AWS security-ir documentation change
Summary
Updated documentation for AWS Security Incident Response containment actions, clarifying options and adding prerequisite about deploying a CloudFormation StackSet for IAM roles.
Security assessment
The changes clarify containment action preferences (e.g., changing 'automatic containment' to 'Contain suspected') and explicitly state that deploying a CloudFormation StackSet to create required IAM roles is a prerequisite. This enhances documentation about security incident response features but does not indicate a fix for a specific security issue.
Diff
diff --git a/security-ir/latest/userguide/define-containment-preferences.md b/security-ir/latest/userguide/define-containment-preferences.md index cfdae256d..784380331 100644 --- a//security-ir/latest/userguide/define-containment-preferences.md +++ b//security-ir/latest/userguide/define-containment-preferences.md @@ -7 +7 @@ -Containment actions enable Security Incident Response to execute rapid response measures during an active security incident, such as isolating compromised hosts or rotating credentials. These actions help quickly mitigate the impact of security incidents in your environment. +Containment actions enable AWS Security Incident Response to execute rapid response measures during an active security incident. These actions help quickly mitigate the impact of security incidents in your environment. @@ -13 +13 @@ Security Incident Response doesn't enable containment capabilities by default. Y -To authorize Security Incident Response engineers to perform containment actions on your behalf, you must define your organization or account-level containment preferences. Account-level preferences supersede organization-level preferences. +To authorize AWS Security Incident Response engineers to perform containment actions on your behalf, in addition to deploying an [AWS CloudFormation StackSet](https://docs.aws.amazon.com/security-ir/latest/userguide/working-with-stacksets.html) that creates the required IAM roles, you must define your organization or account-level containment preferences. Account-level preferences supersede organization-level preferences. @@ -36 +36 @@ To define containment preferences: - * Your preferred containment option (no containment, containment with approval, or automatic containment) + * Your preferred containment option (Approval required, Contain confirmed, or Contain suspected). @@ -45 +45 @@ To define containment preferences: -After configured, Security Incident Response executes the authorized containment actions during active security incidents to help protect your environment. +When configured, AWS Security Incident Response executes the authorized containment actions during active security incidents to help protect your environment.