AWS Security ChangesHomeSearch

AWS security-ir documentation change

Service: security-ir · 2026-06-28 · Documentation low

File: security-ir/latest/userguide/working-with-stacksets.md

Summary

Restructured documentation to focus on deploying IAM roles for containment and EC2 Triage using StackSets. Removed template details and added topic-based navigation.

Security assessment

The changes clarify deployment requirements for security incident containment roles but don't address a specific vulnerability. They add documentation about security features (IAM roles for incident response) without evidence of patching a security flaw.

Diff

diff --git a/security-ir/latest/userguide/working-with-stacksets.md b/security-ir/latest/userguide/working-with-stacksets.md
index 765c7385b..50cd90e53 100644
--- a//security-ir/latest/userguide/working-with-stacksets.md
+++ b//security-ir/latest/userguide/working-with-stacksets.md
@@ -7 +7 @@
-# Working with CloudFormation StackSets
+# Deploy containment and EC2 Triage roles
@@ -9 +9 @@
-For specific instructions on how to create a StackSet with service-managed permissions, see [Create CloudFormation StackSets with service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-associate-stackset-with-org.html) in the _AWS CloudFormation User Guide_.
+AWS Security Incident Response doesn't enable containment by default. To allow the service to take containment actions on your behalf during a security incident, you must deploy AWS Identity and Access Management roles to each account in your organization where you want containment capabilities. The recommended approach is to use AWS CloudFormation StackSets with service-managed permissions, which automatically deploys the roles to all current and future accounts in your organization.
@@ -11 +11 @@ For specific instructions on how to create a StackSet with service-managed permi
-AWS Security Incident Response provides two CloudFormation templates. Both templates create the same two AWS Identity and Access Management roles, `AWSSecurityIncidentResponseContainment` and `AWSSecurityIncidentResponseContainmentExecution`. The **Containment with EC2 Triage** template adds the `AWSSecurityIncidentResponseInvestigationPolicy` to the `AWSSecurityIncidentResponseContainment` role, which grants additional permissions for EC2 Triage. Choose the template that matches your security requirements:
+###### Topics
@@ -13 +13 @@ AWS Security Incident Response provides two CloudFormation templates. Both templ
-  * [Containment only](./containment-only-template.html): Creates the minimum required permissions for containment actions.
+  * [Deploy the IAM roles with a StackSet](./deploy-iam-roles-stackset.html)
@@ -15 +15 @@ AWS Security Incident Response provides two CloudFormation templates. Both templ
-  * [Containment with EC2 Triage](./containment-with-ec2-triage-template.html): Includes all containment permissions plus additional permissions for EC2 Triage. This template enables AWS Security Incident Response to execute AWS Systems Manager Run Command on your Amazon Elastic Compute Cloud instances during security investigations.
+  * [Select a CloudFormation template for your containment roles](./cloudformation-templates.html)
@@ -20,2 +19,0 @@ AWS Security Incident Response provides two CloudFormation templates. Both templ
-For more information about EC2 Triage, see [Detect and Analyze](./detect-and-analyze.html).
-
@@ -28 +26 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Closing a case
+Step 4: Integrate with your existing tools
@@ -30 +28 @@ Closing a case
-CloudFormation templates
+Deploy the IAM roles with a StackSet