
Step function triggered twice #243

@mimzbumb

Description

Hi all,

We deployed the solution and noticed that the step function is triggered in a really short period (milliseconds) for the same finding.

We have a central Security Hub CSPM, and after some investigation, I noticed that the finding is being sent to EventBridge twice, once from the workload account and once from the central security account.

The finding from the workload account is:
{ "version": "0", "id": "EVENT_ID", "detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub", "account": "WORKLOAD_ACCOUNT_ID", "time": "2025-11-24T13:01:31Z", "region": "eu-central-1", "resources": [ "arn:aws:securityhub:eu-west-1::product/aws/securityhub/REDACTED_FINDING_ARN" ], "detail": { "findings": [ { "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ], "Description": "This control checks whether server access logging is enabled for an Amazon S3 general purpose bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configured. The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.", "Compliance": { "Status": "FAILED", "SecurityControlId": "S3.9", "AssociatedStandards": [ { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" } ] }, "ProductName": "Security Hub", "FirstObservedAt": "2025-11-24T13:00:50.262Z", "CreatedAt": "2025-11-24T13:00:59.379Z", "LastObservedAt": "2025-11-24T13:00:50.262Z", "CompanyName": "AWS", "FindingProviderFields": { "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ], "Severity": { "Normalized": 40, "Label": "MEDIUM", "Product": 40, "Original": "MEDIUM" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsSubscriptionArn": "STANDARDS_SUBSCRIPTION_ARN", "ControlId": "S3.9", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation", "RelatedAWSResources:0/name": "securityhub-s3-bucket-logging-enabled-686265e2", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "STANDARDS_CONTROL_ARN", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "WORKLOAD_S3_BUCKET_ARN", "aws/securityhub/FindingId": "WORKLOAD_FINDING_ID" }, "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation" } }, "SchemaVersion": "2018-10-08", "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.9", "RecordState": "ACTIVE", "Title": "S3.9 S3 general purpose buckets should have server access logging enabled", "Workflow": { "Status": "NEW" }, "Severity": { "Normalized": 40, "Label": "MEDIUM", "Product": 40, "Original": "MEDIUM" }, "UpdatedAt": "2025-11-24T13:00:59.379Z", "WorkflowState": "NEW", "AwsAccountName": "WORKLOAD_ACCOUNT_NAME", "AwsAccountId": "WORKLOAD_ACCOUNT_ID", "Region": "eu-west-1", "Id": "WORKLOAD_FINDING_ARN", "Resources": [ { "Partition": "aws", "Type": "AwsS3Bucket", "Details": { "AwsS3Bucket": { "OwnerId": "REDACTED_OWNER_ID", "CreatedAt": "2025-11-24T12:59:58.000Z", "Name": "REDACTED_BUCKET_NAME" } }, "Region": "eu-west-1", "Id": "WORKLOAD_S3_BUCKET_ARN", "Tags": { "Project": "REDACTED", "aws:cloudformation:stack-name": "REDACTED", "backup": "true", "aws:cloudformation:stack-id": "REDACTED_STACK_ARN", "STAGE": "REDACTED", "Environment": "REDACTED", "aws:cloudformation:logical-id": "HealthLakeExportBucket", "Purpose": "REDACTED", "Name": "REDACTED_BUCKET_NAME" } } ], "ProcessedAt": "2025-11-24T13:01:19.435Z" } ] } }

And this is the finding from the Security account:

{ "version": "0", "id": "EVENT_ID", "detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub", "account": "SECURITY_ACCOUNT_ID", "time": "2025-11-24T13:01:31Z", "region": "eu-central-1", "resources": [ "arn:aws:securityhub:eu-west-1::product/aws/securityhub/REDACTED_FINDING_ARN" ], "detail": { "findings": [ { "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ], "Description": "This control checks whether server access logging is enabled for an Amazon S3 general purpose bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configured. The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.", "Compliance": { "Status": "FAILED", "SecurityControlId": "S3.9", "AssociatedStandards": [ { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" } ] }, "ProductName": "Security Hub", "FirstObservedAt": "2025-11-24T13:00:50.262Z", "CreatedAt": "2025-11-24T13:00:59.379Z", "LastObservedAt": "2025-11-24T13:00:50.262Z", "CompanyName": "AWS", "FindingProviderFields": { "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ], "Severity": { "Normalized": 40, "Label": "MEDIUM", "Product": 40, "Original": "MEDIUM" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsSubscriptionArn": "STANDARDS_SUBSCRIPTION_ARN", "ControlId": "S3.9", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation", "RelatedAWSResources:0/name": "securityhub-s3-bucket-logging-enabled-686265e2", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "STANDARDS_CONTROL_ARN", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "WORKLOAD_S3_BUCKET_ARN", "aws/securityhub/FindingId": "FINDING_ID" }, "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation" } }, "SchemaVersion": "2018-10-08", "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.9", "RecordState": "ACTIVE", "Title": "S3.9 S3 general purpose buckets should have server access logging enabled", "Workflow": { "Status": "NEW" }, "Severity": { "Normalized": 40, "Label": "MEDIUM", "Product": 40, "Original": "MEDIUM" }, "UpdatedAt": "2025-11-24T13:00:59.379Z", "WorkflowState": "NEW", "AwsAccountName": "WORKLOAD_ACCOUNT_NAME", "AwsAccountId": "WORKLOAD_ACCOUNT_ID", "Region": "eu-west-1", "Id": "FINDING_ARN", "Resources": [ { "Partition": "aws", "Type": "AwsS3Bucket", "Details": { "AwsS3Bucket": { "OwnerId": "OWNER_ID", "CreatedAt": "2025-11-24T12:59:58.000Z", "Name": "WORKLOAD_BUCKET_NAME" } }, "Region": "eu-west-1", "Id": "WORKLOAD_S3_BUCKET_ARN", "Tags": { "Project": "REDACTED", "aws:cloudformation:stack-name": "REDACTED", "backup": "true", "aws:cloudformation:stack-id": "REDACTED_STACK_ID", "STAGE": "REDACTED", "Environment": "REDACTED", "aws:cloudformation:logical-id": "HealthLakeExportBucket", "Purpose": "REDACTED", "Name": "WORKLOAD_BUCKET_NAME" } } ], "ProcessedAt": "2025-11-24T13:01:19.435Z" } ] } }

Has anyone happened to encounter a similar pattern, and do you have any suggestions on how to solve this besides updating the EventBridge rule or the step function?
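One way to absorb the duplicate on the consuming side instead of in the rule, as an added example that is not code from this issue or from the deployed solution: key each event on the finding itself (its Id, UpdatedAt and workflow status) rather than on the EventBridge envelope, whose "account" and "id" differ between the two copies, and skip any key already seen inside a short window. It assumes the finding Id and UpdatedAt are identical in the member-account and administrator-account copies; the sample events are constructed and trimmed, not the redacted ones above.

```python
"""Idempotent intake for 'Security Hub Findings - Imported' events.

Added example, not code from this issue or the deployed solution. The two
copies of a finding (one emitted in the member account, one after
aggregation in the administrator account) differ only in the envelope, so
a key built from the finding lets an intake Lambda drop the second copy
before starting the state machine.
"""
import time


def finding_key(event: dict) -> tuple:
    """Stable key for one finding update; ignores 'account' and 'id'."""
    finding = event["detail"]["findings"][0]
    return (finding["Id"], finding["UpdatedAt"], finding["Workflow"]["Status"])


class Deduplicator:
    """In-memory idempotency window. Across Lambda invocations the seen-set
    would live in a shared store such as a DynamoDB table with a TTL."""

    def __init__(self, window_seconds: float = 60.0, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock
        self._seen: dict = {}

    def should_process(self, event: dict) -> bool:
        key = finding_key(event)
        now = self.clock()
        # Expire keys older than the window so the store cannot grow unbounded.
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.window}
        if key in self._seen:
            return False  # second copy of the same finding update
        self._seen[key] = now
        return True


def _sample(account: str, event_id: str, status: str = "NEW") -> dict:
    """Constructed, trimmed stand-in for the events quoted in this issue.
    Account ids are documentation placeholders, not real accounts."""
    return {"version": "0", "id": event_id, "account": account,
            "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{
                "Id": "arn:aws:securityhub:eu-west-1:111122223333:subscription/EXAMPLE",
                "UpdatedAt": "2025-11-24T13:00:59.379Z",
                "Workflow": {"Status": status},
                "AwsAccountId": "111122223333"}]}}


WORKLOAD_EVENT = _sample("111122223333", "evt-1")   # member account copy
SECURITY_EVENT = _sample("444455556666", "evt-2")   # administrator copy
```

A later genuine update of the same finding (new UpdatedAt or workflow status) yields a new key and is processed normally.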

Labels: question (Further information is requested), triaged (Has been triaged by solutions team)