Unified Operations Getting started: Onboard your account to proactive security incident management - AWS Support

Unified Operations entitles you to AWS Security Incident Response to help you quickly prepare for, respond to, and recover from security incidents, such as account takeovers, data breaches, and ransomware attacks. AWS Security Incident Response triages findings, escalates events, and manages critical cases, while also providing access to the AWS Customer Incident Response Team (CIRT) to investigate impacted resources. This access helps you to effectively mitigate and resolve security incidents, minimizing the impact on your operations. To onboard to this service feature, complete the following steps:

  1. Create a centralized AWS account for AWS Security Incident Response. This AWS account is used to configure all other AWS accounts that you want monitored, to manage your incident response team, and to create and view security events. We recommend that you align this account with the account that you already use for other security services such as Amazon GuardDuty and AWS Security Hub, so that findings, delegated administration, and case management live in one place. You can use an AWS Organizations management account, or an AWS Organizations delegated administrator account, as the Security Incident Response membership account. For more information, see Select a membership account in the AWS Security Incident Response User Guide.

    1. Choose basic membership details. For more information, see Setup membership details in the AWS Security Incident Response User Guide.

    2. Choose how you want to associate accounts with AWS Organizations. For more information, see Associate accounts with AWS Organizations in the AWS Security Incident Response User Guide.

    3. (Optional) Enable the proactive response and alert triaging workflow within your organization so that AWS monitors and investigates alerts generated by the Amazon GuardDuty and AWS Security Hub integrations. For more information, see Setup proactive response and alert triaging workflows in the AWS Security Incident Response User Guide.

  2. (Optional) Enable proactive containment of a potential security incident. AWS can then perform containment actions to quickly mitigate impact, such as isolating compromised hosts or rotating credentials. To turn on this feature, you must first grant the service the necessary permissions by deploying the AWS CloudFormation StackSet provided for this purpose. Because the IAM roles that the StackSet creates allow AWS to act on resources in your accounts, review the permissions in the template before you deploy it, and keep the StackSet scoped to the accounts you actually want covered.
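Before starting step 1, it is worth confirming that the account you are signed in to is really the Organizations management account or a delegated administrator, and that it matches the GuardDuty and Security Hub delegated administrators as recommended above, since a mismatch means the Security Incident Response membership would not see the findings those services produce. The POSIX shell script below is an added example and is not code from the AWS documentation or the service. It assumes AWS CLI v2 with credentials for the candidate membership account and a Region where GuardDuty and Security Hub are enabled; the `aws security-ir list-memberships` call is assumed from the service API and should be checked against `aws security-ir help`. All account IDs in the comments are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check for choosing an AWS Security Incident Response membership
# account. Added example, not AWS-provided code. Assumes AWS CLI v2 and
# credentials for the account under evaluation.
set -eu

# Pure check: the caller must be the management account or appear in the
# newline-separated list of Organizations delegated administrator IDs.
# Returns 0 when allowed, 1 otherwise.
check_role() {
  caller="$1"; mgmt="$2"; delegated_list="$3"
  if [ "$caller" = "$mgmt" ]; then
    return 0
  fi
  printf '%s\n' "$delegated_list" | grep -qx "$caller"
}

# Pure check: the caller should be the GuardDuty and Security Hub delegated
# administrator (the alignment recommended in step 1). Returns 0 when both
# match, 1 when either differs; warnings go to stderr.
check_alignment() {
  caller="$1"; gd_admin="$2"; sh_admin="$3"
  status=0
  if [ "$caller" != "$gd_admin" ]; then
    echo "WARN: GuardDuty delegated admin is '$gd_admin', not $caller" >&2
    status=1
  fi
  if [ "$caller" != "$sh_admin" ]; then
    echo "WARN: Security Hub delegated admin is '$sh_admin', not $caller" >&2
    status=1
  fi
  return $status
}

# Live check against the AWS APIs (only runs when invoked with --run).
run_precheck() {
  caller=$(aws sts get-caller-identity --query Account --output text)
  mgmt=$(aws organizations describe-organization \
           --query Organization.MasterAccountId --output text)
  delegated=$(aws organizations list-delegated-administrators \
                --query 'DelegatedAdministrators[].Id' --output text | tr '\t' '\n')
  # Enabled delegated admins for the two services the membership integrates with.
  gd_admin=$(aws guardduty list-organization-admin-accounts \
               --query 'AdminAccounts[?AdminStatus==`ENABLED`].AdminAccountId' --output text)
  sh_admin=$(aws securityhub list-organization-admin-accounts \
               --query 'AdminAccounts[?Status==`ENABLED`].AccountId' --output text)

  echo "Caller account:          $caller"
  echo "Management account:      $mgmt"
  check_role "$caller" "$mgmt" "$delegated" \
    || { echo "FAIL: $caller is neither the management account nor a delegated administrator" >&2; exit 1; }
  check_alignment "$caller" "$gd_admin" "$sh_admin" \
    || echo "Proceeding, but consider onboarding from the GuardDuty/Security Hub admin account instead." >&2

  # Assumed from the service API: lists memberships already created, so you do
  # not create a second one by mistake.
  aws security-ir list-memberships --output table || true
}

if [ "${1:-}" = "--run" ]; then
  run_precheck
fi
```

Run it with `sh precheck.sh --run` from the account you intend to use; a FAIL stops you before you create a membership in an account that cannot manage the organization, while the WARN lines only flag a deviation from the recommended alignment.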