Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk SOAR Playbook – Finding and Disabling Inactive Users on AWS

melissap
Splunk Employee

View our Security Tech Talk: Splunk SOAR Playbook – Finding and Disabling Inactive Users on AWS 

Every organization that uses AWS has a set of user accounts that grant access to resources and data. The Identity and Access Management (IAM) service is the part of AWS that keeps track of all the users, groups, roles and policies that provide that access. Because it controls permissions for all other services, IAM is probably the single most important service in AWS to focus on from a security perspective. Over time, there are often personnel changes within the organization as users change roles or leave the company. These user accounts may not get updated with the correct permissions or get deleted from IAM if the user is no longer an employee. Unused accounts that are not properly managed can end up being an entry point for malicious actors to gain access.

Our solution involves two Splunk Phantom playbooks: one to find user accounts with passwords that have not been used in a long time, and another to disable those accounts. The combination of these two playbooks will provide a semi-automated process that is repeatable and extensible. 

Tune in to this webinar to learn about:

  • The importance of regularly checking inactive user accounts within your organization
  • How to automate the process of checking for these users
  • How these Splunk Phantom playbooks work together to protect your AWS environment
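A concrete version of the two stages the post describes, as an added example rather than the playbook code shown in the Tech Talk: it assumes the "find" stage is driven by an IAM credential report (the AWS CSV whose columns include password_last_used and access_key_1_last_used_date), runs on a constructed sample report, and only plans the "disable" actions for review instead of calling AWS.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an IAM credential report, trimmed to the columns this
# check needs (column names match the AWS report). Not real account data.
SAMPLE_REPORT = """user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date
<root_account>,not_supported,2024-03-01T09:00:00+00:00,false,N/A
alice,true,2024-03-10T14:22:00+00:00,true,2024-03-11T08:00:00+00:00
bob,true,2023-06-01T10:00:00+00:00,false,N/A
carol,true,no_information,true,2023-01-15T12:00:00+00:00
dave,false,N/A,true,2024-03-09T12:00:00+00:00
"""
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)  # fixed "now" for the sample


def _parse_ts(value):
    """Aware datetime, or None for the report's N/A / no_information / not_supported."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def find_inactive_users(report_csv, now=NOW, max_idle_days=90):
    """Stage 1: map user -> credentials that are enabled but unused for max_idle_days.
    A credential that was never used counts as inactive too."""
    cutoff = now - timedelta(days=max_idle_days)
    inactive = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is covered by a separate control, never disabled here
        reasons = []
        if row["password_enabled"] == "true":
            last = _parse_ts(row["password_last_used"])
            if last is None or last < cutoff:
                reasons.append("password")
        if row["access_key_1_active"] == "true":
            last = _parse_ts(row["access_key_1_last_used_date"])
            if last is None or last < cutoff:
                reasons.append("access_key_1")
        if reasons:
            inactive[row["user"]] = reasons
    return inactive


def plan_disable_actions(inactive):
    """Stage 2: the IAM calls a disable step would make (DeleteLoginProfile for the
    console password, UpdateAccessKey Status=Inactive for the key), returned as a
    dry-run list so an analyst can approve it before anything touches AWS."""
    actions = []
    for user, reasons in sorted(inactive.items()):
        if "password" in reasons:
            actions.append(("delete_login_profile", user))
        if "access_key_1" in reasons:
            actions.append(("update_access_key_inactive", user))  # key id via list_access_keys
    return actions
```

Running the sample flags bob (stale password) and carol (never-used password plus a stale key); alice and dave are left alone because their enabled credentials were used within the window.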
melissap
Splunk Employee

Here is a question that came up in the live Tech Talk.

Q: Where can we get a list of available use cases / playbooks that we can refer to as a start?
A: Here is our community playbook list: https://my.phantom.us/4.10/playbooks/use-cases/
melissap
Splunk Employee

Here are additional resources to continue on your journey.

1) Documentation

– Whitepaper: Getting Data Into (GDI) Splunk From AWS

– Tech Brief: Splunk and AWS

2) .conf sessions

SEC1827A - Analytics based investigation and automated response with AWS + Splunk solutions

3) Splunk App for AWS

Splunkbase

4) Blog Posts

Finding and Disabling Inactive Users on AWS