Overall, AUTOMATE+ enables the following AWS services (if not already set up):
⦿ AWS Config
⦿ Security Hub
And we leverage:
⦿ IAM Roles/Policies
⦿ SSM Documents/Parameters
⦿ EventBridge Rules
⦿ Cloudwatch log groups
⦿ Step Functions
⦿ SNS topics
⦿ KMS keys
⦿ S3 buckets
AUTOMATE LIGHT
Requires AWS Security Hub & AWS Config to be pre-enabled. A one-time set of findings is provided to AUTOMATE LIGHT.
AUTOMATE (Read Only) & AUTOMATE+ (Continuous Compliance) enable the following AWS-native services during deployment for use by the SaaS platform (if not already enabled):
AWS Security Hub
AWS Config, which leverages an S3 bucket and an SNS Topic.
One AWS SNS Topic: To publish security events to AUTOMATE. Also uses one KMS key.
Two AWS EventBridge Rules: Route events from AWS Security Hub to the associated AWS SNS Topic.
An AWS Lambda: Creates a custom action that targets AWS Security Hub.
An IAM role: Created to run the Lambda in the environment.
In addition to the above, AUTOMATE+ also deploys:
AWS Security Hub Automated Security Response (the engine that provides remediation & continuous compliance)
AWS Systems Manager
AWS Lambdas
AWS Step Functions
Additional AWS SNS Topics
An additional AWS KMS Key
AWS CloudWatch groups
It is important to highlight that AUTOMATE+ has a few key requirements for a deployment to progress smoothly; the main ones are listed below:
Note: An AWS cross-account role is required during the 15-minute deployment period. More information on this is available here:
https://www.well-architected.ai/kb/automate%2B-cross-account-role
IAM user requirements during deployment
During deployment an IAM user is required to:
a) Be logged into the relevant AWS account.
b) Have the relevant permissions to deploy AWS CloudFormation Stacks.
c) Have appropriate permissions to deploy & configure the related AWS-native services that AUTOMATE+ needs in order to function.
Details on these permissions can be found here.
IAM role requirements
AUTOMATE+ deploys a number of roles which are required in order to facilitate automation post deployment. These roles are visible within your AWS Account. The deployed roles have the following name suffixes:
a) six-pillars-aws-security role
b) SO0111
c) six-pillars-config
d) AWSServiceRoleForConfig
e) AWS-QuickSetup-StackSet
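A pre-deployment readiness check that covers the prerequisites above (Security Hub enabled, an AWS Config recorder recording, and the expected role names present in the account). This is an added example, not 6pillars' code; it assumes the AWS CLI v2 is installed and that the caller's credentials point at the intended deployment account and region. It only reads and reports; it changes nothing.

```shell
#!/bin/sh
# Readiness check for an AUTOMATE+ deployment (added example, not 6pillars' code).
# Assumes AWS CLI v2 and credentials for the intended deployment account/region.

# Name markers taken from the role list in this document. They are matched as
# substrings of the role name, which also covers the suffix case.
ROLE_MARKERS="six-pillars-aws-security SO0111 six-pillars-config AWSServiceRoleForConfig AWS-QuickSetup-StackSet"

# missing_role_markers ROLE_LIST
# ROLE_LIST holds one role name per line. Prints the markers that no role name
# contains, space separated; prints nothing when every marker is present.
missing_role_markers() {
  missing=""
  for marker in $ROLE_MARKERS; do
    printf '%s\n' "$1" | grep -qF -- "$marker" || missing="$missing $marker"
  done
  printf '%s' "${missing# }"
}

# recorder_active STATUS_TEXT
# STATUS_TEXT is the tab-separated "recording" column returned by
# describe-configuration-recorder-status; succeeds when any recorder is recording.
recorder_active() {
  printf '%s\n' "$1" | tr '\t' '\n' | grep -qx True
}

# live_check: query the current account and print what is still missing.
live_check() {
  account=$(aws sts get-caller-identity --query Account --output text) || return 1
  echo "Checking account $account"
  if aws securityhub describe-hub --query HubArn --output text >/dev/null 2>&1; then
    echo "Security Hub: enabled"
  else
    echo "Security Hub: NOT enabled (AUTOMATE LIGHT requires it pre-enabled)"
  fi
  status=$(aws configservice describe-configuration-recorder-status \
             --query 'ConfigurationRecordersStatus[].recording' --output text)
  recorder_active "$status" && echo "AWS Config recorder: recording" \
    || echo "AWS Config recorder: NOT recording"
  roles=$(aws iam list-roles --query 'Roles[].RoleName' --output text | tr '\t' '\n')
  missing=$(missing_role_markers "$roles")
  [ -z "$missing" ] && echo "Roles: all present" || echo "Roles missing: $missing"
}

# Only touch the account when explicitly asked, so the helpers can be tested offline.
if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Run `sh readiness.sh --live` against the target account; without `--live` the script only defines the helper functions.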
--
Frequently Asked Questions (FAQ)
⦿ Controls are showing as UNKNOWN compliance status in AUTOMATE+
If this is the first time AWS Security Hub has run in your AWS account, Security Hub will take between 18 and 24 hours to generate findings after you first deploy AUTOMATE+.
Where Security Hub has not yet generated findings, a "No Data" message will appear on the Security Hub control page. In these situations, AUTOMATE+ will display an UNKNOWN compliance status.
There are a number of other reasons that a control may be displaying an UNKNOWN compliance status:
Some controls are available only in certain AWS Regions. If a control is not available in your chosen AUTOMATE+ deployment region, it will display an UNKNOWN compliance status.
Some controls depend on other controls in order to generate an AWS Security Hub finding. In these instances, Security Hub will display a No Data message and AUTOMATE+ will in turn display an UNKNOWN compliance status.
Controls showing UNKNOWN status are excluded from the AUTOMATE+ compliance attainment percentage on the dashboard and from other related calculations.
Should you experience any issues while deploying AUTOMATE+, please contact us at support@6pillars.ai and we will be able to assist.