Module 3: Remediation and Response CIS Benchmark and Custom Action

After Security Hub has detected a configuration that needs attention, the next step is to take action and resolve the finding. In the first half of this module, you will connect a Security Hub custom action to a provided Lambda function. This function isolates an EC2 instance from the VPC network when invoked. In the second half, you will deploy the automated remediation and response actions for the CIS AWS Foundations Benchmark standard.


  1. Create a Security Hub Custom Action to Isolate an EC2 Instance - 10 min
  2. Deploy remediation playbooks for CIS Benchmarks - 15 min

Create a Security Hub Custom Action to Isolate an EC2 Instance

This section will walk you through how to create a custom action in Security Hub which will trigger an EventBridge rule. In this scenario, the EventBridge rule will invoke a Lambda function to change the security group on an EC2 instance that is associated with a Security Hub finding.

Create a Custom Action in Security Hub

  1. Navigate to the Security Hub console.

  2. In the left-hand navigation pane choose Settings.

  3. Choose the Custom actions tab.

  4. Click the Create custom action button.

  5. Enter an Action Name, Action Description, and an Action ID that are representative of an action that would isolate an EC2 instance.

    Custom Action

  6. Click Create custom action.

  7. Copy the Custom action ARN that was generated for your custom action.

    You will need the custom action ARN in the next steps.

    Custom Action

Create Amazon EventBridge Rule to capture the Custom Action

In this section, you will define an EventBridge rule that will match events (findings) coming from Security Hub which were forwarded by the custom action you defined above.

  1. Navigate to the Amazon EventBridge Console.

  2. Click on the Create rule on the right side.

    Custom Action

  3. In the Create rule page give your rule a name and a description that represents the rule's purpose.

    Custom Action

    All Security Hub findings are sent as events to the AWS default event bus. The Define pattern section lets you specify filters so that a specific action is taken when matching events appear.

  4. Under Define pattern, select Event pattern.

  5. Select Pre-defined pattern by service.

  6. In the drop down for Service Provider, select AWS.

  7. In the drop down for Service Name, type or select Security Hub.

  8. In the drop down for Event type choose Security Hub Finding – Custom Action.

  9. Select the Specific custom action ARN(s) radio button. Enter the ARN for the custom action that you created earlier.

    Custom Action

    Note that EventBridge automatically updates the event pattern to include your custom action ARN as a resource, so the rule only fires for findings sent through this specific action.

  10. Under Select targets, ensure Lambda function is populated in the top drop down and then select isolate-ec2-security-group Lambda function.

    Custom Action

    isolate-ec2-security-group is a custom Lambda function created during the setup of this workshop.

  11. Click Create to complete creation of the EventBridge rule.

Isolate the security group on an EC2 Instance

Now you will test the response action, starting from a Security Hub finding for an EC2 instance.

  1. Navigate to the Security Hub Dashboard.

  2. In the left-hand navigation pane choose Findings.

  3. Add a filter for Resource Type and enter AwsEc2Instance (case sensitive).

  4. Click the title of any finding in this filtered list whose resource type is AwsEc2Instance.

  5. Expand Resources section of the finding.

  6. Click the blue link for this EC2 instance, under the heading Resource ID.

    This will open a new tab on the EC2 console, filtered to show only this affected EC2 instance.

  7. Click the instance record, and then click the Security tab and record the name of the current security group.

    Custom Action

  8. Go back to the Security Hub tab in your browser and click in the check box in the far left of this same finding.

  9. In the Actions drop down choose the name of your custom action to Isolate EC2 Instances.

    Custom Action

  10. Go back to the EC2 browser tab and refresh it. Verify that the security group on the instance has been changed to the security team security group, replacing the group you recorded in step 7.

    Review the isolate-ec2-security-group Lambda function. What changes would you make for your own custom actions?
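The chain you just built (custom action, EventBridge rule, Lambda) is easier to reason about with the pieces side by side. The following is an added example, not the workshop's isolate-ec2-security-group function: it holds the event pattern EventBridge generates for "Security Hub Findings - Custom Action" restricted to one action ARN, a small model of how EventBridge matches that pattern, the parsing of instance IDs out of the ASFF findings the event carries, and the single ModifyInstanceAttribute call that swaps the instance's security groups. The custom action ARN, the isolation security group ID and the sample event are constructed placeholders.

```python
"""Security Hub custom action -> EventBridge rule -> Lambda that isolates an EC2 instance.
Added example; not the workshop's isolate-ec2-security-group function."""
import json
import os
import re

# Hypothetical values: in the workshop these are your own custom action ARN and the
# "security team" security group (a group with no inbound or outbound rules).
CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-west-2:123456789012:action/custom/IsolateEC2"
ISOLATION_SG_ID = os.environ.get("ISOLATION_SG_ID", "sg-0123456789abcdef0")

# The pattern EventBridge writes when you choose "Security Hub Findings - Custom Action"
# and a specific custom action ARN. Same JSON you would paste into a rule by hand.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [CUSTOM_ACTION_ARN],
}


def matches_pattern(event: dict, pattern: dict = EVENT_PATTERN) -> bool:
    """Minimal model of EventBridge matching for the fields used here: every pattern key
    must be present; a scalar event field must equal one of the pattern's values; an array
    field matches if any element does. (Prefix/anything-but/numeric matchers not modelled.)"""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        candidates = value if isinstance(value, list) else [value]
        if not any(c in allowed for c in candidates):
            return False
    return True


_INSTANCE_ARN = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:instance/(i-[0-9a-f]+)$")


def instance_ids_from_event(event: dict) -> list:
    """Pull EC2 instance IDs out of the ASFF findings in event['detail']['findings'].
    Only AwsEc2Instance resources count; duplicates are collapsed, order is kept."""
    ids = []
    for finding in event.get("detail", {}).get("findings", []):
        for resource in finding.get("Resources", []):
            if resource.get("Type") != "AwsEc2Instance":
                continue
            m = _INSTANCE_ARN.match(resource.get("Id", ""))
            if m and m.group(1) not in ids:
                ids.append(m.group(1))
    return ids


def isolate_instance(ec2, instance_id: str, isolation_sg_id: str) -> dict:
    """Replace every security group on the instance's primary ENI with the isolation group.
    ModifyInstanceAttribute with Groups= overwrites the whole set, which is the point."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
    return {"instance": instance_id, "groups": [isolation_sg_id]}


def lambda_handler(event, context=None):
    if not matches_pattern(event):
        return {"isolated": [], "reason": "event not from the expected custom action"}
    import boto3  # deferred so the parsing helpers above run without AWS credentials
    ec2 = boto3.client("ec2")
    return {"isolated": [isolate_instance(ec2, i, ISOLATION_SG_ID)
                         for i in instance_ids_from_event(event)]}


# Constructed sample event in the shape Security Hub puts on the default bus for a custom action.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "region": "us-west-2",
    "resources": [CUSTOM_ACTION_ARN],
    "detail": {
        "actionName": "Isolate EC2",
        "actionDescription": "Move the instance into the security team's isolation group",
        "findings": [{
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-west-2:123456789012:subscription/example/finding/1",
            "Resources": [
                {"Type": "AwsEc2Instance", "Region": "us-west-2",
                 "Id": "arn:aws:ec2:us-west-2:123456789012:instance/i-0123456789abcdef0"},
                {"Type": "AwsEc2SecurityGroup", "Region": "us-west-2",
                 "Id": "arn:aws:ec2:us-west-2:123456789012:security-group/sg-0aaa"},
            ],
        }],
    },
}

if __name__ == "__main__":
    print(json.dumps(EVENT_PATTERN, indent=2))
    print(matches_pattern(SAMPLE_EVENT), instance_ids_from_event(SAMPLE_EVENT))
```

Two things worth noticing when adapting this for your own actions: the handler checks the event against the pattern again, so a mis-scoped rule (or a second rule pointed at the same function) cannot trigger isolation on findings you did not select; and only the resource of type AwsEc2Instance is acted on, so a finding that also lists the offending security group does not cause the function to touch the group itself.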

Deploy remediation playbooks for CIS Benchmarks

By creating Security Hub custom actions mapped to specific finding types and developing a corresponding Lambda function for each custom action, you can achieve targeted, automated remediation for those findings while still deciding, finding by finding, whether to invoke the remediation. You can also use the same Lambda functions as the target of fully automated remediation rules that do not require any human review.

You can read more in this blog to select specific CIS benchmark remediations or customize response actions.

Deploy remediation playbooks via CloudFormation

Before you deploy the CloudFormation template feel free to view it here.

Region Deploy
US West 2 (Oregon) Deploy CIS remediation playbook in us-west-2
US East 1 (Virginia) Deploy CIS remediation playbook in us-east-1

If you are running this workshop in an AWS provided environment that is not in one of the regions above, you can still deploy the remediation template via CloudFormation in the region you are working in. For step 1, click either of the Deploy to AWS buttons above; when that takes you to the CloudFormation console, change your region in the top right corner of the AWS console to the region you want. The URL of the CloudFormation template stays populated after the region switch. Once you have set your region, proceed to step 2 to continue the deployment.

  1. Click the Deploy to AWS button above, for the region you are performing the workshop in. This will automatically take you to the console to submit the template.

  2. Scroll to the bottom of the Quick create stack screen and check the box for I acknowledge that AWS CloudFormation might create IAM resources.

  3. Click Create stack.

    Wait a moment for stack creation to start and resources to appear, then proceed to step 4.

  4. Navigate to the Resources tab of this CloudFormation stack and observe the resources created for each rule.


  5. Type "CIS28" in Search resources bar.


    Note the resources created for this remediation action: a Security Hub custom action to initiate the remediation, a Lambda function with the code that executes the response, an IAM role and permissions for Lambda to assume and take the needed actions, and an EventBridge rule that connects the custom action to the Lambda function.

  6. Navigate to the Security Hub dashboard.

  7. In the left-hand navigation pane choose Security Standards.

  8. Under CIS AWS Foundations Benchmark v1.2.0 click View results.


  9. Type "2.8" in the Filter controls bar.

    AWS KMS lets customers rotate the backing key, which is key material stored in AWS KMS and tied to the key ID of the CMK. The backing key is what performs cryptographic operations such as encryption and decryption. Automatic key rotation retains all previous backing keys so that data encrypted under an older backing key can still be decrypted transparently.

    We recommend that you enable rotation for customer-created CMKs. Rotating encryption keys helps reduce the potential impact of a compromised key, because data encrypted with a new backing key can't be accessed with a previous key that might have been exposed.

  10. Click the title for CIS 2.8 Ensure rotation for customer created CMKs is enabled.

  11. Click the check box to select the failed finding.

  12. Click the Actions drop down on the right side and select CIS 2.8 RR.

    Notice the list of available actions you have for CIS which were created from the template deployment.


    Choosing this action sends a copy of the selected finding(s) to EventBridge. The findings then match the rule in EventBridge that the template created for CIS 2.8, and the rule invokes the corresponding Lambda function. That function enables key rotation on the KMS key(s) referenced by the finding(s) you selected when you chose the custom action.

    After the green bar has confirmed that the custom action was sent, you still need to manually initiate a re-evaluation in Config so that the finding is resolved in Security Hub; Security Hub will not mark it PASSED until Config has re-evaluated the key.

  13. Click the three vertical dots in the Investigate column to expand associated links to Config.

  14. Click the link for Config Rule which will open a new tab showing the details for the config rule related to the CIS check.


  15. In the Config Rule screen click the Actions drop down and then choose Re-evaluate. This will cause the config rule to re-run and publish updated details on compliant and noncompliant resources.

  16. Click the Security Hub browser tab to return to the filtered findings for CIS 2.8 and refresh your browser. The findings should now have a status of PASSED.
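The CIS 2.8 playbook enables rotation on the keys named in the findings, and steps 13 to 15 then trigger the Config re-evaluation by hand. The following is an added example, not the function deployed by the workshop's CloudFormation template, and it goes one step further than the workshop: after enabling rotation it calls Config's StartConfigRulesEvaluation itself, which is the API behind the Actions > Re-evaluate button, so the finding flips to PASSED without the manual steps. It also shows the checks a re-runnable remediation needs (skip AWS-managed keys, which CIS 2.8 does not cover; skip keys that are not in the Enabled state, since EnableKeyRotation is rejected for them; do nothing when rotation is already on). The Config rule name, key IDs and the in-memory KMS and Config stand-ins are constructed so the example runs without an AWS account.

```python
"""CIS 2.8 remediation: enable rotation on the customer-managed KMS keys in the selected
findings, then ask AWS Config to re-evaluate the rule so Security Hub marks them PASSED.
Added example; not the code deployed by the workshop's CloudFormation template."""
import os

# Assumed name: read the real one from the "Config rule" link in the finding's Investigate
# column and supply it through the Lambda environment.
CONFIG_RULE_NAME = os.environ.get("CIS_2_8_CONFIG_RULE_NAME",
                                  "securityhub-cmk-backing-key-rotation-enabled-example")


def key_id_from_arn(arn: str) -> str:
    """'arn:aws:kms:us-west-2:123456789012:key/1234abcd-...' -> '1234abcd-...'."""
    return arn.rsplit("/", 1)[-1]


def remediate_key_rotation(kms, key_arns):
    """Enable automatic rotation on each customer-managed, enabled key that lacks it.
    Returns a per-key outcome so the caller can tell changed from skipped keys."""
    outcome = {}
    for arn in key_arns:
        key_id = key_id_from_arn(arn)
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if meta["KeyManager"] != "CUSTOMER":
            outcome[key_id] = "skipped: AWS-managed key"      # not in scope of CIS 2.8
            continue
        if meta.get("KeyState") != "Enabled":
            outcome[key_id] = "skipped: key state %s" % meta.get("KeyState")  # EnableKeyRotation would fail
            continue
        if kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
            outcome[key_id] = "already enabled"               # idempotent: safe to re-run the action
            continue
        kms.enable_key_rotation(KeyId=key_id)
        outcome[key_id] = "enabled"
    return outcome


def trigger_reevaluation(config, rule_name=CONFIG_RULE_NAME):
    """Same effect as Actions > Re-evaluate in the Config console: Config re-runs the rule,
    publishes fresh compliance results, and Security Hub updates the finding to PASSED."""
    config.start_config_rules_evaluation(ConfigRuleNames=[rule_name])
    return rule_name


def lambda_handler(event, context=None):
    import boto3  # deferred so the logic above runs offline against the fakes below
    arns = [r["Id"] for f in event["detail"]["findings"]
            for r in f["Resources"] if r["Type"] == "AwsKmsKey"]
    result = remediate_key_rotation(boto3.client("kms"), arns)
    if any(v == "enabled" for v in result.values()):
        trigger_reevaluation(boto3.client("config"))
    return result


# Constructed in-memory stand-ins for the two clients, so the example runs without AWS.
class FakeKMS:
    def __init__(self, keys):
        self.keys = keys  # key_id -> {"KeyManager", "KeyState", "rotation"}

    def describe_key(self, KeyId):
        k = self.keys[KeyId]
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": k["KeyManager"],
                                "KeyState": k["KeyState"]}}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.keys[KeyId]["rotation"]}

    def enable_key_rotation(self, KeyId):
        self.keys[KeyId]["rotation"] = True


class FakeConfig:
    def __init__(self):
        self.evaluated = []

    def start_config_rules_evaluation(self, ConfigRuleNames):
        self.evaluated.extend(ConfigRuleNames)


# Constructed: one failing customer key, one already rotating, one AWS-managed, one disabled.
SAMPLE_KEYS = {
    "11111111-1111-1111-1111-111111111111": {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "rotation": False},
    "22222222-2222-2222-2222-222222222222": {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "rotation": True},
    "33333333-3333-3333-3333-333333333333": {"KeyManager": "AWS", "KeyState": "Enabled", "rotation": True},
    "44444444-4444-4444-4444-444444444444": {"KeyManager": "CUSTOMER", "KeyState": "Disabled", "rotation": False},
}
SAMPLE_ARNS = ["arn:aws:kms:us-west-2:123456789012:key/" + k for k in SAMPLE_KEYS]

if __name__ == "__main__":
    kms = FakeKMS({k: dict(v) for k, v in SAMPLE_KEYS.items()})
    print(remediate_key_rotation(kms, SAMPLE_ARNS))
    print(trigger_reevaluation(FakeConfig()))
```

The Lambda role deployed by the template is scoped to what the response needs; if you adopt the automatic re-evaluation, the role additionally needs config:StartConfigRulesEvaluation, and kms:DescribeKey and kms:GetKeyRotationStatus for the pre-checks, so grant those rather than a wildcard.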


In this module you associated a custom action in Security Hub with a custom Lambda function for remediation, and deployed a series of pre-built remediations for CIS AWS Foundations Benchmark checks. After you have successfully tested your response to CIS 2.8, you can proceed to the next module.