AWS - Disable S3 Bucket Public Access



This playbook disables public access to an AWS S3 bucket. It is triggered by an incident in Microsoft Sentinel and performs the following actions:

  1. Get the Bucket Name from incident entities.
  2. Call the AWS IAM Function App Connector to disable public access to the S3 bucket.
  3. Add a comment to the incident with the result of the action.

Type: Playbook
Solution: AWS_IAM
Source: View on GitHub

Additional Documentation

📄 Source: Playbooks/AWS-DisableS3BucketPublicAccess/readme.md

AWS-DisableS3BucketPublicAccess

Summary

When a new Sentinel incident is created, this playbook gets triggered and performs the following actions:

  1. Get the Bucket Name from incident entities.
  2. Call the AWS IAM Function App Connector to disable public access to the S3 bucket.
  3. Add a comment to the incident with the result of the action.
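
The bucket name in step 1 comes from incident entity data, so it is worth validating before it reaches a remediation call, and the result in step 3 is worth verifying independently. The following is an added example, not code from the playbook or the connector: the entity shape (`kind`, `properties.name`) and all sample values are constructed assumptions, and the check against the four S3 Block Public Access settings is one way to confirm the outcome, since the page does not state which settings the connector changes.

```python
import ipaddress
import re

# General-purpose S3 bucket naming rules: 3-63 chars, lowercase letters,
# digits, dots and hyphens, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# The four settings of an S3 PublicAccessBlockConfiguration.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def is_valid_bucket_name(name):
    """Reject anything that cannot be a real bucket name before acting on it."""
    if not isinstance(name, str) or not _BUCKET_RE.match(name) or ".." in name:
        return False
    try:
        ipaddress.IPv4Address(name)  # names formatted like IP addresses are not allowed
        return False
    except ValueError:
        return True


def bucket_names_from_entities(entities):
    """Return (valid, rejected) names taken from Cloud Application entities."""
    valid, rejected = [], []
    for ent in entities:
        if str(ent.get("kind", "")).lower() != "cloudapplication":
            continue  # other entity types never carry the bucket name
        name = (ent.get("properties") or {}).get("name")  # assumed field name
        (valid if is_valid_bucket_name(name) else rejected).append(name)
    return valid, rejected


def missing_block_flags(config):
    """List the Block Public Access settings that are not explicitly True."""
    return [flag for flag in PAB_FLAGS if config.get(flag) is not True]


# Constructed sample data (not real incident output).
SAMPLE_ENTITIES = [
    {"kind": "CloudApplication", "properties": {"name": "contoso-logs-archive"}},
    {"kind": "CloudApplication", "properties": {"name": "Bad_Bucket/../x"}},
    {"kind": "Account", "properties": {"name": "alice"}},
]
SAMPLE_CONFIG = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": False, "RestrictPublicBuckets": True}
```

Rejected names are returned rather than silently dropped so they can be recorded in the incident comment alongside the result of the action.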




Prerequisites

  1. Prior to the deployment of this playbook, AWS IAM Function App Connector needs to be deployed under the same subscription.
  2. Refer to AWS IAM Function App Connector documentation to obtain AWS Access Key ID and Secret Access Key.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Playbook Name: Enter the playbook name here


Post-Deployment instructions

a. Authorize connections for Playbook

Once deployment is complete, authorize each connection.

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections

b. Configure Analytic Rule to trigger Playbook in Microsoft Sentinel

  1. In Microsoft Sentinel, analytics rules should be configured to generate incidents that contain a Cloud Application instance. In the Entity mapping section of the analytics rule creation workflow, the Cloud Application instance should be mapped to the Name identifier of the Cloud Application entity type. Check the documentation to learn more about mapping entities.
  2. Configure the automation rules to trigger the playbook. Check the documentation to learn more about automation rules.

c. Assign Playbook Microsoft Sentinel Responder Role

  1. Select the Playbook (Logic App) resource
  2. Click on Identity Blade
  3. Choose System assigned tab
  4. Click on Azure role assignments
  5. Click on Add role assignments
  6. Select Scope - Resource group
  7. Select Subscription - where Playbook has been created
  8. Select Resource group - where Playbook has been created
  9. Select Role - Microsoft Sentinel Responder
  10. Click Save
