Overall AUTOMATE+ AUTOMATE LIGHT

Requires AWS Security Hub & AWS Config to be pre-enabled. A one-time set of findings is provided to AUTOMATE LIGHT.

AUTOMATE (Read Only) & AUTOMATE+ (Continuous Compliance) enable the following AWS-native services during deployment for use by the SaaS platform (if not already enabled):

  • AWS Security Hub

  • AWS Config

And we leverage:

  • IAM Roles/Policies

  • SSM Documents/Parameters

  • EventBridge Rules

  • CloudWatch log groups

  • Step Functions

  • SNS topics

  • KMS keys

  • S3 buckets

  • , which leverages an S3 bucket and an SNS Topic.

  • One AWS SNS Topic: To publish security events to AUTOMATE. Also uses one KMS key.

  • Two AWS EventBridge Rules: Route events from AWS Security Hub to the associated AWS SNS Topic.

  • An AWS Lambda: Creates a custom action that targets AWS Security Hub.

  • An IAM role: An IAM role is created to run the Lambda in the environment.

AUTOMATE+ in addition to the above also deploys:

  • AWS Security Hub Automated Security Response (the engine that provides remediation & continuous compliance)

  • AWS Systems Manager

  • AWS Lambdas

  • AWS Step Functions

  • Additional AWS SNS Topics

  • An additional AWS KMS Key

  • AWS CloudWatch groups

It's important to highlight that AUTOMATE+ has a few key requirements for a deployment to progress smoothly; we highlight the main ones below:

Note: An AWS Cross Account Role is used during the 15 minute deployment period; find more information on this here.

  • IAM user requirements during deployment

During deployment an IAM user is required to:
   a) Be logged into the relevant AWS account.
   b) Have the relevant permissions to deploy AWS CloudFormation Stacks.
   c) Have appropriate permissions to deploy & configure the related AWS native services for AUTOMATE+ to function.


Details on these permissions can be found here.

  • IAM role requirements

AUTOMATE+ deploys a number of roles which are required in order to facilitate automation post deployment. These roles are visible within your AWS Account. The deployed roles have the following name suffixes:

   a) six-pillars-aws-security role

   b) SO0111 six-pillars-config

   c) AWSServiceRole AWSServiceRoleForConfig

   d) AWS-QuickSetup-StackSet

   d) SO0111 (AUTOMATE+ only)

Should you experience any issues while deploying AUTOMATE+, please contact us at support@6pillars.ai and we will be able to assist.