigators recover and analyze digital evidence. We were looking to build our own automated, event-driven responses to security findings when we discovered Automated Security Response on AWS. After deploying this solution across our organization and using its playbooks for industry and AWS best practices, we've improved our security posture and significantly reduced our team's manual remediation efforts by up to 40%.”


**Jamie McQuaid, Technical Manager for Engineering Security, Magnet Forensics**

---

## AWS Support

- [Get support for this AWS Solution](/solutions/latest/automated-security-response-on-aws/contact-aws-support.html)

