SECOPS

Cross-account IAM grant detection with incident bridge

Flags IAM grants that hand access to a principal in another AWS account, pages PagerDuty, and spins up a Zoom incident bridge with the responders auto-invited.

CategorySecOps

Enginesim

Difficultyadvanced

Triggerevent

Steps5

Setup~25 min

How it runs

The automated pipeline, trigger to output.

TriggerAxiom IAM grant eventAxiom
LogicDetect external account principal
ActionPage security on-callPagerDuty
ActionOpen Zoom incident bridgeZoom
OutputPost bridge link to incident channelSlack

What it does

This workflow watches Axiom for IAM grants whose trust policy or principal references an external AWS account ID — a common signature of account-takeover lateral movement or data exfiltration setup. On a hit it treats the event as a potential incident: it pages on-call, opens a Zoom bridge, and posts the join link to the incident channel so responders converge fast.

When to use it

Use this when cross-account access is tightly controlled and any new external-principal grant warrants immediate eyes. It compresses the time from a suspicious grant to a live responder call from minutes to seconds.

How it works

1Axiom emits an IAM grant event and triggers the run.
2A logic step inspects the principal and trust policy for an external account ID not on the allowlist.
3On a match, PagerDuty pages the security on-call rotation.
4A Zoom meeting is created as the incident bridge.
5A Slack message posts the join link, grant details, and external account ID to the incident channel.

Set it up

What you configure once, before turning it on.

1
Connect AxiomLog streams, queries, dashboards.
2
Connect PagerDutyIncidents, on-call, escalations.
3
Connect ZoomMeetings, recordings, transcripts.
4
Connect SlackChannels, DMs, threads, mentions.
5
Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
6
Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
7
Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More SecOps workflows

Post-Revocation Verification and Audit Logging

After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.

Page on-call when a WAF rule mass-blocks legitimate traffic

On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).

PII Content Scan on New Dropbox External Share

When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.

Compile a weekly WAF tuning review with trends to Confluence

Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.

Sensitive Dropbox Link Owner Remediation Loop

When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.

GitLab Push Secret Detection to Block and History Purge

On a GitLab push that contains a detected secret, it revokes the exposed credential, opens a tracking issue with git-history purge instructions.

Browse all SecOps →

Run it inside a business

This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Finance

Research & Trading Desk

Governance-first research, execution, and risk — every trade on the audit trail.

Operations

Internal Operations

Runbooks, on-call, vendor management — disciplined and audited.

Software

Agent Hive runs Agent Hive

The team that built Agent Hive, exactly as it runs today.

Browse all business templates →Solutions by industry →

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the Waitlist Browse all workflows →