Remediate AWS EC2 Instance with Open SSH Access from Wiz Alert - Workflow Template

Whenever an alert is raised on an AWS EC2 instance whose SSH port is open to the internet, orchestrate remediation.

Updated over 6 months ago

This Torq workflow template is designed for Cloud Security Posture Management (CSPM). It automates the remediation process of AWS EC2 instances with open SSH access detected by Wiz. The workflow retrieves instance and security details, identifies the instance owner via Slack, offers the owner options to stop the instance or modify the security group to restrict SSH access, and if needed, opens a security ticket in Jira. This ensures immediate response to potential vulnerabilities, maintaining strong security compliance.

Trigger

Wiz

Use Cases

CSPM

Workflow Breakdown

  1. Retrieve instance details including tags and security group information

  2. Find the user or channel in Slack

  3. Reach out to the instance owner and ask whether the instance can be stopped or its Security Group modified

  4. If the user approves - modify the security group restricting SSH access and add corp access

  5. If the user approves - stop the instance

  6. If the user doesn't approve either option - open a security ticket in Jira

  7. Update the handling status in Wiz and via Slack. Update notes on the Wiz issue.
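The security group change in step 4 can be planned as below. This is an added example, not part of the Torq template; `CORP_CIDR` is a placeholder range and the function names are hypothetical. The input has the shape of the `IpPermissions` list returned by EC2's `describe_security_groups`.

```python
import ipaddress

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
CORP_CIDR = "203.0.113.0/24"  # assumption: placeholder corporate range
SSH = 22

def covers_ssh(perm):
    """True if the rule's protocol and port range include TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH <= perm.get("ToPort", 65535)

def plan_ssh_remediation(ip_permissions, corp_cidr=CORP_CIDR):
    """Return (revoke, authorize) IpPermissions lists for one security group."""
    if ipaddress.ip_network(corp_cidr).prefixlen == 0:
        raise ValueError("corp_cidr must not be an any-address range")
    revoke, corp_present = [], False
    for perm in ip_permissions:
        if not covers_ssh(perm):
            continue
        v4, v6 = perm.get("IpRanges", []), perm.get("Ipv6Ranges", [])
        corp_present |= any(r["CidrIp"] == corp_cidr for r in v4)
        open4 = [{"CidrIp": r["CidrIp"]} for r in v4 if r["CidrIp"] in OPEN_CIDRS]
        open6 = [{"CidrIpv6": r["CidrIpv6"]} for r in v6 if r["CidrIpv6"] in OPEN_CIDRS]
        if open4 or open6:
            # Revocation must match the rule's protocol and ports exactly, so a
            # wide port range that includes 22 is removed whole for the open CIDR.
            rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            if open4:
                rule["IpRanges"] = open4
            if open6:
                rule["Ipv6Ranges"] = open6
            revoke.append(rule)
    authorize = [] if corp_present else [{
        "IpProtocol": "tcp", "FromPort": SSH, "ToPort": SSH,
        "IpRanges": [{"CidrIp": corp_cidr}]}]
    return revoke, authorize

# Constructed sample: SSH open to the world (IPv4 and IPv6) plus one admin host,
# and an unrelated HTTPS rule that must be left alone.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.7/32"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
```

The two returned lists can be passed as `IpPermissions`, together with the group's `GroupId`, to boto3's `revoke_security_group_ingress` and `authorize_security_group_ingress`.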

Vendors

AWS, Slack, Utils, Wiz, Jira Cloud

Workflow Output

Success/Failure, Jira Ticket and Slack message updates

Tips

Set up Wiz to send alerts for "Linux VM instance with wide SSH exposure" to the Torq webhook.
