Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days

To increase the security of your AWS account, it is recommended to find and remove IAM user credentials (passwords, access keys) that have not been used within a specified period of time. To remediate Prisma Cloud Alert Inactive users for more than 30 days, this playbook deactivates the user by disabling the access keys (marking them as inactive) as well as resetting the user console password.

Prisma Cloud by Palo Alto Networks · 12 tasks · 1 input · 0 outputs

Inputs

  • AutoQuarantine — if set to: - yes: access keys will be disabled and password reset - no: an analyst will be prompted for action

Commands used

aws-iam-list-access-keys-for-user aws-iam-update-access-key aws-iam-update-login-profile closeInvestigation

Flowchart

yes yes YES yes Start Start Check automatic action Check automatic action Disable access keys - aws-iam-update-access-key Disable access keys aws-iam-update-access-key Is AWS - IAM integration enabled? Is AWS - IAM integration ... Done Done Print user credential report - Print Print user credential report Print List user access keys - aws-iam-list-access-keys-for-user List user access keys aws-iam-list-access-keys-for-... Reset IAM password - aws-iam-update-login-profile Reset IAM password aws-iam-update-login-profile Close investigation - closeInvestigation Close investigation closeInvestigation Manually check if IAM user should be deactivated/deleted Manually check if IAM use... Deactivate IAM user? Deactivate IAM user? Is password enabled? Is password enabled?