AWS Disable User Accounts

Description

Disable a list of AWS IAM user accounts. After checking the list of accounts against an allowlist and confirming with an analyst, each account is disabled. The change can be reversed with the enable user action.

Type: Response
Product: Splunk SOAR
Apps: AWS IAM
Last Updated: 2021-11-01
Author: Philip Royer, Splunk
ID: fc0edc75-ff2b-48c0-5f6f-63da6423fd63
Use-cases:

Associated Detections

How To Implement

This playbook works with the community playbook aws_find_inactive_users using the usernames discovered by that playbook. Change the prompt block from admin to the correct analyst user or role. You should create a custom list called aws_inactive_user_allowlist. Any user names in that list will be ignored by this playbook.

Explore Playbook

Required field

aws_username

Reference

https://www.splunk.com/en_us/blog/security/splunk-soar-playbooks-finding-and-disabling-inactive-users-on-aws.html

source | version: 1

Twitter Facebook LinkedIn

AWS Disable User Accounts

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

Headless Browser Mockbin or Mocky Request

Headless Browser Usage

Windows Find Interesting ACL with FindInterestingDomainAcl

Windows Get Local Admin with FindLocalAdminAccess