I tried upgrading Automated Security Response on AWS (ASR) to v3 and using the Web UI
Introduction
Are you using Automated Security Response on AWS (referred to as ASR, formerly known as SHARR)?
ASR is one of the AWS solutions that automatically remediates findings detected by AWS Security Hub CSPM.
Recently, I happened to check the GitHub repository and noticed that the major version had been upgraded to v3.
Since I hadn't updated the version for a while, I decided to take this opportunity to upgrade from v2.2.1 to v3.1.1.
If you're using it for the first time, please refer to the procedures in the official documentation.
What Has Changed
When transitioning to v3, there were mainly the following changes:
- A Web UI has been added, allowing you to run remediations and check the remediation history
- Support for Security Hub v2, with Security Control findings support
- Filtering functionality moved from stack parameters to SSM Parameter Store
- EventBridge rules consolidated from per-Control ID rules to a single rule
- Added DynamoDB tables for storing finding data, remediation history, etc.
I'll check the details later, but the newly added UI looks like this, allowing you to run remediations and check the remediation history.

For more detailed update information, please refer to the release notes.
In this article, I'll go through the update procedure for v3 and examine the Web UI.
Architecture
The overall architecture looks like this. Mainly UI-related resources have been added.

Quoted from Architecture Overview - Automated Security Response on AWS
Web UI Parameters Added in v3.0.0
With v3.0.0, Web UI functionality was added, requiring new parameters for the Admin stack.
| Parameter | Description | Example |
|---|---|---|
| ShouldDeployWebUI | Whether to deploy the Web UI | yes or no |
| AdminUserEmail | Web UI administrator's email address | admin@example.com |
If ShouldDeployWebUI is set to yes, AdminUserEmail is required.
Since I'm planning to use the UI in this case, I'll proceed with both settings configured.
Update Procedure
The procedures in this article assume that ASR is deployed in a multi-account environment.
Also, stack names may vary depending on the documents or blogs you reference, as they are customizable. Please adjust accordingly.
Step 1: Update the Admin Stack
First, update the Admin stack (aws-sharr-deploy). This is typically in your management account or the delegated account for Security Hub CSPM.
- Open the CloudFormation console in the target account
- Select the aws-sharr-deploy stack
- Click "Update"
- Select "Replace current template"
- Enter the following in the Amazon S3 URL:
  https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/v3.1.1/automated-security-response-admin.template
- On the parameter configuration screen, set the new parameters:
  - ShouldDeployWebUI: yes (if you want to use the Web UI)
  - AdminUserEmail: Administrator's email address

- Click "Next" and review the change set
- Click "Submit" to update the stack
Wait for the update to complete. At this point, you'll receive login information for the UI, which I'll describe in more detail later.
Step 2: Update the Member Roles Stack
Next, update the Member Roles stack (aws-sharr-member-roles) deployed in each member account.
Log in to the account where you deployed the StackSets and update them.
- Open the CloudFormation console in the target account
- Select "StackSets" and choose the aws-sharr-member-roles stack set from the self-managed tab
- Click "Actions" then "Edit stack set details"
- Select "Replace current template" and enter the following in the Amazon S3 URL:
  https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/v3.1.1/automated-security-response-member-roles.template
- Maintain the existing values for parameters
- Configure regions and deployment options as needed
- Click "Submit" to update the StackSet (initiating batch deployment to each account)
Step 3: Update the Member Stack
Finally, update the Member stack (aws-sharr-member) deployed in each member account.
Similar to Step 2, log in to the account where you deployed the StackSets and update them.
- Open the CloudFormation console in the target account
- Select "StackSets" and choose the aws-sharr-member stack set from the self-managed tab
- Click "Actions" then "Edit stack set details"
- Select "Replace current template" and enter the following in the Amazon S3 URL:
  https://solutions-reference.s3.amazonaws.com/automated-security-response-on-aws/v3.1.1/automated-security-response-member.template
- Maintain the existing values for parameters
- Configure regions and deployment options as needed
- Click "Submit" to update the StackSet
Once the updates are applied, the process is complete.
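The three updates above expressed as CloudFormation API requests, with v2 parameters that the new template no longer declares dropped rather than resent (an added example, not code from the original article or the ASR project). It assumes the stack names used in this article and boto3's `update_stack` / `update_stack_set` argument shapes; the sample parameter keys are hypothetical.

```python
# Added example: builds boto3 CloudFormation request arguments, makes no AWS calls.
BASE = ("https://solutions-reference.s3.amazonaws.com/"
        "automated-security-response-on-aws/v3.1.1/automated-security-response-")
# Upgrade order: (stack or StackSet name from this article, template, boto3 call)
UPGRADE_ORDER = [
    ("aws-sharr-deploy", "admin.template", "update_stack"),
    ("aws-sharr-member-roles", "member-roles.template", "update_stack_set"),
    ("aws-sharr-member", "member.template", "update_stack_set"),
]

def web_ui_overrides(deploy_web_ui, admin_email=""):
    """Values for the two Admin stack parameters added in v3.0.0."""
    if not deploy_web_ui:
        return {"ShouldDeployWebUI": "no"}
    if "@" not in admin_email:
        raise ValueError("AdminUserEmail is required when ShouldDeployWebUI is yes")
    return {"ShouldDeployWebUI": "yes", "AdminUserEmail": admin_email}

def merge_parameters(current_keys, template_params, overrides):
    """current_keys: keys on the deployed stack; template_params: the new
    template's parameters in get_template_summary form."""
    params, missing = [], []
    for p in template_params:
        key = p["ParameterKey"]
        if key in overrides:
            params.append({"ParameterKey": key, "ParameterValue": overrides[key]})
        elif key in current_keys:
            params.append({"ParameterKey": key, "UsePreviousValue": True})
        elif "DefaultValue" not in p:
            missing.append(key)  # new parameter with no default: update would fail
    # Keys the new template no longer declares must not be sent at all.
    dropped = sorted(set(current_keys) - {p["ParameterKey"] for p in template_params})
    return params, dropped, missing

def build_request(step, current_keys, template_params, overrides=None):
    """Return (boto3 operation name, keyword arguments, dropped parameter keys)."""
    name, template, operation = UPGRADE_ORDER[step]
    params, dropped, missing = merge_parameters(
        current_keys, template_params, overrides or {})
    if missing:
        raise ValueError(f"{name}: no value for new parameters {missing}")
    name_arg = "StackName" if operation == "update_stack" else "StackSetName"
    kwargs = {name_arg: name, "TemplateURL": BASE + template, "Parameters": params}
    return operation, kwargs, dropped

# Constructed sample: hypothetical parameter keys, not the solution's real ones.
SAMPLE_CURRENT = ["ExampleKeptParam", "ExampleRemovedFilterParam"]
SAMPLE_TEMPLATE = [{"ParameterKey": "ExampleKeptParam", "DefaultValue": "x"},
                   {"ParameterKey": "ShouldDeployWebUI", "DefaultValue": "yes"},
                   {"ParameterKey": "AdminUserEmail"}]
```

Pass the returned arguments to the matching boto3 CloudFormation client method, adding the `Capabilities` the templates require.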
Web UI Features and Usage
Now that the deployment is complete, let's look at the newly added Web UI.
Previously, you had to check the Step Functions execution history and logs directly, but now you can check remediation status and run remediations per resource from a dedicated screen.
Login Process
After deploying the Admin stack, the Web UI URL and initial password will be sent to the email address specified in AdminUserEmail.
When logging in for the first time, you'll be prompted to change your password, so set a new password and log in.
Findings (Remediate)
The Findings to Remediate screen is displayed immediately after login.
This shows a list of unremediated findings detected by Security Hub CSPM.

From here, you can select the target finding and manually execute remediation actions.
Use this when you want to remediate immediately or retry resources that failed automatic remediation.

When you click Remediate, a confirmation screen for the target remediation appears.

As a test, I specified an account without a remediation stack deployed, and the Status became Failed.

When I clicked on it, it showed me the cause - that there was no member role to execute.
It's helpful that the UI shows this level of detail.
Unable to assume the Orchestrator Member Role (SO0111-ASR-Orchestrator-Member) in account 111111111111. Please verify that the automated-security-response-member-roles stack is deployed in the account and the Orchestrator Member Role is valid.
Execution History (Remediate)
From the left navigation's Remediate > Execution History, you can check the history of previously executed remediation actions.
You can see a list of execution history, which should be useful for troubleshooting.

Access Control
From the left navigation's Access Control, you can manage users of the Web UI.
You can invite other members from Invite Users and check the user list from View Users. Use this when granting permissions to operation team members.

Users invited as Delegated Admins here will be able to perform operations other than user management.
Note that user management must be performed by the initially registered admin user.
Summary
I've summarized the upgrade procedure for ASR v3.x.
The key points for the update are:
- Template names changed from aws-sharr-* to automated-security-response-*
- Update in this order: Admin stack → Member Roles stack → Member stack
- If using the Web UI, you need to set the ShouldDeployWebUI and AdminUserEmail parameters
I hope this serves as a reference for those who use ASR and are considering an upgrade.
