# Document history
The following table describes important additions to the AWS Security Incident Response documentation, beginning January 1, 2026. For notification about updates to this documentation, you can subscribe to the RSS feed.
| Change | Description | Date |
| --- |--- |--- |
| [Revised containment documentation](https://docs.aws.amazon.com/security-ir/latest/userguide/contain.html) | Consolidated the containment page with updated descriptions of supported containment actions, containment decision-making, strategy development, staged containment approach, and how containment relates to the incident lifecycle. | June 26, 2026 |
| [Added Deploy containment and EC2 Triage roles to Onboarding guide](https://docs.aws.amazon.com/security-ir/latest/userguide/working-with-stacksets.html) | Moved and rewrote the AWS CloudFormation StackSets documentation as a new onboarding step. Added a step-by-step procedure for creating a StackSet with service-managed permissions and updated the template descriptions for containment-only and containment with EC2 Triage options. | June 26, 2026 |
| [Added IAM permissions requirement for delegated administrator during enablement](https://docs.aws.amazon.com/security-ir/latest/userguide/onboarding-prerequisites.html) | Added a prerequisite specifying that the IAM principal used to sign in to the delegated administrator account must have `AdministratorAccess` permissions. Added a note at the sign-in step in the enablement procedure clarifying that insufficient permissions cause the step to fail. | June 19, 2026 |
| [Added service-linked role cleanup guidance to Cancel Membership](https://docs.aws.amazon.com/security-ir/latest/userguide/cancel-membership.html) | Added an important note clarifying that the `AWSServiceRoleForSecurityIncidentResponse` and `AWSServiceRoleForSecurityIncidentResponse_Triage` service-linked roles are not automatically deleted after membership cancellation. You must manually delete these roles from all accounts that were in scope. | June 17, 2026 |
| [Renamed Post incident report to Monthly report](https://docs.aws.amazon.com/security-ir/latest/userguide/monthly-report.html) | Renamed the Post incident report section to Monthly report. Updated the section to clarify that reports are sent to all contacts on the Incident Response team, include delivery timing, and document the email subject line format. | May 13, 2026 |
| [Updated onboarding documentation](https://docs.aws.amazon.com/security-ir/latest/userguide/deploy-configure.html) | Updated the Enable AWS Security Incident Response topic to clarify that AWS Security Incident Response automatically creates the `AWSServiceRoleForSecurityIncidentResponse_Triage` service-linked role in the AWS Organizations management account when using the console. Added a link to instructions for enabling Security Incident Response using the API/CLI. | May 7, 2026 |
| [Added Enable Security Incident Response using the API/CLI topic](https://docs.aws.amazon.com/security-ir/latest/userguide/enable-sir-cli.html) | Added a new topic with step-by-step CLI instructions for enabling AWS Security Incident Response using the Delegated Administrator sign-up and management account sign-up methods. | May 7, 2026 |
| [Clarified proactive response requirements for Amazon GuardDuty and third-party findings](https://docs.aws.amazon.com/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.html) | Clarified that Amazon GuardDuty is not required to use proactive response. AWS Security Incident Response can also monitor and investigate threat alerts from third-party threat detection tools using Security Hub CSPM integrations. Updated the section to accurately describe detection service requirements and the value of configuring findings ingestion. | May 5, 2026 |
| [Added supported operating systems for EC2 Triage](https://docs.aws.amazon.com/security-ir/latest/userguide/detect-and-analyze.html) | Added a list of supported operating systems for the EC2 Triage capability, including Linux distributions (Amazon Linux 2, Amazon Linux 2023, Ubuntu, RHEL, CentOS, SLES, and Debian) and Windows Server versions. | April 29, 2026 |
| [Update policy description for `AWSSecurityIncidentResponseReadOnlyAccess`](https://docs.aws.amazon.com/security-ir/latest/userguide/aws-managed-policies.html) | Updated policy to add `security-ir:ListInvestigations` action. | April 22, 2026 |
| [Update policy description for `AWSSecurityIncidentResponseFullAccess`](https://docs.aws.amazon.com/security-ir/latest/userguide/aws-managed-policies.html) | Updated policy to add AWS Organizations permissions and removed MFA condition. | April 22, 2026 |
| [Update policy description for `AWSSecurityIncidentResponseCaseFullAccess`](https://docs.aws.amazon.com/security-ir/latest/userguide/aws-managed-policies.html) | Updated policy to add `security-ir:ListInvestigations` and `security-ir:SendFeedback` actions and removed MFA condition. | April 22, 2026 |
| [EC2 Triage feature for AWS Security Incident Response](https://docs.aws.amazon.com/security-ir/latest/userguide/detect-and-analyze.html) | Added EC2 Triage capability that enables AWS Security Incident Response to collect investigative information from Amazon Elastic Compute Cloud instances using AWS Systems Manager Run Command during security investigations. Updated Detect and Analyze page to document EC2 Triage prerequisites and capabilities. | April 20, 2026 |
| [EC2 Triage feature for AWS Security Incident Response](https://docs.aws.amazon.com/security-ir/latest/userguide/working-with-stacksets.html) | Updated CloudFormation StackSets documentation to provide two template options: Containment only and Containment with EC2 Triage. The Containment with EC2 Triage template includes additional permissions for investigative data collection from Amazon EC2 instances. | April 20, 2026 |
| [Data collection, Regional behavior, and compliance guidance for regulated customers](https://docs.aws.amazon.com/security-ir/latest/userguide/data-collection-and-usage.html) | Added new sections on data collection and usage, data residency and Regional behavior, and data access and permissions. Expanded the compliance validation section with shared responsibility and metadata classification guidance for customers in regulated industries. | April 17, 2026 |
| [Updated onboarding guide](https://docs.aws.amazon.com/security-ir/latest/userguide/onboarding-guide.html) | Updated the onboarding guide with a new step-by-step structure, including preparation steps, prerequisites, and streamlined configuration workflows for incident response teams, case types, and tool integrations. | April 7, 2026 |
| [Update policy description for AWS Security Incident Response Triage Service Role Policy](https://docs.aws.amazon.com/security-ir/latest/userguide/aws-managed-policies.html) | Update policy description for AWS Security Incident Response Triage Service Role Policy to reflect changes that allow the service to improve service tuning and gather information to investigate potential incidents. | March 27, 2026 |
| [Submit metadata](https://docs.aws.amazon.com/security-ir/latest/userguide/appendix.html) | Added instructions for submitting metadata through AWS Support cases. | March 27, 2026 |
| [Submit containment preferences](https://docs.aws.amazon.com/security-ir/latest/userguide/submit-containment-preferences.html) | Added instructions for submitting containment preferences through AWS Support cases. | March 27, 2026 |
| [Containment StackSet template](https://docs.aws.amazon.com/security-ir/latest/userguide/working-with-stacksets.html) | Updated the containment StackSet CloudFormation template. | March 27, 2026 |
| [Clarified AWS Region considerations for delegated administrator accounts](https://docs.aws.amazon.com/security-ir/latest/userguide/considerations_important.html) | Clarified that while you designate a delegated AWS Security Incident Response administrator account in one AWS Region during initial setup, the service provides organization-wide coverage across all supported AWS Regions. | March 20, 2026 |
| [Define containment action preferences](https://docs.aws.amazon.com/security-ir/latest/userguide/define-containment-preferences.html) | Updated the containment action preferences section to match current options. | March 19, 2026 |
| [Proactive Response and Alert Triaging](https://docs.aws.amazon.com/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.html) | Removed references to proactive response and alert triaging workflow being optional. | March 3, 2026 |
| [Response Timeline](https://docs.aws.amazon.com/security-ir/latest/userguide/what-to-expect-from-aws-sir-engineers.html) | Updated response timeline to specify 15-minute SLO for case acknowledgment and 5 business days for customer response before case closure. | February 24, 2026 |
| [Communication Best Practices](https://docs.aws.amazon.com/security-ir/latest/userguide/communication-best-practices.html) | Updated case closure timeline to specify 5 business days for customer response to critical information requests. | February 24, 2026 |
| [AWS CLI reference added in Interacting with Security Incident Response using AWS CloudShell](https://docs.aws.amazon.com/security-ir/latest/userguide/cshell-examples.html) | Added link to the AWS Command Line Interface Reference for AWS Security Incident Response. | February 24, 2026 |
| [RACI Matrix](https://docs.aws.amazon.com/security-ir/latest/userguide/raci-matrix.html) | Updated "Authorize CIRT containment actions" to "Authorize containment actions" in the RACI matrix. | February 13, 2026 |
| [Containment Preferences](https://docs.aws.amazon.com/security-ir/latest/userguide/define-containment-preferences.html) | Updated containment preference options from "No containment actions", "Containment with approval", and "Automatic containment" to "Approval Required", "Contain Confirmed", and "Contain Suspected" with revised descriptions. | February 13, 2026 |
| [Post Deployment of Security Incident Response](https://docs.aws.amazon.com/security-ir/latest/userguide/post-deploy.html) | Added link to the AWS Security Incident Response: New Integrations and OU-Level Subscription demo. | February 4, 2026 |
| [Monitoring and Investigation](https://docs.aws.amazon.com/security-ir/latest/userguide/monitoring-and-investigation.html) | Added revised content to intro and sub sections on this page. | February 4, 2026 |
| [Detect and Analyze](https://docs.aws.amazon.com/security-ir/latest/userguide/detect-and-analyze.html) | Added revised content to intro and sub sections on this page. | February 4, 2026 |
| [Contain](https://docs.aws.amazon.com/security-ir/latest/userguide/contain.html) | Added revised content to this page. | February 4, 2026 |
| [AI Investigative Agent](https://docs.aws.amazon.com/security-ir/latest/userguide/ai-investigative-agent.html) | Added Use of customer data disclaimer to this page. Disclaimer: AI Investigative Agent does not use customer data for model training, and it does not share customer data with third parties. | February 4, 2026 |
**Topics**
| Change | Description | Date |
| --- | --- | --- |
| Cancel Membership | Updated [ cancel membership page to indicate that the membership and service will end immediately upon cancellation and not as the end of the billing cycle.](https://docs.aws.amazon.com//security-ir/latest/userguide/cancel-membership.html) | November 20, 2025 |
| AWS Managed Policies | Added [ update cases, create case comments, list cases, list case comments to the list of actions that the service provides.](https://docs.aws.amazon.com/security-ir/latest/userguide/aws-managed-policies.html#AWSSecurityIncidentResponseServiceRolePolicy) | November 19, 2025 |
| Using service-linked roles | Added [ update cases, create case comments, list cases, list case comments to the list of actions that the service provides.](https://docs.aws.amazon.com/security-ir/latest/userguide/using-service-linked-roles.html) | November 19, 2025 |
| Communication Preferences | Created and Updated [Added Communications Preferences section for new feature documentation.](https://docs.aws.amazon.com/security-ir/latest/userguide/communication-preferences.html) | November 12, 2025 |
| Onboarding Guide Addition and Updates | Created and Updated [Added onboarding guide including the following sections](https://docs.aws.amazon.com/security-ir/latest/userguide/onboarding-guide.html)
Added [Enable Security Incident Response](https://docs.aws.amazon.com/security-ir/latest/userguide/deploy-configure.html) section.
Added [Authorize Security Incident Response engineers to perform threat containment actions](https://docs.aws.amazon.com/security-ir/latest/userguide/authorize-security-incident-response.html) section.
Added [Post Deployment of Security Incident Response](https://docs.aws.amazon.com/security-ir/latest/userguide/post-deploy.html) section.
Added [Update the Incident Response Team](https://docs.aws.amazon.com/security-ir/latest/userguide/support-case.html)section.
Added [GuardDuty Findings and Suppression Rules](https://docs.aws.amazon.com/security-ir/latest/userguide/guard-duty.html)section.
Added [Amazon EventBridge](https://docs.aws.amazon.com/security-ir/latest/userguide/amazon-eventbridge.html)section.
Added [Integrations and External Tooling Workflow](https://docs.aws.amazon.com/security-ir/latest/userguide/integrations-external-tooling.html)section.
Added [External Tooling Workflow](https://docs.aws.amazon.com/security-ir/latest/userguide/external-tooling.html) section.
Added [Appendix A: Points of Contact](https://docs.aws.amazon.com/security-ir/latest/userguide/appendix.html)section. | November 12, 2025 |
| Compliance and Billing Lanugage Updates | Updated [Removed statement that AWS Security Incident Response is not covered under any frameworks. AWS Security Incident Response is now covered under HITRUST with more to come in the future.](https://docs.aws.amazon.com/security-ir/latest/userguide/compliance-validation.html)
Updated [Visiblity and Control](https://docs.aws.amazon.com/security-ir/latest/userguide/visibility-and-alerting.html) to add AWS Security Incident Response
Updated [Cancel Membership](https://docs.aws.amazon.com/security-ir/latest/userguide/cancel-membership.html) to clarify service billing periods.
Added a video to [Getting Started](https://docs.aws.amazon.com/security-ir/latest/userguide/getting-started.html) that provides additional context for typical tasks to begin using AWS Security Incident Response. | August 15, 2025 |
| Updated – [AWSSecurityIncidentResponseServiceRolePolicy](aws-managed-policies.md#AWSSecurityIncidentResponseServiceRolePolicy) | The policy now includes two new actions for `"organizations:DescribeAccount"`, `"organizations:ListDelegatedAdministrators"` and a new condition:
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
| TBD |
| Feature update: subscribing to specific organizational units (OUs) or your entire AWS organization | Help panels in the user interface have been updated to reflect an update for subscribing to specific organizational units (OUs) or your entire AWS organization.
New page create for [Managing membership with organizational units (OUs)](https://docs.aws.amazon.com/security-ir/latest/userguide/managing-membership-with-ou.html)
Pages related to AWS Organizations updated to reflect new OU management features. | August 7, 2025 |
| Updated service quotas | Service Quotas page updated to guide users toward the AWS General Reference Guide for [AWS Security Incident Response endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/securityir.html) | August 7, 2025 |
| User feedback updates | Added hyperlinks for the service to [AWS Security Incident Response Cases](https://docs.aws.amazon.com/security-ir/latest/userguide/cases.html)
Update to reflect Computer Security Incident Handling Guide SP 800-61 r3 on [for the Security Technical Guide](https://docs.aws.amazon.com/security-ir/latest/userguide/introduction.html) | August 7, 2025 |
| Adding page for Amazon EventBridge integration with AWS Security Incident Response. | New content section to describe how Amazon EventBridge integates in AWS Security Incident Response. | June 26, 2025 |
| Updates to SLR adding permissions to support service entitlements. | [AWSSecurityIncidentResponseTriageServiceRolePolicy](aws-managed-policies.md#AWSSecurityIncidentResponseTriageServiceRolePolicy) has been updated to add security-ir:GetMembership, security-ir:ListMemberships, security-ir:UpdateCase, guardduty:ListFilters, guarduty:UpdateFilter, guardduty:DeleteFilter, and guardduty:GetAdministratorAccount permissions. guardduty:GetAdministratorAccount was added to facilitate management of GuardDuty Auto-Archival filters in delegated accounts. | June 02, 2025 |
| Resource Updates. | Updated https://docs.aws.amazon.com/security-ir/latest/userguide/appendix-b-incident-response-resources.html\#playbook-resources to reflect active workshops available for customers. | May 23, 2025 |
| Service supports Japanese language. | Updated supported configurations to identify Japanese language support in Japan local time. English is supported globally. | May 13, 2025 |
| Content updates and customer feedback. | Added a note to https://docs.aws.amazon.com/security-ir/latest/userguide/select-a-membership-account.html to reflect an additional task when using a delegated administrator account as part of setup.
Updated the customer experience when working with a [service generated case](https://docs.aws.amazon.com/security-ir/latest/userguide/responding-to-an-aws-generated-case.html) and [Detect and Analyze](https://docs.aws.amazon.com/security-ir/latest/userguide/detect-and-analyze.html).
Updated account cancellation details to provide better clarity on billing implications in [cancelling a membership](https://docs.aws.amazon.com/security-ir/latest/userguide/cancel-membership.html). | 9 May, 2025 |
| Adding three new supported regions. | Added three new new regions to https://docs.aws.amazon.com/security-ir/latest/userguide/supported-configs.html. Mumbai, Paris, and São Paulo. | 7 May, 2025 |
| Updated: Updates from customer comments on docs. | Spelling and grammar errors on multiple pages correct.
Updated https://docs.aws.amazon.com/en\_us/security-ir/latest/userguide/organizations\_permissions.html to accurately reflect security-ir as the service prefix.
Added a note to https://docs.aws.amazon.com/security-ir/latest/userguide/source-containment.html regarding Route53 and DNS. | February 7, 2025 |
| Updated: Updates from customer comments on docs. | Updated https://docs.aws.amazon.com/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.html to stackset template.
Corrected entries triage.security-ir.com to triage.security-ir.amazonaws.com
Added tracked connections note for AWSSupport-ContainEC2Reversible on https://docs.aws.amazon.com/security-ir/latest/userguide/contain.html.
Fixed broken link on https://docs.aws.amazon.com/security-ir/latest/userguide/managing-associated-accounts.html.
Added a definition for membership account at https://docs.aws.amazon.com/security-ir/latest/userguide/select-a-membership-account.html.
Added a clarification note to https://docs.aws.amazon.com/en\_us/security-ir/latest/userguide/using-service-linked-roles.html for AWS Organizations management accounts. | December 20, 2024 |
| Updated: Updates from customer comments on docs. | Removed multiple duplicate AWS AWS in text.
Fixed broken links on https://docs.aws.amazon.com/security-ir/latest/userguide/sir\_tagging.html and https://docs.aws.amazon.com/security-ir/latest/userguide/service-name-info-in-cloudtrail.html .
Updates to https://docs.aws.amazon.com/security-ir/latest/userguide/contain.html. Removed the > from first paragraph. Replaced AWSSupport-ContainEC2Reversible with AWSSupport-ContainEC2Instance. Replaced AWSSupport-ContainIAMReversible with AWSSupport-ContainIAMPrincipal. Replaced AWSSupport-ContainS3Reversible with AWSSupport-ContainS3Resource.
Updated formatting on https://docs.aws.amazon.com/en\_us/security-ir/latest/userguide/issues.html
When telling customers to contact security incident response via a support ticket, https://docs.aws.amazon.com/security-ir/latest/userguide/understand-response-teams-and-support.html now provides options to select in the support forms.
Removed CloudWatch Events and replaced with EventBridge on https://docs.aws.amazon.com/security-ir/latest/userguide/logging-and-events.html .
Grammar updates on https://docs.aws.amazon.com/security-ir/latest/userguide/technique-access-containment.html .
Removed publication date from https://docs.aws.amazon.com/security-ir/latest/userguide/security-incident-response-guide.html, replaced by updates in this table. | December 10, 2024 |
| Updated: AWS managed policies and service-linked roles. | [Updates to managed policies and service-linked roles.](https://docs.aws.amazon.com/security-ir/latest/userguide/aws-managed-policies.html#managed-policy-updates) | December 1, 2024 |
| Service Launch | Initial service docs for service launch at re:Invent 2024 | December 1, 2024 |