
Cloud Credentials Rotation - Generic

This Playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

Cloud Credentials Rotation - Generic

This comprehensive playbook combines the remediation steps from AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring swift and effective response.

The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments.

Integrations for Each Sub-Playbook

To execute the actions in each sub-playbook, the following integrations must be installed and configured; they perform the automated tasks the playbook carries out. The required integrations for each sub-playbook are:

AWS Sub-Playbook:

  1. AWS - IAM: Used to manage AWS Identity and Access Management.
  2. AWS - EC2: Essential for managing Amazon Elastic Compute Cloud (EC2) instances.

GCP Sub-Playbook:

  1. Google Workspace Admin: Manages users, groups, and other entities within Google Workspace.
  2. GCP-IAM: Ensures management and control of GCP's Identity and Access Management.

Azure Sub-Playbook:

  1. Microsoft Graph Users: Manages users and related entities in Microsoft Graph.
  2. Microsoft Graph Applications: Manages applications within Microsoft Graph.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Cloud Credentials Rotation - GCP
  • Cloud Credentials Rotation - AWS
  • Cloud Credentials Rotation - Azure

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

This playbook does not use any commands.

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| RemediationType | The remediation actions to run, using AWS, MSGraph Users, GCP and GSuite Admin. Reset: executes a password reset (supports AWS, MSGraph Users, GCP and GSuite Admin). Revoke: GCP revokes the access key, GSuite Admin revokes the access token and MSGraph Users revokes the session (supports GCP, GSuite Admin and MSGraph Users). Deactivate: deactivates the access key (supports AWS). ALL: executes every remediation action available for the CSP. | | Optional |
| shouldCloneSA | Whether to clone the compromised SA before attaching a deny policy to it. Supports: AWS. True/False | True | Optional |
| GCP-userID | Identifies the user in the API request. The value can be the user's primary email address, alias email address, or unique user ID. | | Optional |
| GCP-clientID | The client ID. | | Optional |
| GCP-zone | The name of the zone, e.g. us-central1-c or us-central1-b. | | Optional |
| GCP-SAEmail | The service account email. | | Optional |
| Azure-AppID | The unique application (client) ID of the application. | | Optional |
| Azure-ObjectID | The unique ID of the service principal object associated with the application. | | Optional |
| Azure-userID | The user ID or user principal name. | | Optional |
| AWS-instanceID | The instance ID. | | Optional |
| AWS-userID | The user name. | | Optional |
| AWS-accessKeyID | The access key ID. | | Optional |
| AWS-newRoleName | The name of the new role to create if the analyst decides to clone the service account. | | Optional |
| AWS-newInstanceProfileName | The name of the new instance profile to create if the analyst decides to clone the service account. | | Optional |
| AWS-roleNameToRestrict | If provided, a deny policy is attached to this role directly, skipping the compute instance analysis flow. | | Optional |
| cloudProvider | The CSP that triggered the alert. Usually mapped to the incident field named 'cloudprovider', e.g. AWS, AZURE, GCP. | | Optional |
| identityType | The type of identity involved. Usually mapped to the incident field named 'cloudidentitytype', e.g. IAM, SERVICE_ACCOUNT, APPLICATION. | | Optional |
| GCP-cloudProject | The project that the alert was triggered on. | | Optional |
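The RemediationType rules above are easy to misread (for example, Revoke is not offered for AWS and Deactivate is only offered for AWS, so those combinations would do nothing). The following Python is an added example, not code from the playbook pack: it encodes the support matrix from the table, expands ALL into the per-CSP action set, and rejects unsupported combinations instead of silently no-op'ing. The action strings are constructed labels for illustration, not the playbook's task names.

```python
"""Resolve the RemediationType / cloudProvider input contract of the
Cloud Credentials Rotation - Generic playbook (added example)."""
from __future__ import annotations

# Per CSP, which integration performs each remediation action, as stated
# in the RemediationType description. The action labels are constructed
# for this example and are not the playbook's own task names.
SUPPORT_MATRIX: dict[str, dict[str, list[str]]] = {
    "AWS": {
        "Reset": ["AWS: reset password"],
        "Deactivate": ["AWS: deactivate access key"],
    },
    "GCP": {
        "Reset": ["GCP: reset password", "GSuite Admin: reset password"],
        "Revoke": ["GCP: revoke access key",
                   "GSuite Admin: revoke access token"],
    },
    "AZURE": {
        "Reset": ["MSGraph Users: reset password"],
        "Revoke": ["MSGraph Users: revoke session"],
    },
}


class UnsupportedRemediation(ValueError):
    """Raised when RemediationType is not offered for the given CSP."""


def resolve_actions(cloud_provider: str, remediation_type: str) -> list[str]:
    """Return the concrete actions the sub-playbook would run.

    cloud_provider is the 'cloudprovider' incident field (AWS, AZURE, GCP);
    remediation_type is Reset, Revoke, Deactivate or ALL. Both are matched
    case-insensitively because incident fields are often lower-cased.
    """
    csp = cloud_provider.strip().upper()
    if csp not in SUPPORT_MATRIX:
        raise UnsupportedRemediation(f"unknown cloudProvider {cloud_provider!r}")
    actions_for_csp = SUPPORT_MATRIX[csp]
    requested = remediation_type.strip()
    if requested.upper() == "ALL":
        # ALL runs every action this CSP offers, in matrix order.
        return [a for acts in actions_for_csp.values() for a in acts]
    for action, acts in actions_for_csp.items():
        if action.lower() == requested.lower():
            return list(acts)
    raise UnsupportedRemediation(
        f"{requested!r} is not supported for {csp}; "
        f"choose one of {sorted(actions_for_csp)} or ALL"
    )
```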

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| MSGraphUser | The Microsoft Graph Users information. | unknown |
| MSGraphApplication | The Microsoft Graph Application information. | unknown |
| GoogleCloudCompute.Instances | Google Cloud Compute instance information. | unknown |
| GCPIAM.ServiceAccountKey | The service account keys. | unknown |
| GCPIAM.ServiceAccount | The service account information. | unknown |
| AWS.EC2.Instances | AWS EC2 instance information. | unknown |
| AWS.IAM.InstanceProfiles | AWS IAM instance profile information. | unknown |
| AWS.IAM.Roles.AttachedPolicies.Policies | A list of managed policy names. | unknown |
| AWS.IAM.Roles.RoleName.Policies | A list of policy names. | unknown |

Playbook Image


Cloud Credentials Rotation - Generic