AWS Security ChangesHomeSearch

AWS security-ir documentation change

Service: security-ir · 2026-06-28 · Documentation medium

File: security-ir/latest/userguide/containment-with-ec2-triage-template.md

Summary

Added detailed explanation of EC2 Triage permissions, forensic data collection capabilities, and prerequisites for using the template.

Security assessment

This change significantly expands documentation about forensic security capabilities during incident response, including volatile data collection from compromised instances. It enhances security documentation but doesn't address a specific vulnerability.

Diff

diff --git a/security-ir/latest/userguide/containment-with-ec2-triage-template.md b/security-ir/latest/userguide/containment-with-ec2-triage-template.md
index 4dc893a33..0babe9f7a 100644
--- a//security-ir/latest/userguide/containment-with-ec2-triage-template.md
+++ b//security-ir/latest/userguide/containment-with-ec2-triage-template.md
@@ -9 +9,16 @@
-This template creates the containment roles with additional permissions for EC2 Triage functionality. Use this template if you require AWS Security Incident Response to execute Systems Manager Run Command on Amazon EC2 instances during security investigations.
+Use this template if you want both containment capabilities and the ability for AWS Security Incident Response engineers to investigate running instances during an incident.
+
+This template creates everything included in the containment-only template and adds the `AWSSecurityIncidentResponseInvestigationPolicy` to the `AWSSecurityIncidentResponseContainment` role. This policy grants the following permissions:
+
+  * Describe Amazon EC2 instances and their status
+
+  * Retrieve instance profile information
+
+  * Verify Systems Manager Agent connectivity on target instances
+
+  * Execute `ssm:SendCommand` to run investigative commands on instances
+
+
+
+
+EC2 Triage allows AWS Security Incident Response engineers to collect volatile forensic data from running Amazon EC2 instances during an active security incident. This data can include running processes, network connections, logged-in users, and other operating system artifacts that would be lost if the instance were terminated or stopped.
@@ -310 +325 @@ Containment only
-Cancel Membership
+Instance prerequisites for EC2 Triage