Handle Orca Alert for IAM Role with Admin Permissions - Workflow Template

Receive an Orca alert about excessive policies or permissions attached to an IAM role, and notify the owner or a channel via Slack.


This Torq workflow template addresses alerts for IAM roles with excessive permissions, as identified by Orca Security. The workflow retrieves IAM role details and tags, notifies the owner or a designated Slack channel, and suggests remediation actions, including policy removal or role deletion. Owners can also create follow-up Jira tickets. Actions taken are updated in the Orca Security alert timeline, ensuring proper tracking and compliance with security policies.

Trigger

Orca

Optional Triggers

Webhook

Use Cases

CSPM

Workflow Breakdown

  1. Retrieve the details of the role and the tags attached to the IAM role

  2. Reach out to the owner, notify them about the issue, and suggest removing specific policies, deleting the role (if it is not used), or opening a Jira issue

  3. If the user chooses to remove policies, present a choice of currently assigned policies and remove the chosen policies

  4. Rescan the asset via Orca Security if the role is modified

  5. If the user chooses to delete the role, collect an explanation of why

  6. If the user chooses to follow up later, collect an explanation and orchestrate Jira issue creation

  7. Update the comments on the Orca Security alert timeline
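
The decision logic behind steps 1 to 3, as an added Python example (not Torq's template code): given a role's tags and attached policy documents, it picks who to notify and which policies to offer for removal. The `Owner` tag key, the fallback channel name and all sample data are assumptions constructed for illustration.

```python
# Added example. Inputs are constructed and shaped like the responses of the
# IAM ListRoleTags and GetPolicyVersion APIs; no AWS call is made here.

def _as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return value if isinstance(value, list) else [value]

def is_admin_statement(stmt):
    """True when a statement unconditionally allows all actions on all resources."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return "*" in actions and "*" in resources

def admin_policies(attached):
    """Return ARNs of attached policies that contain an admin statement."""
    return [
        arn for arn, doc in attached.items()
        if any(is_admin_statement(s) for s in _as_list(doc.get("Statement", [])))
    ]

def notify_target(tags, fallback_channel, owner_key="Owner"):
    """Slack recipient: the role's owner tag (assumed key), else the channel."""
    for tag in tags:
        if tag["Key"].lower() == owner_key.lower() and tag["Value"].strip():
            return tag["Value"].strip()
    return fallback_channel

# Constructed sample data (123456789012 is a placeholder account id).
ROLE_TAGS = [{"Key": "owner", "Value": "alice@example.com"},
             {"Key": "env", "Value": "dev"}]
ATTACHED = {
    "arn:aws:iam::aws:policy/AdministratorAccess": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "arn:aws:iam::123456789012:policy/read-logs": {
        "Statement": {"Effect": "Allow", "Action": ["logs:Get*"], "Resource": "*"}},
    "arn:aws:iam::123456789012:policy/deny-all": {
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}

if __name__ == "__main__":
    print("notify:", notify_target(ROLE_TAGS, "#cloud-security"))
    print("offer for removal:", admin_policies(ATTACHED))
```

Statements carrying a `Condition` are skipped here because they are not unconditional admin grants; review them separately.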

Vendors

AWS, Slack, Utils, Orca, Jira Cloud

Workflow Output

Success / Failure, Jira Tickets
