AWS Security ChangesHomeSearch

AWS security-ir documentation change

Service: security-ir · 2026-06-28 · Documentation low

File: security-ir/latest/userguide/contain.md

Summary

Significantly expanded documentation on containment processes, including decision-making criteria, supported actions (EC2/IAM/S3 containment), strategy development, staged approach, and incident lifecycle integration. Removed old steps for enabling containment and replaced with criteria and strategy considerations.

Security assessment

The changes provide detailed documentation about security containment features (EC2/IAM/S3 resource isolation) but don't reference any specific vulnerability, exploit, or incident. The content focuses on standard security operations and best practices for incident response.

Diff

diff --git a/security-ir/latest/userguide/contain.md b/security-ir/latest/userguide/contain.md
index 6466fa361..f887be812 100644
--- a//security-ir/latest/userguide/contain.md
+++ b//security-ir/latest/userguide/contain.md
@@ -6,0 +7,2 @@
+Containment decision-makingSupported containment actionsDeveloping your containment strategyStaged containment approachContainment and the incident lifecycle
+
@@ -9 +11,29 @@
-AWS Security Incident Response partners with you to contain events. You can configure the service to take proactive containment actions in your account in response to security findings. You can also perform containment yourself or in partnership with your third party relationships by using the [SSM documents](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-runbook-reference.html) described in [Supported Containment Actions.](https://docs.aws.amazon.com/security-ir/latest/userguide/supported-containment-actions.html)
+When AWS Security Incident Response identifies an active threat in your environment, containment is the immediate priority: stop the threat actor from causing further damage while preserving evidence for investigation. The service runs containment through reversible, automated actions that isolate compromised resources without destroying them. To enable these capabilities, you must first configure the required permissions and preferences. See [Deploy containment and EC2 Triage roles](./working-with-stacksets.html).
+
+## Containment decision-making
+
+An essential part of containment is deciding whether to shut down a system, isolate a resource from the network, revoke access, or end sessions. AWS Security Incident Response provides the containment strategy, informs you of potential impact, and guides you on implementing the solution only after you have considered and agreed to the risks involved.
+
+These decisions become easier when you have predetermined strategies and procedures. The service uses a combination of your containment preferences (configured during onboarding), the nature of the threat, and real-time analysis to determine the appropriate response.
+
+## Supported containment actions
+
+AWS Security Incident Response runs containment actions on your behalf to reduce the time a threat actor has to cause damage. All supported containment actions are reversible. The service can restore the resource to its pre-containment state after the incident is resolved. The containment actions map to three resource types:
+
+**Amazon EC2 containment** (`AWSSupport-ContainEC2Instance`) performs a reversible network containment of an Amazon Elastic Compute Cloud (Amazon EC2) instance. The instance stays running and intact, but the automation isolates it from new network activity and prevents it from communicating with resources inside or outside your Amazon VPC by replacing the instance's security groups with a restrictive containment security group. Existing tracked connections aren't shut down as a result of changing security groups. Only future traffic is blocked.
+
+**IAM containment** (`AWSSupport-ContainIAMPrincipal`) performs a reversible containment of an AWS Identity and Access Management (IAM) user or role. The principal remains in IAM, but the automation isolates it from communicating with resources in your account by attaching a deny-all policy. This effectively revokes the principal's ability to take actions while preserving it for forensic review.
+
+**Amazon S3 containment** (`AWSSupport-ContainS3Resource`) performs a reversible containment of an Amazon Simple Storage Service (Amazon S3) bucket. Objects remain in the bucket, but the automation isolates the bucket or object by modifying its access policies to deny all external access.
+
+## Developing your containment strategy
+
+Consider containment strategies for each major event type that fit within your risk appetite. Document clear criteria to help with decision-making during an event. Criteria to consider include the following:
+
+  * Potential damage to resources
+
+  * Preservation of evidence and regulatory requirements
+
+  * Service unavailability (for example, network connectivity or services provided to external parties)
+
+  * Time and resources needed to implement the strategy
@@ -11 +41 @@ AWS Security Incident Response partners with you to contain events. You can conf
-###### Important
+  * Effectiveness of the strategy (partial versus full containment)
@@ -13 +43 @@ AWS Security Incident Response partners with you to contain events. You can conf
-AWS Security Incident Response does not enable containment capabilities by default. 
+  * Permanence of the solution (reversible versus irreversible)
@@ -15 +45 @@ AWS Security Incident Response does not enable containment capabilities by defau
-Two steps are required to enable proactive containment capabilities: 
+  * Duration of the solution (emergency workaround, temporary workaround, or permanent solution)
@@ -17 +46,0 @@ Two steps are required to enable proactive containment capabilities:
-  1. **Grant the necessary permissions** to the service using IAM roles. You can create these roles individually per account or across your entire organization by working with AWS CloudFormation stacksets, which create the required roles.
@@ -19 +47,0 @@ Two steps are required to enable proactive containment capabilities:
-  2. **Define your containment preferences** per account or across your organization to authorize proactive containment actions. Account-level preferences supersede organization-level preferences. This may be done by creating an AWS Support Case (Technical: Security Incident Response Service/Other). The available containment preferences are:
@@ -21 +48,0 @@ Two steps are required to enable proactive containment capabilities:
-     * **Approval Required (default):** Do not perform proactive containment of any resource without explicit authorization on a case-by-case basis.
@@ -23 +50 @@ Two steps are required to enable proactive containment capabilities:
-     * **Contain Confirmed:** Perform proactive containment of a resource confirmed to be compromised.
+Apply security controls that lower risk and allow time to define and implement a more effective containment strategy.
@@ -25 +52 @@ Two steps are required to enable proactive containment capabilities:
-     * **Contain Suspected:** Perform proactive containment of a resource with a high likelihood of having been compromised, based on analysis performed by AWS Security Incident Response Engineering.
+## Staged containment approach
@@ -26,0 +54 @@ Two steps are required to enable proactive containment capabilities:
+AWS Security Incident Response uses a staged approach to achieve efficient and effective containment, involving short-term and long-term strategies based on the resource type. Short-term containment focuses on immediately stopping the active threat (isolating a network, revoking credentials), while long-term containment addresses the root cause to prevent recurrence after the immediate danger passes.
@@ -27,0 +56 @@ Two steps are required to enable proactive containment capabilities:
+## How containment relates to the incident lifecycle
@@ -28,0 +58 @@ Two steps are required to enable proactive containment capabilities:
+Containment sits between detection/analysis and eradication in the incident lifecycle. After automated triage identifies a confirmed or suspected threat and a case is created, the service determines whether containment action is warranted based on your preferences and the severity of the event. After a resource is contained, AWS Security Incident Response engineers continue the investigation, share findings with you, and guide you through eradication and recovery. After the incident is fully resolved, the containment actions are reversed and normal operations resume.
@@ -38 +68 @@ AI Investigative Agent
-Containment Decision-Making
+Eradicate