Step 1: Enable AWS Security Incident Response
The onboarding process takes approximately 10 to 15 minutes per AWS organization. For a walkthrough, see the Getting Started video in the service documentation.
To enable AWS Security Incident Response

- Sign in to the AWS Management Console using your management account.
- Open the AWS Security Incident Response console and choose Sign up.
- Designate a security tooling account as the delegated administrator.
  - For guidance, see Security Reference Architecture in AWS Prescriptive Guidance and Delegated administrator.
- Sign in to the delegated administrator account.
- Enter your membership details and associate the relevant accounts.
- For Account scope, choose to enable AWS Security Incident Response for your entire AWS organization or for specific OUs. You can select coverage at the OU level, but not at the individual account level.
- For Proactive Response, confirm that the setting is enabled. Proactive response is on by default and creates a service-linked role that allows AWS SIRT to ingest GuardDuty findings and open proactive investigation cases when threats are detected. For more information, see Proactive response.
  Important: The service-linked role is not automatically deployed to the management account. You must configure it manually for complete coverage. For instructions, see Setup proactive response and alert triaging workflows.
- (Optional) Choose to pre-authorize AWS SIRT to perform containment actions on your behalf during active incidents. Supported containment actions include runbooks for compromised S3 buckets, EC2 instances, and IAM principals. If you skip this step, SIRT will provide manual guidance during investigations. For more information, see Containment actions.
- Review the service permissions and onboarding configuration, then choose Sign up.
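A post-onboarding coverage check for the two gaps the procedure above calls out (the delegated administrator registration and the service-linked role that is not created in the management account automatically). This is an added example, not code from the AWS documentation; it assumes the Organizations service principal is `security-ir.amazonaws.com` and uses a placeholder for the service-linked role name, which you should replace with the name IAM shows after proactive response is enabled.

```python
"""Coverage check after enabling AWS Security Incident Response (added example).

Labelled assumptions:
- SERVICE_PRINCIPAL is assumed to be "security-ir.amazonaws.com" (the CLI
  namespace is security-ir); verify against your Organizations console.
- SLR_NAME is a placeholder for the proactive-response service-linked role name.
"""
from __future__ import annotations

SERVICE_PRINCIPAL = "security-ir.amazonaws.com"        # assumption, see docstring
SLR_NAME = "<PROACTIVE_RESPONSE_SERVICE_LINKED_ROLE>"  # placeholder, see docstring


def delegated_admin_ok(delegated_admins: list[dict], tooling_account_id: str) -> bool:
    """True when the security tooling account is an ACTIVE delegated administrator.
    `delegated_admins` has the shape of the DelegatedAdministrators list returned by
    organizations:ListDelegatedAdministrators(ServicePrincipal=SERVICE_PRINCIPAL)."""
    return any(a.get("Id") == tooling_account_id and a.get("Status") == "ACTIVE"
               for a in delegated_admins)


def accounts_missing_slr(accounts: list[str], roles_by_account: dict[str, set[str]],
                         role_name: str = SLR_NAME) -> list[str]:
    """Account IDs in scope (management account included) that lack the
    proactive-response service-linked role. `roles_by_account` maps an account ID
    to the set of IAM role names present in that account."""
    return sorted(a for a in accounts if role_name not in roles_by_account.get(a, set()))


def live_check(tooling_account_id: str, role_name: str = SLR_NAME) -> dict:
    """Same checks against the current account via boto3; run with management-account
    credentials. boto3 is imported lazily so the offline sample below needs no AWS access."""
    import boto3
    org = boto3.client("organizations")
    admins = [a for page in org.get_paginator("list_delegated_administrators")
              .paginate(ServicePrincipal=SERVICE_PRINCIPAL)
              for a in page["DelegatedAdministrators"]]
    iam = boto3.client("iam")
    try:
        iam.get_role(RoleName=role_name)  # succeeds only if the SLR exists here
        slr_present = True
    except iam.exceptions.NoSuchEntityException:
        slr_present = False
    return {"delegated_admin_ok": delegated_admin_ok(admins, tooling_account_id),
            "management_account_slr_present": slr_present}


# Constructed sample data: management account 111111111111 never received the
# service-linked role; the delegated admin (222222222222) and one member did.
SAMPLE_ADMINS = [{"Id": "222222222222", "Status": "ACTIVE"}]
SAMPLE_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
SAMPLE_ROLES = {"222222222222": {SLR_NAME, "OrganizationAccountAccessRole"},
                "333333333333": {SLR_NAME}}
```

Running `accounts_missing_slr(SAMPLE_ACCOUNTS, SAMPLE_ROLES)` on the constructed data flags only the management account, which matches the caveat in the Important note.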