Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk SOAR Playbook – Finding and Disabling Inactive Users on AWS

melissap
Splunk Employee
Splunk Employee

View our Security Tech Talk: Splunk SOAR Playbook – Finding and Disabling Inactive Users on AWS 

Every organization that uses AWS has a set of user accounts that grant access to resources and data. The Identity and Access Management (IAM) service is the part of AWS that keeps track of all the users, groups, roles and policies that provide that access. Because it controls permissions for all other services, IAM is probably the single most important service in AWS to focus on from a security perspective. Over time, there are often personnel changes within the organization as users change roles or leave the company. These user accounts may not get updated with the correct permissions or get deleted from IAM if the user is no longer an employee. Unused accounts that are not properly managed can end up being an entry point for malicious actors to gain access.

Our solution involves two Splunk Phantom playbooks: one to find user accounts with passwords that have not been used in a long time, and another to disable those accounts. The combination of these two playbooks will provide a semi-automated process that is repeatable and extensible. 

Tune in to this webinar to learn about:

  • The importance of regularly checking inactive user accounts within your organization
  • How to automate the process of checking for these users
  • How these Splunk Phantom playbooks work together to protect your AWS environment