SYSTEM Cited by 1 source
AWS Security Incident Response (SIR)
Definition
AWS Security Incident Response (SIR) is an AWS service that provides coordinated triage and response support for security events. It pairs customer security teams with AWS security specialists during incident response.
In cyber-resilience designs, SIR plays a role in Stage 1 (Establish the timeline) of the parallel recovery workflow — providing expert assistance for investigation timeline construction.
Verbatim from the canonicalising source:
"AWS Security Incident Response (SIR) can provide coordinated triage and response support for this stage." (Source: sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events)
Role in cyber-resilience
SIR helps with:
- Investigation timeline construction — interpreting CloudTrail events, VPC Flow Logs, GuardDuty findings and Security Hub findings to identify the earliest indicator of compromise.
- Threat actor attribution — when known patterns help determine what kind of adversary is involved.
- Containment guidance — how to isolate affected accounts / resources without losing forensic evidence.
- Recovery coordination — supporting the customer through the five-stage recovery workflow.
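The first bullet above is the mechanical core of Stage 1: records from CloudTrail, VPC Flow Logs, GuardDuty and Security Hub each carry their own timestamp field and shape, and the earliest indicator of compromise only falls out once they are normalised onto one clock and pivoted on a shared key such as the remote IP. The script below is an added example for this page, not code from AWS, from SIR, or from the cited source; all records in it are constructed samples (the account id, IPs, ARNs, finding type and timestamps are fictitious), and the field names follow the public CloudTrail, default-format VPC Flow Log, GuardDuty and ASFF layouts.

```python
"""Unified investigation timeline from CloudTrail, VPC Flow Log, GuardDuty and
Security Hub records, with the earliest indicator of compromise picked out.

Added example for this wiki page; it is not code from AWS, from SIR, or from
the cited source. Every record below is a constructed sample (account id,
IPs, ARNs and timestamps are fictitious); the field names follow the public
CloudTrail, default VPC Flow Log, GuardDuty and ASFF formats.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# ---- constructed sample telemetry (deliberately out of order) -------------
CLOUDTRAIL = [
    {"eventTime": "2026-05-20T09:02:11Z", "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-svc"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2026-05-20T08:15:02Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-svc"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2026-05-20T07:58:30Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"},
     "sourceIPAddress": "203.0.113.8"},
]
# Default-format flow log lines; fields 10 and 11 (start, end) are epoch seconds.
FLOW_LOGS = [
    "2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.12 51234 22 6 12 1400 1779263700 1779263730 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d 10.0.1.12 10.0.2.5 44321 443 6 80 52000 1779270000 1779270060 ACCEPT OK",
]
GUARDDUTY = [
    {"Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "Severity": 8,
     "Service": {"EventFirstSeen": "2026-05-20T08:15:02Z",
                 "Action": {"AwsApiCallAction": {"RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}}}},
]
SECURITY_HUB = [  # ASFF subset
    {"Title": "IAM user activity from an IP flagged by GuardDuty",
     "FirstObservedAt": "2026-05-20T08:20:00Z", "Severity": {"Label": "HIGH"}},
]


@dataclass(frozen=True)
class TimelineEvent:
    ts: datetime           # always timezone-aware UTC so sources compare correctly
    source: str
    summary: str
    ip: str | None = None  # remote IP when the record carries one (pivot key)


def parse_iso(s: str) -> datetime:
    """CloudTrail, GuardDuty and ASFF use ISO 8601 with a trailing Z; accept it on any Python 3."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(cloudtrail, flow_logs, guardduty, security_hub) -> list[TimelineEvent]:
    """Map each source's own timestamp field and shape onto one event type, sorted by time."""
    events: list[TimelineEvent] = []
    for e in cloudtrail:
        events.append(TimelineEvent(parse_iso(e["eventTime"]), "cloudtrail",
                                    f'{e["eventName"]} by {e["userIdentity"]["arn"]}',
                                    e["sourceIPAddress"]))
    for line in flow_logs:
        f = line.split()
        events.append(TimelineEvent(datetime.fromtimestamp(int(f[10]), tz=timezone.utc), "vpc-flow",
                                    f"{f[3]}:{f[5]} -> {f[4]}:{f[6]} {f[12]}", f[3]))
    for g in guardduty:
        ip = g["Service"]["Action"]["AwsApiCallAction"]["RemoteIpDetails"]["IpAddressV4"]
        events.append(TimelineEvent(parse_iso(g["Service"]["EventFirstSeen"]), "guardduty", g["Type"], ip))
    for h in security_hub:
        events.append(TimelineEvent(parse_iso(h["FirstObservedAt"]), "securityhub", h["Title"]))
    return sorted(events, key=lambda ev: ev.ts)  # stable sort keeps same-second ties in insertion order


def suspicious_ips(events: list[TimelineEvent]) -> set[str]:
    """Remote IPs named by GuardDuty findings become the pivot indicators."""
    return {ev.ip for ev in events if ev.source == "guardduty" and ev.ip}


def earliest_indicator(events: list[TimelineEvent]) -> TimelineEvent | None:
    """First event in time that is itself a finding or involves a pivot IP.

    This can land on network telemetry that predates the first CloudTrail API
    call from the same address: the earliest indicator is not always in the
    control plane, which is why flow logs belong in the same timeline.
    """
    ips = suspicious_ips(events)
    for ev in events:
        if ev.source == "guardduty" or (ev.ip and ev.ip in ips):
            return ev
    return None


def build_timeline() -> list[TimelineEvent]:
    return normalize(CLOUDTRAIL, FLOW_LOGS, GUARDDUTY, SECURITY_HUB)


if __name__ == "__main__":
    timeline = build_timeline()
    for ev in timeline:
        print(f"{ev.ts.isoformat()}  {ev.source:<11} {ev.summary}")
    first = earliest_indicator(timeline)
    print("earliest indicator:", first.ts.isoformat(), first.source, first.summary)
```

Run as-is it prints the seven merged events in order and reports the flow-log connection from the GuardDuty-flagged address as the earliest indicator, twenty minutes before that address's first console login. In a real engagement the pivot set would be broadened beyond GuardDuty IPs (principal ARNs, access key ids, instance ids) and the inputs would come from the real log stores, but the normalise-then-pivot structure is the same.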
When SIR matters
SIR is a specialist service — particularly valuable when:
- The customer team lacks deep AWS-security forensics expertise.
- The incident is novel or sophisticated enough that pattern matching against known incidents helps.
- Coordination across multiple AWS services / regions / accounts is complex.
- The investigation timeline needs to be reconstructed quickly under time pressure.
Composition with the recovery workflow
SIR engagement typically happens early in the recovery workflow:
- Stage 1 (timeline) — SIR helps construct the investigation timeline.
- Stage 2 (validate) — SIR may help interpret validation results (e.g. ambiguous malware signatures).
- Stage 3 (approval) — SIR may inform the approver's decision.
- Stages 4–5 (rebuild + cutover) — SIR may support the cutover decisions and post-incident hardening.
Seen in
- sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events — canonical wiki reference; first wiki canonicalisation as a dedicated system page; positioned as Stage 1 expert-assistance partner.
Related
- systems/amazon-guardduty, systems/aws-cloudtrail, systems/aws-security-hub — investigation substrates SIR helps interpret.
- concepts/cyber-resilience — the parent posture.
- patterns/parallel-investigation-validation-rebuild — the workflow SIR supports.