AWS security-ir documentation change
Summary
Restructured the deployment guide into a step-by-step process, added details about the service-linked role for proactive response, and included optional pre-authorization of containment actions.
Security assessment
The changes provide more detailed instructions for setting up the Security Incident Response service, including important notes about the service-linked role and containment actions. This is documentation for a security feature but does not address a specific security issue.
Diff
diff --git a/security-ir/latest/userguide/deploy-configure.md b/security-ir/latest/userguide/deploy-configure.md index 2497a899f..4052b2aef 100644 --- a//security-ir/latest/userguide/deploy-configure.md +++ b//security-ir/latest/userguide/deploy-configure.md @@ -5 +5 @@ -# Deploy and configure Security Incident Response +# Step 1: Enable AWS Security Incident Response @@ -7 +7 @@ - 1. Choose **Sign up** +The onboarding process takes approximately 10 to 15 minutes per AWS organization. For a walkthrough, see the [Getting Started video](https://docs.aws.amazon.com/security-ir/latest/userguide/getting-started.html) in the service documentation. @@ -9 +9,5 @@ - +###### To enable AWS Security Incident Response + + 1. Sign in to the AWS Management Console using your management account. + + 2. Open the AWS Security Incident Response console and choose **Sign up**. @@ -11 +15 @@ - 2. Select a **security tooling** account as Delegated Administrator from the Management Account. + @@ -13 +17 @@ - * [Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/introduction.html) + 3. Designate a security tooling account as the delegated administrator. @@ -15 +19 @@ - * [Delegated Administrator documentation](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html) + * For guidance, see [Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html) in _AWS Prescriptive Guidance_ and [Delegated administrator](https://docs.aws.amazon.com/security-ir/latest/userguide/delegated-admin.html). @@ -19 +23,15 @@ - 3. Log into the delegated administrator account + 4. Sign in to the delegated administrator account. + + 5. Enter your membership details and associate the relevant accounts. + + 6. For **Account scope** , choose to enable AWS Security Incident Response for your entire AWS organization or for specific OUs. You can select coverage at the OU level, but not at the individual account level. + + 7. For **Proactive Response** , confirm that the setting is enabled. Proactive response is on by default and creates a service-linked role that allows AWS SIRT to ingest GuardDuty findings and open proactive investigation cases when threats are detected. For more information, see [Proactive response](https://docs.aws.amazon.com/security-ir/latest/userguide/proactive-response.html). + +###### Important + +The service-linked role is not automatically deployed to the management account. You must configure it manually for complete coverage. For instructions, see [Setup proactive response and alert triaging workflows](./setup-monitoring-and-investigation-workflows.html). + + 8. (Optional) Choose to pre-authorize AWS SIRT to perform containment actions on your behalf during active incidents. Supported containment actions include runbooks for compromised S3 buckets, EC2 instances, and IAM principals. If you skip this step, SIRT will provide manual guidance during investigations. For more information, see [Containment actions](https://docs.aws.amazon.com/security-ir/latest/userguide/containment.html). + + 9. Review the service permissions and onboarding configuration, then choose **Sign up**. @@ -21 +39 @@ - 4. Enter membership details and associate accounts + @@ -23 +41 @@ - + @@ -34 +52 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Onboarding Guide +Onboarding prerequisites @@ -36 +54 @@ Onboarding Guide -Authorize monitoring and containment actions +Step 2: Configure your incident response team