
Releases: aws-solutions/automated-security-response-on-aws

v3.0.0

13 Nov 18:03
de91576


[3.0.0] - 2025-11-13

Added

  • Optional Web User Interface to run remediations, view past remediations, and delegate access to the solution
    • When the ShouldDeployWebUI parameter is "yes", you must enter a value for AdminUserEmail; that address is granted administrator access to the Web UI and receives temporary credentials and a login link via email.
    • Deploying the Web UI provisions additional resources such as a CloudFront distribution, Cognito User Pool, S3 bucket for hosting, and more.
  • Support for Security Control findings in Security Hub v2
    • The solution continues to support Security Hub CSPM in addition to Security Hub v2
  • API Gateway REST API to support the new Web User Interface
  • Automated remediation filtering capabilities based on Account ID, Organizational Unit ID, and resource tags
    • Controlled via SSM parameters under ASR/Filters/
  • Pre-Processor Lambda function to centralize processing of Security Hub finding events
  • DynamoDB tables to store Security Hub finding data, remediation history data, and automated remediation settings
  • Complete list of supported control IDs in solutions-reference/automated-security-response-on-aws/latest/supported-controls.json
  • EventBridge rule to run a weekly refresh of the Findings DynamoDB table
  • EventBridge rule to capture and handle Step Function failures in the Orchestrator

Changed

  • Security Hub events are now consumed by a single EventBridge rule and forwarded to the Pre-processor
  • Enabling / Disabling automated remediations is now controlled by the Remediation Configuration DynamoDB table, which can be modified post-deployment. See the Implementation Guide for details.
    • You can find the DynamoDB table name in the Stack Outputs after deploying the Admin stack
    • Automated remediations are still toggled per Control ID, and are disabled by default
  • Updated several dependencies to address security vulnerabilities
  • Migrated to Node's built-in randomUUID() instead of importing the uuid package
  • This solution sends operational metrics to AWS (the "Data") about the use of this solution. We use this Data to better understand how customers use this solution and related services and products. AWS’s collection of this Data is subject to the AWS Privacy Notice.

Removed

  • EventBridge rules per Control ID
  • Filtering configuration in Admin stack parameters
    • Filtering settings are now configurable in Systems Manager Parameter Store, e.g. ASR/Filters/AccountFilters

Fixed

  • S3.1 control ID in the CIS v3 playbook (2.1.4 -> 2.1.4.1)
  • Improved logic in EnableCloudTrailToCloudWatchLogging_waitforloggroup remediation script
  • Finding link in SNS notifications now links to the finding directly, instead of the control view in the Security Hub console
  • Fixed bugs in CloudTrail.5 and CloudWatch.1 remediations
  • Fixed resource ID parameter in CloudTrail.4 and CloudTrail.7 control runbooks
  • Improved error handling in the Orchestrator Step Function
  • Included CreateServiceLinkedRole permissions in GuardDuty.1 remediation role

v2.3.2

14 Aug 19:46
3609cf5


[2.3.2] - 2025-08-14

Fixed

  • Fixed the order of the ECR.1 remediation in the SC list

v2.3.1

06 Aug 20:38
8ff7be3


[2.3.1] - 2025-08-06

Added

  • AWS Lambda Powertools Logger & Tracer support for all services
  • Added the SNS topic name to the logs
  • Added missing ECR.1 remediation in SC list

Fixed

  • Removed tag for EventSourceMapping
  • Added missing condition on log group in Admin stack to skip creation on solution re-deployment

v2.3.0

16 Jul 19:49
23999a4


[2.3.0] - 2025-07-16

Added

  • Remediations for additional control IDs; see source/playbooks/SC/lib/sc_remediations.ts for details
  • Filtering by Account ID for automated remediation executions
  • AssumeRoleFailure step to the Orchestrator Step Function for error handling
  • Enhanced failure metric states
  • Anonymized metrics for CloudFormation parameter selections
  • SSM parameters security validation

Removed

  • ServiceCatalog Application Registry integration
  • Deprecated zlib package from CloudTrail Event Processor lambda
  • requirements_dev.txt from version control
  • Redundant anonymized metric publishing from check_ssm_execution lambda

Changed

  • Upgraded the Node.js runtime for the CloudTrail Event Processor lambda from 20 to 22
  • Refactored member roles & remediation runbook stacks into separate files
  • Replaced resource names and references to old solution name ("SHARR") with current solution name ("ASR")
    • Some logical IDs with references to "SHARR" were not changed to avoid breaking the update path
    • Any KMS key names/aliases/logical IDs were left unchanged to avoid disrupting encryption.
  • Renamed the error strings that Orchestrator steps publish as "States" and that cloudwatch_metrics.ts consumes
  • Removed AwsSolutionsChecks from CDK build
  • Updated grouping of CloudWatch metrics parameters for clarity
  • Updated dependencies: Jinja2, Cryptography, babel, aws-cdk-lib, aws-cdk, urllib3, moto, @cdklabs/cdk-ssm-documents, jest libs
  • Support for Poetry v2
  • Refactored lambdas and runbooks for code quality
  • 'Estimated Hours Saved' dashboard widget
  • Renamed CloudFormation templates to align with current solution name: Automated Security Response on AWS (ASR)
  • Appended account ID to action log ManagementEvents S3 bucket to avoid bucket name clashing among member stack deployments with the same namespace

Fixed

  • Python handler referenced in RevokeUnusedIAMUserCredentials.yaml to match RevokeUnusedIAMUserCredentials.py
  • Remediation runbooks that rely on unstable Resources.Details finding field
  • Regular expression patterns used in runbooks to match KMS Key ARNs
  • Race condition in applogger.py when two instances of SendNotifications lambda are running in parallel
    • Caused by lack of exception handling when log group does not yet exist

v2.2.1

27 Jan 19:04


[2.2.1] - 2025-01-27

Changed

  • Modified the org-id-lookup custom resource to avoid throwing an error when the Admin stack is deployed in a non-Organization account.

Security

v2.2.0

16 Dec 18:39
e58e0a4


[2.2.0] - 2024-12-16

Added

  • Option to integrate an external ticket system by providing a lambda function name at deployment time
  • Integration stacks for Jira and ServiceNow as external ticketing systems
  • Widget "Total successful remediations" on the CloudWatch Dashboard
  • Detailed success/failure metrics on the CloudWatch Dashboard grouped by control id
  • Detailed log of account management actions taken by ASR on the CloudWatch Dashboard
  • Remediations for additional control ids
  • Playbook for CIS 3.0 standard
  • Integrated Poetry for python dependency management
  • Integration with AWS Lambda Powertools Logger & Tracer
  • Deletion protection and autoscaling to scheduling table

Changed

  • More detailed notifications
  • Added namespace to member roles to avoid name conflicts when reinstalling the solution
  • Removed CloudFormation retention policies for member IAM roles where unnecessary

Fixed

  • Config.1 remediation script to allow non-"default" Config recorder name
  • parse_non_string_types.py script to allow boolean values

v2.1.4

18 Nov 20:37
561e9cd


[2.1.4] - 2024-11-18

Changed

  • Upgraded python runtimes in all control runbooks from python3.8 to python3.11.
    • Upgrade is done at build-time temporarily, until the cdklabs/cdk-ssm-documents package adds support for newer python runtimes.

Security

v2.1.3

18 Sep 16:03
32f4774


[2.1.3] - 2024-09-18

Fixed

  • Resolved an issue in the remediation scripts for EC2.18 and EC2.19 where security group rules with IpProtocol set to "-1" were being incorrectly ignored.
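The EC2.18/EC2.19 fix above concerns ingress rules whose IpProtocol is "-1", which in EC2 means every protocol and every port and therefore carries no FromPort/ToPort. As an added illustration that is not the project's remediation code, the following Python puts a port check that silently skips such rules next to one that treats them as covering every port; the sample rules, function names and the exact shape of the original defect are constructed assumptions.

```python
# Added illustration, not the project's code. Sample ingress rules are constructed
# in the shape of EC2 DescribeSecurityGroups IpPermissions entries.
ALL_PROTOCOLS = "-1"
ANYWHERE = ("0.0.0.0/0", "::/0")

SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    # "-1" rules have no FromPort/ToPort: they apply to every protocol and port.
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]


def is_unrestricted(rule):
    """True if any source range of the rule is the whole IPv4 or IPv6 internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def rule_covers_port_buggy(rule, port):
    """Defective check (hypothetical): reads the port fields before looking at the
    protocol, so "-1" rules, which have no port fields, are ignored."""
    if "FromPort" not in rule or "ToPort" not in rule:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def rule_covers_port(rule, port):
    """Corrected check: an all-protocols rule covers every port; otherwise only
    TCP/UDP rules carry a real port range (ICMP reuses the fields for type/code)."""
    if rule["IpProtocol"] == ALL_PROTOCOLS:
        return True
    if rule["IpProtocol"] not in ("tcp", "udp", "6", "17"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def unrestricted_rules_for_port(rules, port, covers=rule_covers_port):
    """Ingress rules that expose `port` to the whole internet."""
    return [r for r in rules if is_unrestricted(r) and covers(r, port)]
```

With the defective check the IPv6 all-protocols rule open to ::/0 is never reported for port 22, while the corrected check flags both it and the explicit TCP/22 rule.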

Changed

  • Upgraded all Python runtimes in remediation SSM documents from Python 3.8 to Python 3.11.

V2.1.2

20 Jun 17:03
28200df


Fixed

  • Disabled AppRegistry for certain playbooks to avoid errors when updating the solution
  • Created a fixed list of playbooks instead of creating stacks dynamically, to avoid this in the future

Security

V2.1.1

10 Apr 15:48
6ec8f5c


Changed

  • Changed order of CloudFormation parameters to emphasize the Security Control playbook
  • Changed default for all playbooks other than SC to 'no'
  • Updated descriptions of playbook parameters
  • Updated architecture diagram