Cloud Credentials Rotation - AWS

## **AWS Credentials Rotation Playbook** ### **Identity Remediation** Secure compromised accounts by taking swift action: - **Reset Password**: Resets the user password to halt any unauthorized access. - **Access Key Deactivation**: Deactivate any suspicious or known-compromised access keys. - **Combo Action**: In some cases, you may want to reset both the password and deactivate the access key for absolute security. ### **Role Remediation** If a role is suspected to be compromised: - **Deny Policy Implementation**: Attach a deny-all policy to the compromised role, thus preventing it from performing any further actions. - **Role Cloning**: Before outright remediation, clone the role. This ensures that you have a backup with the same permissions, making transition smoother.

AWS Enrichment and Remediation · 36 tasks · 9 inputs · 4 outputs

Inputs

  • IAMRemediationType — The response playbook provides the following remediation actions for IAM users: Reset - By entering "Reset" in the input, the playbook will execute password reset. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. ALL - By entering "ALL" in the input, the playbook will execute both password reset and access key deactivation.
  • shouldCloneSA — Whether to clone the compromised SA before putting a deny policy to it. True/False
  • identityType — The type of identity involved. Usually mapped to the incident field named 'cloudidentitytype'. e.g. USER,SERVICE_ACCOUNT,APPLICATION
  • newRoleName — The new role name to assign in the clone service account flow.
  • newInstanceProfileName — The new instance profile name to assign in the clone service account flow.
  • accessKeyID — The access key ID.
  • username — The user name.
  • instanceID — The instance ID.
  • roleNameToRestrict — If provided, the role will be attached with a deny policy without the compute instance analysis flow.

Outputs

  • AWS.EC2.Instances — AWS EC2 instance information.
  • AWS.IAM.InstanceProfiles — AWS IAM instance profile information.
  • AWS.IAM.Roles.AttachedPolicies.Policies — A list of managed policy names.
  • AWS.IAM.Roles.RoleName.Policies — A list of policy names.

Commands used

aws-ec2-describe-iam-instance-profile-associations aws-ec2-describe-instances aws-ec2-describe-regions aws-iam-attach-policy aws-iam-create-instance-profile aws-iam-create-role aws-iam-get-instance-profile aws-iam-get-policy-version aws-iam-get-role-policy aws-iam-list-attached-role-policies aws-iam-list-policy-versions aws-iam-list-role-policies aws-iam-put-role-policy aws-iam-update-access-key aws-iam-update-login-profile

Flowchart

Yes ALL Deactivate Access Key Reset Password yes ROLE USER yes yes yes Start Start Compute Compute Identity Identity Deactivate the user's access key - aws-iam-update-access-key Deactivate the user's acc... aws-iam-update-access-key Force password reset - aws-iam-update-login-profile Force password reset aws-iam-update-login-profile Describe regions - aws-ec2-describe-regions Describe regions aws-ec2-describe-regions Describe instances - aws-ec2-describe-instances Describe instances aws-ec2-describe-instances Describe IAM instance profile associations - aws-ec2-describe-iam-instance-profile-associations Describe IAM instance pro... aws-ec2-describe-iam-instance... Get instance profile - aws-iam-get-instance-profile Get instance profile aws-iam-get-instance-profile List attached role policies - aws-iam-list-attached-role-policies List attached role policies aws-iam-list-attached-role-po... List role inline-policies - aws-iam-list-role-policies List role inline-policies aws-iam-list-role-policies Create instance profile - aws-iam-create-instance-profile Create instance profile aws-iam-create-instance-profile Create role - aws-iam-create-role Create role aws-iam-create-role Clone Compromised Service Account Clone Compromised Service... Change Instance Profile IAM Role Change Instance Profile I... Attach role policy - aws-iam-attach-policy Attach role policy aws-iam-attach-policy Attach deny policy to a role - aws-iam-put-role-policy Attach deny policy to a role aws-iam-put-role-policy Should clone before putting a deny policy? Should clone before putti... Check remediation type Check remediation type Done Done Done Done ALL ALL Set attached policies ARN - Set Set attached policies ARN Set Set policies name - Set Set policies name Set Were role policies document retrieved? Were role policies docume... Get role policies - aws-iam-get-role-policy Get role policies aws-iam-get-role-policy List policy versions - aws-iam-list-policy-versions List policy versions aws-iam-list-policy-versions Get policy version - aws-iam-get-policy-version Get policy version aws-iam-get-policy-version Managed Policies Managed Policies Inline Policies Inline Policies Put role policy - aws-iam-put-role-policy Put role policy aws-iam-put-role-policy Generate a temporary password - GeneratePassword Generate a temporary pass... GeneratePassword Check identity type Check identity type Should investigate the compromised instance? Should investigate the co... Were role inline-policies retrieved? Were role inline-policies... Were role managed policies retrieved? Were role managed policie...