{ "Description": "(SO0111) Automated Security Response on AWS Administrator Stack, v3.1.5", "AWSTemplateFormatVersion": "2010-09-09", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Consolidated Control Findings Playbook" }, "Parameters": [ "LoadSCAdminStack" ] }, { "Label": { "default": "Security Standard Playbooks" }, "Parameters": [ "LoadAFSBPAdminStack", "LoadCIS120AdminStack", "LoadCIS140AdminStack", "LoadCIS300AdminStack", "LoadNIST80053AdminStack", "LoadPCI321AdminStack" ] }, { "Label": { "default": "Orchestrator Configuration" }, "Parameters": [ "ReuseOrchestratorLogGroup" ] }, { "Label": { "default": "Web UI Configuration" }, "Parameters": [ "ShouldDeployWebUI", "AdminUserEmail" ] }, { "Label": { "default": "CloudWatch Metrics" }, "Parameters": [ "UseCloudWatchMetrics", "UseCloudWatchMetricsAlarms" ] }, { "Label": { "default": "(Optional) Enhanced CloudWatch Metrics" }, "Parameters": [ "EnableEnhancedCloudWatchMetrics", "RemediationFailureAlarmThreshold" ] }, { "Label": { "default": "(Optional) Ticketing Service Integration" }, "Parameters": [ "TicketGenFunctionName" ] } ], "ParameterLabels": { "SecurityStandardPlaybooks": { "default": "For more details see: https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/enable-fully-automated-remediations.html" } } } }, "Mappings": { "SourceCode": { "General": { "S3Bucket": "solutions", "KeyPrefix": "automated-security-response-on-aws/v3.1.5" } } }, "Resources": { "SHARRkeyE6BD0F56": { "Type": "AWS::KMS::Key", "Properties": { "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ], "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com" }, "Resource": "*" }, { "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ], "Condition": { "ArnEquals": { "kms:EncryptionContext:aws:logs:arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:SO0111-ASR-*" ] ] } } }, "Effect": "Allow", "Principal": { "Service": { "Fn::Join": [ "", [ "logs.", { "Ref": "AWS::URLSuffix" } ] ] } }, "Resource": "*" }, { "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ], "Effect": "Allow", "Principal": { "Service": [ "dynamodb.amazonaws.com", "events.amazonaws.com", "sqs.amazonaws.com" ] }, "Resource": "*" }, { "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ], "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:SO0111-ASR-PreProcessor" ] ] } }, { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Resource": "*" }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Effect": "Allow", "Principal": { "Service": "cloudwatch.amazonaws.com" }, "Resource": "*" } ], "Version": "2012-10-17" }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, "SHARRkeyAlias37E34763": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": "alias/SO0111-SHARR-Key", "TargetKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] } } }, "SHARRKeyC551FE02": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "KMS Customer Managed Key that SHARR will use to encrypt data", "Name": "/Solutions/SO0111/CMK_ARN", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] } } }, "SHARRTopic229CFB9E": { "Type": "AWS::SNS::Topic", "Properties": { "DisplayName": "Automated Security Response on AWS (SO0111) Status Topic", "KmsMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TopicName": "SO0111-ASR_Topic" } }, "SHARRSNSTopicB940F479": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "SNS Topic ARN where ASR will send status messages. This topic can be useful for driving additional actions, such as email notifications, trouble ticket updates.", "Name": "/Solutions/SO0111/SNS_Topic_ARN", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": { "Ref": "SHARRTopic229CFB9E" } } }, "SHARRversionAC0E4F96": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "Solution version for metrics.", "Name": "/Solutions/SO0111/version", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": "v3.1.5" } }, "ASRAccountFilters42152624": { "Type": "AWS::SSM::Parameter", "Properties": { "AllowedPattern": "^(none|\\d{12}(,\\s*\\d{12})*)$", "Description": "List of AWS Account IDs to filter remediations. Default value: none. Note: Filter only apply to automated runs, not manual executions.", "Name": "/ASR/Filters/AccountFilters", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": "none" } }, "ASRAccountFilterModeAD66BC2C": { "Type": "AWS::SSM::Parameter", "Properties": { "AllowedPattern": "^(Include|Exclude|Disabled)$", "Description": "Set to 'Include', 'Exclude', or 'Disabled' to control AccountFilter.", "Name": "/ASR/Filters/AccountFilterMode", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": "Disabled" } }, "ASROUFilters197EB5E7": { "Type": "AWS::SSM::Parameter", "Properties": { "AllowedPattern": "^(none|((o-[a-z0-9]{10,32})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}))(,s*((o-[a-z0-9]{10,32})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})))*)$", "Description": "List of organizational units to filter remediations. Default value: none. Note: Filter only apply to automated runs, not manual executions.", "Name": "/ASR/Filters/OUFilters", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": "none" } }, "ASROUFilterModeA5BBA529": { "Type": "AWS::SSM::Parameter", "Properties": { "AllowedPattern": "^(Include|Exclude|Disabled)$", "Description": "Set to 'Include', 'Exclude', or 'Disabled' to control OUFilters", "Name": "/ASR/Filters/OUFilterMode", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": "Disabled" } }, "ASRTagFilters087F3099": { "Type": "AWS::SSM::Parameter", "Properties": { "AllowedPattern": "^(none|([a-zA-Z0-9_.:/=+\\-@]{1,128})(,\\s*([a-zA-Z0-9_.:/=+\\-@]{1,128}))*)$", "Description": "List of tag keys to filter remediations. Default value: none. Note: Filter only apply to automated runs, not manual executions.", "Name": "/ASR/Filters/TagFilters", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": "none" } }, "ASRTagFilterModeBF28D635": { "Type": "AWS::SSM::Parameter", "Properties": { "AllowedPattern": "^(Include|Exclude|Disabled)$", "Description": "Set to 'Include', 'Exclude', or 'Disabled' to control TagFilters", "Name": "/ASR/Filters/TagFilterMode", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": "Disabled" } }, "ASRFindingsTable3FD52B9C": { "Type": "AWS::DynamoDB::Table", "Properties": { "AttributeDefinitions": [ { "AttributeName": "findingType", "AttributeType": "S" }, { "AttributeName": "findingId", "AttributeType": "S" }, { "AttributeName": "securityHubUpdatedAtTime#findingId", "AttributeType": "S" }, { "AttributeName": "accountId", "AttributeType": "S" }, { "AttributeName": "resourceId", "AttributeType": "S" }, { "AttributeName": "severity", "AttributeType": "S" }, { "AttributeName": "FINDING_CONSTANT", "AttributeType": "S" }, { "AttributeName": "severityNormalized#securityHubUpdatedAtTime#findingId", "AttributeType": "S" } ], "BillingMode": "PAY_PER_REQUEST", "DeletionProtectionEnabled": true, "GlobalSecondaryIndexes": [ { "IndexName": "accountId-securityHubUpdatedAtTime-GSI", "KeySchema": [ { "AttributeName": "accountId", "KeyType": "HASH" }, { "AttributeName": "securityHubUpdatedAtTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } }, { "IndexName": "resourceId-securityHubUpdatedAtTime-GSI", "KeySchema": [ { "AttributeName": "resourceId", "KeyType": "HASH" }, { "AttributeName": "securityHubUpdatedAtTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } }, { "IndexName": "severity-securityHubUpdatedAtTime-GSI", "KeySchema": [ { "AttributeName": "severity", "KeyType": "HASH" }, { "AttributeName": "securityHubUpdatedAtTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } }, { "IndexName": "allFindings-securityHubUpdatedAtTime-GSI", "KeySchema": [ { "AttributeName": "FINDING_CONSTANT", "KeyType": "HASH" }, { "AttributeName": "securityHubUpdatedAtTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } }, { "IndexName": "allFindings-severityNormalized-GSI", "KeySchema": [ { "AttributeName": "FINDING_CONSTANT", "KeyType": "HASH" }, { "AttributeName": "severityNormalized#securityHubUpdatedAtTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } } ], "KeySchema": [ { "AttributeName": "findingType", "KeyType": "HASH" }, { "AttributeName": "findingId", "KeyType": "RANGE" } ], "LocalSecondaryIndexes": [ { "IndexName": "securityHubUpdatedAtTime-findingId-LSI", "KeySchema": [ { "AttributeName": "findingType", "KeyType": "HASH" }, { "AttributeName": "securityHubUpdatedAtTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } } ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true }, "SSESpecification": { "KMSMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "SSEEnabled": true, "SSEType": "KMS" }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TimeToLiveSpecification": { "AttributeName": "expireAt", "Enabled": true } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, "ASRRemediationHistoryTable3CA12E73": { "Type": "AWS::DynamoDB::Table", "Properties": { "AttributeDefinitions": [ { "AttributeName": "findingType", "AttributeType": "S" }, { "AttributeName": "findingId#executionId", "AttributeType": "S" }, { "AttributeName": "accountId", "AttributeType": "S" }, { "AttributeName": "lastUpdatedTime#findingId", "AttributeType": "S" }, { "AttributeName": "userId", "AttributeType": "S" }, { "AttributeName": "resourceId", "AttributeType": "S" }, { "AttributeName": "REMEDIATION_CONSTANT", "AttributeType": "S" }, { "AttributeName": "findingId", "AttributeType": "S" } ], "BillingMode": "PAY_PER_REQUEST", "DeletionProtectionEnabled": true, "GlobalSecondaryIndexes": [ { "IndexName": "accountId-lastUpdatedTime-GSI", "KeySchema": [ { "AttributeName": "accountId", "KeyType": "HASH" }, { "AttributeName": "lastUpdatedTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } }, { "IndexName": "userId-lastUpdatedTime-GSI", "KeySchema": [ { "AttributeName": "userId", "KeyType": "HASH" }, { "AttributeName": "lastUpdatedTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } }, { "IndexName": "resourceId-lastUpdatedTime-GSI", "KeySchema": [ { "AttributeName": "resourceId", "KeyType": "HASH" }, { "AttributeName": "lastUpdatedTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } }, { "IndexName": "allRemediations-lastUpdatedTime-GSI", "KeySchema": [ { "AttributeName": "REMEDIATION_CONSTANT", "KeyType": "HASH" }, { "AttributeName": "lastUpdatedTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } }, { "IndexName": "findingId-lastUpdatedTime-GSI", "KeySchema": [ { "AttributeName": "findingId", "KeyType": "HASH" }, { "AttributeName": "lastUpdatedTime#findingId", "KeyType": "RANGE" } ], "Projection": { "ProjectionType": "ALL" } } ], "KeySchema": [ { "AttributeName": "findingType", "KeyType": "HASH" }, { "AttributeName": "findingId#executionId", "KeyType": "RANGE" } ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true }, "SSESpecification": { "KMSMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "SSEEnabled": true, "SSEType": "KMS" }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TimeToLiveSpecification": { "AttributeName": "expireAt", "Enabled": true } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, "ASRLambdaLayerDAD507E4": { "Type": "AWS::Lambda::LayerVersion", "Properties": { "CompatibleRuntimes": [ "python3.11" ], "Content": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/layer-8043fe8b.zip" }, "Description": "SO0111 ASR Common functions used by the solution", "LicenseInfo": "https://www.apache.org/licenses/LICENSE-2.0" } }, "orchestratorPolicy8045810D": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*:log-stream:*" ] ] } }, { "Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter", "ssm:DeleteParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::*:role/SO0111-ASR-Orchestrator-Member" ] ] } }, { "Action": "organizations:ListTagsForResource", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "SO0111-ASR_Orchestrator", "Roles": [ { "Ref": "orchestratorRole46A9F242" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for read-only policies used by orchestrator Lambda functions." } ] } } }, "orchestratorRole46A9F242": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Lambda role to allow cross account read-only ASR orchestrator functions", "RoleName": "SO0111-ASR-Orchestrator-Admin", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide easy integration with playbook orchestrator step functions." } ] }, "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK" ] } } }, "orchestratorRoleDefaultPolicyD53B3CFB": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "orchestratorRoleDefaultPolicyD53B3CFB", "Roles": [ { "Ref": "orchestratorRole46A9F242" } ] } }, "checkSSMDocumentStateC9662D60": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/check_ssm_doc_state-941474a8.zip" }, "Description": "Checks the status of an SSM Automation Document in the target account", "Environment": { "Variables": { "log_level": "info", "AWS_PARTITION": { "Ref": "AWS::Partition" }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.5", "SOLUTION_TMN": "automated-security-response-on-aws", "POWERTOOLS_SERVICE_NAME": "check_ssm_doc_state", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-checkSSMDocumentState", "Handler": "check_ssm_doc_state.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "orchestratorRole46A9F242", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 600, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "orchestratorRoleDefaultPolicyD53B3CFB", "orchestratorRole46A9F242" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy" }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC" }, { "id": "W92", "reason": "There is no need for Reserved Concurrency" } ] } } }, "getApprovalRequirementE7F50E54": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/get_approval_requirement-670818e6.zip" }, "Description": "Determines if a manual approval is required for remediation", "Environment": { "Variables": { "log_level": "info", "AWS_PARTITION": { "Ref": "AWS::Partition" }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.5", "WORKFLOW_RUNBOOK": "", "SOLUTION_TMN": "automated-security-response-on-aws", "POWERTOOLS_SERVICE_NAME": "get_approval_requirement", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-getApprovalRequirement", "Handler": "get_approval_requirement.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "orchestratorRole46A9F242", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 600, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "orchestratorRoleDefaultPolicyD53B3CFB", "orchestratorRole46A9F242" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy" }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC" }, { "id": "W92", "reason": "There is no need for Reserved Concurrency" } ] } } }, "execAutomation5D89E251": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/exec_ssm_doc-08a94590.zip" }, "Description": "Executes an SSM Automation Document in a target account", "Environment": { "Variables": { "log_level": "info", "AWS_PARTITION": { "Ref": "AWS::Partition" }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.5", "SOLUTION_TMN": "automated-security-response-on-aws", "POWERTOOLS_SERVICE_NAME": "exec_ssm_doc", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-execAutomation", "Handler": "exec_ssm_doc.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "orchestratorRole46A9F242", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 600, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "orchestratorRoleDefaultPolicyD53B3CFB", "orchestratorRole46A9F242" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy" }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC" }, { "id": "W92", "reason": "There is no need for Reserved Concurrency" } ] } } }, "monitorSSMExecStateB496B8AF": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/check_ssm_execution-dc7bd8b9.zip" }, "Description": "Checks the status of an SSM automation document execution", "Environment": { "Variables": { "log_level": "info", "AWS_PARTITION": { "Ref": "AWS::Partition" }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.5", "SOLUTION_TMN": "automated-security-response-on-aws", "POWERTOOLS_SERVICE_NAME": "check_ssm_execution", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-monitorSSMExecState", "Handler": "check_ssm_execution.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "orchestratorRole46A9F242", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 600, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "orchestratorRoleDefaultPolicyD53B3CFB", "orchestratorRole46A9F242" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy" }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC" }, { "id": "W92", "reason": "There is no need for Reserved Concurrency" } ] } } }, "notifyPolicy320847DC": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "*" }, { "Action": "securityhub:BatchUpdateFindings", "Effect": "Allow", "Resource": "*" }, { "Action": [ "ssm:GetParameter", "ssm:PutParameter", "ssm:DeleteParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] } }, { "Action": "sns:Publish", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":sns:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":SO0111-ASR_Topic" ] ] } }, { "Action": "cloudwatch:PutMetricData", "Effect": "Allow", "Resource": "*" }, { "Action": "organizations:DescribeAccount", "Effect": "Allow", "Resource": "*" }, { "Action": [ "dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:GetItem" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ASRFindingsTable3FD52B9C", "Arn" ] }, { "Fn::GetAtt": [ "ASRRemediationHistoryTable3CA12E73", "Arn" ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "SO0111-ASR_Orchestrator_Notifier", "Roles": [ { "Ref": "orchestratorRole46A9F242" }, { "Ref": "notifyRole40298120" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for CloudWatch Logs and Security Hub policies used by core solution Lambda function for notifications." }, { "id": "W58", "reason": "False positive. Access is provided via a policy" } ] } } }, "notifyRole40298120": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Lambda role to perform notification and logging from orchestrator step function", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide easy integration with playbook orchestrator step functions." } ] } } }, "notifyRoleDefaultPolicyEDFDCB10": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "notifyRoleDefaultPolicyEDFDCB10", "Roles": [ { "Ref": "notifyRole40298120" } ] } }, "MetricResourcesMetricResourcesRoleC49ABA6D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": "cloudwatch:PutMetricData", "Effect": "Allow", "Resource": "*" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*:log-stream:*" ] ] } }, { "Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter", "ssm:DeleteParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "securityhub:DescribeSecurityHubV2", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "LambdaPolicy" } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK", "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "MetricResourcesASRDeploymentCustomResourceLambda02CE6550": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/deployment_metrics_custom_resource-8567ef97.zip" }, "Description": "ASR - Handles deployment related custom actions", "Environment": { "Variables": { "LOG_LEVEL": "INFO", "AWS_PARTITION": { "Ref": "AWS::Partition" }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.5", "POWERTOOLS_SERVICE_NAME": "deployment_metrics_custom_resource", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "Handler": "deployment_metrics_custom_resource.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "MetricResourcesMetricResourcesRoleC49ABA6D", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 5 }, "DependsOn": [ "MetricResourcesMetricResourcesRoleC49ABA6D" ], "Metadata": { "guard": { "SuppressedRules": [ "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK" ] } } }, "MetricResourcesASRDeploymentMetricsCustomResource0940D9B2": { "Type": "Custom::DeploymentMetrics", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "MetricResourcesASRDeploymentCustomResourceLambda02CE6550", "Arn" ] }, "StackParameters": { "EnableEnhancedCloudWatchMetrics": { "Ref": "EnableEnhancedCloudWatchMetrics" }, "ShouldDeployWebUI": { "Ref": "ShouldDeployWebUI" }, "AdminUserEmail": { "Ref": "AdminUserEmail" } }, "Timestamp": "1776680926078" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "sendNotifications1367638A": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/send_notifications-43c2089c.zip" }, "Description": "Sends notifications and log messages", "Environment": { "Variables": { "log_level": "info", "AWS_PARTITION": { "Ref": "AWS::Partition" }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.5", "SOLUTION_TMN": "automated-security-response-on-aws", "ENHANCED_METRICS": { "Ref": "EnableEnhancedCloudWatchMetrics" }, "FINDINGS_TABLE_NAME": { "Ref": "ASRFindingsTable3FD52B9C" }, "HISTORY_TABLE_NAME": { "Ref": "ASRRemediationHistoryTable3CA12E73" }, "HISTORY_TTL_DAYS": "365", "POWERTOOLS_SERVICE_NAME": "send_notifications", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" }, "SECURITY_HUB_V2_ENABLED": { "Fn::GetAtt": [ "MetricResourcesASRDeploymentMetricsCustomResource0940D9B2", "securityhub_v2_enabled" ] }, "DISABLE_ACCOUNT_ALIAS_LOOKUP": "false" } }, "FunctionName": "SO0111-ASR-sendNotifications", "Handler": "send_notifications.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "notifyRole40298120", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 600, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "notifyRoleDefaultPolicyEDFDCB10", "notifyRole40298120" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy" }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC" }, { "id": "W92", "reason": "There is no need for Reserved Concurrency due to low request rate" } ] } } }, "sendNotificationsAllowExecutionFailureRuleInvoke7B2B1A91": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "sendNotifications1367638A", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "orchestratorExecutionFailureRuleB8D32114", "Arn" ] } } }, "createCustomActionPolicyE424E925": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "cloudwatch:PutMetricData", "Effect": "Allow", "Resource": "*" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*:log-stream:*" ] ] } }, { "Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": [ "securityhub:CreateActionTarget", "securityhub:DescribeActionTargets", "securityhub:DeleteActionTarget" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter", "ssm:DeleteParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "SO0111-ASR_Custom_Action", "Roles": [ { "Ref": "createCustomActionRoleF0047414" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for CloudWatch Logs policies used on Lambda functions." } ] } } }, "createCustomActionRoleF0047414": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Lambda role to allow creation of Security Hub Custom Actions", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide easy integration with playbook templates" } ] } } }, "CreateCustomActionE7A973F5": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/action_target_provider-7ea54d81.zip" }, "Description": "Custom resource to create or retrieve an action target in Security Hub", "Environment": { "Variables": { "log_level": "info", "AWS_PARTITION": { "Ref": "AWS::Partition" }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.5", "POWERTOOLS_SERVICE_NAME": "action_target_provider", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-SHARR-CustomAction", "Handler": "action_target_provider.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "createCustomActionRoleF0047414", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 600 }, "DependsOn": [ "createCustomActionRoleF0047414" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. the lambda role allows write to CW Logs" }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC" }, { "id": "W92", "reason": "There is no need for Reserved Concurrency due to low request rate" } ] } } }, "deadLetterSchedulingQueue9BCE9EA8": { "Type": "AWS::SQS::Queue", "Properties": { "KmsDataKeyReusePeriodSeconds": 3600, "KmsMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "deadLetterSchedulingQueuePolicy87B26533": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "deadLetterSchedulingQueue9BCE9EA8", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "deadLetterSchedulingQueue9BCE9EA8" } ] } }, "SchedulingQueueB533E3CD": { "Type": "AWS::SQS::Queue", "Properties": { "KmsDataKeyReusePeriodSeconds": 3600, "KmsMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "RedrivePolicy": { "deadLetterTargetArn": { "Fn::GetAtt": [ "deadLetterSchedulingQueue9BCE9EA8", "Arn" ] }, "maxReceiveCount": 10 }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "SchedulingQueuePolicy36FAAC29": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "SchedulingQueueB533E3CD", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "SchedulingQueueB533E3CD" } ] } }, "orchestratorNestedLogStackNestedStackNestedLogStackNestedStackResourceE4E042A6": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "KmsKeyArn": { "Fn::GetAtt": [ "SHARRKeyC551FE02", "Value" ] }, "ReuseOrchestratorLogGroup": { "Ref": "ReuseOrchestratorLogGroup" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/automated-security-response-orchestrator-log.template" ] ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "orchestratorRole12B410FD": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "states.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups" ], "Effect": "Allow", "Resource": "*" }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "checkSSMDocumentStateC9662D60", "Arn" ] } ] } ] } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "execAutomation5D89E251", "Arn" ] } ] } ] } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "monitorSSMExecStateB496B8AF", "Arn" ] } ] } ] } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "sendNotifications1367638A", "Arn" ] } ] } ] } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "getApprovalRequirementE7F50E54", "Arn" ] } ] } ] } ] ] }, { "Fn::If": [ "orchestratorTicketingEnabledConditionEE999626", { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:", { "Ref": "TicketGenFunctionName" } ] ] }, { "Ref": "AWS::NoValue" } ] } ] }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":alias/SO0111-SHARR-Key" ] ] }, { "Fn::GetAtt": [ "SHARRKeyC551FE02", "Value" ] } ] }, { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SchedulingQueueB533E3CD", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "BasePolicy" } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "CloudWatch Logs permissions require resource * except for DescribeLogGroups, except for GovCloud, which only works with resource *" } ] }, "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK" ] } } }, "orchestratorStateMachine77C3F8FB": { "Type": "AWS::StepFunctions::StateMachine", "Properties": { "DefinitionString": { "Fn::Join": [ "", [ "{\"StartAt\":\"Get Finding Data from Input\",\"States\":{\"Get Finding Data from Input\":{\"Type\":\"Pass\",\"Comment\":\"Extract top-level data needed for remediation\",\"Parameters\":{\"EventType.$\":\"$.detail-type\",\"Findings.$\":\"$.detail.findings\",\"CustomActionName.$\":\"$.detail.actionName\"},\"Next\":\"Process Findings\"},\"Process Findings\":{\"Type\":\"Map\",\"Comment\":\"Process all findings in CloudWatch Event\",\"Next\":\"EOJ\",\"ItemsPath\":\"$.Findings\",\"ItemSelector\":{\"Finding.$\":\"$$.Map.Item.Value\",\"EventType.$\":\"$.EventType\",\"CustomActionName.$\":\"$.CustomActionName\"},\"ItemProcessor\":{\"ProcessorConfig\":{\"Mode\":\"INLINE\"},\"StartAt\":\"Finding Workflow State NEW?\",\"States\":{\"Finding Workflow State NEW?\":{\"Type\":\"Choice\",\"Choices\":[{\"Or\":[{\"Variable\":\"$.EventType\",\"StringEquals\":\"Security Hub Findings - Custom Action\"},{\"Variable\":\"$.EventType\",\"StringEquals\":\"Security Hub Findings - API Action\"},{\"Variable\":\"$.Finding.Workflow.Status\",\"StringEquals\":\"NEW\"}],\"Next\":\"Get Remediation Approval Requirement\"}],\"Default\":\"Finding Workflow State is not NEW\"},\"Finding Workflow State is not NEW\":{\"Type\":\"Pass\",\"Parameters\":{\"Notification\":{\"Message.$\":\"States.Format('Finding Workflow State is not NEW ({}).', $.Finding.Workflow.Status)\",\"State.$\":\"States.Format('NOT_NEW')\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\"},\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\"},\"Next\":\"notify\"},\"notify\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"Comment\":\"Send notifications\",\"TimeoutSeconds\":300,\"HeartbeatSeconds\":60,\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"", { "Fn::GetAtt": [ "sendNotifications1367638A", "Arn" ] }, "\",\"Payload.$\":\"$\"}},\"Automation Document is not Active\":{\"Type\":\"Pass\",\"Parameters\":{\"Notification\":{\"Message.$\":\"States.Format('Automation Document ({}) is not active ({}) in the member account({}).', $.AutomationDocId, $.AutomationDocument.DocState, $.Finding.AwsAccountId)\",\"State.$\":\"States.Format('RUNBOOK_NOT_ACTIVE')\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\",\"updateSecHub\":\"yes\"},\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\",\"AccountId.$\":\"$.AutomationDocument.AccountId\",\"AutomationDocId.$\":\"$.AutomationDocument.AutomationDocId\",\"RemediationRole.$\":\"$.AutomationDocument.RemediationRole\",\"ControlId.$\":\"$.AutomationDocument.ControlId\",\"SecurityStandard.$\":\"$.AutomationDocument.SecurityStandard\",\"SecurityStandardVersion.$\":\"$.AutomationDocument.SecurityStandardVersion\"},\"Next\":\"notify\"},\"Automation Doc Active?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.AutomationDocument.DocState\",\"StringEquals\":\"ACTIVE\",\"Next\":\"Send Task Token\"},{\"Variable\":\"$.AutomationDocument.DocState\",\"StringEquals\":\"NOTACTIVE\",\"Next\":\"Automation Document is not Active\"},{\"Variable\":\"$.AutomationDocument.DocState\",\"StringEquals\":\"NOTENABLED\",\"Next\":\"Playbook is not enabled\"},{\"Variable\":\"$.AutomationDocument.DocState\",\"StringEquals\":\"NOTFOUND\",\"Next\":\"No Runbook for Control\"},{\"Variable\":\"$.AutomationDocument.DocState\",\"StringEquals\":\"ACCESSDENIED\",\"Next\":\"Assume Role Failure\"}],\"Default\":\"check_ssm_doc_state Error\"},\"Get Automation Document State\":{\"Next\":\"Automation Doc Active?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2},{\"ErrorEquals\":[\"Lambda.ServiceException\",\"Lambda.TooManyRequestsException\",\"States.TaskFailed\",\"States.Timeout\"],\"IntervalSeconds\":5,\"MaxAttempts\":3,\"BackoffRate\":2}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.ErrorInfo\",\"Next\":\"Orchestrator Failed\"}],\"Type\":\"Task\",\"Comment\":\"Get the status of the remediation automation document in the target account\",\"TimeoutSeconds\":60,\"ResultPath\":\"$.AutomationDocument\",\"ResultSelector\":{\"DocState.$\":\"$.Payload.status\",\"Message.$\":\"$.Payload.message\",\"SecurityStandard.$\":\"$.Payload.securitystandard\",\"SecurityStandardVersion.$\":\"$.Payload.securitystandardversion\",\"PlaybookEnabled.$\":\"$.Payload.playbookenabled\",\"ControlId.$\":\"$.Payload.controlid\",\"AccountId.$\":\"$.Payload.accountid\",\"RemediationRole.$\":\"$.Payload.remediationrole\",\"AutomationDocId.$\":\"$.Payload.automationdocid\",\"ResourceRegion.$\":\"$.Payload.resourceregion\"},\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"", { "Fn::GetAtt": [ "checkSSMDocumentStateC9662D60", "Arn" ] }, "\",\"Payload.$\":\"$\"}},\"Get Remediation Approval Requirement\":{\"Next\":\"Get Automation Document State\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.ErrorInfo\",\"Next\":\"Orchestrator Failed\"}],\"Type\":\"Task\",\"Comment\":\"Determine whether the selected remediation requires manual approval\",\"TimeoutSeconds\":300,\"ResultPath\":\"$.Workflow\",\"ResultSelector\":{\"WorkflowDocument.$\":\"$.Payload.workflowdoc\",\"WorkflowAccount.$\":\"$.Payload.workflowaccount\",\"WorkflowRole.$\":\"$.Payload.workflowrole\",\"WorkflowConfig.$\":\"$.Payload.workflow_data\"},\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"", { "Fn::GetAtt": [ "getApprovalRequirementE7F50E54", "Arn" ] }, "\",\"Payload.$\":\"$\"}},\"Orchestrator Failed\":{\"Type\":\"Pass\",\"Parameters\":{\"Notification\":{\"Message.$\":\"States.Format('Orchestrator failed: {}', $.ErrorInfo.Error)\",\"State.$\":\"States.Format('LAMBDA_ERROR')\",\"Details.$\":\"States.Format('Cause: {}', $.ErrorInfo.Cause)\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\"},\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\",\"Payload.$\":\"$\"},\"Next\":\"notify\"},\"Send Task Token\":{\"Next\":\"Remediation Wait\",\"Retry\":[{\"ErrorEquals\":[\"States.TaskFailed\",\"States.Timeout\"],\"IntervalSeconds\":5,\"MaxAttempts\":3,\"BackoffRate\":2}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.ErrorInfo\",\"Next\":\"Orchestrator Failed\"}],\"Type\":\"Task\",\"Comment\":\"Send Task Token to SQS Queue for Remediation Scheduling\",\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, ":states:::sqs:sendMessage.waitForTaskToken\",\"Parameters\":{\"QueueUrl\":\"", { "Ref": "SchedulingQueueB533E3CD" }, "\",\"MessageBody\":{\"RemediationDetails.$\":\"$\",\"TaskToken.$\":\"$$.Task.Token\",\"AccountId.$\":\"$.AutomationDocument.AccountId\",\"ResourceRegion.$\":\"$.AutomationDocument.ResourceRegion\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\"}}},\"Remediation Wait\":{\"Type\":\"Wait\",\"Comment\":\"Waiting for remediation\",\"TimestampPath\":\"$.PlannedTimestamp\",\"Next\":\"Execute Remediation\"},\"Execute Remediation\":{\"Next\":\"Remediation Queued\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2},{\"ErrorEquals\":[\"Lambda.ServiceException\",\"Lambda.TooManyRequestsException\",\"States.TaskFailed\",\"States.Timeout\"],\"IntervalSeconds\":2,\"MaxAttempts\":2,\"BackoffRate\":2}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.ErrorInfo\",\"Next\":\"Orchestrator Failed\"}],\"Type\":\"Task\",\"Comment\":\"Execute the SSM Automation Document in the target account\",\"TimeoutSeconds\":300,\"HeartbeatSeconds\":60,\"ResultPath\":\"$.SSMExecution\",\"ResultSelector\":{\"ExecState.$\":\"$.Payload.status\",\"RemediationOutput.$\":\"$.Payload.remediation_output\",\"Message.$\":\"$.Payload.message\",\"SSMExecutionId.$\":\"$.Payload.executionid\",\"Account.$\":\"$.Payload.executionaccount\",\"Region.$\":\"$.Payload.executionregion\"},\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"", { "Fn::GetAtt": [ "execAutomation5D89E251", "Arn" ] }, "\",\"Payload.$\":\"$\"}},\"Remediation Queued\":{\"Type\":\"Pass\",\"Comment\":\"Set parameters for notification\",\"Parameters\":{\"EventType.$\":\"$.EventType\",\"CustomActionName.$\":\"$.CustomActionName\",\"Finding.$\":\"$.Finding\",\"AutomationDocument.$\":\"$.AutomationDocument\",\"SSMExecution.$\":\"$.SSMExecution\",\"Notification\":{\"Message.$\":\"States.Format('Remediation queued for {} control {} in account {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId)\",\"State.$\":\"States.Format('QUEUED')\",\"SSMExecutionId.$\":\"$.SSMExecution.SSMExecutionId\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\",\"RemediationOutput.$\":\"$.SSMExecution.RemediationOutput\"}},\"Next\":\"Queued Notification\"},\"Queued Notification\":{\"Next\":\"execMonitor\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.ErrorInfo\",\"Next\":\"Orchestrator Failed\"}],\"Type\":\"Task\",\"Comment\":\"Send notification that a remediation has queued\",\"TimeoutSeconds\":300,\"HeartbeatSeconds\":60,\"ResultPath\":\"$.notificationResult\",\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"", { "Fn::GetAtt": [ "sendNotifications1367638A", "Arn" ] }, "\",\"Payload.$\":\"$\"}},\"execMonitor\":{\"Next\":\"Remediation completed?\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.ErrorInfo\",\"Next\":\"Orchestrator Failed\"}],\"Type\":\"Task\",\"Comment\":\"Monitor the remediation execution until done\",\"TimeoutSeconds\":300,\"HeartbeatSeconds\":60,\"ResultPath\":\"$.Remediation\",\"ResultSelector\":{\"ExecState.$\":\"$.Payload.status\",\"SSMExecutionId.$\":\"$.Payload.executionid\",\"RemediationState.$\":\"$.Payload.remediation_status\",\"Message.$\":\"$.Payload.message\",\"RemediationOutput.$\":\"$.Payload.remediation_output\",\"LogData.$\":\"$.Payload.logdata\",\"AffectedObject.$\":\"$.Payload.affected_object\"},\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"", { "Fn::GetAtt": [ "monitorSSMExecStateB496B8AF", "Arn" ] }, "\",\"Payload.$\":\"$\"}},\"Wait for Remediation\":{\"Type\":\"Wait\",\"Seconds\":10,\"Next\":\"execMonitor\"},\"Remediation completed?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.Remediation.RemediationState\",\"StringEquals\":\"Failed\",\"Next\":\"Remediation Failed\"},{\"Variable\":\"$.Remediation.ExecState\",\"StringEquals\":\"Success\",\"Next\":\"Remediation Succeeded\"},{\"Variable\":\"$.Remediation.ExecState\",\"StringEquals\":\"TimedOut\",\"Next\":\"Remediation Failed\"},{\"Variable\":\"$.Remediation.ExecState\",\"StringEquals\":\"Cancelling\",\"Next\":\"Remediation Failed\"},{\"Variable\":\"$.Remediation.ExecState\",\"StringEquals\":\"Cancelled\",\"Next\":\"Remediation Failed\"},{\"Variable\":\"$.Remediation.ExecState\",\"StringEquals\":\"Failed\",\"Next\":\"Remediation Failed\"}],\"Default\":\"Wait for Remediation\"},\"Remediation Failed\":{\"Type\":\"Pass\",\"Comment\":\"Set parameters for notification\",\"Parameters\":{\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\",\"SSMExecution.$\":\"$.SSMExecution\",\"AutomationDocument.$\":\"$.AutomationDocument\",\"Notification\":{\"Message.$\":\"States.Format('Remediation failed for {} control {} in account {}: {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId, $.Remediation.Message)\",\"RemediationOutput.$\":\"$.Remediation.RemediationOutput\",\"State.$\":\"$.Remediation.ExecState\",\"Details.$\":\"$.Remediation.LogData\",\"SSMExecutionId.$\":\"$.Remediation.SSMExecutionId\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\",\"AffectedObject.$\":\"$.Remediation.AffectedObject\"}},\"Next\":\"notify\"},\"Remediation Succeeded\":{\"Type\":\"Pass\",\"Comment\":\"Set parameters for notification\",\"Parameters\":{\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\",\"CustomActionName.$\":\"$.CustomActionName\",\"AccountId.$\":\"$.AutomationDocument.AccountId\",\"AutomationDocId.$\":\"$.AutomationDocument.AutomationDocId\",\"RemediationRole.$\":\"$.AutomationDocument.RemediationRole\",\"ControlId.$\":\"$.AutomationDocument.ControlId\",\"SecurityStandard.$\":\"$.AutomationDocument.SecurityStandard\",\"SecurityStandardVersion.$\":\"$.AutomationDocument.SecurityStandardVersion\",\"Notification\":{\"Message.$\":\"States.Format('Remediation succeeded for {} control {} in account {}: {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId, $.Remediation.Message)\",\"RemediationOutput.$\":\"$.Remediation.RemediationOutput\",\"State.$\":\"States.Format('SUCCESS')\",\"Details.$\":\"$.Remediation.LogData\",\"SSMExecutionId.$\":\"$.Remediation.SSMExecutionId\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\",\"AffectedObject.$\":\"$.Remediation.AffectedObject\"}},\"Next\":\"Which custom action triggered this workflow?\"},\"Which custom action triggered this workflow?\":{\"Type\":\"Choice\",\"Choices\":[{\"Variable\":\"$.CustomActionName\",\"StringEquals\":\"ASR:Remediate&Ticket\",\"Next\":\"Generate Ticket\"}],\"Default\":\"notify\"},\"Generate Ticket\":{\"Next\":\"notify\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.ErrorInfo\",\"Next\":\"Orchestrator Failed\"}],\"Type\":\"Task\",\"Comment\":\"Create ticket using ticket generator function ARN passed to the stack during deployment. The ARN in this step will be a placeholder string unless you filled in the Ticket Generator Function ARN parameter during Admin stack deployment.\",\"TimeoutSeconds\":300,\"HeartbeatSeconds\":60,\"ResultPath\":\"$.GenerateTicket\",\"ResultSelector\":{\"TicketURL.$\":\"$.Payload.TicketURL\",\"Ok.$\":\"$.Payload.Ok\",\"ResponseCode.$\":\"$.Payload.ResponseCode\",\"ResponseReason.$\":\"$.Payload.ResponseReason\"},\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"", { "Fn::If": [ "orchestratorTicketingEnabledConditionEE999626", { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:", { "Ref": "TicketGenFunctionName" } ] ] }, "No Lambda Function ARN available. Ticketing feature is disabled." ] }, "\",\"Payload\":{\"RemediationInfo\":{\"Message.$\":\"$.Notification.Message\",\"FindingDescription.$\":\"$.Finding.Description\",\"FindingSeverity.$\":\"$.Finding.Severity.Label\",\"SecurityControlId.$\":\"$.Finding.Compliance.SecurityControlId\",\"FindingAccountId.$\":\"$.Finding.AwsAccountId\",\"AffectedResource.$\":\"$.Notification.AffectedObject\"}}}},\"check_ssm_doc_state Error\":{\"Type\":\"Pass\",\"Parameters\":{\"Notification\":{\"Message.$\":\"States.Format('check_ssm_doc_state returned an error: {}', $.AutomationDocument.Message)\",\"State.$\":\"States.Format('LAMBDA_ERROR')\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\"},\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\"},\"Next\":\"notify\"},\"Playbook is not enabled\":{\"Type\":\"Pass\",\"Parameters\":{\"Notification\":{\"Message.$\":\"States.Format('ASR playbook for ({}) v{} is not enabled.', $.AutomationDocument.SecurityStandard, $.AutomationDocument.SecurityStandardVersion)\",\"State.$\":\"States.Format('PLAYBOOK_NOT_ENABLED')\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\",\"updateSecHub\":\"yes\"},\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\",\"AccountId.$\":\"$.AutomationDocument.AccountId\",\"AutomationDocId.$\":\"$.AutomationDocument.AutomationDocId\",\"RemediationRole.$\":\"$.AutomationDocument.RemediationRole\",\"ControlId.$\":\"$.AutomationDocument.ControlId\",\"SecurityStandard.$\":\"$.AutomationDocument.SecurityStandard\",\"SecurityStandardVersion.$\":\"$.AutomationDocument.SecurityStandardVersion\"},\"Next\":\"notify\"},\"No Runbook for Control\":{\"Type\":\"Pass\",\"Parameters\":{\"Notification\":{\"Message.$\":\"States.Format('ASR runbook for control {} in Security Standard {} v{} could not be found in account {} in region {}. Verify that the member stacks are deployed in this account & region, and that this control is supported by ASR.', $.AutomationDocument.ControlId, $.AutomationDocument.SecurityStandard, $.AutomationDocument.SecurityStandardVersion, $.Finding.AwsAccountId, $.Finding.Region)\",\"State.$\":\"States.Format('NO_RUNBOOK')\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\",\"updateSecHub\":\"yes\"},\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\",\"AccountId.$\":\"$.AutomationDocument.AccountId\",\"AutomationDocId.$\":\"$.AutomationDocument.AutomationDocId\",\"RemediationRole.$\":\"$.AutomationDocument.RemediationRole\",\"ControlId.$\":\"$.AutomationDocument.ControlId\",\"SecurityStandard.$\":\"$.AutomationDocument.SecurityStandard\",\"SecurityStandardVersion.$\":\"$.AutomationDocument.SecurityStandardVersion\"},\"Next\":\"notify\"},\"Assume Role Failure\":{\"Type\":\"Pass\",\"Parameters\":{\"Notification\":{\"Message.$\":\"States.Format('Unable to assume the Orchestrator Member Role (SO0111-ASR-Orchestrator-Member) in account {}. Please verify that the automated-security-response-member-roles stack is deployed in the account and the Orchestrator Member Role is valid.', $.Finding.AwsAccountId)\",\"State.$\":\"States.Format('ASSUME_ROLE_FAILURE')\",\"StepFunctionsExecutionId.$\":\"$$.Execution.Id\"},\"EventType.$\":\"$.EventType\",\"Finding.$\":\"$.Finding\",\"AccountId.$\":\"$.AutomationDocument.AccountId\",\"AutomationDocId.$\":\"$.AutomationDocument.AutomationDocId\",\"RemediationRole.$\":\"$.AutomationDocument.RemediationRole\",\"ControlId.$\":\"$.AutomationDocument.ControlId\",\"SecurityStandard.$\":\"$.AutomationDocument.SecurityStandard\",\"SecurityStandardVersion.$\":\"$.AutomationDocument.SecurityStandardVersion\"},\"Next\":\"notify\"}}}},\"EOJ\":{\"Type\":\"Pass\",\"Comment\":\"END-OF-JOB\",\"End\":true}},\"TimeoutSeconds\":82800}" ] ] }, "LoggingConfiguration": { "Destinations": [ { "CloudWatchLogsLogGroup": { "LogGroupArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:SO0111-ASR-Orchestrator:*" ] ] } } } ], "IncludeExecutionData": true, "Level": "ALL" }, "RoleArn": { "Fn::GetAtt": [ "orchestratorRole12B410FD", "Arn" ] }, "StateMachineName": "SO0111-ASR-Orchestrator", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TracingConfiguration": { "Enabled": true } }, "DependsOn": [ "orchestratorNestedLogStackNestedStackNestedLogStackNestedStackResourceE4E042A6", "orchestratorRole12B410FD" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "orchestratorSHARROrchestratorArn0ACC7B05": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "Arn of the ASR Orchestrator Step Function. This step function routes findings to remediation runbooks.", "Name": "/Solutions/SO0111/OrchestratorArn", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": { "Ref": "orchestratorStateMachine77C3F8FB" } } }, "orchestratorExecutionFailureRuleB8D32114": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Catch Step Functions execution failures and timeouts and send notifications", "EventPattern": { "source": [ "aws.states" ], "detail-type": [ "Step Functions Execution Status Change" ], "detail": { "status": [ "TIMED_OUT", "FAILED", "ABORTED" ], "stateMachineArn": [ { "Ref": "orchestratorStateMachine77C3F8FB" } ] } }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "sendNotifications1367638A", "Arn" ] }, "Id": "Target0", "InputPath": "$", "RetryPolicy": { "MaximumEventAgeInSeconds": 7200, "MaximumRetryAttempts": 2 } } ] } }, "EnableAdaptiveConcurrencyRole7E36E08C": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Lambda role to enable SSM Adaptive Concurrency", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] } }, "EnableAdaptiveConcurrencyRoleDefaultPolicy2EB5ED2F": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:UpdateServiceSetting", "ssm:GetServiceSetting" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":servicesetting/ssm/automation/enable-adaptive-concurrency" ] ] } }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/SO0111-EnableSSMAdaptiveConcurrency" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":log-group:/aws/lambda/SO0111-EnableSSMAdaptiveConcurrency:*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "EnableAdaptiveConcurrencyRoleDefaultPolicy2EB5ED2F", "Roles": [ { "Ref": "EnableAdaptiveConcurrencyRole7E36E08C" } ] } }, "EnableAdaptiveConcurrencyLambdaF1D84279": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/enable_adaptive_concurrency-e2eeee6a.zip" }, "Description": "Custom resource to enable SSM Adaptive Concurrency", "FunctionName": "SO0111-EnableSSMAdaptiveConcurrency", "Handler": "enable_adaptive_concurrency.lambda_handler", "Role": { "Fn::GetAtt": [ "EnableAdaptiveConcurrencyRole7E36E08C", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 300 }, "DependsOn": [ "EnableAdaptiveConcurrencyRoleDefaultPolicy2EB5ED2F", "EnableAdaptiveConcurrencyRole7E36E08C" ], "Metadata": { "guard": { "SuppressedRules": [ "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK" ] } } }, "EnableAdaptiveConcurrencyResource": { "Type": "AWS::CloudFormation::CustomResource", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "EnableAdaptiveConcurrencyLambdaF1D84279", "Arn" ] }, "SolutionVersion": "v3.1.5" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "EventsRuleRoleF1007C39": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" } } ], "Version": "2012-10-17" }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] } }, "EventsRuleRoleDefaultPolicyDEB4CE7D": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "states:StartExecution", "Effect": "Allow", "Resource": { "Ref": "orchestratorStateMachine77C3F8FB" } } ], "Version": "2012-10-17" }, "PolicyName": "EventsRuleRoleDefaultPolicyDEB4CE7D", "Roles": [ { "Ref": "EventsRuleRoleF1007C39" } ] } }, "CSVExportAccessLogs748A02F4": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "LogDeliveryWrite", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter" } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "guard": { "SuppressedRules": [ "S3_BUCKET_LOGGING_ENABLED" ] } } }, "CSVExportAccessLogsPolicyAA9496B8": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "CSVExportAccessLogs748A02F4" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "CSVExportAccessLogs748A02F4", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CSVExportAccessLogs748A02F4", "Arn" ] }, "/*" ] ] } ] } ], "Version": "2012-10-17" } } }, "CSVExportBucket8BA09C35": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "BucketKeyEnabled": true, "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "SSEAlgorithm": "aws:kms" } } ] }, "LifecycleConfiguration": { "Rules": [ { "ExpirationInDays": 30, "Id": "DeleteOldCSVExports", "Status": "Enabled" } ] }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "CSVExportAccessLogs748A02F4" } }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, "CSVExportBucketPolicyF64ADE56": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "CSVExportBucket8BA09C35" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "CSVExportBucket8BA09C35", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CSVExportBucket8BA09C35", "Arn" ] }, "/*" ] ] } ] } ], "Version": "2012-10-17" } } }, "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "referencetoSolutionDeployStackSHARRkey63A30F17Arn": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "referencetoSolutionDeployStackAdminUserEmail2C06E898Ref": { "Ref": "AdminUserEmail" }, "referencetoSolutionDeployStackASRFindingsTable1A09E827Arn": { "Fn::GetAtt": [ "ASRFindingsTable3FD52B9C", "Arn" ] }, "referencetoSolutionDeployStackASRRemediationHistoryTable00A9C417Arn": { "Fn::GetAtt": [ "ASRRemediationHistoryTable3CA12E73", "Arn" ] }, "referencetoSolutionDeployStackorchestratorStateMachine22684CB4Ref": { "Ref": "orchestratorStateMachine77C3F8FB" }, "referencetoSolutionDeployStackCSVExportBucket9AEB6181Arn": { "Fn::GetAtt": [ "CSVExportBucket8BA09C35", "Arn" ] }, "referencetoSolutionDeployStackCSVExportBucket9AEB6181Ref": { "Ref": "CSVExportBucket8BA09C35" }, "referencetoSolutionDeployStackMetricResourcesASRDeploymentMetricsCustomResourceAE9F82F0securityhubv2enabled": { "Fn::GetAtt": [ "MetricResourcesASRDeploymentMetricsCustomResource0940D9B2", "securityhub_v2_enabled" ] }, "referencetoSolutionDeployStackorchestratorTicketGenFunctionNameTicketGeneratorFunctionNameDA9E1737Ref": { "Ref": "TicketGenFunctionName" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/automated-security-response-webui-nested-stack.template" ] ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "webUIEnabled" }, "RemediationConfigTable24F19C3B": { "Type": "AWS::DynamoDB::Table", "Properties": { "AttributeDefinitions": [ { "AttributeName": "controlId", "AttributeType": "S" } ], "BillingMode": "PAY_PER_REQUEST", "DeletionProtectionEnabled": true, "KeySchema": [ { "AttributeName": "controlId", "KeyType": "HASH" } ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true }, "SSESpecification": { "SSEEnabled": false }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "guard": { "SuppressedRules": [ "DYNAMODB_TABLE_ENCRYPTED_KMS" ] } } }, "SynchronizationFindingsConstructsynchronizationPolicy58B2707B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": "securityhub:GetFindings", "Effect": "Allow", "Resource": "*" }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] } }, { "Action": [ "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/anonymous_metrics_uuid" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/metrics_uuid" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/version" ] ] } ] }, { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:*:parameter/Solutions/SO0111/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:*:parameter/ASR/Filters" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:*:parameter/ASR/Filters/*" ] ] } ] }, { "Action": [ "organizations:ListParents", "organizations:DescribeAccount" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "SO0111-ASR_Synchronization", "Roles": [ { "Ref": "SynchronizationFindingsConstructsynchronizationRole80BFC03F" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for CloudWatch Logs policies used by synchronization Lambda function." } ] } } }, "SynchronizationFindingsConstructsynchronizationRole80BFC03F": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Lambda role for ASR synchronization function", "RoleName": "SO0111-ASR-Synchronization", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide easy integration with synchronization function." } ] }, "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK" ] } } }, "SynchronizationFindingsConstructsynchronizationRoleDefaultPolicyAA348EF7": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ASRFindingsTable3FD52B9C", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ASRFindingsTable3FD52B9C", "Arn" ] } ] }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "RemediationConfigTable24F19C3B", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "RemediationConfigTable24F19C3B", "Arn" ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "SynchronizationFindingsConstructsynchronizationRoleDefaultPolicyAA348EF7", "Roles": [ { "Ref": "SynchronizationFindingsConstructsynchronizationRole80BFC03F" } ] } }, "SynchronizationFindingsConstructSynchronizationFindingsLambda0E312918": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/asr_lambdas-457b6b95.zip" }, "Description": "Synchronization findings lambda", "Environment": { "Variables": { "SOLUTION_TRADEMARKEDNAME": "automated-security-response-on-aws", "POWERTOOLS_SERVICE_NAME": "synchronization_findings", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "FINDINGS_TABLE_ARN": { "Fn::GetAtt": [ "ASRFindingsTable3FD52B9C", "Arn" ] }, "REMEDIATION_CONFIG_TABLE_ARN": { "Fn::GetAtt": [ "RemediationConfigTable24F19C3B", "Arn" ] }, "FINDINGS_TTL_DAYS": "8", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-SynchronizationFindingsLambda", "Handler": "synchronization/synchronizationHandler.handler", "MemorySize": 512, "Role": { "Fn::GetAtt": [ "SynchronizationFindingsConstructsynchronizationRole80BFC03F", "Arn" ] }, "Runtime": "nodejs22.x", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 900, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "SynchronizationFindingsConstructsynchronizationRoleDefaultPolicyAA348EF7", "SynchronizationFindingsConstructsynchronizationRole80BFC03F" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy" }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC" }, { "id": "W92", "reason": "There is no need for Reserved Concurrency" } ] } } }, "SynchronizationFindingsConstructCustomResourcePolicy6EC67F19": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SynchronizationFindingsConstructSynchronizationFindingsLambda0E312918", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "SO0111-ASR_SynchronizationTrigger", "Roles": [ { "Ref": "SynchronizationFindingsConstructcustomResourceRoleE4747C9B" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for CloudWatch Logs policies used by custom resource Lambda function." } ] } } }, "SynchronizationFindingsConstructcustomResourceRoleE4747C9B": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Lambda role for ASR synchronization trigger custom resource", "RoleName": "SO0111-ASR-SynchronizationTrigger", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide easy integration with synchronization trigger." } ] }, "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK" ] } } }, "SynchronizationFindingsConstructcustomResourceRoleDefaultPolicy5DD9117A": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "SynchronizationFindingsConstructcustomResourceRoleDefaultPolicy5DD9117A", "Roles": [ { "Ref": "SynchronizationFindingsConstructcustomResourceRoleE4747C9B" } ] } }, "SynchronizationFindingsConstructSynchronizationTriggerProvider05DEE9E7": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/asr_lambdas-457b6b95.zip" }, "Description": "Custom resource provider to trigger initial synchronization", "Environment": { "Variables": { "SOLUTION_TRADEMARKEDNAME": "automated-security-response-on-aws", "POWERTOOLS_SERVICE_NAME": "synchronization_trigger", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "SYNCHRONIZATION_FUNCTION_NAME": { "Ref": "SynchronizationFindingsConstructSynchronizationFindingsLambda0E312918" }, "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-SynchronizationTriggerProvider", "Handler": "synchronization/customResourceHandler.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "SynchronizationFindingsConstructcustomResourceRoleE4747C9B", "Arn" ] }, "Runtime": "nodejs22.x", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 300, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "SynchronizationFindingsConstructcustomResourceRoleDefaultPolicy5DD9117A", "SynchronizationFindingsConstructcustomResourceRoleE4747C9B" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy" }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC" }, { "id": "W92", "reason": "There is no need for Reserved Concurrency" } ] }, "guard": { "SuppressedRules": [ "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK" ] } } }, "SynchronizationFindingsConstructSynchronizationFindingsLambdaWeeklyRule158B7187": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Weekly full synchronization of Security Hub findings - always performs complete sync", "Name": "SO0111-ASR-SynchronizationFindingsLambdaWeeklyRule", "ScheduleExpression": "cron(0 2 ? * SAT *)", "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "SynchronizationFindingsConstructSynchronizationFindingsLambda0E312918", "Arn" ] }, "Id": "Target0", "Input": "{\"source\":\"aws.events\",\"detail-type\":\"Scheduled Event\",\"detail\":{\"syncType\":\"baseline\"}}", "RetryPolicy": { "MaximumRetryAttempts": 2 } } ] } }, "SynchronizationFindingsConstructSynchronizationFindingsLambdaWeeklyRuleAllowEventRuleSolutionDeployStackSynchronizationFindingsConstructSynchronizationFindingsLambda2BDA2C635C94A041": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "SynchronizationFindingsConstructSynchronizationFindingsLambda0E312918", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "SynchronizationFindingsConstructSynchronizationFindingsLambdaWeeklyRule158B7187", "Arn" ] } } }, "InitialSynchronizationTrigger": { "Type": "AWS::CloudFormation::CustomResource", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "SynchronizationFindingsConstructSynchronizationTriggerProvider05DEE9E7", "Arn" ] }, "TriggerReason": "WebUI deployment completed" }, "DependsOn": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "webUIEnabled" }, "RemediateWithSharrCustomActionABE4122A": { "Type": "Custom::ActionTarget", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "CreateCustomActionE7A973F5", "Arn" ] }, "Name": "Remediate with ASR", "Description": "Submit the finding to Automated Response and Remediation (ASR) for remediation.", "Id": "ASRRemediation" }, "DependsOn": [ "CreateCustomActionE7A973F5", "createCustomActionPolicyE424E925" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "RemediateWithSharrRemediateCustomAction40B496D2": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Remediate with ASR", "EventPattern": { "source": [ "aws.securityhub" ], "detail-type": [ "Security Hub Findings - Custom Action" ], "resources": [ { "Fn::GetAtt": [ "RemediateWithSharrCustomActionABE4122A", "Arn" ] } ], "detail": { "findings": { "Compliance": { "Status": [ "FAILED", "WARNING" ] } } } }, "Name": "Remediate_with_ASR_CustomAction", "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "orchestratorStateMachine77C3F8FB" }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "EventsRuleRoleF1007C39", "Arn" ] } } ] } }, "RemediateAndTicketCustomAction4C7DC50F": { "Type": "Custom::ActionTarget", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "CreateCustomActionE7A973F5", "Arn" ] }, "Name": "ASR:Remediate&Ticket", "Description": "Submit the finding to Automated Response and Remediation (ASR) for remediation and generate a ticket.", "Id": "ASRTicketing" }, "DependsOn": [ "CreateCustomActionE7A973F5", "createCustomActionPolicyE424E925" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "orchestratorTicketingEnabledConditionEE999626" }, "RemediateAndTicketTicketingCustomActionF52F78B4": { "Type": "AWS::Events::Rule", "Properties": { "Description": "Remediate with ASR and generate a ticket.", "EventPattern": { "source": [ "aws.securityhub" ], "detail-type": [ "Security Hub Findings - Custom Action" ], "resources": [ { "Fn::GetAtt": [ "RemediateAndTicketCustomAction4C7DC50F", "Arn" ] } ], "detail": { "findings": { "Compliance": { "Status": [ "FAILED", "WARNING" ] } } } }, "Name": "ASR_Remediate_and_Ticket_CustomAction", "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "orchestratorStateMachine77C3F8FB" }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "EventsRuleRoleF1007C39", "Arn" ] } } ] }, "Condition": "orchestratorTicketingEnabledConditionEE999626" }, "PlaybookAdminStackAFSBP": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/playbooks/AFSBPStack.template" ] ] } }, "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadAFSBPCond" }, "PlaybookAdminStackCIS120": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/playbooks/CIS120Stack.template" ] ] } }, "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadCIS120Cond" }, "PlaybookAdminStackCIS140": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/playbooks/CIS140Stack.template" ] ] } }, "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadCIS140Cond" }, "PlaybookAdminStackNIST80053": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/playbooks/NIST80053Stack.template" ] ] } }, "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadNIST80053Cond" }, "PlaybookAdminStackPCI321": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/playbooks/PCI321Stack.template" ] ] } }, "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadPCI321Cond" }, "PlaybookAdminStackCIS300": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/playbooks/CIS300Stack.template" ] ] } }, "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadCIS300Cond" }, "PlaybookAdminStackSC": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix" ] }, "/playbooks/SCStack.template" ] ] } }, "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadSCCond" }, "SchedulingTable1EC09B43": { "Type": "AWS::DynamoDB::Table", "Properties": { "AttributeDefinitions": [ { "AttributeName": "AccountID-Region", "AttributeType": "S" } ], "DeletionProtectionEnabled": true, "KeySchema": [ { "AttributeName": "AccountID-Region", "KeyType": "HASH" } ], "PointInTimeRecoverySpecification": { "PointInTimeRecoveryEnabled": true }, "ProvisionedThroughput": { "ReadCapacityUnits": 5, "WriteCapacityUnits": 5 }, "SSESpecification": { "SSEEnabled": true }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TimeToLiveSpecification": { "AttributeName": "TTL", "Enabled": true } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "guard": { "SuppressedRules": [ "DYNAMODB_BILLING_MODE_RULE", "DYNAMODB_TABLE_ENCRYPTED_KMS" ] } } }, "SchedulingTableReadScalingTarget08C43BF6": { "Type": "AWS::ApplicationAutoScaling::ScalableTarget", "Properties": { "MaxCapacity": 10, "MinCapacity": 1, "ResourceId": { "Fn::Join": [ "", [ "table/", { "Ref": "SchedulingTable1EC09B43" } ] ] }, "RoleARN": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" ] ] }, "ScalableDimension": "dynamodb:table:ReadCapacityUnits", "ServiceNamespace": "dynamodb" } }, "SchedulingTableReadScalingTargetTracking239581AF": { "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties": { "PolicyName": "SolutionDeployStackSchedulingTableReadScalingTargetTracking5DD9C5B4", "PolicyType": "TargetTrackingScaling", "ScalingTargetId": { "Ref": "SchedulingTableReadScalingTarget08C43BF6" }, "TargetTrackingScalingPolicyConfiguration": { "PredefinedMetricSpecification": { "PredefinedMetricType": "DynamoDBReadCapacityUtilization" }, "TargetValue": 70 } } }, "SchedulingTableWriteScalingTargetD82A5F4D": { "Type": "AWS::ApplicationAutoScaling::ScalableTarget", "Properties": { "MaxCapacity": 10, "MinCapacity": 1, "ResourceId": { "Fn::Join": [ "", [ "table/", { "Ref": "SchedulingTable1EC09B43" } ] ] }, "RoleARN": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" ] ] }, "ScalableDimension": "dynamodb:table:WriteCapacityUnits", "ServiceNamespace": "dynamodb" } }, "SchedulingTableWriteScalingTargetTracking03361258": { "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties": { "PolicyName": "SolutionDeployStackSchedulingTableWriteScalingTargetTrackingB3259845", "PolicyType": "TargetTrackingScaling", "ScalingTargetId": { "Ref": "SchedulingTableWriteScalingTargetD82A5F4D" }, "TargetTrackingScalingPolicyConfiguration": { "PredefinedMetricSpecification": { "PredefinedMetricType": "DynamoDBWriteCapacityUtilization" }, "TargetValue": 70 } } }, "SchedulingLambdaPolicyBDBE83CB": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*:log-stream:*" ] ] } }, { "Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": [ "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "cloudwatch:PutMetricData", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "SO0111-ASR_Scheduling_Lambda", "Roles": [ { "Ref": "SchedulingLambdaRoleAB00F55C" } ] } }, "SchedulingLambdaRoleAB00F55C": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Lambda role to schedule remediations that are sent to SQS through the orchestrator", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] } }, "SchedulingLambdaRoleDefaultPolicy73C1B49B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "states:SendTaskSuccess", "states:SendTaskFailure", "states:SendTaskHeartbeat" ], "Effect": "Allow", "Resource": { "Ref": "orchestratorStateMachine77C3F8FB" } }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "SchedulingTable1EC09B43", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "SchedulingTable1EC09B43", "Arn" ] } ] }, { "Action": [ "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:GetQueueUrl", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SchedulingQueueB533E3CD", "Arn" ] } }, { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "SchedulingLambdaRoleDefaultPolicy73C1B49B", "Roles": [ { "Ref": "SchedulingLambdaRoleAB00F55C" } ] } }, "schedulingLambdaTrigger24179157": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/schedule_remediation-9ceafae3.zip" }, "Description": "SO0111 ASR function that schedules remediations in member accounts", "Environment": { "Variables": { "SchedulingTableName": { "Ref": "SchedulingTable1EC09B43" }, "RemediationWaitTime": "3", "POWERTOOLS_SERVICE_NAME": "schedule_remediation", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-schedulingLambdaTrigger", "Handler": "schedule_remediation.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 128, "ReservedConcurrentExecutions": 1, "Role": { "Fn::GetAtt": [ "SchedulingLambdaRoleAB00F55C", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 10, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "SchedulingLambdaRoleDefaultPolicy73C1B49B", "SchedulingLambdaRoleAB00F55C" ], "Metadata": { "guard": { "SuppressedRules": [ "LAMBDA_INSIDE_VPC" ] } } }, "schedulingLambdaTriggerSqsEventSourceSolutionDeployStackSchedulingQueue113A20F495C8AD0E": { "Type": "AWS::Lambda::EventSourceMapping", "Properties": { "BatchSize": 1, "EventSourceArn": { "Fn::GetAtt": [ "SchedulingQueueB533E3CD", "Arn" ] }, "FunctionName": { "Ref": "schedulingLambdaTrigger24179157" } } }, "ActionLogOrgIdLookupOrgIdLookupFunctionServiceRole93505391": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] } }, "ActionLogOrgIdLookupOrgIdLookupFunctionServiceRoleDefaultPolicyB2285DD8": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "organizations:DescribeOrganization", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ActionLogOrgIdLookupOrgIdLookupFunctionServiceRoleDefaultPolicyB2285DD8", "Roles": [ { "Ref": "ActionLogOrgIdLookupOrgIdLookupFunctionServiceRole93505391" } ] } }, "ActionLogOrgIdLookupOrgIdLookupFunctionD828FC28": { "Type": "AWS::Lambda::Function", "Properties": { "Architectures": [ "arm64" ], "Code": { "ZipFile": "\n const {OrganizationsClient, DescribeOrganizationCommand} = require(\"@aws-sdk/client-organizations\");\n const https = require('https');\n const url = require('url');\n \n const organizationsClient = new OrganizationsClient({});\n \n exports.handler = async function (event, context) {\n console.log('Event:', JSON.stringify(event, null, 2));\n \n let responseData = {};\n let physicalResourceId;\n let responseStatus = 'FAILED';\n let reason;\n \n try {\n if (event.RequestType === 'Create' || event.RequestType === 'Update') {\n const response = await organizationsClient.send(new DescribeOrganizationCommand({}));\n const organizationId = response.Organization?.Id;\n responseData = { OrganizationId: organizationId };\n physicalResourceId = organizationId || 'org-id-not-found';\n responseStatus = 'SUCCESS';\n } else if (event.RequestType === 'Delete') {\n // Nothing to do for delete\n physicalResourceId = event.PhysicalResourceId;\n responseStatus = 'SUCCESS';\n }\n } catch (error) {\n if (error.name === \"AWSOrganizationsNotInUseException\" || error.name === \"AccessDeniedException\") {\n responseData = { OrganizationId: 'org-id-unavailable' };\n physicalResourceId = 'org-id-not-found';\n responseStatus = 'SUCCESS';\n } else {\n console.error('Error:', error);\n reason = 'Failed to retrieve Organization ID: ' + error.message;\n physicalResourceId = 'org-id-lookup-failed';\n }\n }\n \n await sendResponse(event, context, responseStatus, responseData, physicalResourceId, reason);\n };\n \n function sendResponse(event, context, responseStatus, responseData, physicalResourceId, reason) {\n return new Promise((resolve, reject) => {\n const responseBody = JSON.stringify({\n Status: responseStatus,\n Reason: reason || 'See the details in CloudWatch Log Stream: ' + context.logStreamName,\n PhysicalResourceId: physicalResourceId,\n StackId: event.StackId,\n RequestId: event.RequestId,\n LogicalResourceId: event.LogicalResourceId,\n NoEcho: false,\n Data: responseData\n });\n \n console.log('Response body:', responseBody);\n \n const parsedUrl = url.parse(event.ResponseURL);\n const options = {\n hostname: parsedUrl.hostname,\n port: 443,\n path: parsedUrl.path,\n method: 'PUT',\n headers: {\n 'content-type': '',\n 'content-length': responseBody.length\n }\n };\n \n const request = https.request(options, (response) => {\n console.log('Status code:', response.statusCode);\n console.log('Status message:', response.statusMessage);\n resolve();\n });\n \n request.on('error', (error) => {\n console.log('send(..) failed executing https.request(..): ' + error);\n reject(error);\n });\n \n request.write(responseBody);\n request.end();\n });\n }\n " }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "ActionLogOrgIdLookupOrgIdLookupFunctionServiceRole93505391", "Arn" ] }, "Runtime": "nodejs22.x", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 15 }, "DependsOn": [ "ActionLogOrgIdLookupOrgIdLookupFunctionServiceRoleDefaultPolicyB2285DD8", "ActionLogOrgIdLookupOrgIdLookupFunctionServiceRole93505391" ], "Metadata": { "guard": { "SuppressedRules": [ "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK" ] } } }, "ActionLogOrgIdLookup5D912F99": { "Type": "AWS::CloudFormation::CustomResource", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "ActionLogOrgIdLookupOrgIdLookupFunctionD828FC28", "Arn" ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "ActionLogCrossAccountLogWriterRole252CB494": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:PrincipalOrgID": { "Fn::GetAtt": [ "ActionLogOrgIdLookup5D912F99", "OrganizationId" ] }, "sts:ExternalId": "ASRCrossAccountLogWriter" } }, "Effect": "Allow", "Principal": { "AWS": "*" } } ], "Version": "2012-10-17" }, "Description": "Role for cross-account access to write to CloudWatch Logs with External ID security", "RoleName": "CrossAccountLogWriterRole", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } } }, "ActionLogCrossAccountLogWriterRoleDefaultPolicy3386E1C5": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CloudTrailEventsLogGroup94AE6D1A", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CloudTrailEventsLogGroup94AE6D1A", "Arn" ] }, ":*" ] ] } ] }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CloudTrailEventsLogGroup94AE6D1A", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "ActionLogCrossAccountLogWriterRoleDefaultPolicy3386E1C5", "Roles": [ { "Ref": "ActionLogCrossAccountLogWriterRole252CB494" } ] } }, "CloudTrailEventsLogGroup94AE6D1A": { "Type": "AWS::Logs::LogGroup", "Properties": { "LogGroupName": "/aws/lambda/SO0111-ASR-CloudTrailEvents", "RetentionInDays": 3653, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "guard": { "SuppressedRules": [ "CLOUDWATCH_LOG_GROUP_ENCRYPTED" ] } } }, "PreProcessorConstructPreProcessorDLQC3A75225": { "Type": "AWS::SQS::Queue", "Properties": { "KmsDataKeyReusePeriodSeconds": 3600, "KmsMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "MessageRetentionPeriod": 1209600, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "PreProcessorConstructPreProcessorDLQPolicy2572D35B": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "PreProcessorConstructPreProcessorDLQC3A75225", "Arn" ] } } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "PreProcessorConstructPreProcessorDLQC3A75225" } ] } }, "PreProcessorConstructPreProcessorQueue8068A6BD": { "Type": "AWS::SQS::Queue", "Properties": { "KmsDataKeyReusePeriodSeconds": 3600, "KmsMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "RedrivePolicy": { "deadLetterTargetArn": { "Fn::GetAtt": [ "PreProcessorConstructPreProcessorDLQC3A75225", "Arn" ] }, "maxReceiveCount": 10 }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "VisibilityTimeout": 900 }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "PreProcessorConstructPreProcessorQueuePolicy245F8DE1": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Fn::GetAtt": [ "PreProcessorConstructPreProcessorQueue8068A6BD", "Arn" ] } }, { "Action": "sqs:SendMessage", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Resource": "*" } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "PreProcessorConstructPreProcessorQueue8068A6BD" } ] } }, "PreProcessorConstructPreProcessorFunctionServiceRole58DC9DF7": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] } }, "PreProcessorConstructPreProcessorFunctionServiceRoleDefaultPolicy05DF2207": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ASRFindingsTable3FD52B9C", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ASRFindingsTable3FD52B9C", "Arn" ] } ] }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "RemediationConfigTable24F19C3B", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "RemediationConfigTable24F19C3B", "Arn" ] } ] }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ASRRemediationHistoryTable3CA12E73", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ASRRemediationHistoryTable3CA12E73", "Arn" ] } ] }, { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath", "ssm:PutParameter", "ssm:PutParameters", "ssm:DeleteParameter" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:*:parameter/Solutions/SO0111/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:*:parameter/ASR/Filters" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:*:parameter/ASR/Filters/*" ] ] } ] }, { "Action": "states:StartExecution", "Effect": "Allow", "Resource": { "Ref": "orchestratorStateMachine77C3F8FB" } }, { "Action": [ "organizations:ListParents", "organizations:DescribeAccount" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:GetQueueUrl", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "PreProcessorConstructPreProcessorQueue8068A6BD", "Arn" ] } }, { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "PreProcessorConstructPreProcessorFunctionServiceRoleDefaultPolicy05DF2207", "Roles": [ { "Ref": "PreProcessorConstructPreProcessorFunctionServiceRole58DC9DF7" } ] } }, "PreProcessorConstructPreProcessorFunction866FBB71": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/asr_lambdas-457b6b95.zip" }, "Environment": { "Variables": { "SOLUTION_TRADEMARKEDNAME": "automated-security-response-on-aws", "POWERTOOLS_LOG_LEVEL": "INFO", "FINDINGS_TABLE_ARN": { "Fn::GetAtt": [ "ASRFindingsTable3FD52B9C", "Arn" ] }, "REMEDIATION_HISTORY_TABLE_ARN": { "Fn::GetAtt": [ "ASRRemediationHistoryTable3CA12E73", "Arn" ] }, "REMEDIATION_CONFIG_TABLE_ARN": { "Fn::GetAtt": [ "RemediationConfigTable24F19C3B", "Arn" ] }, "ORCHESTRATOR_ARN": { "Ref": "orchestratorStateMachine77C3F8FB" }, "FINDINGS_TTL_DAYS": "8", "HISTORY_TTL_DAYS": "365", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-PreProcessor", "Handler": "pre-processor/preProcessor.handler", "MemorySize": 512, "ReservedConcurrentExecutions": 5, "Role": { "Fn::GetAtt": [ "PreProcessorConstructPreProcessorFunctionServiceRole58DC9DF7", "Arn" ] }, "Runtime": "nodejs22.x", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 900, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "PreProcessorConstructPreProcessorFunctionServiceRoleDefaultPolicy05DF2207", "PreProcessorConstructPreProcessorFunctionServiceRole58DC9DF7" ], "Metadata": { "guard": { "SuppressedRules": [ "LAMBDA_INSIDE_VPC", "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } } }, "PreProcessorConstructPreProcessorFunctionSqsEventSourceSolutionDeployStackPreProcessorConstructPreProcessorQueue40E7D8E34D873ECA": { "Type": "AWS::Lambda::EventSourceMapping", "Properties": { "BatchSize": 10, "EventSourceArn": { "Fn::GetAtt": [ "PreProcessorConstructPreProcessorQueue8068A6BD", "Arn" ] }, "FunctionName": { "Ref": "PreProcessorConstructPreProcessorFunction866FBB71" }, "FunctionResponseTypes": [ "ReportBatchItemFailures" ], "MaximumBatchingWindowInSeconds": 5 } }, "FindingEventsTriggerEventBridgeToSQSEventsRule5599F48C": { "Type": "AWS::Events::Rule", "Properties": { "Description": "This rule captures finding events from Security Hub & Security Hub CSPM and forwards them to ASR's Pre-processor SQS Queue for further execution", "EventPattern": { "source": [ "aws.securityhub" ], "detail-type": [ "Security Hub Findings - Imported", "Findings Imported V2" ], "detail": { "findings": { "$or": [ { "SchemaVersion": [ "2018-10-08" ], "ProductArn": [ { "prefix": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":securityhub" ] ] } } ] }, { "class_name": [ "Compliance Finding" ], "class_uid": [ 2003 ], "metadata": { "product": { "uid": [ { "prefix": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":securityhub" ] ] } } ] } } } ] } } }, "Name": "SO0111_automated-security-response-on-aws_AutoTrigger", "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "PreProcessorConstructPreProcessorQueue8068A6BD", "Arn" ] }, "Id": "Target0" } ] } }, "RemediationConfigPolicy4FBFA72E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "RemediationConfigTable24F19C3B", "Arn" ] } }, { "Action": "s3:GetObject", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::solutions-reference/automated-security-response-on-aws/v3.1.5/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::solutions-reference-cn/automated-security-response-on-aws/v3.1.5/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::solutions-reference-us-gov/automated-security-response-on-aws/v3.1.5/*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "SO0111-ASR_Remediation_Config", "Roles": [ { "Ref": "RemediationConfigRoleE527BA47" } ] } }, "RemediationConfigRoleE527BA47": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Lambda role for remediation configuration table population", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ] } }, "RemediationConfigRoleDefaultPolicy922B08B0": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "RemediationConfigRoleDefaultPolicy922B08B0", "Roles": [ { "Ref": "RemediationConfigRoleE527BA47" } ] } }, "RemediationConfigProvider0B1658AD": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.5/lambda/remediation_config_provider-f7600269.zip" }, "Description": "Custom resource to populate remediation configuration table", "Environment": { "Variables": { "POWERTOOLS_SERVICE_NAME": "action_target_provider", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.5", "SOLUTION_TMN": "automated-security-response-on-aws", "REFERENCE_BUCKET_NAME": "solutions-reference", "REFERENCE_BUCKET_PARTITION": { "Ref": "AWS::Partition" }, "CUSTOM_REFERENCE_BUCKET_REGION": "", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "FunctionName": "SO0111-ASR-RemediationConfigProvider", "Handler": "remediation_config_provider.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "RemediationConfigRoleE527BA47", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Timeout": 300, "TracingConfig": { "Mode": "Active" } }, "DependsOn": [ "RemediationConfigRoleDefaultPolicy922B08B0", "RemediationConfigRoleE527BA47" ], "Metadata": { "guard": { "SuppressedRules": [ "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK" ] } } }, "RemediationConfigResource": { "Type": "AWS::CloudFormation::CustomResource", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "RemediationConfigProvider0B1658AD", "Arn" ] }, "TableName": { "Ref": "RemediationConfigTable24F19C3B" }, "SolutionVersion": "v3.1.5" }, "DependsOn": [ "RemediationConfigTable24F19C3B" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "ASRSendCloudWatchMetricsD6C71A5B": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "Flag to enable or disable sending cloudwatch metrics.", "Name": "/Solutions/SO0111/sendCloudwatchMetrics", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.5" }, "Type": "String", "Value": "yes" }, "Condition": "isUsingCloudWatchMetrics" }, "ASRAlarmTopic7CEFBDF9": { "Type": "AWS::SNS::Topic", "Properties": { "DisplayName": "ASR Alarm Topic (SO0111)", "KmsMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn" ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "TopicName": "SO0111-ASR_Alarm_Topic" }, "Condition": "isUsingCloudWatchMetricsAlarms" }, "NoRemediationErrorAlarm20FFD8DF": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "Remediation failed with NO_RUNBOOK result. This indicates a remediation was attempted and an ASR runbook could not be found. This can happen if the member stack is not deployed in the account & region where the finding was generated, or ASR does not support the control ID.", "AlarmName": "ASR-NoRunbook", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Id": "m1", "Label": "No Remediation", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "Outcome", "Value": "NO_RUNBOOK" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Sum" }, "ReturnData": true } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": 1, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "isUsingCloudWatchMetricsAlarms" }, "FailedAssumeRoleAlarm06397028": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "ASR Runbook Failed to assume role in an account. This indicates that a remediation was attempted in an account that does not have ASR deployed.", "AlarmName": "ASR-RunbookAssumeRoleFailure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Id": "m1", "Label": "Runbook Assume Role Failures", "MetricStat": { "Metric": { "MetricName": "AssumeRoleFailure", "Namespace": "ASR" }, "Period": 86400, "Stat": "Sum" }, "ReturnData": true } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": 1, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "isUsingCloudWatchMetricsAlarms" }, "PreProcessorDLQAlarm908FB774": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "Automated Security Response on AWS: Messages have been sent to the Pre-processor Dead Letter Queue. This indicates that the Pre-processor Lambda function failed to process Security Hub findings after multiple retry attempts.", "AlarmName": "ASR-PreProcessorDLQ", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Id": "m1", "Label": "Automated Security Response on AWS: Pre-processor DLQ Messages", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "QueueName", "Value": { "Fn::GetAtt": [ "PreProcessorConstructPreProcessorDLQC3A75225", "QueueName" ] } } ], "MetricName": "NumberOfMessagesSent", "Namespace": "AWS/SQS" }, "Period": 300, "Stat": "Sum" }, "ReturnData": true } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": 1, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "isUsingCloudWatchMetricsAlarms" }, "SynchronizationErrorAlarmD891B871": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "Automated Security Response on AWS: The synchronization Lambda function has failed. This indicates that the synchronization process for Security Hub findings may not be working correctly and findings displayed in the UI may contain outdated information. Please see the function's log group for more information.", "AlarmName": "ASR-SynchronizationError", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Id": "m1", "Label": "Synchronization Lambda Errors", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "FunctionName", "Value": { "Ref": "SynchronizationFindingsConstructSynchronizationFindingsLambda0E312918" } } ], "MetricName": "Errors", "Namespace": "AWS/Lambda" }, "Period": 300, "Stat": "Sum" }, "ReturnData": true } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": 1, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "isUsingCloudWatchMetricsAlarms" }, "AutoScaling1remediationfailureC7E7A88A": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for AutoScaling.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-AutoScaling.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1AutoScaling1 / (m1AutoScaling1+m2AutoScaling1)) * 100", "Id": "expr_1", "Label": "AutoScaling.1 Failure Percentage", "ReturnData": true }, { "Id": "m1AutoScaling1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "AutoScaling.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2AutoScaling1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "AutoScaling.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudFormation1remediationfailureA49101F8": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudFormation.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudFormation.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudFormation1 / (m1CloudFormation1+m2CloudFormation1)) * 100", "Id": "expr_1", "Label": "CloudFormation.1 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudFormation1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudFormation.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudFormation1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudFormation.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudFront1remediationfailure98E16C0F": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudFront.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudFront.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudFront1 / (m1CloudFront1+m2CloudFront1)) * 100", "Id": "expr_1", "Label": "CloudFront.1 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudFront1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudFront.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudFront1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudFront.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudFront12remediationfailure4C20F867": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudFront.12 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudFront.12-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudFront12 / (m1CloudFront12+m2CloudFront12)) * 100", "Id": "expr_1", "Label": "CloudFront.12 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudFront12", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudFront.12" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudFront12", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudFront.12" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudTrail1remediationfailure5EC81199": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudTrail.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudTrail.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudTrail1 / (m1CloudTrail1+m2CloudTrail1)) * 100", "Id": "expr_1", "Label": "CloudTrail.1 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudTrail1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudTrail1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudTrail2remediationfailureC4D3FD6A": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudTrail.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudTrail.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudTrail2 / (m1CloudTrail2+m2CloudTrail2)) * 100", "Id": "expr_1", "Label": "CloudTrail.2 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudTrail2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudTrail2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudTrail3remediationfailure3F152EE6": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudTrail.3 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudTrail.3-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudTrail3 / (m1CloudTrail3+m2CloudTrail3)) * 100", "Id": "expr_1", "Label": "CloudTrail.3 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudTrail3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.3" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudTrail3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.3" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudTrail4remediationfailure2EEBDAC7": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudTrail.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudTrail.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudTrail4 / (m1CloudTrail4+m2CloudTrail4)) * 100", "Id": "expr_1", "Label": "CloudTrail.4 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudTrail4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudTrail4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudTrail5remediationfailureDD55E093": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudTrail.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudTrail.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudTrail5 / (m1CloudTrail5+m2CloudTrail5)) * 100", "Id": "expr_1", "Label": "CloudTrail.5 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudTrail5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudTrail5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudTrail6remediationfailureE6F95F7A": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudTrail.6 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudTrail.6-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudTrail6 / (m1CloudTrail6+m2CloudTrail6)) * 100", "Id": "expr_1", "Label": "CloudTrail.6 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudTrail6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.6" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudTrail6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.6" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudTrail7remediationfailureB9E46CED": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudTrail.7 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudTrail.7-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudTrail7 / (m1CloudTrail7+m2CloudTrail7)) * 100", "Id": "expr_1", "Label": "CloudTrail.7 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudTrail7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.7" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudTrail7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudTrail.7" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch1remediationfailureA3222459": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch1 / (m1CloudWatch1+m2CloudWatch1)) * 100", "Id": "expr_1", "Label": "CloudWatch.1 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch2remediationfailureC6478DD1": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch2 / (m1CloudWatch2+m2CloudWatch2)) * 100", "Id": "expr_1", "Label": "CloudWatch.2 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch3remediationfailureE29A880E": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.3 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.3-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch3 / (m1CloudWatch3+m2CloudWatch3)) * 100", "Id": "expr_1", "Label": "CloudWatch.3 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.3" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.3" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch4remediationfailureB37F01BB": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch4 / (m1CloudWatch4+m2CloudWatch4)) * 100", "Id": "expr_1", "Label": "CloudWatch.4 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch5remediationfailure5FFB8EE6": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch5 / (m1CloudWatch5+m2CloudWatch5)) * 100", "Id": "expr_1", "Label": "CloudWatch.5 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch6remediationfailureD02B331F": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.6 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.6-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch6 / (m1CloudWatch6+m2CloudWatch6)) * 100", "Id": "expr_1", "Label": "CloudWatch.6 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.6" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.6" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch7remediationfailure01058B9A": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.7 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.7-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch7 / (m1CloudWatch7+m2CloudWatch7)) * 100", "Id": "expr_1", "Label": "CloudWatch.7 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.7" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.7" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch8remediationfailureA037492F": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.8 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.8-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch8 / (m1CloudWatch8+m2CloudWatch8)) * 100", "Id": "expr_1", "Label": "CloudWatch.8 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch8", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.8" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch8", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.8" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch9remediationfailure562F387A": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.9 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.9-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch9 / (m1CloudWatch9+m2CloudWatch9)) * 100", "Id": "expr_1", "Label": "CloudWatch.9 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch9", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.9" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch9", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.9" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch10remediationfailureA1CC894D": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.10 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.10-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch10 / (m1CloudWatch10+m2CloudWatch10)) * 100", "Id": "expr_1", "Label": "CloudWatch.10 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch10", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.10" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch10", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.10" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch11remediationfailure4111C675": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.11 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.11-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch11 / (m1CloudWatch11+m2CloudWatch11)) * 100", "Id": "expr_1", "Label": "CloudWatch.11 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch11", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.11" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch11", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.11" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch12remediationfailure8A3F8B50": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.12 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.12-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch12 / (m1CloudWatch12+m2CloudWatch12)) * 100", "Id": "expr_1", "Label": "CloudWatch.12 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch12", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.12" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch12", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.12" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch13remediationfailure36140E73": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.13 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.13-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch13 / (m1CloudWatch13+m2CloudWatch13)) * 100", "Id": "expr_1", "Label": "CloudWatch.13 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch13", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.13" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch13", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.13" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch14remediationfailure521B8DEE": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.14 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.14-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch14 / (m1CloudWatch14+m2CloudWatch14)) * 100", "Id": "expr_1", "Label": "CloudWatch.14 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch14", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.14" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch14", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.14" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CodeBuild2remediationfailure64A628E5": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CodeBuild.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CodeBuild.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CodeBuild2 / (m1CodeBuild2+m2CodeBuild2)) * 100", "Id": "expr_1", "Label": "CodeBuild.2 Failure Percentage", "ReturnData": true }, { "Id": "m1CodeBuild2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CodeBuild.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CodeBuild2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CodeBuild.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CodeBuild5remediationfailureFEE4A65E": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CodeBuild.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CodeBuild.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CodeBuild5 / (m1CodeBuild5+m2CodeBuild5)) * 100", "Id": "expr_1", "Label": "CodeBuild.5 Failure Percentage", "ReturnData": true }, { "Id": "m1CodeBuild5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CodeBuild.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CodeBuild5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CodeBuild.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Config1remediationfailureE4D16D46": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Config.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Config.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Config1 / (m1Config1+m2Config1)) * 100", "Id": "expr_1", "Label": "Config.1 Failure Percentage", "ReturnData": true }, { "Id": "m1Config1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Config.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Config1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Config.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC21remediationfailureA39DC3F3": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC21 / (m1EC21+m2EC21)) * 100", "Id": "expr_1", "Label": "EC2.1 Failure Percentage", "ReturnData": true }, { "Id": "m1EC21", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC21", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC22remediationfailure139C6D03": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC22 / (m1EC22+m2EC22)) * 100", "Id": "expr_1", "Label": "EC2.2 Failure Percentage", "ReturnData": true }, { "Id": "m1EC22", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC22", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC24remediationfailure05EF2E7C": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC24 / (m1EC24+m2EC24)) * 100", "Id": "expr_1", "Label": "EC2.4 Failure Percentage", "ReturnData": true }, { "Id": "m1EC24", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC24", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC26remediationfailure8729950E": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.6 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.6-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC26 / (m1EC26+m2EC26)) * 100", "Id": "expr_1", "Label": "EC2.6 Failure Percentage", "ReturnData": true }, { "Id": "m1EC26", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.6" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC26", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.6" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC27remediationfailure27FDB86C": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.7 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.7-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC27 / (m1EC27+m2EC27)) * 100", "Id": "expr_1", "Label": "EC2.7 Failure Percentage", "ReturnData": true }, { "Id": "m1EC27", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.7" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC27", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.7" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC28remediationfailureEFD81795": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.8 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.8-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC28 / (m1EC28+m2EC28)) * 100", "Id": "expr_1", "Label": "EC2.8 Failure Percentage", "ReturnData": true }, { "Id": "m1EC28", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.8" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC28", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.8" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC213remediationfailure9DCB9763": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.13 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.13-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC213 / (m1EC213+m2EC213)) * 100", "Id": "expr_1", "Label": "EC2.13 Failure Percentage", "ReturnData": true }, { "Id": "m1EC213", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.13" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC213", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.13" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC214remediationfailure577055FE": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.14 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.14-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC214 / (m1EC214+m2EC214)) * 100", "Id": "expr_1", "Label": "EC2.14 Failure Percentage", "ReturnData": true }, { "Id": "m1EC214", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.14" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC214", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.14" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC215remediationfailure4AB5BA3A": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.15 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.15-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC215 / (m1EC215+m2EC215)) * 100", "Id": "expr_1", "Label": "EC2.15 Failure Percentage", "ReturnData": true }, { "Id": "m1EC215", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.15" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC215", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.15" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC218remediationfailureE48F10E6": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.18 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.18-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC218 / (m1EC218+m2EC218)) * 100", "Id": "expr_1", "Label": "EC2.18 Failure Percentage", "ReturnData": true }, { "Id": "m1EC218", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.18" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC218", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.18" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC219remediationfailure72615DA1": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.19 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.19-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC219 / (m1EC219+m2EC219)) * 100", "Id": "expr_1", "Label": "EC2.19 Failure Percentage", "ReturnData": true }, { "Id": "m1EC219", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.19" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC219", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.19" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC223remediationfailureF683E720": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.23 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.23-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC223 / (m1EC223+m2EC223)) * 100", "Id": "expr_1", "Label": "EC2.23 Failure Percentage", "ReturnData": true }, { "Id": "m1EC223", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.23" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC223", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.23" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM3remediationfailure2E706636": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.3 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.3-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM3 / (m1IAM3+m2IAM3)) * 100", "Id": "expr_1", "Label": "IAM.3 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.3" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.3" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM7remediationfailure00B58B57": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.7 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.7-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM7 / (m1IAM7+m2IAM7)) * 100", "Id": "expr_1", "Label": "IAM.7 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.7" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.7" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM8remediationfailure3EA89A13": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.8 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.8-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM8 / (m1IAM8+m2IAM8)) * 100", "Id": "expr_1", "Label": "IAM.8 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM8", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.8" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM8", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.8" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM11remediationfailure9E3E82DD": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.11 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.11-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM11 / (m1IAM11+m2IAM11)) * 100", "Id": "expr_1", "Label": "IAM.11 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM11", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.11" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM11", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.11" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM12remediationfailure12CE48BC": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.12 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.12-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM12 / (m1IAM12+m2IAM12)) * 100", "Id": "expr_1", "Label": "IAM.12 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM12", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.12" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM12", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.12" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM13remediationfailureE1876212": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.13 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.13-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM13 / (m1IAM13+m2IAM13)) * 100", "Id": "expr_1", "Label": "IAM.13 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM13", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.13" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM13", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.13" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM14remediationfailure962E22F8": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.14 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.14-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM14 / (m1IAM14+m2IAM14)) * 100", "Id": "expr_1", "Label": "IAM.14 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM14", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.14" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM14", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.14" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM15remediationfailureC2E57C72": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.15 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.15-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM15 / (m1IAM15+m2IAM15)) * 100", "Id": "expr_1", "Label": "IAM.15 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM15", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.15" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM15", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.15" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM16remediationfailure7119F86F": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.16 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.16-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM16 / (m1IAM16+m2IAM16)) * 100", "Id": "expr_1", "Label": "IAM.16 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM16", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.16" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM16", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.16" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM17remediationfailure48871BBA": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.17 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.17-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM17 / (m1IAM17+m2IAM17)) * 100", "Id": "expr_1", "Label": "IAM.17 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM17", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.17" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM17", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.17" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM18remediationfailure4EE420C4": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.18 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.18-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM18 / (m1IAM18+m2IAM18)) * 100", "Id": "expr_1", "Label": "IAM.18 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM18", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.18" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM18", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.18" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "IAM22remediationfailure81BDDC78": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for IAM.22 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-IAM.22-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1IAM22 / (m1IAM22+m2IAM22)) * 100", "Id": "expr_1", "Label": "IAM.22 Failure Percentage", "ReturnData": true }, { "Id": "m1IAM22", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.22" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2IAM22", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "IAM.22" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "KMS4remediationfailure02F98C5F": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for KMS.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-KMS.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1KMS4 / (m1KMS4+m2KMS4)) * 100", "Id": "expr_1", "Label": "KMS.4 Failure Percentage", "ReturnData": true }, { "Id": "m1KMS4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "KMS.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2KMS4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "KMS.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Lambda1remediationfailure861B6E34": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Lambda.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Lambda.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Lambda1 / (m1Lambda1+m2Lambda1)) * 100", "Id": "expr_1", "Label": "Lambda.1 Failure Percentage", "ReturnData": true }, { "Id": "m1Lambda1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Lambda.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Lambda1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Lambda.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS1remediationfailure3C44B261": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS1 / (m1RDS1+m2RDS1)) * 100", "Id": "expr_1", "Label": "RDS.1 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS2remediationfailure7C383121": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS2 / (m1RDS2+m2RDS2)) * 100", "Id": "expr_1", "Label": "RDS.2 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS4remediationfailure155A6D2A": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS4 / (m1RDS4+m2RDS4)) * 100", "Id": "expr_1", "Label": "RDS.4 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS5remediationfailureBB1AD637": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS5 / (m1RDS5+m2RDS5)) * 100", "Id": "expr_1", "Label": "RDS.5 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS6remediationfailureD43BC115": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.6 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.6-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS6 / (m1RDS6+m2RDS6)) * 100", "Id": "expr_1", "Label": "RDS.6 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.6" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.6" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS7remediationfailureAFFAD4B5": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.7 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.7-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS7 / (m1RDS7+m2RDS7)) * 100", "Id": "expr_1", "Label": "RDS.7 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.7" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.7" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS8remediationfailureBE84F743": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.8 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.8-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS8 / (m1RDS8+m2RDS8)) * 100", "Id": "expr_1", "Label": "RDS.8 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS8", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.8" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS8", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.8" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS13remediationfailure15C4FA2F": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.13 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.13-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS13 / (m1RDS13+m2RDS13)) * 100", "Id": "expr_1", "Label": "RDS.13 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS13", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.13" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS13", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.13" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RDS16remediationfailureC76518D0": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for RDS.16 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-RDS.16-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1RDS16 / (m1RDS16+m2RDS16)) * 100", "Id": "expr_1", "Label": "RDS.16 Failure Percentage", "ReturnData": true }, { "Id": "m1RDS16", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.16" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2RDS16", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "RDS.16" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Redshift1remediationfailureA218AFB4": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Redshift.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Redshift.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Redshift1 / (m1Redshift1+m2Redshift1)) * 100", "Id": "expr_1", "Label": "Redshift.1 Failure Percentage", "ReturnData": true }, { "Id": "m1Redshift1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Redshift.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Redshift1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Redshift.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Redshift3remediationfailureA005CBF8": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Redshift.3 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Redshift.3-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Redshift3 / (m1Redshift3+m2Redshift3)) * 100", "Id": "expr_1", "Label": "Redshift.3 Failure Percentage", "ReturnData": true }, { "Id": "m1Redshift3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Redshift.3" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Redshift3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Redshift.3" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Redshift4remediationfailure0C7EB0E5": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Redshift.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Redshift.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Redshift4 / (m1Redshift4+m2Redshift4)) * 100", "Id": "expr_1", "Label": "Redshift.4 Failure Percentage", "ReturnData": true }, { "Id": "m1Redshift4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Redshift.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Redshift4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Redshift.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Redshift6remediationfailure4CEC2AB4": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Redshift.6 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Redshift.6-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Redshift6 / (m1Redshift6+m2Redshift6)) * 100", "Id": "expr_1", "Label": "Redshift.6 Failure Percentage", "ReturnData": true }, { "Id": "m1Redshift6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Redshift.6" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Redshift6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Redshift.6" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S31remediationfailureB1E0E788": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S31 / (m1S31+m2S31)) * 100", "Id": "expr_1", "Label": "S3.1 Failure Percentage", "ReturnData": true }, { "Id": "m1S31", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S31", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S32remediationfailure0CB179A0": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S32 / (m1S32+m2S32)) * 100", "Id": "expr_1", "Label": "S3.2 Failure Percentage", "ReturnData": true }, { "Id": "m1S32", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S32", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S33remediationfailureEBC2F987": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.3 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.3-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S33 / (m1S33+m2S33)) * 100", "Id": "expr_1", "Label": "S3.3 Failure Percentage", "ReturnData": true }, { "Id": "m1S33", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.3" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S33", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.3" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S34remediationfailure91AF2287": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S34 / (m1S34+m2S34)) * 100", "Id": "expr_1", "Label": "S3.4 Failure Percentage", "ReturnData": true }, { "Id": "m1S34", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S34", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S35remediationfailureCA1065E4": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S35 / (m1S35+m2S35)) * 100", "Id": "expr_1", "Label": "S3.5 Failure Percentage", "ReturnData": true }, { "Id": "m1S35", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S35", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S36remediationfailure4C0080B5": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.6 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.6-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S36 / (m1S36+m2S36)) * 100", "Id": "expr_1", "Label": "S3.6 Failure Percentage", "ReturnData": true }, { "Id": "m1S36", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.6" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S36", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.6" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S38remediationfailure8CD77EFB": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.8 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.8-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S38 / (m1S38+m2S38)) * 100", "Id": "expr_1", "Label": "S3.8 Failure Percentage", "ReturnData": true }, { "Id": "m1S38", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.8" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S38", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.8" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S39remediationfailure46C7021F": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.9 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.9-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S39 / (m1S39+m2S39)) * 100", "Id": "expr_1", "Label": "S3.9 Failure Percentage", "ReturnData": true }, { "Id": "m1S39", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.9" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S39", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.9" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S311remediationfailure33527D1F": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.11 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.11-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S311 / (m1S311+m2S311)) * 100", "Id": "expr_1", "Label": "S3.11 Failure Percentage", "ReturnData": true }, { "Id": "m1S311", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.11" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S311", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.11" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "S313remediationfailureC0DAC9F7": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for S3.13 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-S3.13-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1S313 / (m1S313+m2S313)) * 100", "Id": "expr_1", "Label": "S3.13 Failure Percentage", "ReturnData": true }, { "Id": "m1S313", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.13" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2S313", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "S3.13" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SecretsManager1remediationfailureA2711A50": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SecretsManager.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SecretsManager.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SecretsManager1 / (m1SecretsManager1+m2SecretsManager1)) * 100", "Id": "expr_1", "Label": "SecretsManager.1 Failure Percentage", "ReturnData": true }, { "Id": "m1SecretsManager1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SecretsManager.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SecretsManager1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SecretsManager.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SecretsManager3remediationfailureE72F1B56": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SecretsManager.3 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SecretsManager.3-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SecretsManager3 / (m1SecretsManager3+m2SecretsManager3)) * 100", "Id": "expr_1", "Label": "SecretsManager.3 Failure Percentage", "ReturnData": true }, { "Id": "m1SecretsManager3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SecretsManager.3" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SecretsManager3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SecretsManager.3" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SecretsManager4remediationfailure993A7849": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SecretsManager.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SecretsManager.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SecretsManager4 / (m1SecretsManager4+m2SecretsManager4)) * 100", "Id": "expr_1", "Label": "SecretsManager.4 Failure Percentage", "ReturnData": true }, { "Id": "m1SecretsManager4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SecretsManager.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SecretsManager4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SecretsManager.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SNS1remediationfailure98EE4220": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SNS.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SNS.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SNS1 / (m1SNS1+m2SNS1)) * 100", "Id": "expr_1", "Label": "SNS.1 Failure Percentage", "ReturnData": true }, { "Id": "m1SNS1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SNS.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SNS1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SNS.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SNS2remediationfailureC71B427E": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SNS.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SNS.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SNS2 / (m1SNS2+m2SNS2)) * 100", "Id": "expr_1", "Label": "SNS.2 Failure Percentage", "ReturnData": true }, { "Id": "m1SNS2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SNS.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SNS2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SNS.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SQS1remediationfailureEC77DCB5": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SQS.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SQS.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SQS1 / (m1SQS1+m2SQS1)) * 100", "Id": "expr_1", "Label": "SQS.1 Failure Percentage", "ReturnData": true }, { "Id": "m1SQS1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SQS.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SQS1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SQS.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SSM4remediationfailure020A5786": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SSM.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SSM.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SSM4 / (m1SSM4+m2SSM4)) * 100", "Id": "expr_1", "Label": "SSM.4 Failure Percentage", "ReturnData": true }, { "Id": "m1SSM4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SSM.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SSM4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SSM.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "GuardDuty1remediationfailure95EB4B34": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for GuardDuty.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-GuardDuty.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1GuardDuty1 / (m1GuardDuty1+m2GuardDuty1)) * 100", "Id": "expr_1", "Label": "GuardDuty.1 Failure Percentage", "ReturnData": true }, { "Id": "m1GuardDuty1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "GuardDuty.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2GuardDuty1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "GuardDuty.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Athena4remediationfailure49AC87AE": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Athena.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Athena.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Athena4 / (m1Athena4+m2Athena4)) * 100", "Id": "expr_1", "Label": "Athena.4 Failure Percentage", "ReturnData": true }, { "Id": "m1Athena4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Athena.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Athena4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Athena.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "APIGateway1remediationfailure9061CEDD": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for APIGateway.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-APIGateway.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1APIGateway1 / (m1APIGateway1+m2APIGateway1)) * 100", "Id": "expr_1", "Label": "APIGateway.1 Failure Percentage", "ReturnData": true }, { "Id": "m1APIGateway1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "APIGateway.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2APIGateway1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "APIGateway.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "APIGateway5remediationfailure4708254C": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for APIGateway.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-APIGateway.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1APIGateway5 / (m1APIGateway5+m2APIGateway5)) * 100", "Id": "expr_1", "Label": "APIGateway.5 Failure Percentage", "ReturnData": true }, { "Id": "m1APIGateway5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "APIGateway.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2APIGateway5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "APIGateway.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "AutoScaling3remediationfailure685B64A8": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for AutoScaling.3 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-AutoScaling.3-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1AutoScaling3 / (m1AutoScaling3+m2AutoScaling3)) * 100", "Id": "expr_1", "Label": "AutoScaling.3 Failure Percentage", "ReturnData": true }, { "Id": "m1AutoScaling3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "AutoScaling.3" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2AutoScaling3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "AutoScaling.3" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Autoscaling5remediationfailure49EC2C6E": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Autoscaling.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Autoscaling.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Autoscaling5 / (m1Autoscaling5+m2Autoscaling5)) * 100", "Id": "expr_1", "Label": "Autoscaling.5 Failure Percentage", "ReturnData": true }, { "Id": "m1Autoscaling5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Autoscaling.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Autoscaling5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Autoscaling.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "CloudWatch16remediationfailure009FD0F8": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for CloudWatch.16 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-CloudWatch.16-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1CloudWatch16 / (m1CloudWatch16+m2CloudWatch16)) * 100", "Id": "expr_1", "Label": "CloudWatch.16 Failure Percentage", "ReturnData": true }, { "Id": "m1CloudWatch16", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.16" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2CloudWatch16", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "CloudWatch.16" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "EC210remediationfailure7C88B08D": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for EC2.10 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-EC2.10-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1EC210 / (m1EC210+m2EC210)) * 100", "Id": "expr_1", "Label": "EC2.10 Failure Percentage", "ReturnData": true }, { "Id": "m1EC210", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.10" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2EC210", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "EC2.10" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SSM1remediationfailureD6F27915": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SSM.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SSM.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SSM1 / (m1SSM1+m2SSM1)) * 100", "Id": "expr_1", "Label": "SSM.1 Failure Percentage", "ReturnData": true }, { "Id": "m1SSM1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SSM.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SSM1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SSM.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "GuardDuty2remediationfailure520214BF": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for GuardDuty.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-GuardDuty.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1GuardDuty2 / (m1GuardDuty2+m2GuardDuty2)) * 100", "Id": "expr_1", "Label": "GuardDuty.2 Failure Percentage", "ReturnData": true }, { "Id": "m1GuardDuty2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "GuardDuty.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2GuardDuty2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "GuardDuty.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "GuardDuty4remediationfailureE51E53EC": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for GuardDuty.4 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-GuardDuty.4-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1GuardDuty4 / (m1GuardDuty4+m2GuardDuty4)) * 100", "Id": "expr_1", "Label": "GuardDuty.4 Failure Percentage", "ReturnData": true }, { "Id": "m1GuardDuty4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "GuardDuty.4" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2GuardDuty4", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "GuardDuty.4" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "Macie1remediationfailure50CC251B": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for Macie.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-Macie.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1Macie1 / (m1Macie1+m2Macie1)) * 100", "Id": "expr_1", "Label": "Macie.1 Failure Percentage", "ReturnData": true }, { "Id": "m1Macie1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Macie.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2Macie1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "Macie.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "DynamoDB1remediationfailureC2826724": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for DynamoDB.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-DynamoDB.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1DynamoDB1 / (m1DynamoDB1+m2DynamoDB1)) * 100", "Id": "expr_1", "Label": "DynamoDB.1 Failure Percentage", "ReturnData": true }, { "Id": "m1DynamoDB1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "DynamoDB.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2DynamoDB1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "DynamoDB.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "DynamoDB5remediationfailure5A9D1618": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for DynamoDB.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-DynamoDB.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1DynamoDB5 / (m1DynamoDB5+m2DynamoDB5)) * 100", "Id": "expr_1", "Label": "DynamoDB.5 Failure Percentage", "ReturnData": true }, { "Id": "m1DynamoDB5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "DynamoDB.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2DynamoDB5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "DynamoDB.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "DynamoDB6remediationfailureDAB6ED61": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for DynamoDB.6 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-DynamoDB.6-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1DynamoDB6 / (m1DynamoDB6+m2DynamoDB6)) * 100", "Id": "expr_1", "Label": "DynamoDB.6 Failure Percentage", "ReturnData": true }, { "Id": "m1DynamoDB6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "DynamoDB.6" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2DynamoDB6", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "DynamoDB.6" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "ElastiCache1remediationfailureD82AA5E2": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for ElastiCache.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-ElastiCache.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1ElastiCache1 / (m1ElastiCache1+m2ElastiCache1)) * 100", "Id": "expr_1", "Label": "ElastiCache.1 Failure Percentage", "ReturnData": true }, { "Id": "m1ElastiCache1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ElastiCache.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2ElastiCache1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ElastiCache.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "ElastiCache2remediationfailureAFB8E4AE": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for ElastiCache.2 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-ElastiCache.2-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1ElastiCache2 / (m1ElastiCache2+m2ElastiCache2)) * 100", "Id": "expr_1", "Label": "ElastiCache.2 Failure Percentage", "ReturnData": true }, { "Id": "m1ElastiCache2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ElastiCache.2" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2ElastiCache2", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ElastiCache.2" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "ElastiCache3remediationfailure85F41AF1": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for ElastiCache.3 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-ElastiCache.3-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1ElastiCache3 / (m1ElastiCache3+m2ElastiCache3)) * 100", "Id": "expr_1", "Label": "ElastiCache.3 Failure Percentage", "ReturnData": true }, { "Id": "m1ElastiCache3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ElastiCache.3" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2ElastiCache3", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ElastiCache.3" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "ECS5remediationfailure9BD08802": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for ECS.5 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-ECS.5-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1ECS5 / (m1ECS5+m2ECS5)) * 100", "Id": "expr_1", "Label": "ECS.5 Failure Percentage", "ReturnData": true }, { "Id": "m1ECS5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ECS.5" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2ECS5", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ECS.5" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "ELB1remediationfailure2CFB0757": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for ELB.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-ELB.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1ELB1 / (m1ELB1+m2ELB1)) * 100", "Id": "expr_1", "Label": "ELB.1 Failure Percentage", "ReturnData": true }, { "Id": "m1ELB1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ELB.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2ELB1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ELB.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "ECR1remediationfailureAD78C4E8": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for ECR.1 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-ECR.1-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1ECR1 / (m1ECR1+m2ECR1)) * 100", "Id": "expr_1", "Label": "ECR.1 Failure Percentage", "ReturnData": true }, { "Id": "m1ECR1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ECR.1" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2ECR1", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "ECR.1" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "SSM7remediationfailureBCF0D2A7": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "This alarm triggers when the percentage of remediation failures for SSM.7 reaches above the configured threshold. \n This indicates that there may be a problem remediating this control ID in your AWS environment. Check the most recent failed execution of this control's runbook in the target account to identify potential issues.", "AlarmName": "ASR-SSM.7-remediation-failure", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "Metrics": [ { "Expression": "(m1SSM7 / (m1SSM7+m2SSM7)) * 100", "Id": "expr_1", "Label": "SSM.7 Failure Percentage", "ReturnData": true }, { "Id": "m1SSM7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SSM.7" }, { "Name": "Outcome", "Value": "FAILED" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false }, { "Id": "m2SSM7", "MetricStat": { "Metric": { "Dimensions": [ { "Name": "ControlId", "Value": "SSM.7" }, { "Name": "Outcome", "Value": "SUCCESS" } ], "MetricName": "RemediationOutcome", "Namespace": "ASR" }, "Period": 86400, "Stat": "Average" }, "ReturnData": false } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": { "Ref": "RemediationFailureAlarmThreshold" }, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "enhancedAlarmsEnabled" }, "RemediationDashboard7EC0D4B1": { "Type": "AWS::CloudWatch::Dashboard", "Properties": { "DashboardBody": { "Fn::Join": [ "", [ "{\"start\":\"-P7D\",\"widgets\":[{\"type\":\"text\",\"width\":24,\"height\":3,\"x\":0,\"y\":0,\"properties\":{\"markdown\":\"\\n## Total Successful Remediations\\nThis widget displays the total number of successful remediations executed and total developer hours saved in the last 3 months.\\n\\nWe estimate that, on average, it takes 30 minutes of developer time to investigate & remediate a Security Hub finding. The \\\"Estimated Hours Saved\\\" widget uses this to estimate how many developer hours were saved by using ASR in the last 3 months.\\n\"}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":0,\"y\":3,\"properties\":{\"view\":\"singleValue\",\"title\":\"Total Successful Remediations\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"SUCCESS\",{\"label\":\"Successful Remediations\",\"period\":7776000,\"stat\":\"Sum\"}]],\"setPeriodToTimeRange\":true}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":6,\"y\":3,\"properties\":{\"view\":\"singleValue\",\"title\":\"Estimated Hours Saved\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[{\"label\":\"Estimated Hours Saved\",\"expression\":\"(m1 * 10) / 60\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"SUCCESS\",{\"label\":\"Successful Remediations\",\"id\":\"m1\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}]],\"setPeriodToTimeRange\":true}},{\"type\":\"text\",\"width\":24,\"height\":6,\"x\":0,\"y\":9,\"properties\":{\"markdown\":\"\\n## Remediation Failures by Type\\nThis widget displays the frequency of various remediation failures. \\n* `Lambda Error`: One or more of the solution's Lambda Functions failed to execute. See the Orchestrator step function execution for details.\\n* `Runbook Not Active`: The runbook associated with this remediation is not properly deployed in the solution's Admin and/or Member stack. Verify the solution's parameters.\\n* `No Runbook`: This indicates a remediation was attempted and an ASR runbook could not be found.\\n* `Playbook Not Enabled`: The ASR playbook associated with the finding is not enabled. Ensure that the correct playbook parameter is enabled in the Admin & Member stacks.\\n* `SSM Doc Failed`: The remediation script failed to execute. Check the Orchestrator step function to determine which account the remediation was executed in, then view the SSM automation execution history for failures.\\n\\nIf there is an increase in `NO_RUNBOOK` results, this indicates that (1) the account/region where findings are being generated does not have the member stack installed, or (2) ASR does not implement a remediation for the findings being executed. You should also verify that this is not caused by a malformed event pattern in the automatic remediation EventBridge rules.\\n\"}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":0,\"y\":15,\"properties\":{\"view\":\"timeSeries\",\"title\":\"Remediation Failures\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[{\"label\":\"FAILURE\",\"expression\":\"SUM([m1+m2+m3+m4+m5])\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"LAMBDA_ERROR\",{\"label\":\"Lambda Error\",\"id\":\"m1\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"RUNBOOK_NOT_ACTIVE\",{\"label\":\"Runbook Not Active\",\"id\":\"m2\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"NO_RUNBOOK\",{\"label\":\"No Remediation\",\"id\":\"m3\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"PLAYBOOK_NOT_ENABLED\",{\"label\":\"Playbook Not Enabled\",\"id\":\"m4\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"FAILED\",{\"label\":\"SSM Doc Failed\",\"id\":\"m5\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}]],\"yAxis\":{\"left\":{\"showUnits\":false}}}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":6,\"y\":15,\"properties\":{\"view\":\"timeSeries\",\"title\":\"Remediation Failures by Type\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"LAMBDA_ERROR\",{\"label\":\"Lambda Error\",\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"RUNBOOK_NOT_ACTIVE\",{\"label\":\"Runbook Not Active\",\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"NO_RUNBOOK\",{\"label\":\"No Remediation\",\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"PLAYBOOK_NOT_ENABLED\",{\"label\":\"Playbook Not Enabled\",\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"FAILED\",{\"label\":\"SSM Doc Failed\",\"period\":86400,\"stat\":\"Sum\"}]],\"yAxis\":{\"left\":{\"showUnits\":false}}}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":12,\"y\":15,\"properties\":{\"view\":\"timeSeries\",\"title\":\"Remediation Failure Rate\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[{\"label\":\"Overall Failure Rate\",\"expression\":\"(failuresByType / (failuresByType + successMetric)) * 100\",\"period\":86400}],[{\"label\":\"FAILURE\",\"expression\":\"SUM([m1+m2+m3+m4+m5])\",\"period\":86400,\"visible\":false,\"id\":\"failuresByType\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"LAMBDA_ERROR\",{\"label\":\"Lambda Error\",\"id\":\"m1\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"RUNBOOK_NOT_ACTIVE\",{\"label\":\"Runbook Not Active\",\"id\":\"m2\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"NO_RUNBOOK\",{\"label\":\"No Remediation\",\"id\":\"m3\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"PLAYBOOK_NOT_ENABLED\",{\"label\":\"Playbook Not Enabled\",\"id\":\"m4\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"FAILED\",{\"label\":\"SSM Doc Failed\",\"id\":\"m5\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}],[\"ASR\",\"RemediationOutcome\",\"Outcome\",\"SUCCESS\",{\"label\":\"Successful Remediations\",\"id\":\"successMetric\",\"visible\":false,\"period\":86400,\"stat\":\"Sum\"}]],\"yAxis\":{\"left\":{\"showUnits\":false}}}},{\"type\":\"text\",\"width\":24,\"height\":3,\"x\":0,\"y\":21,\"properties\":{\"markdown\":\"\\n## Remediation Success/Failure by Control ID\\nThis widget displays the number of successful and failed remediations by Control ID. You must select \\\"Yes\\\" for EnableEnhancedCloudWatchMetrics when deploying the Admin stack to view these metrics.\\n\\nThe number of failed remediations per Control ID can inform you of frequent issues that arise when ASR attempts to remediate a specific finding in your AWS environment. If a high number of failures occur on a small subset of controls, you can investigate the issue by navigating to `Systems Manager > Automation` to search for recent executions of the control runbook associated with the failing Control ID. \\n\"}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":0,\"y\":24,\"properties\":{\"view\":\"bar\",\"title\":\"Successful remediations by Control Id\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[{\"expression\":\"SORT(SEARCH('{ASR,ControlId,Outcome} Outcome=\\\"SUCCESS\\\"', 'Sum'), SUM, ASC)\",\"period\":86400}]],\"yAxis\":{},\"stat\":\"Sum\"}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":6,\"y\":24,\"properties\":{\"view\":\"bar\",\"title\":\"Failed remediations by Control Id\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[{\"expression\":\"SORT(SEARCH('{ASR,ControlId,Outcome} Outcome=\\\"FAILED\\\"', 'Sum'), SUM, ASC)\",\"period\":86400}]],\"yAxis\":{},\"stat\":\"Sum\"}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":12,\"y\":24,\"properties\":{\"view\":\"timeSeries\",\"title\":\"Remediation Failure Rate by Control Id\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[{\"label\":\"AutoScaling.1 Failure Percentage\",\"expression\":\"(m1AutoScaling1 / (m1AutoScaling1+m2AutoScaling1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"AutoScaling.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1AutoScaling1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"AutoScaling.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2AutoScaling1\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudFormation.1 Failure Percentage\",\"expression\":\"(m1CloudFormation1 / (m1CloudFormation1+m2CloudFormation1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudFormation.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudFormation1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudFormation.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudFormation1\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudFront.1 Failure Percentage\",\"expression\":\"(m1CloudFront1 / (m1CloudFront1+m2CloudFront1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudFront.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudFront1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudFront.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudFront1\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudFront.12 Failure Percentage\",\"expression\":\"(m1CloudFront12 / (m1CloudFront12+m2CloudFront12)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudFront.12\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudFront12\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudFront.12\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudFront12\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudTrail.1 Failure Percentage\",\"expression\":\"(m1CloudTrail1 / (m1CloudTrail1+m2CloudTrail1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudTrail1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudTrail1\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudTrail.2 Failure Percentage\",\"expression\":\"(m1CloudTrail2 / (m1CloudTrail2+m2CloudTrail2)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudTrail2\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudTrail2\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudTrail.3 Failure Percentage\",\"expression\":\"(m1CloudTrail3 / (m1CloudTrail3+m2CloudTrail3)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.3\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudTrail3\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.3\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudTrail3\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudTrail.4 Failure Percentage\",\"expression\":\"(m1CloudTrail4 / (m1CloudTrail4+m2CloudTrail4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudTrail4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudTrail4\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudTrail.5 Failure Percentage\",\"expression\":\"(m1CloudTrail5 / (m1CloudTrail5+m2CloudTrail5)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudTrail5\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudTrail5\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudTrail.6 Failure Percentage\",\"expression\":\"(m1CloudTrail6 / (m1CloudTrail6+m2CloudTrail6)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.6\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudTrail6\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.6\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudTrail6\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudTrail.7 Failure Percentage\",\"expression\":\"(m1CloudTrail7 / (m1CloudTrail7+m2CloudTrail7)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.7\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudTrail7\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudTrail.7\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudTrail7\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.1 Failure Percentage\",\"expression\":\"(m1CloudWatch1 / (m1CloudWatch1+m2CloudWatch1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch1\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.2 Failure Percentage\",\"expression\":\"(m1CloudWatch2 / (m1CloudWatch2+m2CloudWatch2)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch2\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch2\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.3 Failure Percentage\",\"expression\":\"(m1CloudWatch3 / (m1CloudWatch3+m2CloudWatch3)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.3\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch3\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.3\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch3\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.4 Failure Percentage\",\"expression\":\"(m1CloudWatch4 / (m1CloudWatch4+m2CloudWatch4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch4\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.5 Failure Percentage\",\"expression\":\"(m1CloudWatch5 / (m1CloudWatch5+m2CloudWatch5)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch5\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch5\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.6 Failure Percentage\",\"expression\":\"(m1CloudWatch6 / (m1CloudWatch6+m2CloudWatch6)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.6\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch6\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.6\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch6\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.7 Failure Percentage\",\"expression\":\"(m1CloudWatch7 / (m1CloudWatch7+m2CloudWatch7)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.7\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch7\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.7\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch7\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.8 Failure Percentage\",\"expression\":\"(m1CloudWatch8 / (m1CloudWatch8+m2CloudWatch8)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.8\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch8\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.8\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch8\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.9 Failure Percentage\",\"expression\":\"(m1CloudWatch9 / (m1CloudWatch9+m2CloudWatch9)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.9\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch9\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.9\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch9\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.10 Failure Percentage\",\"expression\":\"(m1CloudWatch10 / (m1CloudWatch10+m2CloudWatch10)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.10\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch10\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.10\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch10\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.11 Failure Percentage\",\"expression\":\"(m1CloudWatch11 / (m1CloudWatch11+m2CloudWatch11)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.11\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch11\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.11\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch11\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.12 Failure Percentage\",\"expression\":\"(m1CloudWatch12 / (m1CloudWatch12+m2CloudWatch12)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.12\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch12\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.12\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch12\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.13 Failure Percentage\",\"expression\":\"(m1CloudWatch13 / (m1CloudWatch13+m2CloudWatch13)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.13\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch13\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.13\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch13\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.14 Failure Percentage\",\"expression\":\"(m1CloudWatch14 / (m1CloudWatch14+m2CloudWatch14)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.14\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch14\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.14\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch14\",\"visible\":false,\"period\":86400}],[{\"label\":\"CodeBuild.2 Failure Percentage\",\"expression\":\"(m1CodeBuild2 / (m1CodeBuild2+m2CodeBuild2)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CodeBuild.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1CodeBuild2\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CodeBuild.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CodeBuild2\",\"visible\":false,\"period\":86400}],[{\"label\":\"CodeBuild.5 Failure Percentage\",\"expression\":\"(m1CodeBuild5 / (m1CodeBuild5+m2CodeBuild5)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CodeBuild.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1CodeBuild5\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CodeBuild.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CodeBuild5\",\"visible\":false,\"period\":86400}],[{\"label\":\"Config.1 Failure Percentage\",\"expression\":\"(m1Config1 / (m1Config1+m2Config1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Config.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1Config1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Config.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Config1\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.1 Failure Percentage\",\"expression\":\"(m1EC21 / (m1EC21+m2EC21)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC21\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC21\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.2 Failure Percentage\",\"expression\":\"(m1EC22 / (m1EC22+m2EC22)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC22\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC22\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.4 Failure Percentage\",\"expression\":\"(m1EC24 / (m1EC24+m2EC24)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC24\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC24\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.6 Failure Percentage\",\"expression\":\"(m1EC26 / (m1EC26+m2EC26)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.6\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC26\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.6\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC26\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.7 Failure Percentage\",\"expression\":\"(m1EC27 / (m1EC27+m2EC27)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.7\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC27\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.7\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC27\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.8 Failure Percentage\",\"expression\":\"(m1EC28 / (m1EC28+m2EC28)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.8\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC28\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.8\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC28\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.13 Failure Percentage\",\"expression\":\"(m1EC213 / (m1EC213+m2EC213)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.13\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC213\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.13\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC213\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.14 Failure Percentage\",\"expression\":\"(m1EC214 / (m1EC214+m2EC214)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.14\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC214\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.14\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC214\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.15 Failure Percentage\",\"expression\":\"(m1EC215 / (m1EC215+m2EC215)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.15\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC215\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.15\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC215\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.18 Failure Percentage\",\"expression\":\"(m1EC218 / (m1EC218+m2EC218)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.18\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC218\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.18\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC218\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.19 Failure Percentage\",\"expression\":\"(m1EC219 / (m1EC219+m2EC219)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.19\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC219\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.19\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC219\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.23 Failure Percentage\",\"expression\":\"(m1EC223 / (m1EC223+m2EC223)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.23\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC223\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.23\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC223\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.3 Failure Percentage\",\"expression\":\"(m1IAM3 / (m1IAM3+m2IAM3)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.3\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM3\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.3\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM3\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.7 Failure Percentage\",\"expression\":\"(m1IAM7 / (m1IAM7+m2IAM7)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.7\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM7\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.7\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM7\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.8 Failure Percentage\",\"expression\":\"(m1IAM8 / (m1IAM8+m2IAM8)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.8\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM8\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.8\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM8\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.11 Failure Percentage\",\"expression\":\"(m1IAM11 / (m1IAM11+m2IAM11)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.11\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM11\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.11\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM11\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.12 Failure Percentage\",\"expression\":\"(m1IAM12 / (m1IAM12+m2IAM12)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.12\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM12\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.12\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM12\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.13 Failure Percentage\",\"expression\":\"(m1IAM13 / (m1IAM13+m2IAM13)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.13\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM13\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.13\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM13\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.14 Failure Percentage\",\"expression\":\"(m1IAM14 / (m1IAM14+m2IAM14)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.14\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM14\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.14\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM14\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.15 Failure Percentage\",\"expression\":\"(m1IAM15 / (m1IAM15+m2IAM15)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.15\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM15\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.15\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM15\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.16 Failure Percentage\",\"expression\":\"(m1IAM16 / (m1IAM16+m2IAM16)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.16\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM16\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.16\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM16\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.17 Failure Percentage\",\"expression\":\"(m1IAM17 / (m1IAM17+m2IAM17)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.17\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM17\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.17\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM17\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.18 Failure Percentage\",\"expression\":\"(m1IAM18 / (m1IAM18+m2IAM18)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.18\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM18\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.18\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM18\",\"visible\":false,\"period\":86400}],[{\"label\":\"IAM.22 Failure Percentage\",\"expression\":\"(m1IAM22 / (m1IAM22+m2IAM22)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.22\",\"Outcome\",\"FAILED\",{\"id\":\"m1IAM22\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"IAM.22\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2IAM22\",\"visible\":false,\"period\":86400}],[{\"label\":\"KMS.4 Failure Percentage\",\"expression\":\"(m1KMS4 / (m1KMS4+m2KMS4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"KMS.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1KMS4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"KMS.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2KMS4\",\"visible\":false,\"period\":86400}],[{\"label\":\"Lambda.1 Failure Percentage\",\"expression\":\"(m1Lambda1 / (m1Lambda1+m2Lambda1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Lambda.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1Lambda1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Lambda.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Lambda1\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.1 Failure Percentage\",\"expression\":\"(m1RDS1 / (m1RDS1+m2RDS1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS1\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.2 Failure Percentage\",\"expression\":\"(m1RDS2 / (m1RDS2+m2RDS2)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS2\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS2\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.4 Failure Percentage\",\"expression\":\"(m1RDS4 / (m1RDS4+m2RDS4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS4\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.5 Failure Percentage\",\"expression\":\"(m1RDS5 / (m1RDS5+m2RDS5)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS5\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS5\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.6 Failure Percentage\",\"expression\":\"(m1RDS6 / (m1RDS6+m2RDS6)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.6\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS6\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.6\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS6\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.7 Failure Percentage\",\"expression\":\"(m1RDS7 / (m1RDS7+m2RDS7)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.7\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS7\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.7\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS7\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.8 Failure Percentage\",\"expression\":\"(m1RDS8 / (m1RDS8+m2RDS8)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.8\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS8\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.8\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS8\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.13 Failure Percentage\",\"expression\":\"(m1RDS13 / (m1RDS13+m2RDS13)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.13\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS13\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.13\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS13\",\"visible\":false,\"period\":86400}],[{\"label\":\"RDS.16 Failure Percentage\",\"expression\":\"(m1RDS16 / (m1RDS16+m2RDS16)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.16\",\"Outcome\",\"FAILED\",{\"id\":\"m1RDS16\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"RDS.16\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2RDS16\",\"visible\":false,\"period\":86400}],[{\"label\":\"Redshift.1 Failure Percentage\",\"expression\":\"(m1Redshift1 / (m1Redshift1+m2Redshift1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Redshift.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1Redshift1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Redshift.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Redshift1\",\"visible\":false,\"period\":86400}],[{\"label\":\"Redshift.3 Failure Percentage\",\"expression\":\"(m1Redshift3 / (m1Redshift3+m2Redshift3)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Redshift.3\",\"Outcome\",\"FAILED\",{\"id\":\"m1Redshift3\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Redshift.3\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Redshift3\",\"visible\":false,\"period\":86400}],[{\"label\":\"Redshift.4 Failure Percentage\",\"expression\":\"(m1Redshift4 / (m1Redshift4+m2Redshift4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Redshift.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1Redshift4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Redshift.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Redshift4\",\"visible\":false,\"period\":86400}],[{\"label\":\"Redshift.6 Failure Percentage\",\"expression\":\"(m1Redshift6 / (m1Redshift6+m2Redshift6)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Redshift.6\",\"Outcome\",\"FAILED\",{\"id\":\"m1Redshift6\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Redshift.6\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Redshift6\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.1 Failure Percentage\",\"expression\":\"(m1S31 / (m1S31+m2S31)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1S31\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S31\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.2 Failure Percentage\",\"expression\":\"(m1S32 / (m1S32+m2S32)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1S32\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S32\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.3 Failure Percentage\",\"expression\":\"(m1S33 / (m1S33+m2S33)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.3\",\"Outcome\",\"FAILED\",{\"id\":\"m1S33\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.3\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S33\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.4 Failure Percentage\",\"expression\":\"(m1S34 / (m1S34+m2S34)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1S34\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S34\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.5 Failure Percentage\",\"expression\":\"(m1S35 / (m1S35+m2S35)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1S35\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S35\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.6 Failure Percentage\",\"expression\":\"(m1S36 / (m1S36+m2S36)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.6\",\"Outcome\",\"FAILED\",{\"id\":\"m1S36\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.6\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S36\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.8 Failure Percentage\",\"expression\":\"(m1S38 / (m1S38+m2S38)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.8\",\"Outcome\",\"FAILED\",{\"id\":\"m1S38\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.8\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S38\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.9 Failure Percentage\",\"expression\":\"(m1S39 / (m1S39+m2S39)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.9\",\"Outcome\",\"FAILED\",{\"id\":\"m1S39\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.9\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S39\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.11 Failure Percentage\",\"expression\":\"(m1S311 / (m1S311+m2S311)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.11\",\"Outcome\",\"FAILED\",{\"id\":\"m1S311\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.11\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S311\",\"visible\":false,\"period\":86400}],[{\"label\":\"S3.13 Failure Percentage\",\"expression\":\"(m1S313 / (m1S313+m2S313)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.13\",\"Outcome\",\"FAILED\",{\"id\":\"m1S313\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"S3.13\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2S313\",\"visible\":false,\"period\":86400}],[{\"label\":\"SecretsManager.1 Failure Percentage\",\"expression\":\"(m1SecretsManager1 / (m1SecretsManager1+m2SecretsManager1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SecretsManager.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1SecretsManager1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SecretsManager.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SecretsManager1\",\"visible\":false,\"period\":86400}],[{\"label\":\"SecretsManager.3 Failure Percentage\",\"expression\":\"(m1SecretsManager3 / (m1SecretsManager3+m2SecretsManager3)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SecretsManager.3\",\"Outcome\",\"FAILED\",{\"id\":\"m1SecretsManager3\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SecretsManager.3\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SecretsManager3\",\"visible\":false,\"period\":86400}],[{\"label\":\"SecretsManager.4 Failure Percentage\",\"expression\":\"(m1SecretsManager4 / (m1SecretsManager4+m2SecretsManager4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SecretsManager.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1SecretsManager4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SecretsManager.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SecretsManager4\",\"visible\":false,\"period\":86400}],[{\"label\":\"SNS.1 Failure Percentage\",\"expression\":\"(m1SNS1 / (m1SNS1+m2SNS1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SNS.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1SNS1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SNS.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SNS1\",\"visible\":false,\"period\":86400}],[{\"label\":\"SNS.2 Failure Percentage\",\"expression\":\"(m1SNS2 / (m1SNS2+m2SNS2)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SNS.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1SNS2\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SNS.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SNS2\",\"visible\":false,\"period\":86400}],[{\"label\":\"SQS.1 Failure Percentage\",\"expression\":\"(m1SQS1 / (m1SQS1+m2SQS1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SQS.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1SQS1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SQS.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SQS1\",\"visible\":false,\"period\":86400}],[{\"label\":\"SSM.4 Failure Percentage\",\"expression\":\"(m1SSM4 / (m1SSM4+m2SSM4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SSM.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1SSM4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SSM.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SSM4\",\"visible\":false,\"period\":86400}],[{\"label\":\"GuardDuty.1 Failure Percentage\",\"expression\":\"(m1GuardDuty1 / (m1GuardDuty1+m2GuardDuty1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"GuardDuty.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1GuardDuty1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"GuardDuty.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2GuardDuty1\",\"visible\":false,\"period\":86400}],[{\"label\":\"Athena.4 Failure Percentage\",\"expression\":\"(m1Athena4 / (m1Athena4+m2Athena4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Athena.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1Athena4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Athena.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Athena4\",\"visible\":false,\"period\":86400}],[{\"label\":\"APIGateway.1 Failure Percentage\",\"expression\":\"(m1APIGateway1 / (m1APIGateway1+m2APIGateway1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"APIGateway.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1APIGateway1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"APIGateway.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2APIGateway1\",\"visible\":false,\"period\":86400}],[{\"label\":\"APIGateway.5 Failure Percentage\",\"expression\":\"(m1APIGateway5 / (m1APIGateway5+m2APIGateway5)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"APIGateway.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1APIGateway5\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"APIGateway.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2APIGateway5\",\"visible\":false,\"period\":86400}],[{\"label\":\"AutoScaling.3 Failure Percentage\",\"expression\":\"(m1AutoScaling3 / (m1AutoScaling3+m2AutoScaling3)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"AutoScaling.3\",\"Outcome\",\"FAILED\",{\"id\":\"m1AutoScaling3\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"AutoScaling.3\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2AutoScaling3\",\"visible\":false,\"period\":86400}],[{\"label\":\"Autoscaling.5 Failure Percentage\",\"expression\":\"(m1Autoscaling5 / (m1Autoscaling5+m2Autoscaling5)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Autoscaling.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1Autoscaling5\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Autoscaling.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Autoscaling5\",\"visible\":false,\"period\":86400}],[{\"label\":\"CloudWatch.16 Failure Percentage\",\"expression\":\"(m1CloudWatch16 / (m1CloudWatch16+m2CloudWatch16)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.16\",\"Outcome\",\"FAILED\",{\"id\":\"m1CloudWatch16\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"CloudWatch.16\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2CloudWatch16\",\"visible\":false,\"period\":86400}],[{\"label\":\"EC2.10 Failure Percentage\",\"expression\":\"(m1EC210 / (m1EC210+m2EC210)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.10\",\"Outcome\",\"FAILED\",{\"id\":\"m1EC210\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"EC2.10\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2EC210\",\"visible\":false,\"period\":86400}],[{\"label\":\"SSM.1 Failure Percentage\",\"expression\":\"(m1SSM1 / (m1SSM1+m2SSM1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SSM.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1SSM1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SSM.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SSM1\",\"visible\":false,\"period\":86400}],[{\"label\":\"GuardDuty.2 Failure Percentage\",\"expression\":\"(m1GuardDuty2 / (m1GuardDuty2+m2GuardDuty2)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"GuardDuty.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1GuardDuty2\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"GuardDuty.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2GuardDuty2\",\"visible\":false,\"period\":86400}],[{\"label\":\"GuardDuty.4 Failure Percentage\",\"expression\":\"(m1GuardDuty4 / (m1GuardDuty4+m2GuardDuty4)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"GuardDuty.4\",\"Outcome\",\"FAILED\",{\"id\":\"m1GuardDuty4\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"GuardDuty.4\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2GuardDuty4\",\"visible\":false,\"period\":86400}],[{\"label\":\"Macie.1 Failure Percentage\",\"expression\":\"(m1Macie1 / (m1Macie1+m2Macie1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Macie.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1Macie1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"Macie.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2Macie1\",\"visible\":false,\"period\":86400}],[{\"label\":\"DynamoDB.1 Failure Percentage\",\"expression\":\"(m1DynamoDB1 / (m1DynamoDB1+m2DynamoDB1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"DynamoDB.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1DynamoDB1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"DynamoDB.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2DynamoDB1\",\"visible\":false,\"period\":86400}],[{\"label\":\"DynamoDB.5 Failure Percentage\",\"expression\":\"(m1DynamoDB5 / (m1DynamoDB5+m2DynamoDB5)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"DynamoDB.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1DynamoDB5\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"DynamoDB.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2DynamoDB5\",\"visible\":false,\"period\":86400}],[{\"label\":\"DynamoDB.6 Failure Percentage\",\"expression\":\"(m1DynamoDB6 / (m1DynamoDB6+m2DynamoDB6)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"DynamoDB.6\",\"Outcome\",\"FAILED\",{\"id\":\"m1DynamoDB6\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"DynamoDB.6\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2DynamoDB6\",\"visible\":false,\"period\":86400}],[{\"label\":\"ElastiCache.1 Failure Percentage\",\"expression\":\"(m1ElastiCache1 / (m1ElastiCache1+m2ElastiCache1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ElastiCache.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1ElastiCache1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ElastiCache.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2ElastiCache1\",\"visible\":false,\"period\":86400}],[{\"label\":\"ElastiCache.2 Failure Percentage\",\"expression\":\"(m1ElastiCache2 / (m1ElastiCache2+m2ElastiCache2)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ElastiCache.2\",\"Outcome\",\"FAILED\",{\"id\":\"m1ElastiCache2\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ElastiCache.2\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2ElastiCache2\",\"visible\":false,\"period\":86400}],[{\"label\":\"ElastiCache.3 Failure Percentage\",\"expression\":\"(m1ElastiCache3 / (m1ElastiCache3+m2ElastiCache3)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ElastiCache.3\",\"Outcome\",\"FAILED\",{\"id\":\"m1ElastiCache3\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ElastiCache.3\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2ElastiCache3\",\"visible\":false,\"period\":86400}],[{\"label\":\"ECS.5 Failure Percentage\",\"expression\":\"(m1ECS5 / (m1ECS5+m2ECS5)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ECS.5\",\"Outcome\",\"FAILED\",{\"id\":\"m1ECS5\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ECS.5\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2ECS5\",\"visible\":false,\"period\":86400}],[{\"label\":\"ELB.1 Failure Percentage\",\"expression\":\"(m1ELB1 / (m1ELB1+m2ELB1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ELB.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1ELB1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ELB.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2ELB1\",\"visible\":false,\"period\":86400}],[{\"label\":\"ECR.1 Failure Percentage\",\"expression\":\"(m1ECR1 / (m1ECR1+m2ECR1)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ECR.1\",\"Outcome\",\"FAILED\",{\"id\":\"m1ECR1\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"ECR.1\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2ECR1\",\"visible\":false,\"period\":86400}],[{\"label\":\"SSM.7 Failure Percentage\",\"expression\":\"(m1SSM7 / (m1SSM7+m2SSM7)) * 100\",\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SSM.7\",\"Outcome\",\"FAILED\",{\"id\":\"m1SSM7\",\"visible\":false,\"period\":86400}],[\"ASR\",\"RemediationOutcome\",\"ControlId\",\"SSM.7\",\"Outcome\",\"SUCCESS\",{\"id\":\"m2SSM7\",\"visible\":false,\"period\":86400}]],\"annotations\":{\"horizontal\":[{\"value\":", { "Ref": "RemediationFailureAlarmThreshold" }, ",\"label\":\"S3.9 Failure Percentage >= threshold for 1 datapoints within 1 day\",\"color\":\"#d62728\",\"visible\":true,\"yAxis\":\"left\"}]},\"yAxis\":{}}},{\"type\":\"text\",\"width\":24,\"height\":3,\"x\":0,\"y\":30,\"properties\":{\"markdown\":\"\\n## Runbook Assume Role Failures\\nThis widget displays the frequency of the remediation lambda failing to assume the role necessary to remediate on a different account.\\n\\nThis may indicate that ASR is attempting to remediate on a spoke account that does not have ASR installed.\\n\"}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":0,\"y\":33,\"properties\":{\"view\":\"timeSeries\",\"title\":\"Runbook Assume Role Failures\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"metrics\":[[\"ASR\",\"AssumeRoleFailure\",{\"label\":\"Runbook Assume Role Failures\",\"period\":86400,\"stat\":\"Sum\"}]],\"annotations\":{\"horizontal\":[{\"label\":\"Runbook Assume Role Failures >= 1 for 1 datapoints within 1440 minutes\",\"value\":1,\"yAxis\":\"left\"}]},\"yAxis\":{\"left\":{\"showUnits\":false}}}},{\"type\":\"text\",\"width\":24,\"height\":3,\"x\":0,\"y\":39,\"properties\":{\"markdown\":\"\\n## Action Log\\nThis widget displays AWS resource changes that ASR has conducted in member accounts.\\n\\nThe actions shown are based on CloudTrail management events in the member accounts. Actions are only reported if the member stack is deployed with \\\"Create Action Log CloudTrail\\\" set to \\\"Yes\\\".\\n\"}},{\"type\":\"log\",\"width\":24,\"height\":8,\"x\":0,\"y\":42,\"properties\":{\"view\":\"table\",\"title\":\"CloudTrail Management Actions by ASR\",\"region\":\"", { "Ref": "AWS::Region" }, "\",\"query\":\"SOURCE '/aws/lambda/SO0111-ASR-CloudTrailEvents' | fields @timestamp, eventSource, eventName, awsRegion, recipientAccountId, resources.0.ARN, @message\\n| sort @timestamp desc\\n| limit 20\"}}]}" ] ] }, "DashboardName": "ASR-Remediation-Metrics-Dashboard" }, "Condition": "isUsingCloudWatchMetrics" }, "CognitoRiskAlarm186179D3": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "Alarm for the Automated Security Response on AWS Cognito User Pool: Requests that Amazon Cognito marked as risky", "AlarmName": "ASR-Cognito-Risk", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "Dimensions": [ { "Name": "UserPool", "Value": { "Fn::GetAtt": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB", "Outputs.SolutionDeployStackWebUINestedStackCognitoConstructASRUserPool51186313Ref" ] } } ], "EvaluationPeriods": 5, "MetricName": "Risk", "Namespace": "AWS/Cognito", "Period": 60, "Statistic": "Sum", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": 1, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "cognitoAlarmsEnabled" }, "CognitoOverrideBlockAlarm65C6E1D5": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "Alarm for the Automated Security Response on AWS Cognito User Pool: Requests that Amazon Cognito blocked because of the configuration provided by the developer", "AlarmName": "ASR-Cognito-OverrideBlock", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 5, "Dimensions": [ { "Name": "UserPool", "Value": { "Fn::GetAtt": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB", "Outputs.SolutionDeployStackWebUINestedStackCognitoConstructASRUserPool51186313Ref" ] } } ], "EvaluationPeriods": 5, "MetricName": "OverrideBlock", "Namespace": "AWS/Cognito", "Period": 60, "Statistic": "Sum", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": 1, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "cognitoAlarmsEnabled" }, "CognitoSignInThrottlesAlarm8626B280": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "ASRAlarmTopic7CEFBDF9" } ], "AlarmDescription": "Alarm for the Automated Security Response on AWS Cognito User Pool: Total number of throttled user authentication requests made to the Amazon Cognito user pool", "AlarmName": "ASR-Cognito-SignInThrottles", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 5, "Dimensions": [ { "Name": "UserPool", "Value": { "Fn::GetAtt": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB", "Outputs.SolutionDeployStackWebUINestedStackCognitoConstructASRUserPool51186313Ref" ] } } ], "EvaluationPeriods": 5, "MetricName": "SignInThrottles", "Namespace": "AWS/Cognito", "Period": 60, "Statistic": "Sum", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.5" } ], "Threshold": 1, "TreatMissingData": "notBreaching" }, "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } }, "Condition": "cognitoAlarmsEnabled" } }, "Parameters": { "EnableEnhancedCloudWatchMetrics": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Enable collection of metrics per Control ID in addition to standard metrics. You must also select 'yes' for UseCloudWatchMetrics to enable enhanced metric collection. The added cost of these additional custom metrics could be up to $67.20/month." }, "ShouldDeployWebUI": { "Type": "String", "Default": "yes", "AllowedValues": [ "yes", "no" ], "Description": "Deploy the Web UI components including API Gateway, Lambda functions, and CloudFront distribution. Select \"yes\" to enable the web-based dashboard for viewing findings and remediation status." }, "AdminUserEmail": { "Type": "String", "Default": "", "Description": "Email address for the initial admin user. This user will have full administrative access to the ASR Web UI. Required when Web UI is enabled." }, "TicketGenFunctionName": { "Type": "String", "Default": "", "AllowedPattern": "^$|^([a-zA-Z0-9\\-_]{1,64})?$", "Description": "Enter the name of the Lambda function you would like to use to generate tickets when remediations are successfully completed. This function must be in the same region where you are deploying this stack. Leave this field blank if you do not want to enable ticketing. The function you provide should be implemented to create a ticket in your service of choice based on input from the Orchestrator step function. To reference or use the provided Ticket Generator function for Jira or ServiceNow, see the Blueprint stacks in the solution's implementation guide." }, "ReuseOrchestratorLogGroup": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Reuse existing Orchestrator Log Group? Choose \"yes\" if the log group already exists, else \"no\".\n If you are upgrading to v2.3.0+ from an earlier version choose \"no\"." }, "LoadAFSBPAdminStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the admin components to enable automated remediation for AFSBP controls. To activate automated remediations, ensure the corresponding EventBridge rules are enabled after deployment." }, "LoadCIS120AdminStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the admin components to enable automated remediation for CIS120 controls. To activate automated remediations, ensure the corresponding EventBridge rules are enabled after deployment." }, "LoadCIS140AdminStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the admin components to enable automated remediation for CIS140 controls. To activate automated remediations, ensure the corresponding EventBridge rules are enabled after deployment." }, "LoadNIST80053AdminStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the admin components to enable automated remediation for NIST80053 controls. To activate automated remediations, ensure the corresponding EventBridge rules are enabled after deployment." }, "LoadPCI321AdminStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the admin components to enable automated remediation for PCI321 controls. To activate automated remediations, ensure the corresponding EventBridge rules are enabled after deployment." }, "LoadCIS300AdminStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the admin components to enable automated remediation for CIS300 controls. To activate automated remediations, ensure the corresponding EventBridge rules are enabled after deployment." }, "LoadSCAdminStack": { "Type": "String", "Default": "yes", "AllowedValues": [ "yes", "no" ], "Description": "If the consolidated control findings feature is turned on in Security Hub, only enable the Security Control (SC) playbook. If the feature is not turned on, enable the playbooks for the security standards that are enabled in Security Hub. Enabling additional playbooks can result in reaching the quota for EventBridge Rules." }, "UseCloudWatchMetrics": { "Type": "String", "Default": "yes", "AllowedValues": [ "yes", "no" ], "Description": "Enable collection of operational metrics and create a CloudWatch dashboard to monitor solution operations" }, "UseCloudWatchMetricsAlarms": { "Type": "String", "Default": "yes", "AllowedValues": [ "yes", "no" ], "Description": "Create CloudWatch Alarms for gathered metrics" }, "RemediationFailureAlarmThreshold": { "Type": "Number", "Default": 5, "Description": "Percentage of failures in one period (1 day) to trigger the remediation failures alarm for a given control ID. E.g., to specify 20% then enter the number 20. These alarms will not be created if you select \"no\" for either of the following standardMetricParameters: UseCloudWatchMetricsAlarms, EnableEnhancedCloudWatchMetrics." } }, "Conditions": { "enhancedMetricsEnabled": { "Fn::Equals": [ { "Ref": "EnableEnhancedCloudWatchMetrics" }, "yes" ] }, "webUIEnabled": { "Fn::Equals": [ { "Ref": "ShouldDeployWebUI" }, "yes" ] }, "orchestratorTicketingEnabledConditionEE999626": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "TicketGenFunctionName" }, "" ] } ] }, "loadAFSBPCond": { "Fn::Equals": [ { "Ref": "LoadAFSBPAdminStack" }, "yes" ] }, "loadCIS120Cond": { "Fn::Equals": [ { "Ref": "LoadCIS120AdminStack" }, "yes" ] }, "loadCIS140Cond": { "Fn::Equals": [ { "Ref": "LoadCIS140AdminStack" }, "yes" ] }, "loadNIST80053Cond": { "Fn::Equals": [ { "Ref": "LoadNIST80053AdminStack" }, "yes" ] }, "loadPCI321Cond": { "Fn::Equals": [ { "Ref": "LoadPCI321AdminStack" }, "yes" ] }, "loadCIS300Cond": { "Fn::Equals": [ { "Ref": "LoadCIS300AdminStack" }, "yes" ] }, "loadSCCond": { "Fn::Equals": [ { "Ref": "LoadSCAdminStack" }, "yes" ] }, "isUsingCloudWatchMetrics": { "Fn::Equals": [ { "Ref": "UseCloudWatchMetrics" }, "yes" ] }, "isUsingCloudWatchMetricsAlarms": { "Fn::And": [ { "Condition": "isUsingCloudWatchMetrics" }, { "Fn::Equals": [ { "Ref": "UseCloudWatchMetricsAlarms" }, "yes" ] } ] }, "enhancedAlarmsEnabled": { "Fn::And": [ { "Condition": "enhancedMetricsEnabled" }, { "Condition": "isUsingCloudWatchMetricsAlarms" } ] }, "cognitoAlarmsEnabled": { "Fn::And": [ { "Condition": "isUsingCloudWatchMetricsAlarms" }, { "Condition": "webUIEnabled" } ] } }, "Rules": { "AdminUserEmailValidation": { "RuleCondition": { "Fn::Equals": [ { "Ref": "ShouldDeployWebUI" }, "yes" ] }, "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "AdminUserEmail" }, "" ] } ] }, "AssertDescription": "AdminUserEmail is required when Web UI deployment is enabled" } ] } }, "Outputs": { "GeneratedTicketingLambdafunctionARN": { "Description": "The Lambda ARN constructed from the Ticket Generator Function Name you have provided as input to the stack. This ARN is used by the solution to plug your ticketing function into the Orchestrator step function. This field will be empty if you did not provide a ticketing Lambda Function name.", "Value": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":function:", { "Ref": "TicketGenFunctionName" } ] ] } }, "ASRFindingsDynamoDBTable": { "Description": "Table used to store findings that ASR supports for remediation.", "Value": { "Ref": "ASRFindingsTable3FD52B9C" } }, "RemediationConfigurationDynamoDBTable": { "Description": "Table used to control the enablement of automatic remediations for a given control.", "Value": { "Ref": "RemediationConfigTable24F19C3B" } }, "UserAccountMappingDynamoDBTable": { "Description": "Table used to store user account access permissions for Account Operator users.", "Value": { "Fn::GetAtt": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB", "Outputs.SolutionDeployStackWebUINestedStackUserAccountMappingTable3A0161FEArn" ] }, "Condition": "webUIEnabled" }, "WebUIURL": { "Description": "URL for the Web UI", "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB", "Outputs.SolutionDeployStackWebUINestedStackWebUIHostingWebCloudFrontDistributionB2243384DomainName" ] } ] ] }, "Condition": "webUIEnabled" }, "APIEndpoint": { "Description": "API Gateway endpoint URL", "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB", "Outputs.SolutionDeployStackWebUINestedStackApiConstructAutomatedSecurityResponseApi3A46E241Ref" ] }, ".execute-api.", { "Ref": "AWS::Region" }, ".", { "Ref": "AWS::URLSuffix" }, "/", { "Fn::GetAtt": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB", "Outputs.SolutionDeployStackWebUINestedStackApiConstructAutomatedSecurityResponseApiDeploymentStageprod99CF298CRef" ] }, "/" ] ] }, "Condition": "webUIEnabled" }, "UserPoolId": { "Description": "Cognito User Pool ID for the Web UI", "Value": { "Fn::GetAtt": [ "WebUINestedStackNestedStackWebUINestedStackNestedStackResourceEF0A1EDB", "Outputs.SolutionDeployStackWebUINestedStackCognitoConstructASRUserPool51186313Ref" ] }, "Condition": "webUIEnabled" } } }