AWS Security ChangesHomeSearch

AWS security-ir documentation change

Service: security-ir · 2026-05-07 · Documentation low

File: security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.md

Summary

Updated requirements for threat detection sources, clarified that GuardDuty is optional but Security Hub CSPM is required for functionality, reorganized support information, and emphasized service-linked role creation requirements.

Security assessment

Clarifies security dependencies (GuardDuty/Security Hub CSPM) for proper threat monitoring. No evidence of addressing a specific vulnerability, but improves documentation of security feature requirements.

Diff

diff --git a/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.md b/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.md
index 565e9dc49..f9ddc9b53 100644
--- a//security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.md
+++ b//security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.md
@@ -9 +9 @@
-AWS Security Incident Response monitors and investigates threat alerts generated from Amazon GuardDuty and Security Hub CSPM integrations. To use this feature, [Amazon GuardDuty must be enabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html). AWS Security Incident Response triages low-priority alerts with service automation so your team can focus on the most critical issues. For additional information on how AWS Security Incident Response works with Amazon GuardDuty and AWS Security Hub CSPM, please review the [ Detect and Analyze](https://docs.aws.amazon.com/security-ir/latest/userguide/detect-and-analyze.html) section of the user guide.
+AWS Security Incident Response monitors and investigates threat alerts generated from Amazon GuardDuty and third-party threat detection tools using Security Hub CSPM integrations. AWS Security Incident Response automatically triages all supported alerts so your team can focus on the most critical issues.
@@ -11 +11 @@ AWS Security Incident Response monitors and investigates threat alerts generated
-If you experience onboarding issues, then [ create an AWS Support case](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case) for additional assistance. Make sure to include details including the AWS account ID and any errors you may have seen during the setup process. 
+###### Important
@@ -13,3 +13 @@ If you experience onboarding issues, then [ create an AWS Support case](https://
-###### Note
-
-If you have questions about Amazon GuardDuty suppression rules, alert triaging configurations, or proactive response workflows, you can create an AWS supported case with the case type **Investigations and Inquiries** to consult with the AWS Security Incident Response team. For more information, see [Create an AWS supported case](./create-an-aws-supported-case.html). 
+AWS Security Incident Response doesn't require you to enable Amazon GuardDuty. However, the proactive response feature relies on receiving threat findings from detection services. If you don't have Amazon GuardDuty or Security Hub CSPM configured to ingest findings, AWS Security Incident Response won't have alerts to monitor and investigate, which limits the value of this feature.
@@ -17 +15 @@ If you have questions about Amazon GuardDuty suppression rules, alert triaging c
-This feature enables AWS Security Incident Response to monitor and investigate findings across all covered accounts and active supported AWS Regions in your organization. To facilitate this functionality, AWS Security Incident Response automatically creates a service-linked role in all covered member accounts within your AWS Organizations. However, for the management account, you must manually create the service-linked role to enable monitoring.
+AWS Security Incident Response monitors and investigates findings across all covered accounts and active supported AWS Regions in your organization. To facilitate this functionality, AWS Security Incident Response automatically creates a service-linked role in all covered member accounts within your AWS Organizations. However, for the management account, you must manually create the service-linked role to enable monitoring.
@@ -20,0 +19,6 @@ _AWS Security Incident Response can't create the service-linked role in the mana
+If you experience onboarding issues or need help enabling Amazon GuardDuty or Security Hub CSPM, [create an AWS Support case](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case) for assistance.
+
+###### Note
+
+If you have questions about Amazon GuardDuty suppression rules, alert triaging configurations, or proactive response workflows, you can create an AWS supported case with the case type **Investigations and Inquiries** to consult with the AWS Security Incident Response team. For more information, see [Create an AWS supported case](./create-an-aws-supported-case.html).
+