{ "id": "Lyn6mdJQNSFQbHYr", "meta": { "templateCredsSetupCompleted": true }, "name": "SOC 2 Evidence Collector", "tags": [], "nodes": [ { "id": "b4dec251-3751-411d-ae2f-553ca9da5c0e", "name": "README", "type": "n8n-nodes-base.stickyNote", "position": [ 3872, 2160 ], "parameters": { "width": 444, "height": 472, "content": "## SOC 2 Evidence Collector \n### How it works\n1. **Trigger**: Runs automatically every quarter (or manually).\n2. **Collect**: Fetches active IAM User Directory via native AWS node.\n3. **Logic**: Verifies if user data was successfully retrieved.\n4. **Export**: Appends the directory to a Google Sheet.\n5. **Notify**: Sends an executive summary email to the admin.\n\n### Setup steps\n- [ ] Connect AWS Credentials (`iam:ListUsers`)\n- [ ] Connect Google Sheets Account\n- [ ] Create a Google Sheet named 'IAM Access Review'\n- [ ] Add columns: Username, User ID, ARN, Create Date, Audit Date\n- [ ] Connect Gmail account to both Email nodes\n- [ ] Update 'Send To' email addresses\n\n" }, "typeVersion": 1 }, { "id": "fc238ca2-16a6-4659-85e0-86c0d7be4ef8", "name": "Sticky Note Section 1", "type": "n8n-nodes-base.stickyNote", "position": [ 4352, 2160 ], "parameters": { "color": 7, "width": 424, "height": 480, "content": "### 1. TRIGGER & CONFIG\nSchedule \u2192 Timestamp\nInitiates the quarterly audit and tags \nthe run with a precise timestamp." }, "typeVersion": 1 }, { "id": "95833ffb-4d0a-4525-87be-34841e68e014", "name": "Sticky Note Section 2", "type": "n8n-nodes-base.stickyNote", "position": [ 4832, 2160 ], "parameters": { "color": 7, "width": 404, "height": 480, "content": "### 2. AWS IAM COLLECTION\nFetch \u2192 Format\nRetrieves the active AWS IAM User \nDirectory for User Access Reviews." }, "typeVersion": 1 }, { "id": "4467920b-13d4-4a90-88fc-8d8de13e145e", "name": "Sticky Note Section 3", "type": "n8n-nodes-base.stickyNote", "position": [ 5264, 2160 ], "parameters": { "color": 7, "width": 620, "height": 480, "content": "### 3. LOGIC & EXPORT\nBranch \u2192 Log \u2192 Aggregate\nRoutes data based on success. Appends \nto Sheets and summarizes the total count." }, "typeVersion": 1 }, { "id": "088593ca-0c72-4131-9738-be66e5018d3f", "name": "Sticky Note Section 4", "type": "n8n-nodes-base.stickyNote", "position": [ 5920, 2160 ], "parameters": { "color": 7, "width": 360, "height": 480, "content": "### 4. NOTIFICATIONS\nEmail Delivery\nSends professional alerts for both \nsuccessful audits and warnings." }, "typeVersion": 1 }, { "id": "9ee8a30b-7541-4f8b-ad69-d8dc9305adbc", "name": "Quarterly Schedule", "type": "n8n-nodes-base.scheduleTrigger", "position": [ 4416, 2384 ], "parameters": { "rule": { "interval": [ { "field": "cronExpression", "expression": "0 0 1 */3 *" } ] } }, "typeVersion": 1.2 }, { "id": "e3f876c4-8933-4a10-9dda-7a871bef448c", "name": "Set Audit Data", "type": "n8n-nodes-base.code", "position": [ 4640, 2384 ], "parameters": { "jsCode": "return {\n json: {\n auditType: 'User Access Review (UAR)',\n collectionTimestamp: new Date().toISOString()\n }\n};" }, "typeVersion": 2 }, { "id": "af226c77-16df-4767-a19d-1724aeef2632", "name": "List IAM Users", "type": "n8n-nodes-base.awsIam", "onError": "continueRegularOutput", "position": [ 4864, 2384 ], "parameters": { "requestOptions": {}, "additionalFields": {} }, "typeVersion": 1 }, { "id": "faa2591d-9d1f-46e5-ad8f-ba3a50baff43", "name": "Format User Evidence", "type": "n8n-nodes-base.code", "position": [ 5088, 2384 ], "parameters": { "jsCode": "const inputData = $input.all();\nconst auditData = $('Set Audit Data').first().json;\n\nlet users = [];\nif (inputData.length > 0 && inputData[0].json && inputData[0].json.Users) {\n users = inputData[0].json.Users;\n} else if (inputData.length > 0 && inputData[0].json && inputData[0].json.UserName) {\n users = inputData.map(item => item.json);\n}\n\nif (users.length === 0) {\n return [{ json: { username: 'NO_USERS_FOUND', auditDate: auditData.collectionTimestamp } }];\n}\n\nconst formatted = users.map(user => ({\n json: {\n username: user.UserName || 'N/A',\n userId: user.UserId || 'N/A',\n arn: user.Arn || 'N/A',\n createDate: user.CreateDate || 'N/A',\n auditDate: auditData.collectionTimestamp\n }\n}));\n\nreturn formatted;" }, "typeVersion": 2 }, { "id": "be83c2fb-d60b-4a66-86e8-8279f402e591", "name": "Users Found?", "type": "n8n-nodes-base.if", "position": [ 5312, 2384 ], "parameters": { "options": {}, "conditions": { "options": { "version": 1, "leftValue": "", "caseSensitive": true, "typeValidation": "strict" }, "combinator": "and", "conditions": [ { "id": "check", "operator": { "type": "string", "operation": "notEquals" }, "leftValue": "={{ $json.username }}", "rightValue": "NO_USERS_FOUND" } ] } }, "typeVersion": 2 }, { "id": "c6cddc58-555c-44d3-b970-3cd38b07c9f7", "name": "Export to Google Sheets", "type": "n8n-nodes-base.googleSheets", "position": [ 5536, 2288 ], "parameters": { "operation": "append", "sheetName": { "__rl": true, "mode": "name", "value": "" }, "documentId": { "__rl": true, "mode": "id", "value": "" } }, "typeVersion": 4.5 }, { "id": "a3783b1f-be0f-4993-9d8a-3f82c52d70cf", "name": "Summarize Run", "type": "n8n-nodes-base.code", "position": [ 5760, 2288 ], "parameters": { "jsCode": "const totalCount = $input.all().length;\nconst auditDate = $('Set Audit Data').first().json.collectionTimestamp;\nreturn [{ json: { totalUsers: totalCount, auditDate: auditDate.split('T')[0] } }];" }, "typeVersion": 2 }, { "id": "8fcd1f6d-8db8-4892-b1c7-1d85a720e822", "name": "Send Success Email", "type": "n8n-nodes-base.gmail", "position": [ 5984, 2288 ], "parameters": { "message": "=

AWS Access Review Complete

Hello,

Your quarterly AWS IAM User Access Review has been automatically executed and the evidence has been logged for SOC 2 compliance.

Active IAM Users Exported

{{ $json.totalUsers }}

Audit Date: {{ $json.auditDate }}

All user details have been appended to your connected Google Sheet.

Automated by n8n \u2022 SOC 2 Evidence Collector

", "options": {}, "subject": "\u2705 SOC 2 Audit: AWS Access Review Complete" }, "typeVersion": 2.2 }, { "id": "8d7beb4e-e725-47b9-bcc1-c4dd600fcb21", "name": "Send Warning Email", "type": "n8n-nodes-base.gmail", "position": [ 5984, 2480 ], "parameters": { "message": "=

\u26a0\ufe0f Audit Warning

Hello,

Your scheduled AWS IAM User Access Review just ran, but no users were found or the connection failed.

Troubleshooting Steps:

  • Check your AWS credentials in n8n.
  • Ensure the IAM user running this has the `iam:ListUsers` permission.

Please resolve this issue before your next auditor check-in.

Automated by n8n \u2022 SOC 2 Evidence Collector

", "options": {}, "subject": "\u26a0\ufe0f SOC 2 Audit Warning: No AWS Users Found" }, "typeVersion": 2.2 } ], "active": false, "settings": { "binaryMode": "separate", "executionOrder": "v1" }, "versionId": "1c42a1b2-f864-4565-8c9b-739df0df20bd", "connections": { "Users Found?": { "main": [ [ { "node": "Export to Google Sheets", "type": "main", "index": 0 } ], [ { "node": "Send Warning Email", "type": "main", "index": 0 } ] ] }, "Summarize Run": { "main": [ [ { "node": "Send Success Email", "type": "main", "index": 0 } ] ] }, "List IAM Users": { "main": [ [ { "node": "Format User Evidence", "type": "main", "index": 0 } ] ] }, "Set Audit Data": { "main": [ [ { "node": "List IAM Users", "type": "main", "index": 0 } ] ] }, "Quarterly Schedule": { "main": [ [ { "node": "Set Audit Data", "type": "main", "index": 0 } ] ] }, "Format User Evidence": { "main": [ [ { "node": "Users Found?", "type": "main", "index": 0 } ] ] }, "Export to Google Sheets": { "main": [ [ { "node": "Summarize Run", "type": "main", "index": 0 } ] ] } } }