# Amazon Security Incident Response and Amazon Organizations
<a name="services-that-can-integrate-security-ir"></a>

Amazon Security Incident Response is a security service that provides 24/7, live, human-assisted security incident support to help customers respond rapidly to cybersecurity incidents such as credential theft and ransomware attacks. By integrating with Organizations you enable security coverage for your entire organization. For more information, see [ Managing Amazon Security Incident Response accounts with Amazon Organizations](https://docs.amazonaws.cn/security-ir/latest/userguide/security-ir-organizations.html) in the *Security Incident Response User Guide*. 

Use the following information to help you integrate Amazon Security Incident Response with Amazon Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-security-ir"></a>

The following service-linked roles are automatically created in your organization's management account when you enable trusted access. 
+ `AWSServiceRoleForSecurityIncidentResponse` - used for creating Security Incident Response membership - your subscription to the service through Amazon Organizations.
+ `AWSServiceRoleForSecurityIncidentResponse_Triage` - used only when you enable the triage feature during sign-up.

## Service principals used by Security Incident Response
<a name="integrate-enable-svcprin-security-ir"></a>

 The service-linked roles in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Security Incident Response grant access to the following service principal: 
+ `security-ir.amazonaws.com`

## Enabling trusted access to Security Incident Response
<a name="integrate-enable-ta-security-ir"></a>

Enabling trusted access to Security Incident Response allows the service to keep track of your organization's structure and ensure that all accounts in the organization have active security incident coverage. It also allows the service to use a service-linked role in member accounts for triaging capabilities when you enable the triage feature.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the Amazon Security Incident Response console or the Amazon Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the Amazon Security Incident Response console or tools to enable integration with Organizations. This lets Amazon Security Incident Response perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by Amazon Security Incident Response. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the Amazon Security Incident Response console or tools then you don’t need to complete these steps.

Organizations automatically enables the Organizations trusted access when you use the Security Incident Response console for setup and management. If you use the Security Incident Response CLI/SDK then you have to manually enable trusted access by using the [EnableAWSServiceAccess API](https://docs.amazonaws.cn/organizations/latest/APIReference/API_EnableAWSServiceAccess.html). To learn how to enable trusted access through the Security Incident Response console, see [ Enabling trusted access for Amazon Account Management](https://docs.amazonaws.cn/security-ir/latest/userguide/using-orgs-trusted-access.html) in the *Security Incident Response User Guide*.

You can enable trusted access by using either the Amazon Organizations console, by running a Amazon CLI command, or by calling an API operation in one of the Amazon SDKs.

------
#### [ Amazon Web Services Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [Amazon Organizations console](https://console.amazonaws.cn/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon Security Incident Response** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for Amazon Security Incident Response** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon Security Incident Response that they can now enable that service to work with Amazon Organizations from the service console .

------
#### [ Amazon CLI, Amazon API ]

**To enable trusted service access using the OrganizationsCLI/SDK**  
Use the following Amazon CLI commands or API operations to enable trusted service access:
+ Amazon CLI: [enable-aws-service-access](https://docs.amazonaws.cn/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable Amazon Security Incident Response as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \ 
      --service-principal security-ir.amazonaws.com
  ```

  This command produces no output when successful.
+ Amazon API: [EnableAWSServiceAccess](https://docs.amazonaws.cn/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Security Incident Response
<a name="integrate-disable-ta-security-ir"></a>

Only an administrator in the Organizations management account can disable trusted access with Security Incident Response. 

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using either the Amazon Organizations console, by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

------
#### [ Amazon Web Services Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [Amazon Organizations console](https://console.amazonaws.cn/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon Security Incident Response** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for Amazon Security Incident Response** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon Security Incident Response that they can now disable that service from working with Amazon Organizations using the service console or tools .

------
#### [ Amazon CLI, Amazon API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following Amazon CLI commands or API operations to disable trusted service access:
+ Amazon CLI: [disable-aws-service-access](https://docs.amazonaws.cn/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon Security Incident Response as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal security-ir.amazonaws.com
  ```

  This command produces no output when successful.
+ Amazon API: [DisableAWSServiceAccess](https://docs.amazonaws.cn/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Security Incident Response
<a name="integrate-enable-da-security-ir"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Security Incident Response that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Security Incident Response. For more information, see [ Managing Amazon Security Incident Response accounts with Amazon Organizations](https://docs.amazonaws.cn/security-ir/latest/userguide/security-ir-organizations.html) in the *Security Incident Response User Guide*.

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Security Incident Response in the organization

To learn how to configure a delegated administrator through the Security Incident Response console, see [ Designating a delegated Security Incident Response administrator account ](https://docs.amazonaws.cn/security-ir/latest/userguide/delegated-admin-designate.html) in the *Security Incident Response User Guide*.

------
#### [ Amazon CLI, Amazon API ]

If you want to configure a delegated administrator account using the Amazon CLI or one of the Amazon SDKs, you can use the following commands:
+ Amazon CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal security-ir.amazonaws.com
  ```
+ Amazon SDK: Call the Organizations `RegisterDelegatedAdministrator` operation and the member account's ID number and identify the account service `security-ir.amazonaws.com` as parameters. 

------

## Disabling a delegated administrator for Security Incident Response
<a name="integrate-disable-da-security-ir"></a>

**Important**  
If membership was created from the delegated administrator account, deregistering the delegated administrator is a destructive action and will cause service disruption. To re-register DA:   
Sign in to the Security Incident Response console at https://console.aws.amazon.com/security-ir/home\#/membership/settings
Cancel membership from the service console. Membership remains active until the end of billing cycle.
 Once membership is cancelled disable service access through the Organizations console, CLI or SDK. 

 Only an administrator in the Organizations management account can remove a delegated administrator for Security Incident Response. You can remove the delegated administrator using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.