Handle Wiz Alert for AWS Admin Principals Inactive Over 90 Days - Workflow Template

On alert from Wiz on an AWS admin principal that is inactive over 90 days, ask a Slack channel for approval to deactivate the IAM account.

Updated over a week ago

The Torq workflow template "Handle Wiz Alert for AWS Admin Principals Inactive Over 90 Days" automates the response to inactive AWS admin accounts. When Wiz raises an alert about an AWS admin principal that has been inactive for more than 90 days, the workflow gathers user and issue data, posts an approval request in a designated Slack channel, and, if approval is given, assigns a deny policy to deactivate the user. If permission is denied or not provided within a set time, a Jira ticket is created so the case can be handled manually. In all cases, the Wiz issue is updated accordingly, so that inactive accounts are handled promptly and in line with security protocols.

Trigger

Wiz

Use Cases

CSPM

Workflow Breakdown

  1. Verify the user is still valid in AWS

  2. Gather information on the user and issue from Wiz

  3. Provide the information to the Slack channel and ask for permission to deactivate the user

  4. If permission is given, assign a deny-all policy to the IAM user

  5. If no permission is given, open a Jira issue

  6. In all cases, update the comments on the Wiz issue
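
The decision logic of steps 1 and 4 to 6, as an added example that is not part of the Torq template. It assumes the deny-all policy is applied as an inline IAM user policy through boto3-style `get_user` and `put_user_policy` calls; the policy name, the function name, the outcome strings and the `FakeIam` stand-in are constructed for illustration.

```python
import json

# Assumed name for the inline policy; the template's own policy name is not on the page.
DENY_ALL_POLICY_NAME = "quarantine-deny-all"
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}],
}

def handle_inactive_admin(iam, user_name, approval):
    """Steps 1 and 4-6. `approval` is the Slack outcome: 'approved', 'denied'
    or 'timeout'. Returns the action to take and the comment for the Wiz issue."""
    try:
        iam.get_user(UserName=user_name)  # step 1: the user may already be deleted
    except iam.exceptions.NoSuchEntityException:
        return {"action": "none", "comment": f"{user_name} no longer exists in AWS."}
    if approval == "approved":
        # An explicit Deny overrides every Allow granted to the user.
        iam.put_user_policy(
            UserName=user_name,
            PolicyName=DENY_ALL_POLICY_NAME,
            PolicyDocument=json.dumps(DENY_ALL_POLICY),
        )
        return {"action": "deny_policy_attached",
                "comment": f"Deny-all policy attached to {user_name}."}
    # Anything other than an explicit approval falls through to manual handling.
    return {"action": "open_ticket",
            "comment": f"No approval ({approval}) for {user_name}; Jira ticket required."}

class FakeIam:
    """Constructed stand-in for boto3.client('iam') so the example runs offline."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass
    def __init__(self, users):
        self.users, self.inline = set(users), {}
    def get_user(self, UserName):
        if UserName not in self.users:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"User": {"UserName": UserName}}
    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.inline[(UserName, PolicyName)] = PolicyDocument

if __name__ == "__main__":
    iam = FakeIam({"old-admin"})  # constructed sample user
    for user, outcome in [("old-admin", "approved"), ("old-admin", "timeout"), ("gone", "approved")]:
        print(user, outcome, handle_inactive_admin(iam, user, outcome))
```

Because the policy is additive, reactivating the user later only requires deleting the inline policy; the user's original permissions are left untouched.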

Vendors

AWS, Slack, Utils, Wiz, Jira Cloud

Workflow Output

Updated IAM deny policy on the user if approved by the Slack channel.
