This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your AWS GuardDuty device so that you can enable the Deactivate Access Keys auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
How It Works
If our SOC identifies a long-term access key that must be deactivated in order to mitigate the risk of a data breach, Workbench completes the action automatically. You have the option to restrict these actions to specific access keys by configuring an allow or deny list (the access keys must first be added as context, and then the list can be configured in Workbench; see Step 3).
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Find the Role Name in Workbench
- Add Permissions to the Existing Expel Policy in the AWS Console
- Update Your Context
- Return to the Main Setup Guide
Step 1: Find the Role Name in Workbench
- Navigate to Organization Settings > Security Devices.
- Next to the name of your AWS GuardDuty device, open the dropdown and select Edit.
- In the Edit Security Device window, find the Role ARN that you configured during AWS GuardDuty onboarding.
- Copy and save the role name, which is usually the last portion of the Role ARN field after the forward slash (for example, ExpelServiceRole, ExpelGuarddutyAssumeRole, or ExpelRole).
- Close the Edit Security Device window.
Step 2: Add Permissions to the Existing Expel Policy in the AWS Console
- In the AWS IAM console, navigate to Roles.
- On the Roles screen, find and open the role whose name you saved in the previous step.
- Find and open the attached policy that was configured during onboarding (for example, ExpelGuardDutyConnectorPolicy or ExpelAPIPolicy).
- Add the following permissions to the statement whose "Resource" is "*":
  - iam:List*
  - iam:Get*
  - iam:UpdateAccessKey
Note
If CloudFormation manages this policy, edit it at the source of truth so the edits aren't accidentally overwritten later.
- Save the policy.
- Repeat both Step 1 and Step 2 for each of your configured AWS GuardDuty devices.
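As an added example (not Expel's tooling or part of this guide), the statement shape the step above describes, plus a small offline check that a saved policy document actually allows the three required actions on Resource "*"; the sample policy and the helper names are constructed for illustration.

```python
"""Verify that an IAM policy document grants the permissions the Deactivate
Access Keys remediation needs.  Added example; not Expel's own code."""
import fnmatch
import json

# The three permissions the guide asks you to add (wildcards kept as written).
REQUIRED_ACTIONS = ("iam:List*", "iam:Get*", "iam:UpdateAccessKey")

# Constructed sample: a statement shaped like the one the guide describes.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:List*", "iam:Get*", "iam:UpdateAccessKey"],
            "Resource": "*",
        }
    ],
})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def allowed_patterns(policy_json):
    """Collect Action patterns from Allow statements scoped to Resource "*".

    Explicit Deny statements elsewhere are not evaluated here; this is a
    quick sanity check, not a full IAM policy simulation.
    """
    doc = json.loads(policy_json)
    patterns = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        patterns.extend(a.lower() for a in _as_list(stmt.get("Action", [])))
    return patterns


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return required actions not covered by any allowed pattern.

    A required pattern such as "iam:List*" counts as covered when an allowed
    pattern matches it (e.g. "iam:List*" or "iam:*"); IAM action names are
    matched case-insensitively.
    """
    granted = allowed_patterns(policy_json)
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), g) for g in granted)]
```

Run it against the policy JSON you download from the console to confirm nothing is missing before saving.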
Step 3: Update Your Context
If you do not want to specify any access keys for a "do not deactivate" or "always deactivate" list, and instead wish for Expel to automatically deactivate all identified access keys, skip to Step 4.
Working with your engagement manager, prepare to create an allow or deny list by adding access keys as context for your environment. You will then be able to select those access keys as "Never deactivate" or "Always deactivate" assets when you enable the auto remediation in Workbench.
Note
If our SOC identifies an access key that must be deactivated and you have created either an allow ("Always deactivate") or deny ("Never deactivate") list in Workbench, any access keys falling outside of those parameters are assigned to you as actions rather than being deactivated automatically.
Step 4: Return to the Main Setup Guide
Your AWS GuardDuty device is now ready for the Deactivate Access Keys auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.