AWS Security Incident Response FAQs
General
What is AWS Security Incident Response?
AWS Security Incident Response is a service that combines automated capabilities with human expertise to help you prepare for, respond to, and recover from security events. The service continuously monitors and triages security findings from Amazon GuardDuty and third-party detection tools through AWS Security Hub, automatically filtering alerts and surfacing those that require immediate attention. When specialized expertise is required, Security Incident Response gives you direct 24/7 access to the AWS Customer Incident Response Team (CIRT). This dedicated group of AWS experts can help investigate potential security events, coordinate response efforts across multiple providers, and perform containment actions on your behalf.
What do I need to enable Security Incident Response?
You can enable Security Incident Response across AWS Organizations through your management or delegated administrator account. To experience the full service, we recommend activating GuardDuty and Security Hub as well. With the appropriate services and permissions enabled, Security Incident Response can monitor, triage, and investigate security findings and proactively escalate security events that require attention from your central security teams.
What are the proactive response capabilities of the service?
If you choose to grant the necessary permissions, Security Incident Response can actively monitor and triage findings from GuardDuty and Security Hub. It employs intelligent filtering based on your specific customer information, such as known IP addresses and AWS Identity and Access Management (IAM) entities. For findings that require attention, Security Incident Response immediately creates a security case and notifies the stakeholders you've designated as part of your incident response team, minimizing risk and potential damage.
What are the self-managed response capabilities of the service?
Customers can initiate security cases through the service. You can choose to handle these cases internally or receive support from the AWS CIRT, a dedicated group of security experts available 24/7 to assist with investigating, responding to, and recovering from security events.
Can I cancel my membership at any time?
Yes, you can cancel your service membership at any time. Visit Security Incident Response pricing for more details.