Skip to main content

AWS IAM User Access Investigation - Remediation

This Playbook is part of the Core - Investigation and Response Pack.#


Use Cloud IAM User Access Investigation instead.

Deprecated. Use Cloud IAM User Access Investigation instead. Respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments.

  • Penetration testing tool attempt
  • Penetration testing tool activity
  • Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage your feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block Indicators - Generic v2


This playbook does not use any integrations.


This playbook does not use any scripts.


  • aws-iam-get-user-login-profile
  • aws-iam-delete-login-profile
  • setIndicators
  • aws-iam-update-access-key

Playbook Inputs#

NameDescriptionDefault ValueRequired
userNameThe name of the user whose key you want to update.Optional
accessKeyIdThe access key ID of the secret access key you want to update.Optional
AutoDeleteProfileWhether to automatically delete the user login profile, if it exists (True/False).Optional
IPThe IP address to block using the playbook.Optional
AutoBlockIPWhether to initiate the block IP playbook automatically (True/False).FalseOptional
IndicatorTagThe Tag name for bad reputation IP addresses investigated in the incident.
Use it when the EDL service is configured to add indicators to block in PANW PAN-OS.
If indicator verdict (Malicious/Bad) is used to add indicators to Cortex XSIAM EDL, you don't need to use the tag. Indicators are set as malicious, automatically in the incident.
DAGDetermines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used.
Specify the Dynamic Address Group tag name for IP handling.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

AWS IAM User Access Investigation - Remediation