AWS Disable User Accounts
Description
Disable a list of AWS IAM user accounts. After checking the list of accounts against an allowlist and confirming with an analyst, each account is disabled. The change can be reversed with the enable user action.
- Type: Response
- Product: Splunk SOAR
- Apps: AWS IAM
- Last Updated: 2021-11-01
- Author: Philip Royer, Splunk
- ID: fc0edc75-ff2b-48c0-5f6f-63da6423fd63
Associated Detections
How To Implement
This playbook works with the community playbook aws_find_inactive_users, using the usernames discovered by that playbook. Change the prompt block from admin to the correct analyst user or role. Create a custom list called aws_inactive_user_allowlist; any usernames in that list are ignored by this playbook.
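The allowlist check described above, sketched as an added example (not the playbook's own code). It assumes the content of aws_inactive_user_allowlist arrives as rows of cells with possible empty cells, and it compares names case-insensitively because IAM does not distinguish usernames by case; the function names and sample data are hypothetical and constructed for illustration.

```python
def normalize(name):
    """Return a comparison key for an IAM username, or None for an empty cell."""
    if name is None:
        return None
    key = str(name).strip().lower()
    return key or None


def split_by_allowlist(usernames, allowlist_rows):
    """Split candidate usernames into (to_disable, skipped).

    allowlist_rows is the custom list as rows of cells (assumed shape),
    e.g. [["svc-backup", None], ["BreakGlass-Admin"]].
    """
    allowed = {normalize(cell) for row in allowlist_rows for cell in row}
    allowed.discard(None)  # empty cells must never match a blank username

    to_disable, skipped, seen = [], [], set()
    for name in usernames:
        key = normalize(name)
        if key is None or key in seen:
            continue  # blank value or duplicate: nothing to act on
        seen.add(key)
        target = skipped if key in allowed else to_disable
        target.append(str(name).strip())
    return to_disable, skipped


# Constructed sample data: allowlist rows and usernames handed over by
# aws_find_inactive_users (values are made up for this example).
ALLOWLIST_ROWS = [["svc-backup", None], ["BreakGlass-Admin"], [" ci-deployer "]]
CANDIDATES = ["jdoe", "breakglass-admin", "SVC-Backup", "jdoe", "",
              "old.contractor", None]

if __name__ == "__main__":
    to_disable, skipped = split_by_allowlist(CANDIDATES, ALLOWLIST_ROWS)
    # Only the first list should reach the analyst prompt and the disable step.
    print("prompt analyst to disable:", to_disable)
    print("ignored (allowlisted):", skipped)
```

Normalizing both sides keeps a break-glass or service account from being disabled because of a case or whitespace mismatch between the allowlist entry and the discovered username.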
Explore Playbook
Required field
- aws_username
Reference
source | version: 1