Scenario: Your organization relies on the Identity and Access Management (IAM) service of AWS to keep track of all the users, groups, roles, and policies that provide access to data and resources. Over time, there are often personnel changes within the organization as users change roles or leave the company. When this happens, the user accounts may not get updated with the correct permissions or get deleted from IAM if the user is no longer an employee. You know that stale user accounts, whether they are for humans or applications, are a huge security risk for any organization. You would like to create a semi-automated process that is repeatable and extensible for deleting inactive users.
To succeed in implementing this use case, you need the following dependencies, resources, and information.
- People: Threat hunter
- Splunk Phantom
- Playbook: AWS Disable User Accounts
- Data: AWS IAM Service
How to use Splunk software for this use case
After you identify an AWS user account as a problem and decide it shouldn’t be there, this playbook will run and disable it. The playbook starts with a filter that checks the allowlist, which is a custom list containing AWS usernames that should not be disabled. Next, the playbook prompts an analyst with the names of the user accounts to be disabled. If the analyst confirms the action, the final block deletes the appropriate login profiles on the AWS console and disables the associated access keys.
If you have not already configured the AWS IAM app on Splunk Phantom and identified a list of inactive users, you will need to do so first using a separate playbook.
To use the playbook:
- In the AWS Console, navigate to the IAM service, choose Policies on the sidebar, and edit the policy used by the AWS IAM app on Splunk Phantom to include the following permissions:
- In Splunk Phantom, navigate to the Playbooks listing page and select Custom Lists on the top bar. Press +List to create a new custom list called “aws_inactive_user_allowlist”. For each trusted user account you don’t want to disable, create a new row with the username in the first column. You can leave the list empty at first while establishing a baseline.
After this playbook has been in use for a trial period, you might want to add more automated steps. For instance, a Splunk Enterprise query could reveal other accounts or resources associated with users that have left the organization or changed teams. To make this playbook more proactive, you could also connect it to a more robust process for enforcing least privilege, such as a Jira ticket that is created to exhaustively enforce least privilege any time an organizational change occurs.
These additional Splunk resources might help you understand and implement this use case: