AWS IAM - Delete access keys

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Get list of access keys from these users. 3. Delete selected access keys. 4. Adds information about deleted user's access keys as a comment to the incident.

Attribute Value
Type Playbook
Solution AWS_IAM
Source View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuresentinel Managed 1 3
function Built-in 0 2
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Entities_-_Get_Accounts post /entities/account
Add_comment_to_incident_(V3)_2 post /Incidents/Comment
Add_comment_to_incident_(V3) post /Incidents/Comment

function (Built-in)

Action Method Endpoint Other
DeleteAccessKey DELETE functionId=[concat(variables('aws_iam_functionapp_id'), '/functions/DeleteAccessKey')]
ListAccessKeys GET functionId=[concat(variables('aws_iam_functionapp_id'), '/functions/ListAccessKeys')]

Additional Documentation

📄 Source: Playbooks/AWSIAM-DeleteAccessKeys/readme.md

AWSIAM-DeleteAccessKeys

Summary

When a new sentinel incident is created, this playbook gets triggered and performs the following actions:

  1. Gets users from incident.
  2. Get list of access keys from these users.
  3. Delete selected access keys.
  4. Adds information about deleted user's access keys as a comment to the incident.


Prerequisites

  1. Prior to the deployment of this playbook, AWS IAM Function App Connector needs to be deployed under the same subscription.
  2. Obtain AWS IAM API credentials. Refer to AWS IAM Function App Connector documentation.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Playbook Name: Enter the playbook name here

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Click the Microsoft Sentinel connection Microsoftresource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections

b. Configurations in Sentinel

  1. In Microsoft sentinel, analytical rules should be configured to trigger an incident that contains user name in AWS. In the Entity maping section of the analytics rule creation workflow, user name should be mapped to Name identitfier of the Account entity type. Check the documentation to learn more about mapping entities.
  2. Configure the automation rules to trigger the playbook. Check the documentation to learn more about automation rules.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to AWS_IAM