AWS Security ChangesHomeSearch

AWS security-ir high security documentation change

Service: security-ir · 2026-02-16 · Security-related high

File: security-ir/latest/userguide/define-containment-preferences.md

Summary

Updated containment options terminology and descriptions: Changed from 'No containment actions/Containment with approval/Automatic containment' to 'Approval required/Contain confirmed/Contain suspected' with revised operational guidance

Security assessment

Directly modifies security incident response procedures by refining containment authorization levels. Changes default behavior to require explicit approval and defines proactive containment thresholds (confirmed/suspected compromises), impacting security operations.

Diff

diff --git a/security-ir/latest/userguide/define-containment-preferences.md b/security-ir/latest/userguide/define-containment-preferences.md
index 409f80d79..118b87390 100644
--- a//security-ir/latest/userguide/define-containment-preferences.md
+++ b//security-ir/latest/userguide/define-containment-preferences.md
@@ -17 +17 @@ To authorize Security Incident Response engineers to perform containment actions
-**Containment Options:**
+**Containment options:**
@@ -19 +19 @@ To authorize Security Incident Response engineers to perform containment actions
-  * **No containment actions** (default) - Security Incident Response engineers will not perform any containment actions on your behalf.
+  * **Approval required** (default): Do not perform proactive containment of any resource without explicit authorization on a case-by-case basis.
@@ -21 +21 @@ To authorize Security Incident Response engineers to perform containment actions
-  * **Containment with approval** \- Security Incident Response engineers will request your approval before executing containment actions.
+  * **Contain confirmed** : Perform proactive containment of a resource confirmed to be compromised.
@@ -23 +23 @@ To authorize Security Incident Response engineers to perform containment actions
-  * **Automatic containment** \- Security Incident Response engineers can execute containment actions immediately without prior approval during active incidents.
+  * **Contain suspected** : Perform proactive containment of a resource with a high likelihood of having been compromised, based on analysis performed by AWS Security Incident Response engineering.