AWS Security ChangesHomeSearch

AWS security-ir documentation change

Service: security-ir · 2026-04-22 · Documentation low

File: security-ir/latest/userguide/detect-and-analyze.md

Summary

Added documentation for EC2 Triage feature enabling AWS Security Incident Response to collect investigative data from EC2 instances using Systems Manager Run Command during security investigations. Also fixed formatting and link references.

Security assessment

The change introduces a new security investigation capability (EC2 Triage) that allows responders to execute commands on EC2 instances to gather forensic data. This enhances security investigation capabilities but does not indicate a specific security vulnerability being addressed. The change documents a security feature for incident response.

Diff

diff --git a/security-ir/latest/userguide/detect-and-analyze.md b/security-ir/latest/userguide/detect-and-analyze.md
index 2ce0019cf..2689259b5 100644
--- a//security-ir/latest/userguide/detect-and-analyze.md
+++ b//security-ir/latest/userguide/detect-and-analyze.md
@@ -29 +29 @@ _AWS Security Hub CSPM_
-Security Hub CSPM can ingest security findings from several AWS services and supported third-party security solutions. These integrations can help AWS Security Incident Response monitor and investigate findings coming from other detection tools. 
+AWS Security Hub CSPM can ingest security findings from several AWS services and supported third-party security solutions. These integrations can help AWS Security Incident Response monitor and investigate findings coming from other detection tools. 
@@ -37 +37 @@ AWS Security Incident Response can monitor and investigate findings from the fol
-  * [_CrowdStrike – CrowdStrike Falcon_](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html#integration-crowdstrike-falcon)
+  * [CrowdStrike – CrowdStrike Falcon](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html#integration-crowdstrike-falcon)
@@ -39 +39 @@ AWS Security Incident Response can monitor and investigate findings from the fol
-  * [ _Lacework – Lacework_](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html#integration-lacework)
+  * [Lacework – Lacework](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html#integration-lacework)
@@ -41 +41 @@ AWS Security Incident Response can monitor and investigate findings from the fol
-  * [ _Trend Micro – Cloud One_](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html#integration-trend-micro)
+  * [Trend Micro – Cloud One](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html#integration-trend-micro)
@@ -50 +50 @@ By enabling these integrations, you can significantly enhance the scope and effe
-If "Proactive Response" is enabled <https://docs.aws.amazon.com/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.html> AWS Security Incident Response ingests findings from Amazon GuardDuty and AWS Security Hub CSPM through Amazon EventBridge rules that are deployed to your accounts during onboarding. 
+With [Proactive Response](./setup-monitoring-and-investigation-workflows.html), AWS Security Incident Response ingests findings from Amazon GuardDuty and AWS Security Hub CSPM through Amazon EventBridge rules that are deployed to your accounts during onboarding. 
@@ -69,0 +70,4 @@ AWS Security Incident Response Engineering conducts a hands-on security investig
+As part of a security investigation, AWS Security Incident Response can also collect investigative information from within Amazon Elastic Compute Cloud instances using EC2 Triage. When enabled, this capability allows AWS Security Incident Response responders to execute AWS Systems Manager Run Command on Amazon EC2 instances to gather investigative data, inspect running processes, and analyze system state — without requiring direct access to the instance. 
+
+To use EC2 Triage, you must deploy the **Containment with EC2 Triage** CloudFormation template to your accounts. For more information, see [Working with CloudFormation StackSets](./working-with-stacksets.html). The target Amazon EC2 instances must have [SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) installed and running, and must be online and managed by AWS Systems Manager. For setup information, see [Setting up Systems Manager for Amazon EC2 instances](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-ec2.html). 
+