This workflow template responds to AWS SNS events triggered by the addition of a specific Key:Value tag to an EC2 instance and isolates that instance at both the network and the identity layer. Upon event detection, the workflow obtains the instance details, checks whether an Isolation Security Group exists in the instance's VPC, and creates one if needed. It then applies that security group to the instance, disassociates any existing IAM Instance Profile, and associates a predefined Isolation IAM Instance Profile. This automated process is essential for Cloud Security Posture Management (CSPM).
Trigger
Amazon SNS
Use Cases
CSPM
Workflow Breakdown
Receive an event from AWS SNS based on a specific Key:Value tag
Get Instance Details and find the VPC
Check whether an Isolation Security Group exists in that VPC; if not, create a new Security Group
Apply the Isolation Security Group on the instance
Check for an IAM Instance Profile on the instance; if one exists, disassociate it
Apply an Isolation IAM Instance Profile on the instance
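The six steps above, carried through as an added example (this is not the workflow template's own code). It assumes the SNS message is an EventBridge "Tag Change on Resource" event and that the client exposes the boto3 EC2 API; the FakeEC2 class, the `quarantine=true` trigger tag, the `isolation-sg` group name and the instance-profile ARN are constructed placeholders so the logic runs offline. With real credentials, pass `boto3.client("ec2")` instead of `FakeEC2()`.

```python
"""Tag-triggered EC2 isolation, as an added example (not the workflow template's own code).

Assumes the SNS message is an EventBridge "Tag Change on Resource" event and that
the client exposes the boto3 EC2 API. FakeEC2, the tag name, the group name and
the profile ARN are constructed placeholders so the logic runs offline; with real
AWS credentials pass boto3.client("ec2") instead.
"""
import json

TRIGGER_TAG = ("quarantine", "true")  # assumed Key:Value that starts isolation
ISOLATION_SG_NAME = "isolation-sg"    # assumed security group name
ISOLATION_PROFILE_ARN = "arn:aws:iam::123456789012:instance-profile/isolation-profile"  # placeholder


def make_tag_event(instance_id, tags, changed_keys, region="us-east-1", account="123456789012"):
    """Constructed SNS-wrapped EventBridge tag-change event for the given instance."""
    detail = {"changed-tag-keys": changed_keys, "service": "ec2", "resource-type": "instance", "tags": tags}
    msg = {"detail-type": "Tag Change on Resource", "source": "aws.tag",
           "resources": [f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"], "detail": detail}
    return {"Records": [{"Sns": {"Message": json.dumps(msg)}}]}


def instance_id_from_sns(event, trigger=TRIGGER_TAG):
    """Return the instance id if the event carries the trigger Key:Value on an EC2 instance, else None."""
    msg = json.loads(event["Records"][0]["Sns"]["Message"])
    key, value = trigger
    detail = msg.get("detail", {})
    if key not in detail.get("changed-tag-keys", []) or detail.get("tags", {}).get(key) != value:
        return None
    resource = msg["resources"][0].split(":")[-1]  # e.g. instance/i-0abc123
    return resource.split("/", 1)[1] if resource.startswith("instance/") else None


def get_or_create_isolation_sg(ec2, vpc_id, name=ISOLATION_SG_NAME):
    """Find the isolation group in the instance's VPC, or create one with no inbound and no outbound rules."""
    found = ec2.describe_security_groups(Filters=[{"Name": "group-name", "Values": [name]},
                                                  {"Name": "vpc-id", "Values": [vpc_id]}])
    if found["SecurityGroups"]:
        return found["SecurityGroups"][0]["GroupId"]
    sg_id = ec2.create_security_group(GroupName=name, Description="Isolation: deny all", VpcId=vpc_id)["GroupId"]
    # A new group has no inbound rules but a default allow-all outbound rule; remove it so the host cannot egress.
    ec2.revoke_security_group_egress(GroupId=sg_id,
                                     IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    return sg_id


def isolate_instance(ec2, instance_id, profile_arn=ISOLATION_PROFILE_ARN):
    """Steps 2-6 of the workflow: VPC lookup, group swap, profile disassociation, isolation profile association."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    sg_id = get_or_create_isolation_sg(ec2, inst["VpcId"])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])  # replaces every attached group
    assoc = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])
    for a in assoc["IamInstanceProfileAssociations"]:
        if a["State"] in ("associating", "associated"):
            ec2.disassociate_iam_instance_profile(AssociationId=a["AssociationId"])
    ec2.associate_iam_instance_profile(IamInstanceProfile={"Arn": profile_arn}, InstanceId=instance_id)
    return {"instance": instance_id, "vpc": inst["VpcId"], "security_group": sg_id, "profile": profile_arn}


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 calls used above (not a real AWS client)."""
    def __init__(self):
        self.instances = {"i-0abc123": {"InstanceId": "i-0abc123", "VpcId": "vpc-1",
                                        "SecurityGroups": [{"GroupId": "sg-web"}]}}
        self.sgs = {}  # group id -> {"GroupName", "VpcId", "egress_open"}
        self.assocs = {"iip-assoc-1": {"AssociationId": "iip-assoc-1", "InstanceId": "i-0abc123",
                                       "State": "associated",
                                       "Arn": "arn:aws:iam::123456789012:instance-profile/web-role"}}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def describe_security_groups(self, Filters):
        f = {x["Name"]: x["Values"] for x in Filters}
        return {"SecurityGroups": [{"GroupId": g} for g, s in self.sgs.items()
                                   if s["GroupName"] in f["group-name"] and s["VpcId"] in f["vpc-id"]]}

    def create_security_group(self, GroupName, Description, VpcId):
        gid = f"sg-{100 + len(self.sgs)}"
        self.sgs[gid] = {"GroupName": GroupName, "VpcId": VpcId, "egress_open": True}
        return {"GroupId": gid}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.sgs[GroupId]["egress_open"] = False

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]

    def describe_iam_instance_profile_associations(self, Filters):
        ids = Filters[0]["Values"]
        return {"IamInstanceProfileAssociations": [a for a in self.assocs.values() if a["InstanceId"] in ids]}

    def disassociate_iam_instance_profile(self, AssociationId):
        self.assocs[AssociationId]["State"] = "disassociated"

    def associate_iam_instance_profile(self, IamInstanceProfile, InstanceId):
        aid = f"iip-assoc-{len(self.assocs) + 1}"
        self.assocs[aid] = {"AssociationId": aid, "InstanceId": InstanceId,
                            "State": "associated", "Arn": IamInstanceProfile["Arn"]}
        return {"IamInstanceProfileAssociation": self.assocs[aid]}


# Constructed sample event: the trigger tag was just added to i-0abc123.
SAMPLE_EVENT = make_tag_event("i-0abc123", {"quarantine": "true", "Name": "web-1"}, ["quarantine"])

if __name__ == "__main__":
    client = FakeEC2()
    target = instance_id_from_sns(SAMPLE_EVENT)
    if target:
        print(isolate_instance(client, target))
```

Two details matter in practice: `modify_instance_attribute(Groups=[...])` replaces the instance's whole security-group set, which is what isolation wants, and a freshly created group carries an allow-all outbound rule by default, so the revoke call is what actually blocks egress. Running the function twice is safe: the existing group is reused and the previous profile association is dropped before the isolation profile is attached.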
Vendors
AWS, Utils
Workflow Output
Isolate the EC2 Instance
Tips
Set up the SNS event using an EventBridge rule that sends events when the specific tag is added to an EC2 instance