Onboarding guide
The AWS onboarding guide walks you through prerequisites and AWS Security Incident Response onboarding and containment actions.
Important
Prerequisites
The only deployment prerequisite is enabling AWS Organizations.
While not required, we recommend enabling Amazon GuardDuty and AWS Security Hub CSPM across all accounts and active regions to maximize Security Incident Response benefits.
- Review GuardDuty and Security Incident Response
AWS Security Hub CSPM ingests findings from 3rd party endpoint detection and response (EDR) vendors (CrowdStrike, FortinetCNAPP (Lacework) and Trend Micro, among others). If these findings are ingested into Security Hub CSPM, they will be auto-triaged by Security Incident Response for proactive case creation as well. To set up 3rd party EDR with Security Hub CSPM, follow our Detection and Analysis service documentation.
To set up 3rd party EDR with Security Hub CSPM:
- Navigate to the Security Hub CSPM Integrations page to validate the 3rd party integration exists
- From the console, navigate to the Security Hub CSPM service page.
- Choose Integrations (using Wiz.IO as an example):
- Search for the vendor you would like to integrate
Note
When prompted, provide your account or subscription information. After you provide this information, Security Incident Response ingests 3rd party findings. To review pricing for the 3rd party findings ingestion, see the Integrations page in Security Hub CSPM.
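The prerequisite and recommendations above can also be checked read-only from the AWS CLI. The script below is an added example, not part of the AWS guide; it assumes AWS CLI v2 with read permissions, takes the Regions to check as arguments, and `VENDOR` is a hypothetical variable used to filter enabled integrations by vendor keyword.

```bash
#!/bin/sh
# Added example (not AWS-provided): read-only check of the onboarding
# recommendations. Usage: VENDOR=crowdstrike sh check_prereqs.sh us-east-1 eu-west-1
# Assumes AWS CLI v2 with read access to Organizations, GuardDuty and
# Security Hub CSPM. VENDOR is a hypothetical, optional vendor keyword.

# Succeeds when the account belongs to an organization (the one hard prerequisite).
org_enabled() {
  aws organizations describe-organization \
    --query 'Organization.Id' --output text >/dev/null 2>&1
}

# Prints "enabled" when Region $1 has a GuardDuty detector, else "missing".
guardduty_status() {
  gd_id=$(aws guardduty list-detectors --region "$1" \
    --query 'DetectorIds[0]' --output text 2>/dev/null) || gd_id=""
  case "$gd_id" in ""|None) echo missing ;; *) echo enabled ;; esac
}

# Prints "enabled" when Security Hub CSPM is turned on in Region $1.
securityhub_status() {
  if aws securityhub describe-hub --region "$1" >/dev/null 2>&1
  then echo enabled; else echo missing; fi
}

# Lists enabled product subscriptions in Region $1 whose ARN matches keyword $2.
vendor_integrations() {
  aws securityhub list-enabled-products-for-import --region "$1" \
    --query 'ProductSubscriptions[]' --output text 2>/dev/null |
    tr '\t' '\n' | grep -i -- "$2" || true
}

# Prints one line per Region; returns 1 if anything recommended is missing.
report() {
  rc=0
  org_enabled || { echo "AWS Organizations: not enabled"; rc=1; }
  for region in "$@"; do
    gd=$(guardduty_status "$region"); sh_=$(securityhub_status "$region")
    echo "$region guardduty=$gd securityhub=$sh_"
    [ "$gd" = enabled ] && [ "$sh_" = enabled ] || rc=1
    if [ -n "${VENDOR:-}" ]; then
      vendor_integrations "$region" "$VENDOR" | sed 's/^/  integration: /'
    fi
  done
  return "$rc"
}

if [ "$#" -gt 0 ]; then report "$@"; fi
```

Run it from the organization's management or delegated administrator account for each member account you want to verify; a non-zero exit status means at least one Region is missing GuardDuty or Security Hub CSPM.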