

# Step 1: Enable AWS Security Incident Response

 The onboarding process takes approximately 10 to 15 minutes per AWS organization. For a walkthrough, see the [Getting Started video](https://docs.aws.amazon.com/security-ir/latest/userguide/getting-started.html) in the service documentation. 

**To enable AWS Security Incident Response**

1. Sign in to the AWS Management Console using your management account.

1. Open the AWS Security Incident Response console and choose **Sign up**.  
![\[AWS Security Incident Response sign-up page with the Sign up button.\]](http://docs.aws.amazon.com/security-ir/latest/userguide/images/AWS_Security_incident_Response.png)

1. Designate a security tooling account as the delegated administrator.
   + For guidance, see [Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html) in *AWS Prescriptive Guidance* and [Delegated administrator](https://docs.aws.amazon.com/security-ir/latest/userguide/delegated-admin.html).  
![\[Set up central membership account page for selecting a delegated administrator account.\]](http://docs.aws.amazon.com/security-ir/latest/userguide/images/Set_Up_Central_Membership_Account.png)

1. Sign in to the delegated administrator account.

1. Enter your membership details and associate the relevant accounts.

1. For **Account scope**, choose to enable AWS Security Incident Response for your entire AWS organization or for specific OUs. You can select coverage at the OU level, but not at the individual account level.

1. For **Proactive Response**, confirm that the setting is enabled. Proactive response is on by default and creates a service-linked role that allows AWS SIRT to ingest GuardDuty findings and open proactive investigation cases when threats are detected. For more information, see [Proactive response](https://docs.aws.amazon.com/security-ir/latest/userguide/proactive-response.html).
**Important**  
 The service-linked role is not automatically deployed to the management account. You must configure it manually for complete coverage. For instructions, see [Setup proactive response and alert triaging workflows](setup-monitoring-and-investigation-workflows.md). 

1. (Optional) Choose to pre-authorize AWS SIRT to perform containment actions on your behalf during active incidents. Supported containment actions include runbooks for compromised S3 buckets, EC2 instances, and IAM principals. If you skip this step, SIRT will provide manual guidance during investigations. For more information, see [Containment actions](https://docs.aws.amazon.com/security-ir/latest/userguide/containment.html).

1. Review the service permissions and onboarding configuration, then choose **Sign up**.  
![\[Review service permissions screen showing the permissions that AWS Security Incident Response requires to monitor findings.\]](http://docs.aws.amazon.com/security-ir/latest/userguide/images/Review_Service_Permissions.png)  
![\[Sign up confirmation screen for enabling proactive response monitoring.\]](http://docs.aws.amazon.com/security-ir/latest/userguide/images/Review_and_Sign_Up.png)