Views:

After identifying a potentially compromised IAM user, you can revoke the user's access permission to the associated AWS cloud account.

This task is supported by the following services:
  • AWS
Important
Important
This feature is only available for customers that have updated to the Foundation Services release, and is only applicable to IAM users whose AWS accounts have Cloud Response for AWS enabled.

Procedure

  1. After identifying the potentially compromised cloud user account, access the context or response menu and click Revoke Access Permission.
    The Revoke Access Permission Task screen appears.
  2. You can specify a description for the task to display in the Response Management app.
  3. Click Create.
  4. Monitor the task status.
    1. Go to Workflow and AutomationResponse Management .
    2. Locate the task by selecting Revoke Access Permission from the Action drop-down list.
    3. View the task status.
      • In progress (in_progress=GUID-A55897DB-3DEA-4F5C-B7F9-70B3D7FB9EDE=1=en-us=Low.jpg): Trend Vision One sent the command and is waiting for a response.
      • Successful (successful=GUID-1E31AD86-DE2E-48B5-85F7-7C78A3E8BB11=1=en-us=Low.jpg): The command was successfully executed.
      • Partially successful (partially_successful_icon=GUID-20230103030733.jpg): The task was unsuccessful on one or more IAM service
      • Unsuccessful (error=5cc21722-7ceb-480c-b9c2-a47d420cf1cc.jpg): The task was unsuccessful on all connected IAM services