Handle AWS Security Group with Open SSH Access on Orca Alert - Workflow Template

Whenever an Orca alert is raised on an AWS security group with an open access (from the internet) to SSH, orchestrate remediation.

Updated over 6 months ago

This Torq workflow template provides a streamlined approach for handling AWS security group alerts when open SSH access from the internet is detected by Orca. The workflow automates the task of identifying security group details, contacting the resource owner via Slack, and if approved, removing the public SSH access while adding a corporate network range. In instances where the change is not approved, or if the owner cannot be reached, it automatically opens a Jira ticket to track the issue, ensuring compliance with security best practices and prompt remediation.

Trigger

Orca

Use Cases

CSPM

Workflow Breakdown

  1. Retrieve details on the security group, including the number of NICs using the security group

  2. Find the owner using the owner tag on the resource

  3. Ask security group owner if the rule allowing public SSH access can be removed

  4. If approved, remove the public SSH access and add the corporate network range

  5. If not approved, open a Jira ticket to track the issue and update the Orca ticket
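As an added illustration of steps 1, 2 and 4 (not the template's own code, which runs as Torq steps against the AWS, Slack and Jira integrations), the following Python mirrors the decision logic over data shaped like the EC2 describe_security_groups and describe_network_interfaces responses: it counts attached NICs, reads the owner tag (assumed here to be keyed `owner`, case-insensitively), isolates only the internet-open SSH ranges for revocation, and builds the replacement rule for a corporate range. All IDs, addresses and the corporate CIDR are constructed sample values.

```python
# Added example (not Torq's, Orca's or AWS's code): pure-Python helpers for steps 1, 2, 4.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
SSH = 22

def allows_ssh(perm):
    # An entry covers SSH if it is all-traffic ('-1') or a TCP range spanning port 22.
    proto = perm.get("IpProtocol")
    return proto == "-1" or (proto == "tcp" and perm["FromPort"] <= SSH <= perm["ToPort"])

def public_ssh_rules(sg):
    # Entries exposing SSH to the internet, trimmed to just the public ranges, in the
    # shape ec2.revoke_security_group_ingress(IpPermissions=...) accepts.
    offending = []
    for perm in sg.get("IpPermissions", []):
        v4 = [r for r in perm.get("IpRanges", []) if r["CidrIp"] in PUBLIC_CIDRS]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in PUBLIC_CIDRS]
        if allows_ssh(perm) and (v4 or v6):
            rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            rule.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
            offending.append(rule)
    return offending

def owner_email(sg, tag_key="owner"):
    # Step 2: value of the owner tag (key matched case-insensitively), None if untagged.
    return next((t["Value"] for t in sg.get("Tags", []) if t["Key"].lower() == tag_key), None)

def attached_nic_count(sg_id, nics):
    # Step 1: how many ENIs (describe_network_interfaces shape) reference the group.
    return sum(any(g["GroupId"] == sg_id for g in ni.get("Groups", [])) for ni in nics)

def plan_remediation(sg, corporate_cidr):
    # Step 4: revoke the public SSH ranges and authorize SSH from the corporate range only;
    # if nothing is exposed there is nothing to revoke and nothing to add.
    revoke = public_ssh_rules(sg)
    authorize = [{"IpProtocol": "tcp", "FromPort": SSH, "ToPort": SSH,
                  "IpRanges": [{"CidrIp": corporate_cidr, "Description": "corporate SSH"}]}]
    return {"revoke": revoke, "authorize": authorize if revoke else []}

# Constructed sample inputs (fake IDs, RFC 1918/5737 addresses) standing in for the AWS API.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "Tags": [{"Key": "Owner", "Value": "alice@example.com"}],
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
SAMPLE_NICS = [{"Groups": [{"GroupId": "sg-0123456789abcdef0"}]}, {"Groups": [{"GroupId": "sg-0fedcba9876543210"}]},
               {"Groups": [{"GroupId": "sg-0123456789abcdef0"}, {"GroupId": "sg-0fedcba9876543210"}]}]
```

Only the `0.0.0.0/0` and `::/0` entries of the port-22 rule are selected for revocation, so the private `10.0.0.0/8` range and the public HTTPS rule are left untouched.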

Vendors

AWS, Slack, Utils, Orca, Jira Cloud

Workflow Output

Success/Failure, Jira Ticket, and Orca update

Tips

An owner tag on the security group identifies the email address of the owner. A variable for a Slack channel could also be used.

Update the trigger to match the rule that fires the alert in Orca.
