AWS security-ir documentation change
Summary
Restructured onboarding documentation with detailed prerequisites, step-by-step configuration guidance, and explicit permission requirements for AWS Security Incident Response setup.
Security assessment
The changes enhance documentation about security service configuration but show no evidence of addressing a specific vulnerability. Added content clarifies SCP requirements (security-ir:* and iam:CreateServiceLinkedRole actions), proactive response permissions (log access and alert ingestion), and containment action pre-authorization – all security features of the service.
Diff
diff --git a/security-ir/latest/userguide/deploy-configure.md b/security-ir/latest/userguide/deploy-configure.md index d9896a2cd..98b75ac72 100644 --- a//security-ir/latest/userguide/deploy-configure.md +++ b//security-ir/latest/userguide/deploy-configure.md @@ -7 +7 @@ -# Step 1: Enable AWS Security Incident Response +Before you beginSign up and choose your membership accountConfigure membership details and account scopeReview service permissions and enable proactive responseConfigure containment actions @@ -9 +9,3 @@ -The onboarding process takes approximately 10 to 15 minutes per AWS organization. For a walkthrough, see the [Getting Started video](https://docs.aws.amazon.com/security-ir/latest/userguide/getting-started.html) in the service documentation. +# Step 1: Enable and configure AWS Security Incident Response + +The onboarding process takes approximately 10 to 15 minutes per AWS organization. For a walkthrough, see the [Getting Started video](https://docs.aws.amazon.com/security-ir/latest/userguide/getting-started.html). @@ -13 +15,22 @@ The onboarding process takes approximately 10 to 15 minutes per AWS organization -The instructions in this section outline how to enable Security Incident Response and set up your team using the AWS Security Incident Response console (Step 1 and Step 2). You can also perform these steps using the API/CLI. For instructions on using the API/CLI, see [Enable Security Incident Response and configure your incident response team using the API/CLI](./enable-sir-using-cli.html). +You can also perform these steps using the API/AWS CLI. For instructions, see [Enable Security Incident Response and configure your incident response team using the API/CLI](./enable-sir-using-cli.html). + +## Before you begin + +Confirm the following before you start: + + * You have access to your AWS Organizations management account. + + * Your AWS Organizations has **All Features** enabled. Consolidated billing alone isn't sufficient. + + * Your service control policies (SCPs) don't block the creation of service-linked roles or prevent the use of AWS Security Incident Response actions. If your organization uses restrictive SCPs, verify that they allow the `security-ir:*` actions and the `iam:CreateServiceLinkedRole` action for the Security Incident Response service principal. + + * You have identified which account to use as your central membership account. This is the account where you configure membership details, manage your incident response team, and create and manage security cases. We recommend choosing an account that your incident responders already have access to, since they communicate with the Security Incident Response Engineering team and manage active cases. For guidance on structuring your security accounts, see [Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html) in _AWS Prescriptive Guidance_. + + * You have sufficient IAM permissions to administer AWS Security Incident Response. For details, see [AWS Security Incident Response managed policies](https://docs.aws.amazon.com/security-ir/latest/userguide/aws-managed-policies.html). + + + + +For guidance on preparing your environment with detection services (GuardDuty, Security Hub CSPM, CloudTrail) and third-party EDR integrations, see [Onboarding prerequisites](./onboarding-prerequisites.html). + +## Sign up and choose your membership account @@ -15 +38 @@ The instructions in this section outline how to enable Security Incident Respons -###### Enable AWS Security Incident Response using the AWS Security Incident Response console + 1. Sign in to the AWS Management Console using your AWS Organizations management account, then open the [AWS Security Incident Response console](https://console.aws.amazon.com/security-ir) and choose **Sign up**. @@ -17 +40 @@ The instructions in this section outline how to enable Security Incident Respons - 1. Sign in to the AWS Management Console using your management account. + 2. Designate which account in your organization serves as the central membership account. You have two options: @@ -19 +42 @@ The instructions in this section outline how to enable Security Incident Respons - 2. Open the AWS Security Incident Response console and choose **Sign up**. + * **Use a delegated administrator account (recommended)** — Administrative tasks and case management are located in the delegated administrator account. We recommend using the same delegated administrator that you use for other AWS security and compliance services. Provide the 12-digit delegated administrator account ID, then sign in to that account to proceed. For more information, see [Considerations and recommendations](./considerations_important.html). @@ -21 +44 @@ The instructions in this section outline how to enable Security Incident Respons - + * **Use the currently signed-in account** — The current account becomes the central membership account. Individuals in your organization access the service through this account to create, access, and manage active and resolved cases. @@ -23 +46,10 @@ The instructions in this section outline how to enable Security Incident Respons - 3. Set up your central membership account. For guidance, see [Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html) in _AWS Prescriptive Guidance_ and [Considerations and recommendations](./considerations_important.html) on how a delegated Security Incident Response administrator account operates. + 3. After you choose an account, sign in to it to continue with the following configuration steps. + + + + +## Configure membership details and account scope + +After you sign in to your membership account, you configure how your membership is set up and which accounts it covers. + + 1. **Select your AWS Region.** Choose the Region where your membership and cases are stored. You can't change this after initial registration. @@ -27 +59,14 @@ The instructions in this section outline how to enable Security Incident Respons -The IAM principal on the delegated administrator account must have `AdministratorAccess` permissions. If the principal has insufficient permissions (for example, `PowerUserAccess` only), this step fails. The error message might not indicate a permissions issue. +AWS Security Incident Response still monitors findings from all [supported commercial AWS Regions](https://docs.aws.amazon.com/security-ir/latest/userguide/supported-configs.html). + + 2. **Define your account scope.** Choose to enable AWS Security Incident Response for your entire AWS organization or for specific organizational units (OUs). You can select coverage at the OU level, but not at the individual account level. Your choice determines how coverage behaves over time: + + * **Full organization:** Your membership covers all member accounts in the organization. Coverage updates automatically as you add or remove accounts. + + * **Specific OUs:** Your membership covers all accounts under the selected OUs, including accounts in sub-OUs. Coverage updates automatically as you add or remove accounts from those OUs. + +To learn more about best practices for organizing accounts into OUs, see [Organizing your AWS environment using multiple accounts](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html). + + 3. **Provide your incident response contacts.** Supply a primary and secondary contact. These contacts are automatically included as part of your incident response team. At minimum, two contacts must exist for a membership. + + 4. **Optional settings.** You can enter a name for the membership and define tags to help track AWS costs and search for resources. + @@ -29 +73,0 @@ The IAM principal on the delegated administrator account must have `Administrato - @@ -31 +74,0 @@ The IAM principal on the delegated administrator account must have `Administrato - 4. Sign in to the delegated administrator account. @@ -33 +76 @@ The IAM principal on the delegated administrator account must have `Administrato - 5. Enter your membership details and associate the relevant accounts. +## Review service permissions and enable proactive response @@ -35 +78 @@ The IAM principal on the delegated administrator account must have `Administrato - 6. For **Account scope** , choose to enable AWS Security Incident Response for your entire AWS organization or for specific OUs. You can select coverage at the OU level, but not at the individual account level. +Before completing signup, the console displays the permissions that AWS Security Incident Response requires. By signing up, you confirm that the service can: @@ -37 +80 @@ The IAM principal on the delegated administrator account must have `Administrato - 7. **Proactive response** is on by default and creates a service-linked role that allows Security Incident Response Engineering to ingest GuardDuty findings and open proactive investigation cases when threats are detected. For more information, see [Proactive response](https://docs.aws.amazon.com/security-ir/latest/userguide/proactive-response.html). + * Create service-linked roles to access the OUs and accounts in your organization. @@ -39 +82 @@ The IAM principal on the delegated administrator account must have `Administrato -AWS Security Incident Response automatically creates the `AWSServiceRoleForSecurityIncidentResponse_Triage` service-linked role in your AWS Organizations management account and in all accounts that are in scope. + * Access and review logs (such as VPC Flow Logs, CloudTrail management events, and S3 CloudTrail events) to expedite investigation and response. @@ -41 +84 @@ AWS Security Incident Response automatically creates the `AWSServiceRoleForSecur - 8. (Optional) Choose to pre-authorize Security Incident Response Engineering to perform containment actions on your behalf during active incidents. Supported containment actions include runbooks for compromised S3 buckets, EC2 instances, and IAM principals. If you skip this step, Security Incident Response Engineering will provide manual guidance during investigations. For more information, see [Containment actions](https://docs.aws.amazon.com/security-ir/latest/userguide/containment.html). + * Ingest alerts from Amazon GuardDuty and AWS Security Hub CSPM, apply suppression rules, and automatically escalate critical findings. This includes creating suppression filters and escalation cases in your accounts. @@ -43 +85,0 @@ AWS Security Incident Response automatically creates the `AWSServiceRoleForSecur - 9. Review the service permissions and onboarding configuration, then choose **Sign up**. @@ -45 +86,0 @@ AWS Security Incident Response automatically creates the `AWSServiceRoleForSecur - @@ -47 +87,0 @@ AWS Security Incident Response automatically creates the `AWSServiceRoleForSecur - @@ -48,0 +89 @@ AWS Security Incident Response automatically creates the `AWSServiceRoleForSecur +Select the confirmation checkbox to acknowledge these permissions, then choose **Sign up**. For more information on how proactive response works, see [Proactive response](https://docs.aws.amazon.com/security-ir/latest/userguide/proactive-response.html). @@ -49,0 +91 @@ AWS Security Incident Response automatically creates the `AWSServiceRoleForSecur +## Configure containment actions @@ -50,0 +93 @@ AWS Security Incident Response automatically creates the `AWSServiceRoleForSecur +After you complete signup, you can optionally configure containment actions to pre-authorize Security Incident Response Engineering to act on your behalf during active incidents. For details on supported containment actions and how to configure them, see [Containment actions](https://docs.aws.amazon.com/security-ir/latest/userguide/containment.html).