The Torq workflow template "Handle Wiz Alert for AWS Admin Principals Inactive Over 90 Days" automates the handling of inactive AWS admin accounts. When Wiz raises an alert that an AWS admin principal has been inactive for more than 90 days, the workflow gathers the user and issue data, posts an approval request to a designated Slack channel and, if approval is given, attaches a deny policy that deactivates the user without deleting it. If approval is refused or no response arrives within the configured time, a Jira ticket is created so the case is handled manually. In every case the Wiz issue is updated with a comment, so the record of what was done stays with the finding and inactive admin accounts are dealt with promptly.
Trigger: Wiz
Use Cases: CSPM
Workflow Breakdown
1. Verify the user still exists in AWS.
2. Gather information on the user and the issue from Wiz.
3. Post the information to the Slack channel and ask for permission to deactivate the user.
4. If permission is given, attach a deny-all policy to the IAM user.
5. If no permission is given (refused or timed out), open a Jira issue.
6. In all cases, update the comments on the Wiz issue.
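The six steps above, modelled end to end as an added Python example (this is not Torq's template code and not Wiz, Slack or Jira API code). The IAM calls use the real boto3 method names and argument shapes (`get_user`, `put_user_policy`, `client.exceptions.NoSuchEntityException`), but the client is a constructed in-memory stand-in so the flow runs offline; the Slack approval is modelled as an input value (True, False, or None for a timeout), and the policy name, Jira project key, approval timeout and sample alert are assumptions made here, not values from the page.

```python
"""Offline model of the 'inactive AWS admin' handling flow (added example, not Torq's code)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVITY_THRESHOLD_DAYS = 90          # threshold named on the page
APPROVAL_TIMEOUT = timedelta(hours=4)   # assumption: the template's real wait time is not stated
DENY_POLICY_NAME = "WizInactiveAdminDenyAll"   # assumption: policy name chosen for this example
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the sample run

# Inline IAM policy that denies every action. An explicit Deny overrides any Allow the admin
# principal already holds, so the user is effectively deactivated but not deleted: its access
# keys, roles and CloudTrail history remain available for review, and the change is reversible.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}


@dataclass
class WizAlert:
    issue_id: str
    user_name: str
    last_activity: datetime


def make_alert(issue_id: str, user_name: str, days_ago: int) -> WizAlert:
    """Build a constructed Wiz alert whose last activity was `days_ago` days before NOW."""
    return WizAlert(issue_id, user_name, NOW - timedelta(days=days_ago))


class FakeIAM:
    """Constructed stand-in for boto3's IAM client exposing the two calls used below."""
    class exceptions:  # boto3 exposes service errors as client.exceptions.<Name>
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users):
        self.policies = {u: {} for u in users}   # user name -> {policy name: document}

    def get_user(self, UserName):
        if UserName not in self.policies:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"User": {"UserName": UserName}}

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.get_user(UserName)
        self.policies[UserName][PolicyName] = json.loads(PolicyDocument)
        return {}


def user_exists(iam, user_name: str) -> bool:
    """Step 1: the principal must still exist in AWS before anything is changed."""
    try:
        iam.get_user(UserName=user_name)
    except iam.exceptions.NoSuchEntityException:
        return False
    return True


def attach_deny_all(iam, user_name: str) -> None:
    """Step 4: attach the inline deny-all policy (same call shape as boto3)."""
    iam.put_user_policy(UserName=user_name, PolicyName=DENY_POLICY_NAME,
                        PolicyDocument=json.dumps(DENY_ALL_POLICY))


def handle_alert(alert: WizAlert, iam, approval: Optional[bool], now: datetime = NOW) -> dict:
    """Run steps 1-6; returns what was done, including the comment written back to Wiz."""
    result = {"issue_id": alert.issue_id, "action": "skipped", "jira": None, "wiz_comment": ""}
    if not user_exists(iam, alert.user_name):
        result["wiz_comment"] = f"IAM user {alert.user_name} no longer exists; nothing to do."
        return result
    inactive = (now - alert.last_activity).days
    if inactive <= INACTIVITY_THRESHOLD_DAYS:   # re-check the finding rather than trust it blindly
        result["wiz_comment"] = f"User was active {inactive} days ago; below the 90-day threshold."
        return result
    if approval is True:
        attach_deny_all(iam, alert.user_name)
        result["action"] = "deny_policy_attached"
        result["wiz_comment"] = (f"Deny-all policy {DENY_POLICY_NAME} attached to {alert.user_name} "
                                 f"(inactive {inactive} days) after Slack approval.")
    else:
        reason = "refused in Slack" if approval is False else f"no Slack response within {APPROVAL_TIMEOUT}"
        result["action"] = "jira_opened"
        result["jira"] = {
            "project": "SEC",   # assumption: Jira project key
            "summary": f"Review inactive AWS admin {alert.user_name} ({inactive} days)",
            "description": f"Wiz issue {alert.issue_id}: deactivation {reason}; manual handling required.",
        }
        result["wiz_comment"] = f"Deactivation {reason}; Jira ticket opened for manual follow-up."
    return result


if __name__ == "__main__":
    iam = FakeIAM(["ops-admin"])
    for approval in (True, False, None):
        print(handle_alert(make_alert("WIZ-123", "ops-admin", 120), FakeIAM(["ops-admin"]), approval))
    print(handle_alert(make_alert("WIZ-124", "ghost-admin", 120), iam, True))
```

Two design points worth keeping in a real implementation: the flow re-verifies both the user's existence and the inactivity window before acting, so a stale or duplicated Wiz finding cannot trigger a policy change on an account that was recently used, and the deny policy is an additive inline Deny rather than a deletion, which makes the action reversible and keeps the principal's audit trail intact for the Jira follow-up.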
Vendors: AWS, Slack, Utils, Wiz, Jira Cloud
Workflow Output
A deny-all IAM policy attached to the user if the Slack channel approves the deactivation; otherwise a Jira issue for manual follow-up. The Wiz issue is commented in either case.