
Cloud Response - AWS

This Playbook is part of the AWS Enrichment and Remediation Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook provides response actions for AWS. The following actions can be executed automatically or manually:

  • Resource remediation:
    • Terminate the instance
    • Stop the instance
  • Identity remediation:
    • Delete the user
    • Revoke the user's credentials
  • Access key remediation:
    • Disable the access key
    • Delete the access key
  • Block indicators


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Block IP - Generic v3

Integrations

This playbook does not use any integrations.

Scripts

  • Set

Commands

  • aws-iam-delete-login-profile
  • aws-iam-delete-user
  • aws-iam-update-access-key
  • aws-ec2-stop-instances
  • aws-iam-delete-access-key
  • aws-ec2-terminate-instances

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| accessKeyRemediationType | Choose the remediation type for the user's access key. Disable - for disabling the user's access key. Delete - for the user's access key deletion. | | |
| userRemediationType | Choose the remediation type for the user involved. Delete - for the user deletion. Revoke - for revoking the user's credentials. | | |
| resourceRemediationType | Choose the remediation type for the instances created. Stop - for stopping the instances. Terminate - for terminating the instances. | | |
| autoResourceRemediation | Whether to execute the resource remediation flow automatically. | False | Optional |
| autoUserRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| autoAccessKeyRemediation | Whether to execute the access key remediation flow automatically. | False | Optional |
| autoBlockIndicators | Whether to block the indicators automatically. | False | Optional |
| resourceName | The resource name to take action on. | | Optional |
| region | The resource's region. | | Optional |
| username | The username to take action on. | | Optional |
| accessKeyId | The user's access key ID. | | Optional |
| sourceIP | The source IP address of the attacker. | | Optional |

Playbook Outputs

There are no outputs for this playbook.
