AWS Identity and Access Management (IAM)

Integration version: 5.0

Use Cases - with Amazon Simple Storage Service (Amazon S3)

John has created an Amazon S3 bucket for the company called aws-s3-bucket.

  1. Create Users(Dev need to be able to create their data in the company bucket)
    1. Create Groups (Developers as a group)
  2. Create Policies (John need to assign permissions to the users/group)
  3. Attach Policies (John attaches a policy to the group that lets devs read,write,list objects in AWS S3)
  4. Add/remove users from group (One of the devs becomes a manager, access should be changed)

Configure AWS Identity and Access Management (IAM) integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
AWS Access Key ID String N/A Yes AWS Access Key ID to use in integration.
AWS Secret Key Password N/A Yes AWS Secret Key to use in integration.

Actions

Ping

Description

Test connectivity to AWS IAM with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful: print "Successfully connected to the AWS IAM server with the provided connection parameters!"

The action should fail and stop a playbook execution:

if not successful: print "Failed to connect to the AWS IAM server! Error is {0}".format(exception.stacktrace)

 General

Create a User

Description

Create a new IAM user for your AWS account. You can add multiple users at once with comma separated values. Please note that no policies will be applied at this stage.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
User Name String N/A Yes Name of the user to create. Comma separated values. Note: Username can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-. Names must be unique within an account.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[{
   "Arn":"arn:aws:iam::582302349248:user/ziv",
   "CreateDate":"2020-12-03T12:12:20",
   "Path":"/",
   "UserId":"AIDAYPE7MW7AFMHK4WCHS",
   "UserName":"ziv"
}]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful (few usernames were valid): print "Successfully added the following users to IAM: <User names>"
  • If error - users already exists: Print "Could not add the following users to IAM: <Usernames>. Names must be unique within an account.
  • If error (few usernames were invalid): Print "Could not add the following users to IAM: <Usernames>. Usernames must contain only alphanumeric characters and/or the following: +=,.@-.
  • If error (raise limitation. Max 5000 users per account): Print "Could not add the following users to IAM: <Usernames>. Reach to Users limitation in your aws account.

Note: If nothing happened: all users are invalid/exists/limit → action should failed

The action should fail and stop a playbook execution:

  • If not successful (all usernames were invalid, wrong creds, no connection, other error): print "Error executing action 'Create a User'. Reason: {exception.stacktrace}

Note: In case of all usernames were invalid, print " "Error executing action 'Create a User'. Reason: {invalid usernames}: Usernames must contain only alphanumeric characters and/or the following: +=,.@-. {existing usernames}: Names must be unique within an account.

 General

Add a User to a Group

Description

Adds the specified user to the specified IAM group. Use groups to apply the same permissions policies across multiple users at once.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Group Name String N/A Yes The name of the group to update. Note: Group names can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-.
User Name String N/A Yes The name of the user to add. Note: User names can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-. Comma separated values.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print "Successfully added the user <User name> to the IAM group: <Group name>"
  • If error - Group not exist or/and User not exist:
    group not exist: Print "Could not add <UserName> to <Group name>. The Group <group name> cannot be found.
     user not exist/both: Print "Could not add <UserName> to <Group name>. The user <user name> cannot be found.
  • If error
    User limitation - IAM user can be a member of 10 groups
     Group limitation - 5000 users can be in a group
    Print "Could not add <UserName> to <Group name> because it attempted to create resources beyond the current AWS account limits."

The action should fail and stop a playbook execution:

  • If not successful (wrong creds, no connection, other sdk error): print "Error executing action 'Add a User to a Group. Reason: {exception.stacktrace}
 General

Remove a User from a Group

Description

Adds the specified user to the specified IAM group. Use groups to apply the same permissions policies across multiple users at once.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Group Name String N/A Yes The name of the group to update. Note: Group names can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-.
User Name String N/A Yes The name of the user to remove. Note: User names can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-. Comma separated values.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print "<User name> has been removed from group: <Group name>"
  • If error - Group not exist or/and User not exist:
    group not exist: Print "Could not remove <UserName> from <Group name>. The Group <group name> cannot be found.
     user not exist/both: Print "Could not remove <UserName> from <Group name>. The user <user name> cannot be found.
  • If error
    User limitation - IAM user can be a member of 10 groups
     Group limitation - 5000 users can be in a group
    Print "Could not remove <UserName> from <Group name> because it attempted to create resources beyond the current AWS account limits."

The action should fail and stop a playbook execution:

  • If not successful (wrong creds, no connection, other sdk error): print "Error executing action 'Remove a User from a Group. Reason: {exception.stacktrace}
 General

List Users

Description

Get a list of all users in the IAM.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Max Users to Return Integer 50 No Specify how many users to return. Maximum is 1000 users. Default is 50.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[{
   "Arn":"arn:aws:iam::582302349248:user/ziv",
   "CreateDate":"2020-12-03T12:12:20",
   "Path":"/",
   "UserId":"AIDAYPE7MW7AFMHK4WCHS",
   "UserName":"ziv"
}]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful: print "Successfully listed available users in AWS IAM"

If no data available: Print "No users found in AWS IAM"


The action should fail and stop a playbook execution:

if not successful (wrong credentials, no connection to server, other server error, if max>10000): print "Error executing action 'List Users'. Reason: {exception.stacktrace}

 General
CSV Table

Title: IAM Users

Columns:

Username

User ID

ARN

Creation Date

 General

List Groups

Description

Get a list of all groups in the IAM.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Max Groups to Return Integer 50 No Specify how many groups to return. Maximum is 1000 groups. Default is 50.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[{
   "Arn":"arn:aws:iam::582302349248:group/ZivGroup",
   "CreateDate":"2020-12-05 16:18:36+00:00",
   "Path":"/",
   "GroupId":"AGPAYPE7MW7AMKCWMJPMX",
   "GroupName":"ZivGroup"
}]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful: print "Successfully listed available groups in AWS IAM"

If no data available: Print "No Groups found in AWS IAM"


The action should fail and stop a playbook execution:

if not successful (wrong credentials, no connection to server, other server error, If 'Max Groups'> 1000): print "Error executing action 'List Groups'. Reason: {exception.stacktrace}

 General
CSV Table

Title: IAM Groups

Columns:

Group name

Group ID

ARN

Creation Date

 General

Create a Policy

Description

Create an IAM customer managed policy for your AWS account. This action creates a policy version with a version identifier of v1and sets v1 as the policy's default version.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Policy Name String N/A Yes Name of the policy to create. Policy name can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-. Policy names must be unique within an account.
Policy Document String N/A Yes The JSON policy document that you want to use as the content for the new policy.
Description String N/A No Description of the policy.Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables." The policy description is immutable. After a value is assigned, it cannot be changed.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
    "PolicyName": "S3-read-only-bucket",
    "PolicyId": "ANPAYPE7MW7AFKUDK3HD7",
    "Arn": "arn:aws:iam::582302349248:policy/S3-read-only-bucket",
    "Path": "/",
    "DefaultVersionId": "v1",
    "AttachmentCount": 0,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "CreateDate": "2020-12-6T17:16:45",
    "UpdateDate": "2020-12-6T17:16:45"
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print "<Policy name> policy was successfully created"

The action should fail and stop a playbook execution:

  • If error - Policy already exists: Print "Could not create <policy name> policy. Policy names must be unique within an account.
  • If error - policy name was invalid: Print "Could not create <policy name> policy. Policy names must contain only alphanumeric characters and/or the following: +=,.@_-.
  • If error - Policy doc was malformed : Print "Could not create <policy name> policy. The policy document was malformed.Reason: {exception.stacktrace}

if not successful (LimitExceededException, wrong creds, no connection, other error): print "Error executing action 'Create a Policy'. Reason: {exception.stacktrace}

 General

Create a Group

Description

Create a new IAM group for your AWS account. To set up a group, you need to create the group. Then give the group permissions based on the type of work that you expect the users in the group to do. Finally, add users to the group.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Group Name String N/A Yes Name of the group to create. Comma separated values. Note: Group names can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-. Names must be unique within an account.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[{
   "Arn":"arn:aws:iam::582302349248:group/ZivGroup",
   "CreateDate":"2020-12-05 16:18:36+00:00",
   "Path":"/",
   "GroupId":"'AGPAYPE7MW7AMKCWMJPMX",
   "GroupName":"ZivGroup"
}]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful (few/all group names were valid): print "Successfully added the following groups to IAM: <Group names>"
  • If error - group already exists: Print "Could not add the following groups to IAM: <Group names>. Names must be unique within an account.
  • If error (few group names were invalid): Print "Could not add the following groups to IAM: <Group names>. Group names must contain only alphanumeric characters and/or the following: +=,.@_-.
  • If error (raise limitation. Max 500 groups per account): Print "Could not add the following groups to IAM: <Group names>. Reach to Groups limitation in your aws account.


The action should fail and stop a playbook execution:

  • if not successful (all names were invalid, wrong creds, no connection, other error): print "Error executing action 'Create a Group. Reason: {exception.stacktrace}
 General

List Policies

Description

List all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies. You can filter the list of policies that are returned using the optional Only Attached, Scope, and Policy Usage parameters. For example, to list only the customer managed policies in your AWS account, set Scope to Local. To list only AWS managed policies, set Scope to AWS.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Only Attached Boolean No No When checked, filtering the results to only the policies that are attached to an IAM user, group or role. When unchecked, all policies will be returned.
Scope

DDL
(All, AWS, Local)

 All No The scope to use for filtering the results. To list only AWS managed policies, set Scope to AWS. To list only the customer managed policies in your AWS account, set Scope to Local. As default, all policies will be returned.
Max Policies to Return Integer 100 No Specify how many policies to return. Default is 100. Maximum is 1000.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[{
'PolicyName': 'string',
'PolicyId': 'string',
'Arn': 'string',
'Path': 'string',
'DefaultVersionId': 'string',
'AttachmentCount': 123,
'PermissionsBoundaryUsageCount': 123,
'IsAttachable': True|False,
'Description': 'string',
'CreateDate': "2020-12-6T17:16:45",
'UpdateDate':"2020-12-6T17:16:45"
}]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print "Successfully listed available policies in AWS IAM"
  • If 'Max Policies' value < matched policies based on the filter: Print "Successfully listed available policies in AWS IAM. Please note, there are additional policies that match the provided filter."
  • If no data: Print "No Policies were found in AWS IAM"


The action should fail and stop a playbook execution:

  • if not successful (wrong credentials, no connection to server, other server error, max>1000): print "Error executing action 'List Policies. Reason: {exception.stacktrace}
 General
CSV Table

Title: IAM Policies

Columns:

Policy Name

Policy ID

Create Date

Update Date

 General

Attach a Policy

Description

Attach the specified managed policy to an identity (user, group, role).

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Identity Type

DDL
(User, Group, Role)

 Group Yes IAM Identity type.
Identity Name String N/A Yes The name (friendly name, not ARN) of the identity to attach the policy to. Identity names can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-.
Policy Name String N/A Yes The name (friendly name, not ARN) of the policy to attach the policy to. Policy names can not include spaces and must contain only alphanumeric characters and/or the following: +=.@_-.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print "Policy was attached to <Identity Type>: <Identity Name>"

The action should fail and stop a playbook execution:

  • If error -: Print "Could not create <policy name> policy. Policy names must be unique within an account.
  • If error - identity name was invalid: Print "Could not attach <policy name> to <Identity Type>: <Identity Name>. Names must contain only alphanumeric characters and/or the following: +=,.@_-.
  • if not successful (wrong credentials, no connection to server, other server error): print "Error executing action 'Attach a Policy'. Reason: {exception.stacktrace}
 General

Disable User Access

Disable user access in AWS by adding an explicit inline deny policy.

This action only supports regular AWS users, not federated users or IAM roles.

Entities

This action runs on the User entity.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result Available
Script result Available
JSON result
[
  {
    "Entity": "//iam.googleapis.com/projects/example/serviceAccounts/service-account@example.iam.gserviceaccount.com",
    "EntityResult": [
      {
        "fullResourceName": "//iam.googleapis.com/projects/example/serviceAccounts/service-account@example.iam.gserviceaccount.com",
        "activityType": "serviceAccountLastAuthentication",
        "observationPeriod": {
          "startTime": "2023-05-23T07:00:00Z",
          "endTime": "2023-08-20T07:00:00Z"
        },
        "activity": {
          "lastAuthenticatedTime": "2023-08-20T07:00:00Z",
          "serviceAccount": {
            "serviceAccountId": "example-account-id",
            "projectNumber": "example-project-id",
            "fullResourceName": "//iam.googleapis.com/projects/example/serviceAccounts/service-account@example.iam.gserviceaccount.com"
          }
        }
      }
    ]
  }
]
Script result
Script result name Value
is_success True/False
Case wall

The action provides the following output messages:

Output message Message description

Successfully added deny policy to the following users in AWS IAM: USERNAME_LIST

Action wasn't able to find the following users in AWS IAM: USERNAME_LIST

Action wasn't able to add deny policy to the following users in AWS IAM: USERNAME_LIST

 Action succeeded.
Successfully added deny policy to the following users in AWS IAM: USERNAME_LIST

Action failed.

Error prevented applying the deny policy to at least one provided user.
Error executing action "Disable User Access". Reason: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.