Skip to main content
All CollectionsTemplatesIntermediate
Handle Gem Alert for EC2 Instance "Write" Actions on IAM Entities - Workflow Template
Handle Gem Alert for EC2 Instance "Write" Actions on IAM Entities - Workflow Template

Creates an snapshot of each EC2 volume when a EC2InstanceWriteActionsOnIAM alert from Gem Security is triggered.

Updated over 7 months ago

The "Handle Gem Alert for EC2 Instance 'Write' Actions on IAM Entities" workflow template ensures immediate and conditional response to potential security incidents triggered by specific EC2 instance behaviors. When a Gem Security alert is received, the workflow automatically creates snapshots of all volumes attached to the implicated EC2 instance for potential forensic analysis. A critical aspect involves collaboration with the DevOps team via Slack to determine whether these snapshots are to be preserved. Absence of confirmation within 7 days results in the automated deletion of these snapshots, aligning with best practices for resource management and security. This workflow streamlines incident response, aids in efficient evidence preservation, and enforces organizational security protocols.

Trigger

Gem

Use Cases

CSPM

Workflow Breakdown

  1. Get metadata for all volumes attached to the alert's EC2 Instance

  2. Take a snapshot of each volume

  3. Validate with DevOps in Slack whether or not to keep the snapshots.

  4. If the request is denied, or no approval is given within 7 days, delete all snapshots.

Vendors

AWS, Slack, Utils, Gem

Did this answer your question?