AWS Security ChangesHomeSearch

AWS security-ir documentation change

Service: security-ir · 2026-04-22 · Documentation low

File: security-ir/latest/userguide/working-with-stacksets.md

Summary

Removed embedded CloudFormation template and restructured documentation to reference two separate external templates (Containment only and Containment with EC2 Triage) with clearer descriptions of their security permissions and use cases.

Security assessment

This change improves security documentation by clarifying the two available CloudFormation templates for AWS Security Incident Response. It explicitly states that the 'Containment with EC2 Triage' template includes additional permissions for EC2 Triage investigations, which enables AWS Systems Manager Run Command on EC2 instances. The change removes the embedded template code and provides clearer guidance on choosing templates based on security requirements, but there's no evidence it addresses a specific security vulnerability or incident.

Diff

diff --git a/security-ir/latest/userguide/working-with-stacksets.md b/security-ir/latest/userguide/working-with-stacksets.md
index bb10aa3b9..af25bb9e8 100644
--- a//security-ir/latest/userguide/working-with-stacksets.md
+++ b//security-ir/latest/userguide/working-with-stacksets.md
@@ -9 +9 @@
-###### Important
+For specific instructions on how to create a StackSet with service-managed permissions, see [Create CloudFormation StackSets with service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html) in the _AWS CloudFormation User Guide_.
@@ -11 +11 @@
-AWS Security Incident Response doesn't enable containment capabilities by default. To run these containment actions, you must grant the necessary permissions to the service using AWS Identity and Access Management roles. You can create these roles individually for each account or across your entire organization by deploying CloudFormation StackSets, The StackSets create the required roles.
+AWS Security Incident Response provides two CloudFormation templates. Both templates create the same two AWS Identity and Access Management roles, `AWSSecurityIncidentResponseContainment` and `AWSSecurityIncidentResponseContainmentExecution`. The **Containment with EC2 Triage** template adds the `AWSSecurityIncidentResponseInvestigationPolicy` to the `AWSSecurityIncidentResponseContainment` role, which grants additional permissions for EC2 Triage. Choose the template that matches your security requirements:
@@ -13 +13 @@ AWS Security Incident Response doesn't enable containment capabilities by defaul
-For specific instructions on how to create a StackSet with service-managed permissions, see [ Create CloudFormation StackSets with service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-associate-stackset-with-org.html) in the _AWS CloudFormation User Guide_.
+  * [Containment only](./containment-only-template.html): Creates the minimum required permissions for containment actions.
@@ -15 +15 @@ For specific instructions on how to create a StackSet with service-managed permi
-The following are templates to create the _AWSSecurityIncidentResponseContainment_ and _AWSSecurityIncidentResponseContainmentExecution_ roles.
+  * [Containment with EC2 Triage](./containment-with-ec2-triage-template.html): Includes all containment permissions plus additional permissions for EC2 Triage. This template enables AWS Security Incident Response to execute AWS Systems Manager Run Command on your Amazon Elastic Compute Cloud instances during security investigations.
@@ -18,2 +17,0 @@ The following are templates to create the _AWSSecurityIncidentResponseContainmen
-    AWSTemplateFormatVersion: '2010-09-09'
-    Description: 'Template for production SIR containment roles'
@@ -21,256 +18,0 @@ The following are templates to create the _AWSSecurityIncidentResponseContainmen
-    Resources:
-      AWSSecurityIncidentResponseContainment:
-        Type: 'AWS::IAM::Role'
-        Properties:
-          RoleName: AWSSecurityIncidentResponseContainment
-          AssumeRolePolicyDocument:
-            {
-              'Version': '2012-10-17',
-              'Statement':
-                [
-                  {
-                    'Effect': 'Allow',
-                    'Principal': { 'Service': 'containment.security-ir.amazonaws.com' },
-                    'Action': 'sts:AssumeRole',
-                    'Condition': { 'StringEquals': { 'sts:ExternalId': !Sub '${AWS::AccountId}' } },
-                  },
-                  {
-                    'Effect': 'Allow',
-                    'Principal': { 'Service': 'containment.security-ir.amazonaws.com' },
-                    'Action': 'sts:TagSession',
-                  },
-                ],
-            }
-          Policies:
-            - PolicyName: AWSSecurityIncidentResponseContainmentPolicy
-              PolicyDocument:
-                {
-                  'Version': '2012-10-17',
-                  'Statement':
-                    [
-                      {
-                        'Effect': 'Allow',
-                        'Action': ['ssm:StartAutomationExecution'],
-                        'Resource':
-                          [
-                            !Sub 'arn:${AWS::Partition}:ssm:*:*:automation-definition/AWSSupport-ContainEC2Instance:$DEFAULT',
-                            !Sub 'arn:${AWS::Partition}:ssm:*:*:automation-definition/AWSSupport-ContainS3Resource:$DEFAULT',
-                            !Sub 'arn:${AWS::Partition}:ssm:*:*:automation-definition/AWSSupport-ContainIAMPrincipal:$DEFAULT',
-                          ],
-                      },
-                      {
-                        'Effect': 'Allow',
-                        'Action':
-                          ['ssm:DescribeInstanceInformation', 'ssm:GetAutomationExecution', 'ssm:ListCommandInvocations'],
-                        'Resource': '*',
-                      },
-                      {
-                        'Effect': 'Allow',
-                        'Action': ['iam:PassRole'],
-                        'Resource': !GetAtt AWSSecurityIncidentResponseContainmentExecution.Arn,
-                        'Condition': { 'StringEquals': { 'iam:PassedToService': 'ssm.amazonaws.com' } },
-                      },
-                    ],
-                }
-      AWSSecurityIncidentResponseContainmentExecution:
-        Type: 'AWS::IAM::Role'
-        Properties:
-          RoleName: AWSSecurityIncidentResponseContainmentExecution
-          AssumeRolePolicyDocument:
-            {
-              'Version': '2012-10-17',
-              'Statement':
-                [{ 'Effect': 'Allow', 'Principal': { 'Service': 'ssm.amazonaws.com' }, 'Action': 'sts:AssumeRole' }],
-            }
-          ManagedPolicyArns:
-            - !Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit
-          Policies:
-            - PolicyName: AWSSecurityIncidentResponseContainmentExecutionPolicy
-              PolicyDocument:
-                {
-                  'Version': '2012-10-17',
-                  'Statement':
-                    [
-                      {
-                        'Sid': 'AllowIAMContainment',
-                        'Effect': 'Allow',
-                        'Action':
-                          [
-                            'iam:AttachRolePolicy',
-                            'iam:AttachUserPolicy',
-                            'iam:DeactivateMFADevice',
-                            'iam:DeleteLoginProfile',
-                            'iam:DeleteRolePolicy',
-                            'iam:DeleteUserPolicy',
-                            'iam:GetLoginProfile',
-                            'iam:GetPolicy',
-                            'iam:GetRole',
-                            'iam:GetRolePolicy',
-                            'iam:GetUser',
-                            'iam:GetUserPolicy',
-                            'iam:ListAccessKeys',
-                            'iam:ListAttachedRolePolicies',
-                            'iam:ListAttachedUserPolicies',
-                            'iam:ListMfaDevices',
-                            'iam:ListPolicies',
-                            'iam:ListRolePolicies',
-                            'iam:ListUserPolicies',
-                            'iam:ListVirtualMFADevices',
-                            'iam:PutRolePolicy',
-                            'iam:PutUserPolicy',
-                            'iam:TagMFADevice',
-                            'iam:TagPolicy',
-                            'iam:TagRole',
-                            'iam:TagUser',
-                            'iam:UntagMFADevice',
-                            'iam:UntagPolicy',
-                            'iam:UntagRole',
-                            'iam:UntagUser',
-                            'iam:UpdateAccessKey',
-                            'identitystore:CreateGroupMembership',
-                            'identitystore:DeleteGroupMembership',
-                            'identitystore:IsMemberInGroups',
-                            'identitystore:ListUsers',
-                            'identitystore:ListGroups',
-                            'identitystore:ListGroupMemberships',
-                          ],
-                        'Resource': '*',
-                      },
-                      {
-                        'Sid': 'AllowOrgListAccounts',
-                        'Effect': 'Allow',
-                        'Action': 'organizations:ListAccounts',
-                        'Resource': '*',
-                      },
-                      {
-                        'Sid': 'AllowSSOContainment',
-                        'Effect': 'Allow',
-                        'Action':
-                          [
-                            'sso:CreateAccountAssignment',
-                            'sso:DeleteAccountAssignment',
-                            'sso:DeleteInlinePolicyFromPermissionSet',
-                            'sso:GetInlinePolicyForPermissionSet',
-                            'sso:ListAccountAssignments',
-                            'sso:ListInstances',
-                            'sso:ListPermissionSets',
-                            'sso:ListPermissionSetsProvisionedToAccount',
-                            'sso:PutInlinePolicyToPermissionSet',
-                            'sso:TagResource',
-                            'sso:UntagResource',
-                          ],
-                        'Resource': '*',
-                      },
-                      {
-                        'Sid': 'AllowSSORead',
-                        'Effect': 'Allow',
-                        'Action': ['sso-directory:SearchUsers', 'sso-directory:DescribeUser'],
-                        'Resource': '*',
-                      },
-                      {
-                        'Sid': 'AllowS3Read',
-                        'Effect': 'Allow',
-                        'Action':
-                          [
-                            's3:GetAccountPublicAccessBlock',
-                            's3:GetBucketAcl',
-                            's3:GetBucketLocation',
-                            's3:GetBucketOwnershipControls',
-                            's3:GetBucketPolicy',
-                            's3:GetBucketPolicyStatus',
-                            's3:GetBucketPublicAccessBlock',
-                            's3:GetBucketTagging',
-                            's3:GetEncryptionConfiguration',
-                            's3:GetObject',
-                            's3:GetObjectAcl',
-                            's3:GetObjectTagging',
-                            's3:GetReplicationConfiguration',
-                            's3:ListBucket',
-                            's3express:GetBucketPolicy',
-                          ],
-                        'Resource': '*',
-                      },
-                      {
-                        'Sid': 'AllowS3Write',
-                        'Effect': 'Allow',
-                        'Action':
-                          [
-                            's3:CreateBucket',
-                            's3:DeleteBucketPolicy',
-                            's3:DeleteObjectTagging',