Containment - AWS Security Incident Response User Guide

Containment

One definition of containment, as it relates to incident response, is the process or implementation of a strategy during the handling of a security event that acts to minimize the scope of the security event and contain the effects of unauthorized usage within the environment.

A containment strategy depends on many factors, and organizations differ in which containment tactics they apply, when, and for what purpose. The NIST SP 800-61 Computer Security Incident Handling Guide outlines several criteria for determining the appropriate containment strategy, which include:

  • Potential damage to and theft of resources

  • Need for evidence preservation

  • Service availability (network connectivity, services provided to external parties)

  • Time and resources needed to implement the strategy

  • Effectiveness of the strategy (partial or full containment)

  • Duration of the solution (emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution)

Regarding services on AWS, however, the fundamental containment steps can be distilled down to three categories:

  • Source containment – Use filtering and routing to prevent access from a certain source.

  • Technique and access containment – Remove access to prevent unauthorized access to the affected resources.

  • Destination containment – Use filtering and routing to prevent access to a target resource.
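
As an added illustration of source containment (not part of the AWS guide), the Python sketch below builds the arguments for an inbound deny entry in a VPC network ACL, assuming the ACL is the filtering control in use. The ACL ID, addresses, existing rule numbers, and the `min_prefix` breadth guard are constructed for the example; the dictionary keys follow the EC2 `CreateNetworkAclEntry` API.

```python
import ipaddress

MAX_RULE = 32766  # highest rule number a custom network ACL entry may use


def source_deny_entry(nacl_id, source, existing_rule_numbers, min_prefix=8):
    """Build the arguments for an inbound DENY entry that blocks `source`.

    Network ACL entries are evaluated in ascending rule-number order and the
    first match wins, so the deny must take a number below every existing
    entry or an earlier ALLOW would still admit the traffic.
    """
    net = ipaddress.ip_network(source, strict=False)  # accepts host or CIDR

    # Assumption: refuse very broad ranges so that containment does not
    # cut off legitimate users (service availability is a NIST criterion).
    floor = min_prefix if net.version == 4 else min_prefix * 4
    if net.prefixlen < floor:
        raise ValueError(f"{net} is too broad for a source-containment rule")

    used = set(existing_rule_numbers)
    lowest = min(used) if used else MAX_RULE + 1
    if lowest <= 1:
        raise ValueError("no free rule number below the existing entries")
    # Halving leaves room below for further deny entries added later.
    rule_number = max(1, lowest // 2)

    entry = {
        "NetworkAclId": nacl_id,
        "RuleNumber": rule_number,
        "Protocol": "-1",       # all protocols
        "RuleAction": "deny",
        "Egress": False,        # inbound: traffic arriving from the source
    }
    # IPv4 and IPv6 ranges go in different request fields.
    key = "CidrBlock" if net.version == 4 else "Ipv6CidrBlock"
    entry[key] = str(net)
    return entry


if __name__ == "__main__":
    # Constructed sample: placeholder ACL ID, documentation-range address,
    # and an ACL whose existing entries use rule numbers 100 and 200.
    print(source_deny_entry("acl-0example", "198.51.100.23", [100, 200]))
```

The returned dictionary can be passed as keyword arguments to the boto3 EC2 client's `create_network_acl_entry` call. Because network ACLs are stateless, a matching outbound entry (`Egress` set to `True`) is a separate rule.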

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.