This Torq workflow template addresses alerts for IAM roles with excessive permissions, as identified by Orca Security. The workflow retrieves IAM role details and tags, notifies the owner or a designated Slack channel, and suggests remediation actions, including policy removal or role deletion. Owners can also create follow-up Jira tickets. Actions taken are updated in the Orca Security alert timeline, ensuring proper tracking and compliance with security policies.
Trigger
Orca
Optional Triggers
Webhook
Use Cases
CSPM
Workflow Breakdown
Retrieve the details of the role and the tags attached to the IAM role
Reach out to the owner, notify them about the issue, and suggest removing specific policies, deleting the role (if not used), or opening a Jira issue
If the user chooses to remove policies, present a choice of currently assigned policies and remove the chosen policies
Rescan the asset via Orca Security if the role is modified
If the user chooses to delete the role, collect an explanation of why
If the user chooses to follow up later, collect an explanation and orchestrate Jira issue creation
Update the comments on the Orca Security alert timeline
Vendors
AWS, Slack, Utils, Orca, Jira Cloud
Workflow Output
Success / Failure, Jira Tickets