
Document history - AWS Security Incident Response User Guide

Document history

The following table describes important additions to the AWS Security Incident Response documentation, beginning January 1, 2026. For notification about updates to this documentation, you can subscribe to the RSS feed.

Change Description Date

Revised containment documentation

Consolidated the containment page with updated descriptions of supported containment actions, containment decision-making, strategy development, staged containment approach, and how containment relates to the incident lifecycle.

June 26, 2026

Added Deploy containment and EC2 Triage roles to Onboarding guide

Moved and rewrote the AWS CloudFormation StackSets documentation as a new onboarding step. Added a step-by-step procedure for creating a StackSet with service-managed permissions and updated the template descriptions for containment-only and containment with EC2 Triage options.

June 26, 2026

Added IAM permissions requirement for delegated administrator during enablement

Added a prerequisite specifying that the IAM principal used to sign in to the delegated administrator account must have AdministratorAccess permissions. Added a note at the sign-in step in the enablement procedure clarifying that insufficient permissions cause the step to fail.

June 19, 2026

Added service-linked role cleanup guidance to Cancel Membership

Added an important note clarifying that the AWSServiceRoleForSecurityIncidentResponse and AWSServiceRoleForSecurityIncidentResponse_Triage service-linked roles are not automatically deleted after membership cancellation. You must manually delete these roles from all accounts that were in scope.

June 17, 2026

Renamed Post incident report to Monthly report

Renamed the Post incident report section to Monthly report. Updated the section to clarify that reports are sent to all contacts on the Incident Response team, include delivery timing, and document the email subject line format.

May 13, 2026

Updated onboarding documentation

Updated the Enable AWS Security Incident Response topic to clarify that AWS Security Incident Response automatically creates the AWSServiceRoleForSecurityIncidentResponse_Triage service-linked role in the AWS Organizations management account when using the console. Added a link to instructions for enabling Security Incident Response using the API/CLI.

May 7, 2026

Added Enable Security Incident Response using the API/CLI topic

Added a new topic with step-by-step CLI instructions for enabling AWS Security Incident Response using the Delegated Administrator sign-up and management account sign-up methods.

May 7, 2026

Clarified proactive response requirements for Amazon GuardDuty and third-party findings

Clarified that Amazon GuardDuty is not required to use proactive response. AWS Security Incident Response can also monitor and investigate threat alerts from third-party threat detection tools using Security Hub CSPM integrations. Updated the section to accurately describe detection service requirements and the value of configuring findings ingestion.

May 5, 2026

Added supported operating systems for EC2 Triage

Added a list of supported operating systems for the EC2 Triage capability, including Linux distributions (Amazon Linux 2, Amazon Linux 2023, Ubuntu, RHEL, CentOS, SLES, and Debian) and Windows Server versions.

April 29, 2026

Update policy description for AWSSecurityIncidentResponseReadOnlyAccess

Updated policy to add security-ir:ListInvestigations action.

April 22, 2026

Update policy description for AWSSecurityIncidentResponseFullAccess

Updated the policy to add AWS Organizations permissions and removed the MFA condition.

April 22, 2026

Update policy description for AWSSecurityIncidentResponseCaseFullAccess

Updated the policy to add the security-ir:ListInvestigations and security-ir:SendFeedback actions and removed the MFA condition.

April 22, 2026

EC2 Triage feature for AWS Security Incident Response

Added EC2 Triage capability that enables AWS Security Incident Response to collect investigative information from Amazon Elastic Compute Cloud instances using AWS Systems Manager Run Command during security investigations. Updated Detect and Analyze page to document EC2 Triage prerequisites and capabilities.

April 20, 2026

EC2 Triage feature for AWS Security Incident Response

Updated CloudFormation StackSets documentation to provide two template options: Containment only and Containment with EC2 Triage. The Containment with EC2 Triage template includes additional permissions for investigative data collection from Amazon EC2 instances.

April 20, 2026

Data collection, Regional behavior, and compliance guidance for regulated customers

Added new sections on data collection and usage, data residency and Regional behavior, and data access and permissions. Expanded the compliance validation section with shared responsibility and metadata classification guidance for customers in regulated industries.

April 17, 2026

Updated onboarding guide

Updated the onboarding guide with a new step-by-step structure, including preparation steps, prerequisites, and streamlined configuration workflows for incident response teams, case types, and tool integrations.

April 7, 2026

Update policy description for AWS Security Incident Response Triage Service Role Policy

Updated the policy description for the AWS Security Incident Response Triage Service Role Policy to reflect changes that allow the service to improve service tuning and gather information to investigate potential incidents.

March 27, 2026

Submit metadata

Added instructions for submitting metadata through AWS Support cases.

March 27, 2026

Submit containment preferences

Added instructions for submitting containment preferences through AWS Support cases.

March 27, 2026

Containment StackSet template

Updated the containment StackSet CloudFormation template.

March 27, 2026

Clarified AWS Region considerations for delegated administrator accounts

Clarified that while you designate a delegated AWS Security Incident Response administrator account in one AWS Region during initial setup, the service provides organization-wide coverage across all supported AWS Regions.

March 20, 2026

Define containment action preferences

Updated the containment action preferences section to match current options.

March 19, 2026

Proactive Response and Alert Triaging

Removed references to proactive response and alert triaging workflow being optional.

March 3, 2026

Response Timeline

Updated response timeline to specify 15-minute SLO for case acknowledgment and 5 business days for customer response before case closure.

February 24, 2026

Communication Best Practices

Updated case closure timeline to specify 5 business days for customer response to critical information requests.

February 24, 2026

AWS CLI reference added in Interacting with Security Incident Response using AWS CloudShell

Added link to the AWS Command Line Interface Reference for AWS Security Incident Response.

February 24, 2026

RACI Matrix

Updated "Authorize CIRT containment actions" to "Authorize containment actions" in the RACI matrix.

February 13, 2026

Containment Preferences

Updated containment preference options from "No containment actions", "Containment with approval", and "Automatic containment" to "Approval Required", "Contain Confirmed", and "Contain Suspected" with revised descriptions.

February 13, 2026

Post Deployment of Security Incident Response

Added link to the AWS Security Incident Response: New Integrations and OU-Level Subscription demo.

February 4, 2026

Monitoring and Investigation

Added revised content to the intro and subsections on this page.

February 4, 2026

Detect and Analyze

Added revised content to the intro and subsections on this page.

February 4, 2026

Contain

Added revised content to this page.

February 4, 2026

AI Investigative Agent

Added Use of customer data disclaimer to this page. Disclaimer: AI Investigative Agent does not use customer data for model training, and it does not share customer data with third parties.

February 4, 2026

Earlier updates
    Change Description Date

    Cancel Membership

    Updated the cancel membership page to indicate that the membership and service end immediately upon cancellation, not at the end of the billing cycle.

    November 20, 2025

    AWS Managed Policies

    Added update cases, create case comments, list cases, list case comments to the list of actions that the service provides.

    November 19, 2025

    Using service-linked roles

    Added update cases, create case comments, list cases, list case comments to the list of actions that the service provides.

    November 19, 2025

    Communication Preferences

    Created and updated: Added the Communications Preferences section for new feature documentation.

    November 12, 2025

    Onboarding Guide Addition and Updates

    Created and updated: Added the onboarding guide, including the following sections:

    Added Enable Security Incident Response section.

    Added Authorize Security Incident Response engineers to perform threat containment actions section.

    Added Post Deployment of Security Incident Response section.

    Added Update the Incident Response Team section.

    Added GuardDuty Findings and Suppression Rules section.

    Added Amazon EventBridge section.

    Added Integrations and External Tooling Workflow section.

    Added External Tooling Workflow section.

    Added Appendix A: Points of Contact section.

    November 12, 2025

    Compliance and Billing Language Updates

    Updated: Removed the statement that AWS Security Incident Response is not covered under any compliance frameworks. AWS Security Incident Response is now covered under HITRUST, with more frameworks to come in the future.

    Updated Visibility and Control to add AWS Security Incident Response.

    Updated Cancel Membership to clarify service billing periods.

    Added a video to Getting Started that provides additional context for typical tasks to begin using AWS Security Incident Response.

    August 15, 2025

    Updated – AWSSecurityIncidentResponseServiceRolePolicy

    The policy now includes two new actions, "organizations:DescribeAccount" and "organizations:ListDelegatedAdministrators", and a new condition that restricts these calls to resources in the calling principal's own account:

    "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } }
    TBD

    Feature update: subscribing to specific organizational units (OUs) or your entire AWS organization

    Help panels in the user interface have been updated to reflect an update for subscribing to specific organizational units (OUs) or your entire AWS organization.

    New page created for Managing membership with organizational units (OUs).

    Pages related to AWS Organizations updated to reflect new OU management features.

    August 7, 2025

    Updated service quotas

    Service Quotas page updated to direct users to the AWS General Reference Guide for AWS Security Incident Response endpoints and quotas.

    August 7, 2025

    User feedback updates

    Added hyperlinks for the service to AWS Security Incident Response Cases.

    Updated the Security Technical Guide to reflect the Computer Security Incident Handling Guide, SP 800-61 r3.

    August 7, 2025

    Added page for Amazon EventBridge integration with AWS Security Incident Response.

    New content section describing how Amazon EventBridge integrates with AWS Security Incident Response.

    June 26, 2025

    Updated the service-linked role (SLR) policy to add permissions that support service entitlements.

    AWSSecurityIncidentResponseTriageServiceRolePolicy has been updated to add the security-ir:GetMembership, security-ir:ListMemberships, security-ir:UpdateCase, guardduty:ListFilters, guardduty:UpdateFilter, guardduty:DeleteFilter, and guardduty:GetAdministratorAccount permissions. guardduty:GetAdministratorAccount was added to facilitate management of GuardDuty auto-archival filters in delegated accounts.

    June 2, 2025

    Resource updates.

    Updated https://docs.aws.amazon.com/security-ir/latest/userguide/appendix-b-incident-response-resources.html#playbook-resources to reflect active workshops available for customers.

    May 23, 2025

    Service supports Japanese language.

    Updated supported configurations to identify Japanese language support in Japan local time. English is supported globally.

    May 13, 2025

    Content updates and customer feedback.

    Added a note to https://docs.aws.amazon.com/security-ir/latest/userguide/select-a-membership-account.html to reflect an additional task when using a delegated administrator account as part of setup.

    Updated the customer experience when working with a service generated case and Detect and Analyze.

    Updated account cancellation details to provide better clarity on billing implications in cancelling a membership.

    May 9, 2025

    Added three new supported Regions.

    Added three new Regions to https://docs.aws.amazon.com/security-ir/latest/userguide/supported-configs.html: Mumbai, Paris, and São Paulo.

    May 7, 2025

    Updated: Updates from customer comments on docs.

    Spelling and grammar errors on multiple pages corrected.

    Updated https://docs.aws.amazon.com/en_us/security-ir/latest/userguide/organizations_permissions.html to accurately reflect security-ir as the service prefix.

    Added a note to https://docs.aws.amazon.com/security-ir/latest/userguide/source-containment.html regarding Route53 and DNS.

    February 7, 2025

    Updated: Updates from customer comments on docs.

    Updated https://docs.aws.amazon.com/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.html to reference the StackSet template.

    Corrected entries triage.security-ir.com to triage.security-ir.amazonaws.com

    Added tracked connections note for AWSSupport-ContainEC2Reversible on https://docs.aws.amazon.com/security-ir/latest/userguide/contain.html.

    Fixed broken link on https://docs.aws.amazon.com/security-ir/latest/userguide/managing-associated-accounts.html.

    Added a definition for membership account at https://docs.aws.amazon.com/security-ir/latest/userguide/select-a-membership-account.html.

    Added a clarification note to https://docs.aws.amazon.com/en_us/security-ir/latest/userguide/using-service-linked-roles.html for AWS Organizations management accounts.

    December 20, 2024

    Updated: Updates from customer comments on docs.

    Removed multiple duplicate AWS AWS in text.

    Fixed broken links on https://docs.aws.amazon.com/security-ir/latest/userguide/sir_tagging.html and https://docs.aws.amazon.com/security-ir/latest/userguide/service-name-info-in-cloudtrail.html.

    Updates to https://docs.aws.amazon.com/security-ir/latest/userguide/contain.html. Removed the > from first paragraph. Replaced AWSSupport-ContainEC2Reversible with AWSSupport-ContainEC2Instance. Replaced AWSSupport-ContainIAMReversible with AWSSupport-ContainIAMPrincipal. Replaced AWSSupport-ContainS3Reversible with AWSSupport-ContainS3Resource.

    Updated formatting on https://docs.aws.amazon.com/en_us/security-ir/latest/userguide/issues.html.

    https://docs.aws.amazon.com/security-ir/latest/userguide/understand-response-teams-and-support.html now lists the options to select in the support form when contacting Security Incident Response through a support case.

    Removed CloudWatch Events and replaced with EventBridge on https://docs.aws.amazon.com/security-ir/latest/userguide/logging-and-events.html.

    Grammar updates on https://docs.aws.amazon.com/security-ir/latest/userguide/technique-access-containment.html .

    Removed publication date from https://docs.aws.amazon.com/security-ir/latest/userguide/security-incident-response-guide.html, replaced by updates in this table.

    December 10, 2024

    Updated: AWS managed policies and service-linked roles.

    Updates to managed policies and service-linked roles.

    December 1, 2024

    Service launch

    Initial service docs for service launch at re:Invent 2024.

    December 1, 2024