Workflow Template: Handle Suspicious AWS Console Logins (AWS SNS)

Check the source IP of the login session and, if it is suspicious or malicious, verify the login with the user. If the user acknowledges it, log a ticket; otherwise, remediate.

Updated over a month ago

The "Handle Suspicious AWS Console Logins" workflow template is designed to enhance security by automating the response to potentially malicious login attempts on AWS. It checks the source IP against VirusTotal, verifies user logins via Slack, and logs incidents in ServiceNow. If a login is deemed suspicious and unacknowledged, the workflow disables the user's access, ensuring swift remediation and protection of sensitive resources.

Trigger

Amazon SNS

Use Cases

Suspicious User Activity

Workflow Breakdown

  1. Check the source IP of the login in VirusTotal

  2. Verify whether the login was a root or IAM user login; if it was a root login, log a ServiceNow incident

  3. Find the user in Slack and ask them to acknowledge the login

  4. If acknowledged, open and automatically resolve a ServiceNow incident

  5. If not acknowledged, disable the user's login profile and access keys

  6. Open a ServiceNow incident with the details of the event
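The branching of steps 1 to 6, as an added Python example that is not part of the template or of any vendor's code: it parses a constructed SNS-wrapped CloudTrail ConsoleLogin event, decides the action list the breakdown describes (the VirusTotal verdict and the Slack reply are passed in as values), and performs step 5 against FakeIam, an in-memory stand-in for the boto3 IAM client whose method names match the real one. It assumes that a clean VirusTotal verdict ends the workflow without contacting the user.

```python
import json

# Constructed sample (not from the page): an SNS notification wrapping a CloudTrail
# ConsoleLogin event for an IAM user signing in without MFA.
SNS_NOTIFICATION = {"Type": "Notification", "Message": json.dumps({
    "eventName": "ConsoleLogin",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "sourceIPAddress": "203.0.113.45",
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MFAUsed": "No"},
})}

def parse_login(notification):
    """Pull the fields the workflow branches on out of the SNS-wrapped CloudTrail event."""
    event = json.loads(notification["Message"])
    if event.get("eventName") != "ConsoleLogin":
        return None
    ident = event.get("userIdentity", {})
    return {"is_root": ident.get("type") == "Root", "user": ident.get("userName"),
            "source_ip": event.get("sourceIPAddress"),
            "success": event.get("responseElements", {}).get("ConsoleLogin") == "Success"}

def decide(login, ip_flagged, acknowledged):
    """Map the breakdown's branches to an ordered action list.
    ip_flagged: VirusTotal verdict on the source IP; acknowledged: Slack reply
    (True/False, or None when the user never answered, which counts as not acknowledged)."""
    if login["is_root"]:
        return ["open_incident"]          # step 2: root login gets a ticket, no Slack check
    if not ip_flagged:
        return []                         # assumption: a clean IP ends the workflow here
    if acknowledged:
        return ["open_incident", "resolve_incident"]          # step 4
    return ["disable_login_profile", "deactivate_access_keys", "open_incident"]  # steps 5-6

class FakeIam:
    """Hypothetical in-memory stand-in for a boto3 IAM client so the example runs offline."""
    def __init__(self, user, keys):
        self.profiles, self.keys = {user}, {k: "Active" for k in keys}
    def delete_login_profile(self, UserName):
        self.profiles.discard(UserName)
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

def remediate(iam, user):
    """Step 5: remove console access and deactivate (not delete) every active access key,
    so the keys can be re-enabled if the login turns out to be legitimate. Returns the count."""
    iam.delete_login_profile(UserName=user)
    active = [k for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"] if k["Status"] == "Active"]
    for key in active:
        iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
    return len(active)
```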

Vendors

AWS, Slack, VirusTotal, ServiceNow