Amazon Security Incident Response and Amazon Organizations
Amazon Security Incident Response is a security service that provides 24/7, live, human-assisted security incident support to help customers respond rapidly to cybersecurity incidents such as credential theft and ransomware attacks. By integrating with Organizations you enable security coverage for your entire organization. For more information, see Managing Amazon Security Incident Response accounts with Amazon Organizations in the Security Incident Response User Guide.
Use the following information to help you integrate Amazon Security Incident Response with Amazon Organizations.
Service-linked roles created when you enable integration
The following service-linked roles are automatically created in your organization's management account when you enable trusted access.
-
AWSServiceRoleForSecurityIncidentResponse- used for creating Security Incident Response membership - your subscription to the service through Amazon Organizations. -
AWSServiceRoleForSecurityIncidentResponse_Triage- used only when you enable the triage feature during sign-up.
Service principals used by Security Incident Response
The service-linked roles in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Security Incident Response grant access to the following service principal:
-
security-ir.amazonaws.com
Enabling trusted access to Security Incident Response
Enabling trusted access to Security Incident Response allows the service to keep track of your organization's structure and ensure that all accounts in the organization have active security incident coverage. It also allows the service to use a service-linked role in member accounts for triaging capabilities when you enable the triage feature.
For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.
You can enable trusted access using either the Amazon Security Incident Response console or the Amazon Organizations console.
Important
We strongly recommend that whenever possible, you use the Amazon Security Incident Response console or tools to enable integration with Organizations. This lets Amazon Security Incident Response perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by Amazon Security Incident Response. For more information, see this note.
If you enable trusted access by using the Amazon Security Incident Response console or tools then you don’t need to complete these steps.
Organizations automatically enables the Organizations trusted access when you use the Security Incident Response console for setup and management. If you use the Security Incident Response CLI/SDK then you have to manually enable trusted access by using the EnableAWSServiceAccess API. To learn how to enable trusted access through the Security Incident Response console, see Enabling trusted access for Amazon Account Management in the Security Incident Response User Guide.
You can enable trusted access by using either the Amazon Organizations console, by running a Amazon CLI command, or by calling an API operation in one of the Amazon SDKs.
Disabling trusted access with Security Incident Response
Only an administrator in the Organizations management account can disable trusted access with Security Incident Response.
You can only disable trusted access using the Organizations tools.
You can disable trusted access by using either the Amazon Organizations console, by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.
Enabling a delegated administrator account for Security Incident Response
When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Security Incident Response that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Security Incident Response. For more information, see Managing Amazon Security Incident Response accounts with Amazon Organizations in the Security Incident Response User Guide.
Minimum permissions
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Security Incident Response in the organization
To learn how to configure a delegated administrator through the Security Incident Response console, see Designating a delegated Security Incident Response administrator account in the Security Incident Response User Guide.
Disabling a delegated administrator for Security Incident Response
Important
If membership was created from the delegated administrator account, deregistering the delegated administrator is a destructive action and will cause service disruption. To re-register DA:
Sign in to the Security Incident Response console at https://console.aws.amazon.com/security-ir/home#/membership/settings
Cancel membership from the service console. Membership remains active until the end of billing cycle.
Once membership is cancelled disable service access through the Organizations console, CLI or SDK.
Only an administrator in the Organizations management account can remove a delegated
administrator for Security Incident Response. You can remove the delegated administrator using the Organizations DeregisterDelegatedAdministrator
CLI or SDK operation.