AWS Security ChangesHomeSearch

AWS security-ir documentation change

Service: security-ir · 2026-07-04 · Documentation low

File: security-ir/latest/userguide/onboarding-prerequisites.md

Summary

Restructured prerequisites documentation to emphasize detection services requirements, clarified GuardDuty/Security Hub necessity, added CloudTrail requirement, and specified limitations on pre-onboarding findings

Security assessment

The changes emphasize security best practices (enabling GuardDuty/Security Hub/CloudTrail) but don't address a specific vulnerability. They clarify operational requirements for effective threat detection without evidence of patching a security flaw.

Diff

diff --git a/security-ir/latest/userguide/onboarding-prerequisites.md b/security-ir/latest/userguide/onboarding-prerequisites.md
index 65eded2c8..8a4e29854 100644
--- a//security-ir/latest/userguide/onboarding-prerequisites.md
+++ b//security-ir/latest/userguide/onboarding-prerequisites.md
@@ -7 +7 @@
-Third-party EDR integration
+Detection servicesFindings created before onboarding
@@ -17 +17 @@ The AWS Identity and Access Management (IAM) principal used to sign in to the de
-While not required, we strongly recommend enabling [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) and [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) across all accounts and active AWS Regions to get the most value from AWS Security Incident Response. 
+## Detection services
@@ -19 +19 @@ While not required, we strongly recommend enabling [Amazon GuardDuty](https://do
-  * [GuardDuty and AWS Security Incident Response](https://docs.aws.amazon.com/security-ir/latest/userguide/guardduty.html)
+While not required, we strongly recommend enabling Amazon GuardDuty and AWS Security Hub CSPM across all accounts and active AWS Regions. These detection services provide the signal that AWS Security Incident Response monitors on your behalf. Without them, there are no findings to ingest and no data to triage proactively. It then becomes your responsibility to detect issues and raise them through a case. Additionally, the ability to investigate and assist is significantly reduced without detection tool data, since these tools are critical to understanding what's happening in your accounts. 
@@ -21 +21 @@ While not required, we strongly recommend enabling [Amazon GuardDuty](https://do
-  * [GuardDuty best practices](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_best_practices.html)
+We also strongly recommend enabling AWS CloudTrail logging across all accounts. During investigations, the Security Incident Response Engineering team relies on CloudTrail data to analyze activity, trace actions, and identify anomalous patterns in your accounts. Without CloudTrail logs available, the ability to conduct thorough investigations is limited. 
@@ -22,0 +23 @@ While not required, we strongly recommend enabling [Amazon GuardDuty](https://do
+You don't need to enable GuardDuty or Security Hub CSPM before activating AWS Security Incident Response. You can enable these detection services at any time after onboarding, and AWS Security Incident Response begins ingesting findings as soon as they're available. 
@@ -23,0 +25 @@ While not required, we strongly recommend enabling [Amazon GuardDuty](https://do
+###### Note
@@ -24,0 +27 @@ While not required, we strongly recommend enabling [Amazon GuardDuty](https://do
+AWS Security Incident Response only triages threat detection findings. Security posture or compliance findings (such as misconfiguration alerts or benchmark violations) aren't triaged because they represent a state about your environment rather than an active threat requiring investigation. 
@@ -26 +29 @@ While not required, we strongly recommend enabling [Amazon GuardDuty](https://do
-## Third-party EDR integration
+### GuardDuty and AWS Security Incident Response
@@ -28 +31 @@ While not required, we strongly recommend enabling [Amazon GuardDuty](https://do
-Security Hub CSPM can ingest findings from third-party endpoint detection and response (EDR) vendors. When ingested, these findings are auto-triaged by AWS Security Incident Response for proactive case creation. To set up a third-party EDR integration, follow the steps in the [Security Hub CSPM integrations documentation](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html). 
+We recommend enabling GuardDuty in all accounts and all AWS Regions, including Regions where you have no active workloads. Attackers commonly target unused Regions and dormant accounts to spin up expensive resources or gain lateral access without being detected. A common misconception is that you only need to monitor the Regions and production accounts you actively use. However, this is a key vector that attackers exploit. 
@@ -30 +33 @@ Security Hub CSPM can ingest findings from third-party endpoint detection and re
-![AWS Security Hub CSPM console](/images/security-ir/latest/userguide/images/thirdpartyintegration.png)
+GuardDuty doesn't incur charges in Regions with no activity, so enabling it everywhere carries no cost penalty for quiet Regions. If unauthorized activity occurs in an unused Region, GuardDuty gives immediate visibility to act on your behalf. 
@@ -32 +35,11 @@ Security Hub CSPM can ingest findings from third-party endpoint detection and re
-###### Note
+To enable GuardDuty across your organization, see [Setting up GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html). 
+
+### Third-party integration
+
+You don't need to enable Security Hub CSPM standards or controls for AWS Security Incident Response. Security Hub CSPM is used only as a conduit to ingest findings from third-party endpoint detection and response (EDR) vendors. The controls and standards are optional from the AWS Security Incident Response perspective, though you can keep them enabled if they provide value for your own compliance and posture management needs. 
+
+When third-party findings are ingested through Security Hub CSPM, AWS Security Incident Response auto-triages them for proactive case creation. To set up a third-party EDR integration, follow the steps in the [Security Hub CSPM integrations documentation](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html). 
+
+For supported third-party tools, see [Detect and analyze](https://docs.aws.amazon.com/security-ir/latest/userguide/detect-and-analyze.html). If your third-party tool integrates with Security Hub CSPM but isn't listed, AWS Security Incident Response can still ingest those findings on a best-effort basis while support is evaluated. To discuss support for additional tools, open an AWS Support case or contact your TAM. 
+
+## Findings created before onboarding
@@ -34 +47 @@ Security Hub CSPM can ingest findings from third-party endpoint detection and re
-You don't need to enable Security Hub CSPM standards or controls. Only the vendor integrations are required for AWS Security Incident Response to ingest third-party findings. 
+###### Important
@@ -36 +49 @@ You don't need to enable Security Hub CSPM standards or controls. Only the vendo
-**Pricing** : The first 10,000 Security Hub CSPM findings are free. After that, the cost is $0.00003 per finding. For more information, see [Security Hub CSPM pricing](https://aws.amazon.com/security-hub/pricing/). 
+AWS Security Incident Response can only ingest findings generated after you complete onboarding. Findings that were created before activation are not retroactively ingested. If you have existing findings you want investigated, raise them through a case after onboarding is complete. 
@@ -46 +59 @@ Prepare for onboarding
-Step 1: Enable AWS Security Incident Response
+Step 1: Enable and configure