Skip to main content
All CollectionsTemplatesIntermediate
Handle Gem Alert for EC2 Instance "Write" Actions on IAM Entities - Workflow Template
Handle Gem Alert for EC2 Instance "Write" Actions on IAM Entities - Workflow Template

Creates an snapshot of each EC2 volume when a EC2InstanceWriteActionsOnIAM alert from Gem Security is triggered.

Updated over a week ago

The "Handle Gem Alert for EC2 Instance 'Write' Actions on IAM Entities" workflow template ensures immediate and conditional response to potential security incidents triggered by specific EC2 instance behaviors. When a Gem Security alert is received, the workflow automatically creates snapshots of all volumes attached to the implicated EC2 instance for potential forensic analysis. A critical aspect involves collaboration with the DevOps team via Slack to determine whether these snapshots are to be preserved. Absence of confirmation within 7 days results in the automated deletion of these snapshots, aligning with best practices for resource management and security. This workflow streamlines incident response, aids in efficient evidence preservation, and enforces organizational security protocols.

Take Me to the Template

Trigger

Gem

Use Cases

CSPM

Workflow Breakdown

  1. Get metadata for all volumes attached to the alert's EC2 Instance

  2. Take a snapshot of each volume

  3. Validate with DevOps in Slack whether or not to keep the snapshots.

  4. If the request is denied, or no approval is given within 7 days, delete all snapshots.

Vendors

AWS, Slack, Utils, Gem

Related Articles
Remediate AWS EC2 Instance with Open SSH Access from Wiz Alert - Workflow Template
Handle Gem Alert for NSG With Ingress From Any (0.0.0.0/0) - Workflow Template
Handle Panther Okta Alerts on User Action Detection - Workflow Template
Validate Gem Alert Events in Slack - Workflow Template
Handle Gem Alert for Root Usage - Workflow Template
Did this answer your question?