Onboarding prerequisites - AWS Security Incident Response User Guide

Onboarding prerequisites

The only required prerequisite is enabling AWS Organizations with All Features enabled. Consolidated billing alone is not sufficient.

Note

The AWS Identity and Access Management (IAM) principal used to sign in to the delegated administrator account during enablement must have AdministratorAccess permissions. Without these permissions, the enablement process fails.

While not required, we strongly recommend enabling Amazon GuardDuty and AWS Security Hub CSPM across all accounts and active AWS Regions to get the most value from AWS Security Incident Response.
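A preflight check for the prerequisites above, written as an added example rather than code from the AWS guide. It evaluates saved JSON output from `aws organizations describe-organization`, `aws iam list-attached-role-policies`, and `aws guardduty list-detectors`. The function name and sample responses are constructed, and it assumes AdministratorAccess is granted through the AWS managed policy attached directly to the sign-in role.

```python
# Added example: offline preflight for AWS Security Incident Response onboarding.
# Inputs are parsed JSON responses saved from the AWS CLI; all sample data is constructed.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def preflight(org, attached, detectors_by_region):
    """Return (blockers, recommendations) as two lists of strings."""
    blockers, recommendations = [], []

    # Required: AWS Organizations with All Features (FeatureSet == "ALL").
    # An empty dict models an account that is not in an organization.
    feature_set = org.get("Organization", {}).get("FeatureSet")
    if feature_set is None:
        blockers.append("AWS Organizations is not enabled")
    elif feature_set != "ALL":
        blockers.append(f"FeatureSet is {feature_set}; All Features is required")

    # Required: the enabling principal has AdministratorAccess.
    # Assumption: granted via the managed policy attached to the role itself;
    # access granted through groups or inline policies is not detected here.
    arns = {p["PolicyArn"] for p in attached.get("AttachedPolicies", [])}
    if ADMIN_POLICY_ARN not in arns:
        blockers.append("sign-in role lacks the AdministratorAccess managed policy")

    # Recommended, not required: GuardDuty in every active Region.
    for region, resp in sorted(detectors_by_region.items()):
        if not resp.get("DetectorIds"):
            recommendations.append(f"GuardDuty has no detector in {region}")
    return blockers, recommendations

# Constructed sample responses (not real account data).
SAMPLE_ORG = {"Organization": {"Id": "o-exampleorgid",
                               "FeatureSet": "CONSOLIDATED_BILLING"}}
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "ReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}
SAMPLE_DETECTORS = {"us-east-1": {"DetectorIds": ["exampledetectorid"]},
                    "eu-west-1": {"DetectorIds": []}}

if __name__ == "__main__":
    blockers, recs = preflight(SAMPLE_ORG, SAMPLE_ATTACHED, SAMPLE_DETECTORS)
    for b in blockers:
        print("BLOCKER:", b)
    for r in recs:
        print("RECOMMENDED:", r)
```

Blockers correspond to conditions the page says make enablement fail or be unavailable; recommendations do not prevent onboarding.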

Third-party EDR integration

Security Hub CSPM can ingest findings from third-party endpoint detection and response (EDR) vendors. When ingested, these findings are auto-triaged by AWS Security Incident Response for proactive case creation. To set up a third-party EDR integration, follow the steps in the Security Hub CSPM integrations documentation.

AWS Security Hub CSPM console

Note

You don't need to enable Security Hub CSPM standards or controls. Only the vendor integrations are required for AWS Security Incident Response to ingest third-party findings.

Pricing: The first 10,000 Security Hub CSPM findings are free. After that, the cost is $0.00003 per finding. For more information, see Security Hub CSPM pricing.