Try in Splunk SOAR

Description

Disable a list of AWS IAM user accounts. After checking the list of accounts against an allowlist and confirming with an analyst, each account is disabled. The change can be reversed with the enable user action.

  • Type: Response
  • Product: Splunk SOAR
  • Apps: AWS IAM
  • Last Updated: 2021-11-01
  • Author: Philip Royer, Splunk
  • ID: fc0edc75-ff2b-48c0-5f6f-63da6423fd63

Associated Detections

How To Implement

This playbook works with the community playbook aws_find_inactive_users using the usernames discovered by that playbook. Change the prompt block from admin to the correct analyst user or role. You should create a custom list called aws_inactive_user_allowlist. Any user names in that list will be ignored by this playbook.

Playbooks

Required field

Reference

source | version: 1