Try in Splunk SOAR


Disable a list of AWS IAM user accounts. After checking the list of accounts against an allowlist and confirming with an analyst, each account is disabled. The change can be reversed with the enable user action.

  • Type: Response
  • Product: Splunk SOAR
  • Apps: AWS IAM
  • Last Updated: 2021-11-01
  • Author: Philip Royer, Splunk
  • ID: fc0edc75-ff2b-48c0-5f6f-63da6423fd63
  • Use-cases:

Associated Detections

How To Implement

This playbook works with the community playbook aws_find_inactive_users using the usernames discovered by that playbook. Change the prompt block from admin to the correct analyst user or role. You should create a custom list called aws_inactive_user_allowlist. Any user names in that list will be ignored by this playbook.

Explore Playbook


Required field

  • aws_username


source | version: 1