AWS Security ChangesHomeSearch

AWS whitepapers documentation change

Service: whitepapers · 2026-06-19 · Documentation medium

File: whitepapers/latest/aws-security-incident-response-guide/operations.md

Summary

Removed entire content including incident response operations phases (detection, analysis, containment, eradication, recovery), their definitions, and related documentation elements.

Security assessment

Content removal doesn't indicate a security vulnerability fix. The deleted material was general incident response guidance without evidence of addressing specific vulnerabilities.

Diff

diff --git a/whitepapers/latest/aws-security-incident-response-guide/operations.md b/whitepapers/latest/aws-security-incident-response-guide/operations.md
index 80a368ef5..8b1378917 100644
--- a//whitepapers/latest/aws-security-incident-response-guide/operations.md
+++ b//whitepapers/latest/aws-security-incident-response-guide/operations.md
@@ -1 +0,0 @@
-[View a markdown version of this page](operations.md)
@@ -3,41 +1,0 @@
-[](/pdfs/security-ir/latest/userguide/sir-ug.pdf#operations "Open PDF")
-
-[Documentation](/index.html)[Security Incident Response](/security-ir/index.html)[](what-is.html)
-
-# Operations
-
-Operations is the core of performing incident response. This is where the actions of responding and remediating security incidents occur. Operations includes the following five phases: _detection_ , _analysis_ , _containment_ , _eradication_ , and _recovery_. Descriptions of these phases and the goals can be found in Table 3.
-
-_Table 3 – Operations phases_
-
-Phase  |  Goal   
----|---  
-**Detection** |  Identify a potential security event.   
-**Analysis** |  Determine if a security event is an incident and assess the scope of the incident.   
-**Containment** |  Minimize and limit the scope of the security event.   
-**Eradication** |  Remove unauthorized resources or artifacts related to the security event. Implement mitigations that caused the security incident.   
-**Recovery** |  Restore systems to a known safe state and monitor these systems to verify that the threat does not return.   
-  
-The phases should serve as guidance when you respond to and operate on security incidents in order to respond in an effective and robust way. The actual actions you take will vary depending on the incident. An incident involving ransomware, for example, will have a different set of response steps to follow than an incident involving a public Amazon S3 bucket. Additionally, these phases do not necessarily happen sequentially. After containment and eradication, you might need to return to analysis to understand if your actions were effective. 
-
-![Warning](https://d1ge0kk1l5kms0.cloudfront.net/images/G/01/webservices/console/warning.png) **Javascript is disabled or is unavailable in your browser.**
-
-To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.
-
-[Document Conventions](/general/latest/gr/docconventions.html)
-
-Summary of preparation items
-
-Detection
-
-Did this page help you? - Yes
-
-Thanks for letting us know we're doing a good job!
-
-If you've got a moment, please tell us what we did right so we can do more of it.
-
-Did this page help you? - No
-
-Thanks for letting us know this page needs work. We're sorry we let you down.
-
-If you've got a moment, please tell us how we can make the documentation better.