Configure Simple Response for AWS IAM: Disable User

Configure an AWS IAM: Disable User simple response to automatically disable the Amazon Web Services (AWS) IAM access key of a user who is the victim of an incident.

Typical use cases for this response include:

  • Stopping the use of leaked credentials
  • Minimizing damage from a compromised user
  • Implementing an incident response plan involving "disable and then investigate." For example, after Alert Logic detects use of known malware such as ransomware, you can disable the user automatically, investigate, and then re-enable the user after remediation.

Complete the following steps to successfully configure this simple response:

  1. (Optional) Create an exclusion list
  2. Choose the response
  3. Connect to AWS
  4. (Optional) Apply exclusions
  5. Choose when to respond

(Optional) Create an exclusion list

If you want your automation to exclude specific users, the users must be defined in one or more exclusion lists. For example, you can create a list of users in your security team to prevent them from being locked out. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.

Choose the response

In the Alert Logic console, click the navigation menu icon, click Respond, click Automated Response, and then click Simple Responses. Click the add icon, and then, under AWS IAM: Disable User, click START.

Connect to AWS

This response requires an AWS IAM Role connection that grants Alert Logic access to manage users in AWS. In the Connect step, name your response and connect to AWS as follows.

To connect to AWS:

  1. In Response Name, enter a descriptive name for your simple response (example: "Disable AWS User").
  2. If you already have an AWS IAM Role connection that grants Alert Logic permission to perform this response, leave Use an existing connection selected, and then select the connection in Connection. You can use the search bar to help you find the connection.
  3. If you do not have an AWS IAM Role connection that grants Alert Logic permission to perform this response, click Create a connection, and then complete the instructions in Create an AWS IAM Role connection to set it up.
  4. In Expiration in Seconds, enter the number of seconds before you want Alert Logic to re-enable the user, or keep the default value of 0 if you do not want the response to expire.
  5. Click TEST to perform a dry run that checks the configuration without performing the response. After a few moments, results appear in a message.
    • If the result is Succeeded, continue to the next step in this procedure.
    • If the result is Failed, use the listed errors to assist with troubleshooting. If necessary, you can click Edit connection above AWS IAM Role Connection, and then use the information in Create an AWS IAM Role connection to check and fix the connection.
  6. If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
  7. Click NEXT to continue to the (Optional) Apply exclusions step.
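As an added illustration (not Alert Logic's own code) of what this response does inside your AWS account, the following Python models the disable action, the TEST dry run, the exclusion lists described earlier, and the re-enable time set by Expiration in Seconds; the function and class names are assumed, and the calls match the boto3 IAM client so a real `boto3.client("iam")` could be passed in place of the fake one.

```python
"""Model of what the AWS IAM: Disable User response does in the target account.
Added illustration, not Alert Logic's code; disable_user_access_keys, reenable_at
and FakeIAM are assumed names.  The calls match boto3's IAM client, so a real
boto3.client("iam") can be passed in place of FakeIAM."""
from datetime import timedelta


def disable_user_access_keys(iam, user_name, exclusions=frozenset(), dry_run=False):
    """Set every Active access key of user_name to Inactive and return their ids.
    With dry_run=True (the TEST button) nothing is changed.  Users on an
    exclusion list, as applied in the Apply exclusions step, are never touched."""
    if user_name in exclusions:
        return []
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    active = [k["AccessKeyId"] for k in keys if k["Status"] == "Active"]
    if not dry_run:
        for key_id in active:
            # The key is deactivated, not deleted, so it can be re-enabled after remediation.
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return active


def reenable_at(disabled_at, expiration_seconds):
    """Time at which Expiration in Seconds re-enables the user; None for the default 0."""
    if expiration_seconds <= 0:
        return None
    return disabled_at + timedelta(seconds=expiration_seconds)


class FakeIAM:
    """Stand-in for a boto3 IAM client over constructed sample keys: {user: {key_id: status}}."""

    def __init__(self, keys):
        self.keys = keys

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys[UserName].items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status


if __name__ == "__main__":
    iam = FakeIAM({"victim": {"AKIAEXAMPLE1": "Active", "AKIAEXAMPLE2": "Inactive"},
                   "secops": {"AKIAEXAMPLE3": "Active"}})
    print(disable_user_access_keys(iam, "victim", dry_run=True))   # ['AKIAEXAMPLE1'], still Active
    print(disable_user_access_keys(iam, "victim"))                 # ['AKIAEXAMPLE1'], now Inactive
    print(disable_user_access_keys(iam, "secops", {"secops"}))     # [], excluded user untouched
```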

Create an AWS IAM Role connection

An AWS IAM Role connection securely stores reusable credential information for integrations with AWS. To create the connection, Alert Logic requires the ARN for the AWS IAM role that grants access to manage users in your AWS account.

Alert Logic provides the following steps to help you create the connection. For further questions about the steps performed in the AWS console, or if your interface looks different, contact AWS support, or refer to the vendor documentation listed in the technical reference section.

  1. Create an IAM policy in the AWS console
  2. Create an IAM role in the AWS console
  3. Create the connection in the Alert Logic console

Create an IAM policy in the AWS console

The first step in the AWS console is to create an IAM policy that grants access for Alert Logic to manage AWS users.

The policy document you use in this procedure grants access for Alert Logic to perform these actions only:

  • Perform policy simulation to help produce better error messages if the policy is not implemented correctly
  • Manage IAM users, which includes disabling or enabling user accounts but not adding or deleting them

To create an IAM policy to manage AWS users:

  1. In your AWS account where you want Alert Logic to run automated responses, go to https://console.aws.amazon.com/iamv2/home?#/policies/.
  2. From the IAM Management Console, click Create Policy.
  3. Click the JSON tab.
  4. Copy the contents of the policy document iam-policy-user.txt and replace the text in the policy editor.
  5. Click Next: Tags.
  6. Click Next: Review.
  7. On the Review Policy page, type a Policy Name and optional Description for the policy.

Create an IAM role in the AWS console

The next step in the AWS console is to create a role that uses the IAM policy you created.

To create an IAM role in the AWS console:

  1. In your AWS account where you want Alert Logic to run automated responses, go to https://console.aws.amazon.com/iamv2/home#/roles/.
  2. Click Create role.
  3. On the Create role page, click Another AWS Account.
  4. Enter the Account ID: 246648824489.
  5. Click Next: Permissions.
  6. From the list of policies, locate the previously created policy. You can use the Filter Policies option and select Customer managed to help locate the policy.
  7. Select the check box next to the matching policy.
  8. Click Next: Tags.
  9. Click Next: Review.
  10. Type a Role Name and optional Role description, and then click Create Role.
  11. Click the policy name in the green bar at the top of the screen (“The role … has been created.”).
  12. Copy the Role ARN to a text editor for later.

In step 4, the Account ID is different from the main Alert Logic account ID, which you may have used in other AWS role integrations.
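The following added example (not the iam-policy-user.txt file, whose exact contents are not reproduced here) shows the kind of permissions policy the policy procedure describes, the kind of cross-account trust policy the "Another AWS Account" step produces for the account ID above, and a check that a policy grants only the actions this page lists; the statement contents, Resource "*" and the function names are assumptions.

```python
"""Illustrative IAM policy, trust policy and least-privilege check for the role
Alert Logic assumes.  Added example; it is not the iam-policy-user.txt file and
the policy contents, Resource "*" and the function names are assumptions."""

# Permissions policy granting only what the page lists: policy simulation for
# better error messages, and enabling/disabling a user's access keys.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SimulateForErrorMessages", "Effect": "Allow",
         "Action": ["iam:SimulatePrincipalPolicy", "iam:GetUser"], "Resource": "*"},
        {"Sid": "DisableOrEnableUserKeys", "Effect": "Allow",
         "Action": ["iam:ListAccessKeys", "iam:UpdateAccessKey"], "Resource": "*"},
    ],
}

# Trust policy of the kind the "Another AWS Account" choice produces for the
# account ID the role procedure gives (the response-specific Alert Logic account).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::246648824489:root"},
                   "Action": "sts:AssumeRole"}],
}

# Adding or deleting users is explicitly outside what the policy should grant.
FORBIDDEN_ACTIONS = {"iam:CreateUser", "iam:DeleteUser"}


def allowed_actions(policy):
    """Set of actions granted by Allow statements (Action may be a string or a list)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions


def over_privileged_actions(policy):
    """Forbidden actions the policy grants, plus wildcards such as iam:* that would
    hide them; an empty set means the policy stays within the page's scope."""
    acts = allowed_actions(policy)
    return (acts & FORBIDDEN_ACTIONS) | {a for a in acts if a.endswith("*")}
```

Run `over_privileged_actions` against the policy you actually paste into the JSON tab before creating the role; any wildcard it reports needs a manual review even when no forbidden action is named.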

Create the connection in the Alert Logic console

Next, go back to the Create a Simple Response page to enter information in the Connect step that grants Alert Logic access to manage users in AWS.

To create the AWS connection in the Alert Logic console:

  1. In Connection Name, type a descriptive name for the connection, for example, "AWS IAM Role Connection for Managing Users".
  2. In AWS IAM Role ARN, paste the Role ARN that you noted in Create an IAM role in the AWS console.
  3. Click SAVE.

(Optional) Apply exclusions

If you want to exclude users from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.

After you choose one or more lists, or if you want to skip this step, click NEXT.

Choose when to respond

In the last step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.

In this step you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.

To choose when to respond:

  1. If you do not want to require approval, click Do not require approval.
  2. If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses.
    To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
  3. If you want to disable users detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. An example of a recommended analytic for this response is "Office 365 Security & Compliance Alert: Ransomware Activity for {victim_username}."
  4. If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response.
    To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.

Technical reference

Simple Response Name

AWS IAM: Disable User

Vendor documentation