
Cloud Credentials Rotation - AWS

This playbook is part of the AWS Enrichment and Remediation Pack.

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

AWS Credentials Rotation Playbook

Identity Remediation

Secure compromised accounts by taking swift action:

  • Reset Password: Resets the user password to halt any unauthorized access.

  • Access Key Deactivation: Deactivate any suspicious or known-compromised access keys.

  • Combo Action: In some cases, you may want to both reset the password and deactivate the access key for absolute security.

Role Remediation

If a role is suspected to be compromised:

  • Deny Policy Implementation: Attach a deny-all policy to the compromised role, thus preventing it from performing any further actions.

  • Role Cloning: Before outright remediation, clone the role. This ensures that you have a backup with the same permissions, making the transition smoother.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


Scripts

  • Set
  • GeneratePassword


Commands

  • aws-ec2-describe-iam-instance-profile-associations
  • aws-iam-list-attached-role-policies
  • aws-iam-list-role-policies
  • aws-iam-list-policy-versions
  • aws-iam-create-instance-profile
  • aws-iam-get-policy-version
  • aws-iam-create-role
  • aws-iam-attach-policy
  • aws-iam-put-role-policy
  • aws-iam-update-login-profile
  • aws-iam-update-access-key
  • aws-iam-get-instance-profile
  • aws-ec2-describe-instances
  • aws-iam-get-role-policy
  • aws-ec2-describe-regions

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IAMRemediationType | The response playbook provides the following remediation actions for IAM users. Reset: by entering "Reset" in the input, the playbook will execute a password reset. Deactivate: by entering "Deactivate" in the input, the playbook will execute access key deactivation. ALL: by entering "ALL" in the input, the playbook will execute both password reset and access key deactivation. | | |
| shouldCloneSA | Whether to clone the compromised SA before attaching a deny policy to it. | | |
| identityType | The type of identity involved. Usually mapped to the incident field named 'cloudidentitytype'. | | |
| newRoleName | The new role name to assign in the clone service account flow. | tempNewRoleName | Optional |
| newInstanceProfileName | The new instance profile name to assign in the clone service account flow. | tempNewInstanceProfileName | Optional |
| accessKeyID | The access key ID. | | Optional |
| username | The user name. | | Optional |
| instanceID | The instance ID. | | Optional |
| roleNameToRestrict | If provided, a deny policy will be attached to the role without the compute instance analysis flow. | | Optional |
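
The three IAMRemediationType actions and the role deny policy, sketched with the boto3 IAM calls that correspond to aws-iam-update-login-profile, aws-iam-update-access-key and aws-iam-put-role-policy. This is an added example, not the playbook's own code: the function names, the policy name `DenyAllRemediation` and the choice of an inline policy are assumptions, and `iam` is expected to be a `boto3.client("iam")`.

```python
import json
import secrets
import string

# Deny-all policy document: in IAM evaluation an explicit Deny overrides
# every Allow the role still carries, so existing policies can stay in place.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}


def generate_password(length=24):
    """Random password containing at least one character from each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#$%^&*()-_=+"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def remediate_user(iam, remediation_type, username, access_key_id=None):
    """Apply the IAMRemediationType action (Reset, Deactivate or ALL) to an IAM user."""
    kind = remediation_type.strip().lower()
    if kind not in ("reset", "deactivate", "all"):
        raise ValueError(f"unsupported IAMRemediationType: {remediation_type!r}")
    # Validate before the first API call so "ALL" never stops half-way.
    if kind in ("deactivate", "all") and not access_key_id:
        raise ValueError("accessKeyID is required to deactivate a key")
    done = []
    if kind in ("reset", "all"):
        iam.update_login_profile(UserName=username, Password=generate_password())
        done.append("password_reset")
    if kind in ("deactivate", "all"):
        iam.update_access_key(UserName=username, AccessKeyId=access_key_id,
                              Status="Inactive")
        done.append("access_key_deactivated")
    return done


def restrict_role(iam, role_name, policy_name="DenyAllRemediation"):
    """Put the deny-all document on the role as an inline policy (assumed name)."""
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(DENY_ALL_POLICY))
    return policy_name
```

Setting the key to `Inactive` rather than deleting it keeps the key ID available for later investigation of what it was used for.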

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| AWS.EC2.Instances | AWS EC2 instance information. | unknown |
| AWS.IAM.InstanceProfiles | AWS IAM instance profile information. | unknown |
| AWS.IAM.Roles.AttachedPolicies.Policies | A list of managed policy names. | unknown |
| AWS.IAM.Roles.RoleName.Policies | A list of policy names. | unknown |

Playbook Image

Cloud Credentials Rotation - AWS