This Torq workflow template provides a streamlined approach for handling AWS security group alerts when open SSH access from the internet is detected by Orca. The workflow automates the task of identifying security group details, contacting the resource owner via Slack, and if approved, removing the public SSH access while adding a corporate network range. In instances where the change is not approved, or if the owner cannot be reached, it automatically opens a Jira ticket to track the issue, ensuring compliance with security best practices and prompt remediation.
Trigger
Orca
Use Cases
CSPM
Workflow Breakdown
Retrieve details on the Security Group, including the number of NICs using the Security Group
Find the owner using the owner tag on the resource
Ask security group owner if the rule allowing public SSH access can be removed
If approved, remove the public SSH access and add the corporate network range
If not approved, or if the owner cannot be reached, open a Jira Ticket to track the issue and update the Orca alert
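The security-group side of these steps, written as an added Python example rather than code from the Torq template or from any of the vendors it integrates: it finds the public SSH entries in a group, counts the network interfaces that use the group, reads the owner tag, and builds the exact IpPermissions payloads that remove the public SSH access and add the corporate range. The sample group and interface data are constructed in the shape boto3 returns from describe_security_groups and describe_network_interfaces, the corporate CIDR and the `owner` tag key are placeholders, and the optional apply step assumes boto3 credentials are configured.

```python
"""Added example: security-group logic behind the workflow steps (constructed data)."""
from typing import Dict, List, Optional, Tuple

CORPORATE_CIDR = "203.0.113.0/24"   # placeholder corporate range (assumption)
SSH_PORT = 22
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like one entry of ec2.describe_security_groups()["SecurityGroups"]
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "bastion-sg",
    "Tags": [{"Key": "Name", "Value": "bastion"}, {"Key": "owner", "Value": "alice@example.com"}],
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # all-traffic rule open to the world: it also grants SSH and cannot be narrowed per port
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

# Constructed sample shaped like ec2.describe_network_interfaces()["NetworkInterfaces"]
SAMPLE_NICS = [
    {"NetworkInterfaceId": "eni-aaa", "Groups": [{"GroupId": "sg-0123456789abcdef0"}]},
    {"NetworkInterfaceId": "eni-bbb", "Groups": [{"GroupId": "sg-0123456789abcdef0"}, {"GroupId": "sg-other"}]},
    {"NetworkInterfaceId": "eni-ccc", "Groups": [{"GroupId": "sg-other"}]},
]


def rule_covers_ssh(perm: Dict) -> bool:
    """True if an ingress permission includes TCP/22, or is an all-traffic rule."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def public_ssh_ranges(group: Dict) -> List[str]:
    """Step 1: the public CIDRs (v4 and v6) that grant SSH into this group."""
    found = set()
    for perm in group.get("IpPermissions", []):
        if not rule_covers_ssh(perm):
            continue
        found.update(r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] in PUBLIC_CIDRS)
        found.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in PUBLIC_CIDRS)
    return sorted(found)


def nic_count(group_id: str, nics: List[Dict]) -> int:
    """Step 1: how many network interfaces use the group (the blast radius of a change)."""
    return sum(1 for nic in nics if any(g["GroupId"] == group_id for g in nic.get("Groups", [])))


def owner_email(group: Dict, tag_key: str = "owner") -> Optional[str]:
    """Step 2: read the owner tag (key assumed to be 'owner'); None means no owner to ask."""
    for tag in group.get("Tags", []):
        if tag["Key"].lower() == tag_key.lower():
            return tag["Value"]
    return None


def remediation_permissions(group: Dict) -> Tuple[List[Dict], List[Dict]]:
    """Step 4: build the IpPermissions to revoke and to authorize.

    Only the public entries of SSH-granting rules are revoked, so the 10.0.0.0/8
    entry and the 443 rule are left alone. A world-open all-traffic rule is
    revoked whole, because AWS cannot narrow it to a single port.
    """
    revoke = []
    for perm in group.get("IpPermissions", []):
        if not rule_covers_ssh(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r["CidrIp"] in PUBLIC_CIDRS]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in PUBLIC_CIDRS]
        if not (v4 or v6):
            continue
        entry: Dict = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        revoke.append(entry)
    authorize = [{"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
                  "IpRanges": [{"CidrIp": CORPORATE_CIDR, "Description": "corporate range (workflow)"}]}]
    return revoke, authorize


def apply_remediation(group_id: str, revoke: List[Dict], authorize: List[Dict], ec2=None) -> None:
    """Run the approved change against AWS; only called after the owner says yes (assumes boto3 creds)."""
    if ec2 is None:
        import boto3  # imported lazily so the planning functions above run offline
        ec2 = boto3.client("ec2")
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)


if __name__ == "__main__":
    gid = SAMPLE_GROUP["GroupId"]
    print("public SSH from:", public_ssh_ranges(SAMPLE_GROUP))
    print("NICs using group:", nic_count(gid, SAMPLE_NICS))
    print("owner:", owner_email(SAMPLE_GROUP) or "none -> open Jira ticket")
    print("plan:", remediation_permissions(SAMPLE_GROUP))
```

The planning functions never touch AWS, so the workflow can show the owner exactly which entries would be revoked (and how many interfaces are affected) before asking for approval; `apply_remediation` is the only call that changes state, and a missing owner tag surfaces as `None` so the branch to Jira is explicit.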
Vendors
AWS, Slack, Utils, Orca, Jira Cloud
Workflow Output
Success/Failure, Jira Ticket, and Orca update
Tips
An owner tag on the security group identifies the email address of the owner. A variable for a Slack channel could also be used.
Update the trigger to match your rule that fires the alert in Orca.