Unified Operations Getting started: Onboard your account to proactive security incident management - Amazon Web Services Support
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Unified Operations Getting started: Onboard your account to proactive security incident management

Unified Operations entitles you to Amazon Security Incident Response to help you quickly prepare for, respond to, and recover from security incidents, such as account takeovers, data breaches, and ransomware attacks. Amazon Security Incident Response triages findings, escalates events, and manages critical cases, while also providing access to the Amazon Customer Incident Response Team (CIRT) to investigate impacted resources. This access helps you to effectively mitigate and resolve security incidents, minimizing the impact on your operations. To onboard to this service feature, complete the following steps:

  1. Create a centralized Amazon Web Services account for Amazon Security Incident Response. This Amazon Web Services account will be used to configure all other Amazon Web Services accounts that you want monitored, to manage your incident response team, and to create and view security events. We recommend that you align this account with the account that you use for other security services such as Amazon GuardDuty and Amazon Security Hub CSPM. You can use an Amazon Organizations management account, or an Amazon Organizations delegated administrator account, as the Security Incident Response membership account. For more information, see Select a membership account in the Amazon Security Incident Response User Guide.

    1. Choose basic membership details. For more information, see Setup membership details in the Amazon Security Incident Response User Guide.

    2. Choose how you want to associate accounts with Amazon Organizations. For more information, see Associate accounts with Amazon Organizations in the Amazon Security Incident Response User Guide.

    3. (Optional) Enable the proactive response and alert triaging workflow within your organization so that the service monitors and investigates alerts generated by the Amazon GuardDuty and Amazon Security Hub CSPM integrations. For more information, see Setup proactive response and alert triaging workflows in the Amazon Security Incident Response User Guide.

  2. (Optional) Enable the proactive containment of a potential security incident. Amazon can perform containment actions to quickly mitigate impact, such as isolating compromised hosts or rotating credentials. To turn on this feature, you must first grant the necessary permissions to the service in every account you want covered. To do this, deploy an Amazon CloudFormation StackSet that grants those permissions.
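The following script is an added example, not code from the Amazon Web Services documentation or from the Security Incident Response console. It ties the two steps above together: it checks that the calling account is eligible to be the membership account (the Organizations management account or a delegated administrator), then rolls the containment-permission template out as a service-managed StackSet so that every account in the target organizational units, including accounts added later, receives it. The template path, the StackSet name, and the service principal name `security-ir.amazonaws.com` are assumptions: take the template and the principal from the console's proactive containment step. Setting `AWS=echo` prints every CLI call instead of executing it, which is a convenient preview before you run it for real.

```shell
#!/bin/sh
# Added example (not from the Amazon Web Services documentation or the
# Security Incident Response console): membership-account pre-flight check
# plus the CloudFormation StackSet calls that deliver the containment
# permissions to every account in the target organizational units.
#
# Assumptions (placeholders to confirm against the console / user guide):
#   TEMPLATE_FILE  the permission template the console hands you for this step
#   STACKSET_NAME  any name you choose
#   SIR_PRINCIPAL  the service principal recorded for a delegated administrator
# Set AWS=echo to dry-run: each aws call is printed instead of executed.
set -eu

AWS="${AWS:-aws}"
STACKSET_NAME="${STACKSET_NAME:-SecurityIncidentResponseContainment}"
TEMPLATE_FILE="${TEMPLATE_FILE:-./security-ir-containment.yaml}"   # assumption
SIR_PRINCIPAL="${SIR_PRINCIPAL:-security-ir.amazonaws.com}"        # assumption

# classify_account CALLER MGMT "PRINCIPAL ..." -> management | delegated | member
# Pure function (no API calls) so the eligibility decision can be tested offline.
classify_account() {
  caller="$1"; mgmt="$2"; delegated="${3:-}"
  if [ "$caller" = "$mgmt" ]; then
    echo management
  else
    case "$delegated" in
      *"$SIR_PRINCIPAL"*) echo delegated ;;
      *) echo member ;;
    esac
  fi
}

# stackset_deploy ROLE OU_IDS REGION
# Service-managed permissions plus auto-deployment: accounts that join the OU
# later get the stack too, so new workloads are never outside containment scope.
stackset_deploy() {
  role="$1"; ou_ids="$2"; region="$3"
  # A delegated administrator must tell CloudFormation it acts for the organization.
  if [ "$role" = delegated ]; then call_as=DELEGATED_ADMIN; else call_as=SELF; fi
  $AWS cloudformation create-stack-set \
    --stack-set-name "$STACKSET_NAME" \
    --template-body "file://$TEMPLATE_FILE" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_NAMED_IAM \
    --call-as "$call_as"
  $AWS cloudformation create-stack-instances \
    --stack-set-name "$STACKSET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$ou_ids" \
    --regions "$region" \
    --call-as "$call_as"
}

main() {
  ou_ids="${1:?usage: $0 <ou-id[,ou-id...]> <region>}"
  region="${2:?usage: $0 <ou-id[,ou-id...]> <region>}"
  caller="$($AWS sts get-caller-identity --query Account --output text)"
  mgmt="$($AWS organizations describe-organization \
            --query Organization.MasterAccountId --output text)"
  # Empty when the caller cannot read Organizations, which also means "member".
  delegated="$($AWS organizations list-delegated-services-for-account \
            --account-id "$caller" \
            --query 'DelegatedServices[].ServicePrincipal' --output text 2>/dev/null || true)"
  role="$(classify_account "$caller" "$mgmt" "$delegated")"
  if [ "$role" = member ]; then
    echo "account $caller is neither the management account nor a delegated administrator; choose another membership account" >&2
    return 1
  fi
  echo "deploying $STACKSET_NAME from $role account $caller" >&2
  stackset_deploy "$role" "$ou_ids" "$region"
}

# Run only when invoked with arguments; sourcing the file just defines the functions.
[ $# -eq 0 ] || main "$@"
```

Two caveats a practitioner should check before running this against a real organization. First, `--call-as DELEGATED_ADMIN` only works if the account has also been registered as a delegated administrator for CloudFormation StackSets (service principal `member.org.stacksets.cloudformation.amazonaws.com`); being the Security Incident Response delegated administrator does not grant that by itself. Second, `CAPABILITY_NAMED_IAM` is assumed because a permission template of this kind creates named IAM roles; if the template you download creates no named IAM resources, `CAPABILITY_IAM` is enough, and if it creates none at all the flag can be dropped.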