Playbook: AWS Disable User Accounts

Description

Disable a list of AWS IAM user accounts. After checking the list of accounts against an allowlist and confirming with an analyst, each account is disabled. The change can be reversed with the enable user action.

Type: Response Date: 2021-11-01 Author: Philip Royer, Splunk ID: fc0edc75-ff2b-48c0-5f6f-63da6423fd63

Apps

AWS IAM

How To Implement

This playbook works with the community playbook aws_find_inactive_users using the usernames discovered by that playbook. Change the prompt block from admin to the correct analyst user or role. You should create a custom list called aws_inactive_user_allowlist. Any user names in that list will be ignored by this playbook.

Explore Playbook

Click the playbook screenshot to explore in more detail!

Required fields

aws_username

Reference

https://www.splunk.com/en_us/blog/security/splunk-soar-playbooks-finding-and-disabling-inactive-users-on-aws.html

source | version: 1