

# Getting started with Unified Operations


This topic discusses the steps to onboard to AWS Unified Operations.

**Contents**
+ [Unified Operations Getting started: Prerequisites](uops-gs-prerequisites.md)
+ [Unified Operations Getting started: Onboard critical alarms to rapid incident management](uops-gs-onboard-alarms.md)
+ [Unified Operations Getting started: How to request 5-minute incident response](uo-gs-incident-response.md)
+ [Unified Operations Getting started: Plan for domain coverage](uo-gs-domain-coverage.md)
+ [Unified Operations Getting started: Onboard your account to proactive security incident management](uops-gs-proactive-sec-man.md)
+ [Unified Operations Getting started: AWS expectations from you](uops-gs-expectations-customers.md)
+ [Unified Operations Getting started: What you can expect from AWS](uops-gs-aws-expectations.md)

# Unified Operations Getting started: Prerequisites

The following items are required to onboard to AWS Unified Operations:

+ **A signed AWS Unified Operations contract. For more information, contact your AWS sales representative.**
+ Identified business needs, such as migration, modernization, events, target uptime, and so on.
+ A list of your workloads.
+ A list of your AWS accounts and associated AWS Regions.
+ Identified stakeholders across Application, Architecture, Operations, and Security teams.

# Unified Operations Getting started: Onboard critical alarms to rapid incident management

To help quickly notify you of critical incidents, complete the following steps to onboard your alarms to AWS Incident Detection and Response:

1. Define and configure your critical alarms for rapid incident management. For detailed information, see [Define and configure alarms in Incident Detection and Response](https://docs.aws.amazon.com/IDR/latest/userguide/idr-gs-alarms.html) in the *Incident Detection and Response User Guide*.

   1. For steps to set up alarms using Amazon CloudWatch, see [Define and configure alarms in Incident Detection and Response](https://docs.aws.amazon.com/IDR/latest/userguide/idr-gs-alarms.html) in the *Incident Detection and Response User Guide*. For AWS recommendations on critical alarm types for various AWS services, see [Incident Detection and Response (IDR)](https://repost.aws/selections/KP6FA7iQgVSVeSNq1jAcjwxg/incident-detection-and-response-idr). Contact your AWS Unified Operations team if you want AWS to automate the creation of critical AWS alarms for your tagged AWS resources.

   1. To redirect or ingest critical alarms from third-party APM tools with [direct Amazon EventBridge integration](https://aws.amazon.com/eventbridge/integrations/), such as Datadog, New Relic, and so on, see [Ingest alarms from APMs that have direct integration with Amazon EventBridge](https://docs.aws.amazon.com/IDR/latest/userguide/idr-gs-ingest_alarms_from_apm_to_eventbridge.html) in the *AWS Incident Detection and Response User Guide*. You must deploy a set of AWS resources (AWS Lambda and Amazon EventBridge event bus rules) to transform and redirect your alarm (event) to AWS Incident Detection and Response. Your AWS Unified Operations team can help provide the CloudFormation template to install these resources.

   1. Redirect or ingest critical alarms from your custom monitoring tool through a third-party APM tool that doesn’t have direct integration with Amazon EventBridge. For more information, see [Use webhooks to ingest alarms from APMs without direct integration with Amazon EventBridge](https://docs.aws.amazon.com/IDR/latest/userguide/idr-ingesting-alarms-using-webhooks.html) in the *AWS Incident Detection and Response User Guide*. You must deploy a set of AWS resources (API Gateway, AWS Lambda functions, and Amazon EventBridge event bus rules) to transform and redirect your alarm (event) to AWS Incident Detection and Response. Your AWS Unified Operations team can help provide the CloudFormation template to install these resources.

1. Provide workload architecture details, point of contact information, and runbook information on mitigation actions for critical alarms. To do this, complete the following steps:

   1. Download and complete the [AWS Incident Detection and Response Workload onboarding questionnaire](https://docs.aws.amazon.com/IDR/latest/userguide/idr-gs-questionnaire.html) for each critical workload or application and the [Alarm ingestion questionnaire](https://docs.aws.amazon.com/IDR/latest/userguide/idr-gs-questionnaire.html) related to each unique workload. 

     The information in these questionnaires helps the AWS team develop an incident remediation runbook. This runbook enables appropriate actions to be taken to quickly troubleshoot and remediate critical alarms before they cause business downtime. For examples and sample information, see [Workload onboarding and alarm ingestion questionnaires in AWS Incident Detection and Response](https://docs.aws.amazon.com/IDR/latest/userguide/idr-gs-questionnaire.html). 

1. Provide access to onboard your critical alarms to AWS Incident Detection and Response.

   1. Deploy the `AWSServiceRoleForHealth_EventProcessor` service-linked role (SLR) in your AWS account running the critical workload to be monitored by the AWS incident management team. For more information, see [Provision access for alert ingestion to AWS Incident Detection and Response](https://docs.aws.amazon.com/IDR/latest/userguide/idr-gs-access-prov.html). 
**Note**  
To assist you with onboarding of large AWS accounts, AWS can provide you with an AWS Command Line Interface script to fast-track the provisioning of this SLR.

   1. (Optional) If your alarms are in Amazon CloudWatch, make sure that the AWS Identity and Access Management user or role that's used for alarm testing (before go-live) has the `cloudwatch:SetAlarmState` IAM permission in your AWS account that's running the critical workload. This is needed for alarm testing (gameday) post onboarding. For more information, see [Test onboarded workloads in AWS Incident Detection and Response](https://docs.aws.amazon.com/IDR/latest/userguide/idr-workloads-testing.html).

1. Create an AWS Support case to subscribe a workload for rapid incident management. Note that your AWS account is automatically enabled for inbound rapid incident management, which means you can raise a case to the Unified Operations Incident Detection and Response queue through the Support Center Console, the AWS Command Line Interface, or the AWS SDK for quick action. For AWS to proactively monitor and create incidents with an outbound AWS Support case, create an AWS Support case for your critical workload. To do this, complete the following steps:

   1. Sign in to the [AWS Support Center Console](https://console.aws.amazon.com/support), select **Create case**, and then select **Technical support**.

   1. For **Service**, select **Incident Detection and Response**.

   1. For **Category**, select **Onboard new workload**.

   1. For **Severity**, select **General guidance**.

   1. Attach the Workload and Alarm questionnaires that you completed in the previous step.
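
The optional alarm-testing step above requires `cloudwatch:SetAlarmState` on the user or role used for gameday tests. The following Python check is an added example, not part of the AWS documentation: it reads one identity-based policy document and reports whether the permission covers the alarms you plan to test and whether it is granted more broadly than those alarms. The helper name `check_set_alarm_state`, the policy documents, and the account ID, Region and alarm name are constructed for illustration.

```python
import fnmatch

ACTION = "cloudwatch:SetAlarmState"

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matching_actions(stmt):
    # Action names are case-insensitive and may contain * or ? wildcards.
    return [a for a in _as_list(stmt.get("Action"))
            if fnmatch.fnmatchcase(ACTION.lower(), a.lower())]

def _covered(arn, patterns):
    return any(fnmatch.fnmatchcase(arn, p) for p in patterns)

def check_set_alarm_state(policy, alarm_arns):
    # Returns (granted, findings) for one identity-based policy document.
    # Not evaluated (assumption of this example): Condition, NotAction,
    # NotResource, and other policies, boundaries or SCPs.
    allow, deny, findings = [], [], []
    for stmt in _as_list(policy.get("Statement")):
        matched = _matching_actions(stmt)
        resources = _as_list(stmt.get("Resource"))
        if not matched:
            continue
        if stmt.get("Effect") == "Deny":
            deny += resources
        elif stmt.get("Effect") == "Allow":
            allow += resources
            if any("*" in a or "?" in a for a in matched):
                findings.append("granted through wildcard action %s" % matched)
            if any(r == "*" or r.endswith(":alarm:*") for r in resources):
                findings.append("not scoped to named alarms: %s" % resources)
    # An explicit Deny always overrides an Allow.
    granted = bool(alarm_arns) and all(
        _covered(arn, allow) and not _covered(arn, deny) for arn in alarm_arns)
    return granted, findings

# Constructed sample data: account ID, Region and alarm name are placeholders.
ALARM = "arn:aws:cloudwatch:us-east-1:111122223333:alarm:checkout-5xx-critical"
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "cloudwatch:SetAlarmState", "Resource": ALARM}}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:*"], "Resource": "*"}]}

print(check_set_alarm_state(SCOPED, [ALARM]), check_set_alarm_state(BROAD, [ALARM]))
```

A result of `granted` true with an empty findings list means the policy allows setting state only on the alarms you listed; any finding points at a statement that grants more than alarm testing needs.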

# Unified Operations Getting started: How to request 5-minute incident response

AWS Unified Operations offers 5-minute incident response for your critical incidents. To request a 5-minute inbound response, you can [create a support case from a support interaction](create-support-case-from-interaction.md) or use the [legacy support case creation method](case-management-legacy.md#creating-a-support-case-legacy). When you create your case, make sure that you enter the following information to ensure that your case receives a response within 5 minutes:

1. For **Case type**, choose **Technical**.

1. For **Service**, choose **AWS Incident Detection and Response**.

1. For **Category**, choose **Active Incident**.

1. For **Severity**, choose **Business-critical system down**.

1. In the **Description**, include the following information:

   1. Technical information
      + Workload name
      + Affected AWS Resource ARN(s)

   1. Business information
      + Description of impact to the business
      + (Optional) Customer bridge details

# Unified Operations Getting started: Plan for domain coverage

AWS Unified Operations provides specialized expertise through a domain-based coverage approach. Each domain is supported by a team of AWS Domain Specialists who provide the following services:
+ **Specialized expertise** aligned to your specific technology areas.
+ **Continuous coverage** with availability through your preferred collaboration tools (Slack or Microsoft Teams) during business days.
+ **Proactive guidance** on architecture, best practices, and optimization opportunities.
+ **Enhanced incident response** through deep domain knowledge and workload familiarity.
+ **Consistent experience** maintained by a coordinated team rather than individuals.

This approach to domain coverage enables AWS specialists to maintain deep familiarity with your critical workloads while providing comprehensive support across your technology stack.

Organizations maintain decision authority over which domains to select from a choice of 23 AWS Domains, and consider the following factors in their decision:
+ Primary AWS services running critical workloads
+ Critical AWS service dependencies (such as Amazon EC2, Amazon EKS, or Amazon RDS)
+ Major upcoming events requiring 24x7 support coverage (migrations, launches) planned within 3-6 months

This information, combined with guidance from your Technical Account Manager, enables precise alignment of domain expertise with your specific organizational needs, helping you maintain optimal support for mission-critical workloads.

# Unified Operations Getting started: Onboard your account to proactive security incident management

Unified Operations entitles you to AWS Security Incident Response to help you quickly prepare for, respond to, and recover from security incidents, such as account takeovers, data breaches, and ransomware attacks. AWS Security Incident Response triages findings, escalates events, and manages critical cases, while also providing access to the AWS Customer Incident Response Team (CIRT) to investigate impacted resources. This access helps you to effectively mitigate and resolve security incidents, minimizing the impact on your operations. To onboard to this service feature, complete the following steps:

1. Create a centralized AWS account for AWS Security Incident Response. This AWS account will be used to configure all other AWS accounts that you want monitored, to manage your incident response team, and to create and view security events. We recommend that you align this account with the account that you use for other security services such as Amazon GuardDuty and AWS Security Hub CSPM. You can use an [AWS Organizations](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/aws-organizations.html) management account, or an AWS Organizations delegated administrator account as the Security Incident Response membership account. For more information, see [Select a membership account](https://docs.aws.amazon.com/security-ir/latest/userguide/select-a-membership-account.html) in the *AWS Security Incident Response User Guide*.

   1. Choose basic membership details. For more information, see [Setup membership details](https://docs.aws.amazon.com/security-ir/latest/userguide/setup-membership-details.html) in the *AWS Security Incident Response User Guide*.

   1. Choose how you want to associate accounts with AWS Organizations. For more information, see [Associate accounts with AWS Organizations](https://docs.aws.amazon.com/security-ir/latest/userguide/associate-accounts-with-aws-organizations.html) in the *AWS Security Incident Response User Guide*.

   1. (Optional) Enable the proactive response and alert triaging workflows within your organization to monitor and investigate alerts generated from the Amazon GuardDuty and AWS Security Hub CSPM integrations. For more information, see [Setup proactive response and alert triaging workflows](https://docs.aws.amazon.com/security-ir/latest/userguide/setup-monitoring-and-investigation-workflows.html) in the *AWS Security Incident Response User Guide*.

1. (Optional) Enable the proactive containment of a potential security incident. AWS can perform containment actions to quickly mitigate impact, such as isolating compromised hosts or rotating credentials. To turn on this feature, you must first grant the necessary permissions to the service. To do this, deploy a [Step Functions StackSet](https://docs.aws.amazon.com/security-ir/latest/userguide/working-with-stacksets.html).

# Unified Operations Getting started: AWS expectations from you

For Unified Operations to deliver maximum value, we recommend the following collaborative approach: 

**Team engagement**
+ Identify subject matter experts from your team to collaborate with AWS engineers during onboarding and ongoing engagement.
+ Participate in initial discovery calls and subsequent meetings to share architecture details and operational requirements.
+ Establish regular touchpoints to review architecture updates or workload changes.

**Operational integration**
+ Configure critical alarms in your account to enable effective incident management.
+ Implement recommended action items provided by AWS specialists.
+ Participate in gameday exercises to validate incident response processes.

This collaborative framework helps you maximize the value of Unified Operations, achieve your uptime goals, mitigate operational risks, and receive comprehensive support for your mission-critical workloads.

# Unified Operations Getting started: What you can expect from AWS

When you onboard to Unified Operations, you can expect the following from AWS.
+ Provide a team of designated AWS experts with deep technical expertise in your workload domain and services.
+ Offer proactive guidance, ongoing optimization, and continuous improvement recommendations to enhance workload performance and resiliency and accelerate the path to migrations and modernization.
+ Help provide rapid incident response, with context-aware engineers engaged within 5 minutes of a critical incident.
+ Offer comprehensive support throughout the application lifecycle, from design and migration to production launch and long-term operations.
+ Proactively monitor security threats with auto-triaging, reducing false positives, and raising incidents for potential security incidents.
+ Assist in troubleshooting and joint mitigation of security incidents identified by AWS or by you.