Working with CloudFormation StackSets
For specific instructions on how to create a StackSet with service-managed permissions, see Create CloudFormation StackSets with service-managed permissions in the AWS CloudFormation User Guide.
AWS Security Incident Response provides two CloudFormation templates. Both templates create the same two AWS Identity and Access Management roles, AWSSecurityIncidentResponseContainment and AWSSecurityIncidentResponseContainmentExecution. The Containment with EC2 Triage template adds the AWSSecurityIncidentResponseInvestigationPolicy to the AWSSecurityIncidentResponseContainment role, which grants additional permissions for EC2 Triage. Choose the template that matches your security requirements:
- Containment only: Creates the minimum required permissions for containment actions.
- Containment with EC2 Triage: Includes all containment permissions plus additional permissions for EC2 Triage. This template enables AWS Security Incident Response to execute AWS Systems Manager Run Command on your Amazon Elastic Compute Cloud instances during security investigations.
For more information about EC2 Triage, see Detect and Analyze.
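Because the two templates differ only by the AWSSecurityIncidentResponseInvestigationPolicy on the containment role, an account's deployed variant can be confirmed by inspecting that role. The following audit is an added example, not code from the AWS documentation; it assumes a boto3 IAM client (`boto3.client("iam")`) is passed in, and the `StubIam` class is a constructed stand-in so it runs offline.

```python
"""Which AWS Security Incident Response template is deployed? Added example, not from the
AWS docs. `iam` is assumed to be a boto3 IAM client (boto3.client("iam")); only
list_attached_role_policies and list_role_policies are used, so StubIam can stand in offline."""
CONTAINMENT_ROLE = "AWSSecurityIncidentResponseContainment"
EXECUTION_ROLE = "AWSSecurityIncidentResponseContainmentExecution"
TRIAGE_POLICY = "AWSSecurityIncidentResponseInvestigationPolicy"

def role_policy_names(iam, role_name):
    """Managed + inline policy names on a role, or None if the role does not exist.
    Assumes the role carries fewer than 100 policies, so one result page is enough."""
    try:
        attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
        inline = iam.list_role_policies(RoleName=role_name)["PolicyNames"]
    except Exception as exc:  # boto3 raises iam.exceptions.NoSuchEntityException
        if "NoSuchEntity" in type(exc).__name__:
            return None
        raise
    return {p["PolicyName"] for p in attached} | set(inline)

def classify_deployment(iam):
    """Return not-deployed, partial, containment-only or containment-with-ec2-triage."""
    containment = role_policy_names(iam, CONTAINMENT_ROLE)
    execution = role_policy_names(iam, EXECUTION_ROLE)
    if containment is None and execution is None:
        return "not-deployed"
    if containment is None or execution is None:
        return "partial"  # one role missing: failed stack instance or hand-edited account
    # The Investigation policy is what distinguishes the EC2 Triage template; it is the
    # grant that lets the service run Systems Manager Run Command on EC2 instances.
    return "containment-with-ec2-triage" if TRIAGE_POLICY in containment else "containment-only"

class StubIam:
    """Constructed stand-in for boto3.client("iam"): {role name: set of managed policy names}."""
    class NoSuchEntityException(Exception):
        pass

    def __init__(self, roles):
        self.roles = roles

    def _require(self, role_name):
        if role_name not in self.roles:
            raise self.NoSuchEntityException(role_name)
        return self.roles[role_name]

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyName": n} for n in self._require(RoleName)]}

    def list_role_policies(self, RoleName):
        self._require(RoleName)
        return {"PolicyNames": []}
```

Run `classify_deployment(boto3.client("iam"))` under each member account's credentials (for example from the StackSet's target accounts) to confirm that only the accounts that need EC2 Triage carry the extra policy.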