AutomationFlowsAI & RAG › Automated AWS IAM Key Compromise Response with Slack & Claude AI

Automated AWS IAM Key Compromise Response with Slack & Claude AI

ByNiranjan G @niranjan on n8n.io

This n8n workflow provides a secure, enterprise-grade response system for AWS IAM access key compromises with built-in form submission and human approval mechanisms. When an AWS access key is suspected to be compromised, this workflow enables rapid containment through a secure…

Event trigger★★★★★ complexityAI-powered40 nodesHTTP RequestAgentSlackAnthropic ChatAws IamForm Trigger
AI & RAG Trigger: Event Nodes: 40 Complexity: ★★★★★ AI nodes: yes Added:

This workflow corresponds to n8n.io template #5123 — we link there as the canonical source.

This workflow follows the Agent → Form Trigger recipe pattern — see all workflows that pair these two integrations.

The workflow JSON

Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →

Download .json
{
  "meta": {
    "templateCredsSetupCompleted": true
  },
  "nodes": [
    {
      "id": "d5fa0dbd-41d5-402c-1234-1234567890",
      "name": "\ud83d\udd11 Fetch User Access Keys",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        -1480,
        380
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "ListAccessKeys"
            },
            {
              "name": "Version",
              "value": "2010-05-08"
            },
            {
              "name": "UserName",
              "value": "={{ $json.UserName }}"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.1
    },
    {
      "id": "02461671-e2a2-4424-bfe8-fd74afc460c5",
      "name": "\ud83d\udcca Parse Access Key Response",
      "type": "n8n-nodes-base.code",
      "position": [
        -1260,
        380
      ],
      "parameters": {
        "jsCode": "const result = {};\nlet counter = 1;\n\nfor (const item of items) {\n  try {\n    const response = item.json.body || item.json;\n    const metadata = response?.ListAccessKeysResponse?.ListAccessKeysResult?.AccessKeyMetadata || [];\n\n    for (const key of metadata) {\n      const keyLabel = `AccessKey${counter}`;\n      result[keyLabel] = {\n        [`AccessKeyId${counter}`]: key.AccessKeyId,\n        [`UserName${counter}`]: key.UserName,\n        Status: key.Status,\n        [`CreateDate${counter}`]: new Date(key.CreateDate * 1000).toISOString()\n      };\n      counter++;\n    }\n  } catch (error) {\n    console.error('Error processing access keys:', error);\n  }\n}\n\nreturn [{ json: result }];\n"
      },
      "typeVersion": 2
    },
    {
      "id": "83640bea-3b16-4173-a486-bcbfe9cffddd",
      "name": "\ud83d\udeab Deactivate Compromised Key",
      "type": "n8n-nodes-base.httpRequest",
      "onError": "continueRegularOutput",
      "position": [
        -180,
        900
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "UpdateAccessKey"
            },
            {
              "name": "Version",
              "value": "2010-05-08"
            },
            {
              "name": "UserName",
              "value": "={{ $json.UserName }}"
            },
            {
              "name": "AccessKeyId",
              "value": "={{ $json.AccessKeyId }}"
            },
            {
              "name": "Status",
              "value": "Inactive"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.1
    },
    {
      "id": "d671f4f7-759f-4bd6-abc1-abc1234567",
      "name": "\ud83d\udcdc Audit Inline Policies",
      "type": "n8n-nodes-base.httpRequest",
      "onError": "continueRegularOutput",
      "position": [
        -160,
        1320
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "ListUserPolicies"
            },
            {
              "name": "Version",
              "value": "2010-05-08"
            },
            {
              "name": "UserName",
              "value": "={{ $json.UserName }}"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "6e6a912f-d043-44c0-abc1-abc123456789",
      "name": "\ud83d\udd0d Audit Attached Policies",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        -160,
        1680
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "ListAttachedUserPolicies"
            },
            {
              "name": "Version",
              "value": "2010-05-08"
            },
            {
              "name": "UserName",
              "value": "={{ $json.UserName }}"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "9fc7c861-a714-4b24-b19d-7d163c8e6a4d",
      "name": "\ud83d\udee1\ufe0f Generate Invalidation Policy",
      "type": "n8n-nodes-base.httpRequest",
      "onError": "continueRegularOutput",
      "position": [
        -200,
        480
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "CreatePolicy"
            },
            {
              "name": "PolicyDocument",
              "value": "={\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [{\n    \"Sid\": \"DenyExpiredSessions\",\n    \"Effect\": \"Deny\",\n    \"Action\": \"*\",\n    \"Resource\": \"*\",\n    \"Condition\": {\n      \"DateLessThan\": {\n        \"aws:TokenIssueTime\": \"{{ $now.minus({ days: 3 }).toISO() }}\"\n      }\n    }\n  }]\n}\n"
            },
            {
              "name": "PolicyName",
              "value": "=Invalidating-Temporary-Security-Credentials-{{ $now.toFormat('yyyy-MM-dd') + '-' + Math.random().toString(36).substring(2, 8).toUpperCase() }}"
            },
            {
              "name": "Version",
              "value": "2010-05-08"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "df0f64b3-95cf-48ef-b2a9-fe035d3e14ad",
      "name": "\ud83d\udd17 Apply Security Policy",
      "type": "n8n-nodes-base.httpRequest",
      "onError": "continueRegularOutput",
      "position": [
        340,
        60
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "AttachUserPolicy"
            },
            {
              "name": "PolicyArn",
              "value": "={{ $json.CreatePolicyResponse.CreatePolicyResult.Policy.Arn }}"
            },
            {
              "name": "Version",
              "value": "2010-05-08"
            },
            {
              "name": "UserName",
              "value": "={{ $('\u2705 Approved Compromise Data').item.json.UserName }}"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "c4ec2ef4-7db8-4189-877b-abc1234567890",
      "name": "\ud83d\udce4 Extract Inline Policy Names",
      "type": "n8n-nodes-base.splitOut",
      "onError": "continueRegularOutput",
      "position": [
        60,
        1320
      ],
      "parameters": {
        "options": {},
        "fieldToSplitOut": "ListUserPoliciesResponse.ListUserPoliciesResult.PolicyNames"
      },
      "typeVersion": 1
    },
    {
      "id": "07ab67a9-146d-4576-8afa-a128cf62974f",
      "name": "\ud83d\udd04 Batch Process Inline Policies",
      "type": "n8n-nodes-base.splitInBatches",
      "position": [
        280,
        1320
      ],
      "parameters": {
        "options": {}
      },
      "typeVersion": 3
    },
    {
      "id": "ff91b356-3771-463f-8593-82a0396c6514",
      "name": "\ud83d\udd04 Batch Process Attached Policies",
      "type": "n8n-nodes-base.splitInBatches",
      "position": [
        280,
        1700
      ],
      "parameters": {
        "options": {}
      },
      "typeVersion": 3
    },
    {
      "id": "e1344921-481a-467b-9240-72b80e8f8ef9",
      "name": "\ud83d\udce4 Extract Attached Policy List",
      "type": "n8n-nodes-base.splitOut",
      "position": [
        60,
        1680
      ],
      "parameters": {
        "options": {},
        "fieldToSplitOut": "ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.AttachedPolicies"
      },
      "typeVersion": 1
    },
    {
      "id": "c884daa9-f96f-40c7-8fd0-3a00612bf431",
      "name": "\ud83e\udd16 AI Security Analysis",
      "type": "@n8n/n8n-nodes-langchain.agent",
      "onError": "continueRegularOutput",
      "position": [
        2400,
        980
      ],
      "parameters": {
        "text": "={{ JSON.stringify($json.data, null, 2) }}",
        "options": {
          "systemMessage": "# AWS Key Compromise Response Summary Prompt\n\nYou are an AWS security analyst. Your task is to analyze the key compromise response actions and provide a simple, clear summary of what happened and the current security status.\n\n## Instructions\n\nFollow these instructions precisely:\n\n### 1. Analysis Output Format\n\nOutput your analysis wrapped exactly between these tags, inside a fenced code block:\n```\n...your simple analysis here...\n```\n\n### 2. Keep It Simple - Focus Only On:\n\n#### Key Compromise Response Summary\n- **What happened**: Brief description of the compromise\n- **Actions taken**: Key deactivation, policy creation, and attachment status\n- **Current status**: Whether the response was successful\n- **Risk level**: Simple HIGH/MEDIUM/LOW assessment\n\n#### Essential Details Only\n- **User affected**: Username and access key ID\n- **Response actions**: What automated actions were completed\n- **Security status**: Current protection level after response\n- **Next steps**: 1-2 simple recommendations if needed\n\n### 3. Policy Analysis Guidelines\n\n**Ignore all policy version metadata** fields \u2014 if you see `versionId`, `isDefault`, `createDate`, or the `\"Version\"` field inside `decodedPolicy`, do **not** mention or interpret these as security findings; focus **only** on the actual policy statements and actions.\n\n### 4. Slack-Compatible Report\n\nAfter the fenced code block, output a Slack-compatible report using **ONLY** the following supported Slack Markdown formats:\n\n#### Supported Slack Markdown Elements:\n- **Bold text:** `*bold text*` (asterisks)\n- **Italic text:** `_italic text_` (underscores)\n- **Strikethrough:** `~strikethrough~` (tildes)\n- **Inline code:** `code` (single backticks)\n- **Code blocks:** ``` (three backticks)\n- **Block quotes:** `> quoted text` (greater than symbol)\n- **Bulleted lists:** `* item` or `\u2022 item` (asterisk or bullet)\n- **Ordered lists:** `1. item` (number and period)\n- **Links:** `<https://example.com|Link Text>` (angle brackets with pipe)\n\n#### Slack Report Format:\n\n\ud83d\udea8 *AWS Key Compromise Response Summary*\n\n\ud83d\udc64 *Affected User*\n\u2022 User: username\n\u2022 Access Key: AKIA...\n\n\u2705 *Response Actions Completed*\n\u2022 \ud83d\udeab Access key deactivated\n\u2022 \ud83d\udee1\ufe0f Security policy applied\n\u2022 \u23f0 Temporary credentials invalidated\n\n\ud83d\udcca *Current Status*\n\u2022 Response: Successful/Failed\n\u2022 Risk Level: HIGH/MEDIUM/LOW\n\u2022 Account Secured: Yes/No\n\n\ud83d\udca1 *Next Steps*\n\u2022 [1-2 simple recommendations or \"No further action needed\"]\n\n\ud83d\udcc5 *Incident Date*\n\u2022 YYYY-MM-DD\n\n_Automated security response completed_\n\n### 5. Simple Guidelines\n\n**Keep it simple:**\n\u2022 Use clear, non-technical language\n\u2022 Focus on what happened and current status\n\u2022 Avoid complex security jargon\n\u2022 Provide actionable next steps only if needed\n\u2022 Keep the summary under 200 words\n\n### 6. What to Look For in the Data\n\n- **User information**: Username and access key ID\n- **Key deactivation**: Whether the access key was successfully disabled\n- **Policy creation**: Whether security policies were created and attached\n- **Response status**: Overall success or failure of the automated response\n\nThis prompt is designed to provide simple, clear summaries of AWS key compromise response actions for business stakeholders."
        },
        "promptType": "define"
      },
      "typeVersion": 2
    },
    {
      "id": "3eae5e83-a978-44eb-814e-ca97d32bcde0",
      "name": "\ud83d\udd00 Merge Response Data",
      "type": "n8n-nodes-base.merge",
      "position": [
        1940,
        920
      ],
      "parameters": {
        "numberInputs": 6
      },
      "typeVersion": 3.2
    },
    {
      "id": "45f1ed8f-e1cd-45ff-a70b-96e4ffa5dbb4",
      "name": "\ud83d\udce6 Aggregate Final Results",
      "type": "n8n-nodes-base.aggregate",
      "position": [
        2180,
        980
      ],
      "parameters": {
        "options": {},
        "aggregate": "aggregateAllItemData"
      },
      "typeVersion": 1
    },
    {
      "id": "9880aa6e-5475-467f-9281-64c42b3d7898",
      "name": "\ud83d\udccb Fetch Policy Metadata",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        500,
        1760
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "GetPolicy"
            },
            {
              "name": "Version",
              "value": "=2010-05-08"
            },
            {
              "name": "PolicyArn",
              "value": "={{ $json.PolicyArn }}"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "fa82af49-be87-4579-a6fc-68b14e16b1aa",
      "name": "\ud83d\udcc4 Retrieve Policy Document",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        720,
        1760
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "GetPolicyVersion"
            },
            {
              "name": "Version",
              "value": "2010-05-08"
            },
            {
              "name": "=PolicyArn",
              "value": "={{ $json.GetPolicyResponse.GetPolicyResult.Policy.Arn }}"
            },
            {
              "name": "=VersionId",
              "value": "={{ $json.GetPolicyResponse.GetPolicyResult.Policy.DefaultVersionId }}"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "b1abafca-5443-4dc5-992e-7210296b27ca",
      "name": "\ud83d\udcdc Retrieve Inline Policy Details",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        520,
        1360
      ],
      "parameters": {
        "url": "https://iam.amazonaws.com",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "contentType": "form-urlencoded",
        "authentication": "predefinedCredentialType",
        "bodyParameters": {
          "parameters": [
            {
              "name": "Action",
              "value": "GetUserPolicy"
            },
            {
              "name": "Version",
              "value": "2010-05-08"
            },
            {
              "name": "UserName",
              "value": "={{ $('\ud83d\udcdd Secure Form: Key Compromise Input').item.json.Username }}"
            },
            {
              "name": "=PolicyName",
              "value": "={{ $json[\"ListUserPoliciesResponse.ListUserPoliciesResult.PolicyNames\"] }}"
            }
          ]
        },
        "nodeCredentialType": "aws"
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "68ad6474-1a28-4c1d-9708-911e3475da7d",
      "name": "\ud83d\udd13 Parse Inline Policy JSON",
      "type": "n8n-nodes-base.code",
      "position": [
        720,
        1360
      ],
      "parameters": {
        "jsCode": "// Sample input (you'll usually get this from n8n's input)\nconst inputItems = $input.all();\n\nconst decodedPolicies = inputItems.map(item => {\n  const encoded = item.json?.GetUserPolicyResponse?.GetUserPolicyResult?.PolicyDocument;\n  let decoded = null;\n  let parsed = null;\n\n  try {\n    decoded = decodeURIComponent(encoded);\n    parsed = JSON.parse(decoded);\n  } catch (e) {\n    // Fallback if decoding or parsing fails\n    parsed = { error: 'Invalid or undecodable policy document' };\n  }\n\n  return {\n    json: {\n      user: item.json?.GetUserPolicyResponse?.GetUserPolicyResult?.UserName || 'unknown',\n      policyName: item.json?.GetUserPolicyResponse?.GetUserPolicyResult?.PolicyName || 'unknown',\n      decodedPolicy: parsed\n    }\n  };\n});\n\nreturn decodedPolicies;\n"
      },
      "typeVersion": 2
    },
    {
      "id": "d3cf69d7-15ba-4ec9-b463-6223ed3959eb",
      "name": "\ud83d\udd13 Parse Attached Policy JSON",
      "type": "n8n-nodes-base.code",
      "position": [
        900,
        1760
      ],
      "parameters": {
        "jsCode": "const inputItems = $input.all();\n\nconst decodedPolicies = inputItems.map(item => {\n  const encoded = item.json?.GetPolicyVersionResponse?.GetPolicyVersionResult?.PolicyVersion?.Document;\n  let decoded = null;\n  let parsed = null;\n\n  try {\n    decoded = decodeURIComponent(encoded);\n    parsed = JSON.parse(decoded);\n  } catch (e) {\n    parsed = { error: 'Invalid or undecodable policy document' };\n  }\n\n  return {\n    json: {\n      versionId: item.json?.GetPolicyVersionResponse?.GetPolicyVersionResult?.PolicyVersion?.VersionId || 'unknown',\n      isDefault: item.json?.GetPolicyVersionResponse?.GetPolicyVersionResult?.PolicyVersion?.IsDefaultVersion || false,\n      createDate: item.json?.GetPolicyVersionResponse?.GetPolicyVersionResult?.PolicyVersion?.CreateDate || null,\n      decodedPolicy: parsed\n    }\n  };\n});\n\nreturn decodedPolicies;\n"
      },
      "typeVersion": 2
    },
    {
      "id": "9b3a898c-70be-4fb1-905d-e29a92e89772",
      "name": "\u26a1 Inline Policy Router",
      "type": "n8n-nodes-base.noOp",
      "position": [
        920,
        1360
      ],
      "parameters": {},
      "typeVersion": 1
    },
    {
      "id": "9402330b-7f94-4fbc-ba49-38e668e59abe",
      "name": "\u26a1 Attached Policy Router",
      "type": "n8n-nodes-base.noOp",
      "position": [
        1100,
        1760
      ],
      "parameters": {},
      "typeVersion": 1
    },
    {
      "id": "0d40fba1-568e-41db-8d58-170df5f0a927",
      "name": "\ud83d\udcac Notify Security Team",
      "type": "n8n-nodes-base.slack",
      "position": [
        2760,
        980
      ],
      "parameters": {
        "text": "=\ud83d\udeab AWS Key Compromise Summary\n\n {{ $json.output }}",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "id",
          "value": "ABC1234567890"
        },
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.3
    },
    {
      "id": "89b5bf1b-081c-46e9-b634-eb4e95a6e2a9",
      "name": "\ud83e\udde0 Claude AI Engine",
      "type": "@n8n/n8n-nodes-langchain.lmChatAnthropic",
      "position": [
        2420,
        1200
      ],
      "parameters": {
        "model": {
          "__rl": true,
          "mode": "list",
          "value": "claude-3-7-sonnet-20250219",
          "cachedResultName": "Claude Sonnet 3.7"
        },
        "options": {}
      },
      "credentials": {
        "anthropicApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.3
    },
    {
      "id": "bec15d6b-2869-4784-b55d-c1cb8a1644d9",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -420,
        1600
      ],
      "parameters": {
        "width": 1840,
        "height": 400,
        "content": "## \ud83d\udd04 Process Each Attached Policy"
      },
      "typeVersion": 1
    },
    {
      "id": "06904eef-ed07-4b84-a4b9-c5f9defb384d",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -420,
        1180
      ],
      "parameters": {
        "width": 1840,
        "height": 400,
        "content": "## \ud83d\udd04 Process Each Inline Policy"
      },
      "typeVersion": 1
    },
    {
      "id": "ca8a044a-211a-4548-86e6-f2ae758b97f1",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -420,
        760
      ],
      "parameters": {
        "width": 1840,
        "height": 400,
        "content": "## \ud83d\udeab Disable Compromised Key"
      },
      "typeVersion": 1
    },
    {
      "id": "22145ce8-1fcb-4e7d-977a-5e3758a4b635",
      "name": "Sticky Note3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -420,
        340
      ],
      "parameters": {
        "width": 1840,
        "height": 400,
        "content": "## \ud83d\udee0 Create Security Policy [Invalidating-Temporary-Security-Credentials]"
      },
      "typeVersion": 1
    },
    {
      "id": "f4100d07-40db-41da-a60c-3770fc8dbba3",
      "name": "Sticky Note4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -420,
        -80
      ],
      "parameters": {
        "width": 1840,
        "height": 400,
        "content": "## \ud83d\udd17 Attach Security Policy [Invalidating-Temporary-Security-Credentials]]"
      },
      "typeVersion": 1
    },
    {
      "id": "b0bac576-f2ab-4d58-b1f6-1fb70a620649",
      "name": "Sticky Note5",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1700,
        700
      ],
      "parameters": {
        "color": 5,
        "width": 1320,
        "height": 740,
        "content": "## \ud83e\udd16 Generate Security Report"
      },
      "typeVersion": 1
    },
    {
      "id": "489444dd-c8ab-444e-ac11-aef48061650b",
      "name": "Sticky Note6",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -2260,
        780
      ],
      "parameters": {
        "color": 3,
        "width": 720,
        "height": 400,
        "content": "# \u270f\ufe0f Manual Entry: UserName & AccessKeyId"
      },
      "typeVersion": 1
    },
    {
      "id": "3f524117-9a16-4e3c-9c9b-b365af4d51c7",
      "name": "Sticky Note7",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -2080,
        240
      ],
      "parameters": {
        "width": 1360,
        "height": 400,
        "content": "## \ud83d\udd0d Retrieve IAM Key Info"
      },
      "typeVersion": 1
    },
    {
      "id": "e3bf53dd-84dd-48aa-af4a-0352e30ea4ba",
      "name": "\ud83d\udd0d AWS IAM Service",
      "type": "n8n-nodes-base.awsIam",
      "position": [
        -1700,
        380
      ],
      "parameters": {
        "returnAll": true,
        "requestOptions": {},
        "additionalFields": {}
      },
      "credentials": {
        "aws": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1
    },
    {
      "id": "4be7829d-c736-4125-aaa6-f75118e98c17",
      "name": "\ud83d\udd14 Request Human Approval",
      "type": "n8n-nodes-base.slack",
      "position": [
        -1320,
        940
      ],
      "parameters": {
        "user": {
          "__rl": true,
          "mode": "id",
          "value": "ABC1234567890"
        },
        "message": "=\ud83d\udee1\ufe0f Approval Request: AWS IAM Key Compromise Response\n\nUser: {{ $json.UserName }}\nAccess Key ID: {{ $json.AccessKeyId }}\nDate: {{ $json.Date }}\n\nPlease review and approve the remediation action.",
        "options": {},
        "operation": "sendAndWait"
      },
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.3,
      "alwaysOutputData": true
    },
    {
      "id": "1db4a332-df13-494b-87e6-1226f8d89b3f",
      "name": "Sticky Note8",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -1480,
        780
      ],
      "parameters": {
        "color": 4,
        "width": 420,
        "height": 400,
        "content": "# \u270f\ufe0f Human in the loop\n## Wait for approval or human input before continuing"
      },
      "typeVersion": 1
    },
    {
      "id": "296666c1-c6dd-451e-b9d6-a799634ac9ae",
      "name": "\u2705 Approved Compromise Data",
      "type": "n8n-nodes-base.set",
      "position": [
        -880,
        940
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "ad40b317-c48b-4814-b06b-6aced6ab5174",
              "name": "UserName",
              "type": "string",
              "value": "={{ $('\ud83d\udcdd Secure Form: Key Compromise Input').item.json.Username }}"
            },
            {
              "id": "a5b68025-b2cc-42d6-aae8-527bd46dad41",
              "name": "AccessKeyId",
              "type": "string",
              "value": "={{ $('\ud83d\udcdd Secure Form: Key Compromise Input').item.json.AccessKeyID }}"
            },
            {
              "id": "23551fee-041c-4822-9957-da228b721bc1",
              "name": "Date",
              "type": "string",
              "value": "={{ new Date().toISOString().split(\"T\")[0] }}"
            }
          ]
        }
      },
      "typeVersion": 3.4
    },
    {
      "id": "95eb48d4-ef3f-410b-b2d8-815e9083e5e4",
      "name": "Sticky Note9",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -1020,
        780
      ],
      "parameters": {
        "color": 4,
        "width": 420,
        "height": 400,
        "content": "# \u270f\ufe0f Selected UserName & AccessKeyId"
      },
      "typeVersion": 1
    },
    {
      "id": "2b792970-ebae-4e60-86b3-1780c45948e5",
      "name": "\ud83d\udd27 Process Form Submission",
      "type": "n8n-nodes-base.set",
      "position": [
        -1820,
        940
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "ad40b317-c48b-4814-b06b-6aced6ab5174",
              "name": "UserName",
              "type": "string",
              "value": "={{ $json.Username }}"
            },
            {
              "id": "a5b68025-b2cc-42d6-aae8-527bd46dad41",
              "name": "AccessKeyId",
              "type": "string",
              "value": "={{ $json.AccessKeyID }}"
            },
            {
              "id": "23551fee-041c-4822-9957-da228b721bc1",
              "name": "Date",
              "type": "string",
              "value": "={{ new Date().toISOString().split(\"T\")[0] }}"
            }
          ]
        }
      },
      "typeVersion": 3.4
    },
    {
      "id": "987b3736-c325-4fe5-8d70-f14b9f5955d8",
      "name": "\ud83d\udd0d Manual Key Lookup Trigger",
      "type": "n8n-nodes-base.manualTrigger",
      "position": [
        -1920,
        380
      ],
      "parameters": {},
      "typeVersion": 1
    },
    {
      "id": "97bb3007-1143-4a13-9adf-811e1268db4f",
      "name": "\ud83d\udcdd Secure Form: Key Compromise Input",
      "type": "n8n-nodes-base.formTrigger",
      "position": [
        -2100,
        940
      ],
      "parameters": {
        "options": {},
        "formTitle": "\ud83d\udea8 Automated AWS IAM Key Compromise Response Input",
        "formFields": {
          "values": [
            {
              "fieldLabel": "Username",
              "requiredField": true
            },
            {
              "fieldLabel": "AccessKeyID",
              "requiredField": true
            }
          ]
        },
        "authentication": "basicAuth"
      },
      "credentials": {
        "httpBasicAuth": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "33cd00aa-6027-4b3b-b373-c802ac6bf17d",
      "name": "\u26a1 No Operation, do nothing",
      "type": "n8n-nodes-base.noOp",
      "position": [
        -1040,
        380
      ],
      "parameters": {},
      "typeVersion": 1
    }
  ],
  "connections": {
    "\ud83d\udd0d AWS IAM Service": {
      "main": [
        [
          {
            "node": "\ud83d\udd11 Fetch User Access Keys",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83e\udde0 Claude AI Engine": {
      "ai_languageModel": [
        [
          {
            "node": "\ud83e\udd16 AI Security Analysis",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "\u26a1 Inline Policy Router": {
      "main": [
        [
          {
            "node": "\ud83d\udd04 Batch Process Inline Policies",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd00 Merge Response Data": {
      "main": [
        [
          {
            "node": "\ud83d\udce6 Aggregate Final Results",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83e\udd16 AI Security Analysis": {
      "main": [
        [
          {
            "node": "\ud83d\udcac Notify Security Team",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\u26a1 Attached Policy Router": {
      "main": [
        [
          {
            "node": "\ud83d\udd04 Batch Process Attached Policies",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udccb Fetch Policy Metadata": {
      "main": [
        [
          {
            "node": "\ud83d\udcc4 Retrieve Policy Document",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udcdc Audit Inline Policies": {
      "main": [
        [
          {
            "node": "\ud83d\udce4 Extract Inline Policy Names",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd17 Apply Security Policy": {
      "main": [
        [
          {
            "node": "\ud83d\udd00 Merge Response Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd11 Fetch User Access Keys": {
      "main": [
        [
          {
            "node": "\ud83d\udcca Parse Access Key Response",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd14 Request Human Approval": {
      "main": [
        [
          {
            "node": "\u2705 Approved Compromise Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\u2705 Approved Compromise Data": {
      "main": [
        [
          {
            "node": "\ud83d\udee1\ufe0f Generate Invalidation Policy",
            "type": "main",
            "index": 0
          },
          {
            "node": "\ud83d\udeab Deactivate Compromised Key",
            "type": "main",
            "index": 0
          },
          {
            "node": "\ud83d\udd00 Merge Response Data",
            "type": "main",
            "index": 3
          },
          {
            "node": "\ud83d\udcdc Audit Inline Policies",
            "type": "main",
            "index": 0
          },
          {
            "node": "\ud83d\udd0d Audit Attached Policies",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udce6 Aggregate Final Results": {
      "main": [
        [
          {
            "node": "\ud83e\udd16 AI Security Analysis",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd0d Audit Attached Policies": {
      "main": [
        [
          {
            "node": "\ud83d\udce4 Extract Attached Policy List",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd27 Process Form Submission": {
      "main": [
        [
          {
            "node": "\ud83d\udd14 Request Human Approval",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udcc4 Retrieve Policy Document": {
      "main": [
        [
          {
            "node": "\ud83d\udd13 Parse Attached Policy JSON",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd13 Parse Inline Policy JSON": {
      "main": [
        [
          {
            "node": "\u26a1 Inline Policy Router",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udcca Parse Access Key Response": {
      "main": [
        [
          {
            "node": "\u26a1 No Operation, do nothing",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd0d Manual Key Lookup Trigger": {
      "main": [
        [
          {
            "node": "\ud83d\udd0d AWS IAM Service",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd13 Parse Attached Policy JSON": {
      "main": [
        [
          {
            "node": "\u26a1 Attached Policy Router",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udeab Deactivate Compromised Key": {
      "main": [
        [
          {
            "node": "\ud83d\udd00 Merge Response Data",
            "type": "main",
            "index": 2
          }
        ]
      ]
    },
    "\ud83d\udce4 Extract Inline Policy Names": {
      "main": [
        [
          {
            "node": "\ud83d\udd04 Batch Process Inline Policies",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udce4 Extract Attached Policy List": {
      "main": [
        [
          {
            "node": "\ud83d\udd04 Batch Process Attached Policies",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd04 Batch Process Inline Policies": {
      "main": [
        [
          {
            "node": "\ud83d\udd00 Merge Response Data",
            "type": "main",
            "index": 4
          }
        ],
        [
          {
            "node": "\ud83d\udcdc Retrieve Inline Policy Details",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udcdc Retrieve Inline Policy Details": {
      "main": [
        [
          {
            "node": "\ud83d\udd13 Parse Inline Policy JSON",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udd04 Batch Process Attached Policies": {
      "main": [
        [
          {
            "node": "\ud83d\udd00 Merge Response Data",
            "type": "main",
            "index": 5
          }
        ],
        [
          {
            "node": "\ud83d\udccb Fetch Policy Metadata",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "\ud83d\udee1\ufe0f Generate Invalidation Policy": {
      "main": [
        [
          {
            "node": "\ud83d\udd17 Apply Security Policy",
            "type": "main",
            "index": 0
          },
          {
            "node": "\ud83d\udd00 Merge Response Data",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "\ud83d\udcdd Secure Form: Key Compromise Input": {
      "main": [
        [
          {
            "node": "\ud83d\udd27 Process Form Submission",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Credentials you'll need

Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.

Pro

For the full experience including quality scoring and batch install features for each workflow upgrade to Pro

About this workflow

This n8n workflow provides a secure, enterprise-grade response system for AWS IAM access key compromises with built-in form submission and human approval mechanisms. When an AWS access key is suspected to be compromised, this workflow enables rapid containment through a secure…

Source: https://n8n.io/workflows/5123/ — original creator credit. Request a take-down →

More AI & RAG workflows → · Browse all categories →

Related workflows

Workflows that share integrations, category, or trigger type with this one. All free to copy and import.

AI & RAG

This workflow collects tour details via an n8n form, analyzes your website’s brand voice with Anthropic Claude, researches real SEO keywords and Google “People Also Ask” questions with DataForSEO, the

Form Trigger, Agent, Anthropic Chat +3
AI & RAG

Content - Newsletter Agent. Uses formTrigger, chainLlm, outputParserStructured, httpRequest. Event-driven trigger; 91 nodes.

Form Trigger, Chain Llm, Output Parser Structured +8
AI & RAG

Content - Newsletter Agent. Uses formTrigger, chainLlm, outputParserStructured, httpRequest. Event-driven trigger; 87 nodes.

Form Trigger, Chain Llm, Output Parser Structured +7
AI & RAG

This workflow contains community nodes that are only compatible with the self-hosted version of n8n.

Form Trigger, Google Sheets, HTTP Request +3
AI & RAG

This workflow is designed for marketers, founders, agencies, and product teams who want to understand how real customers talk about a product category, market, or problem space.

Reddit, Agent, Output Parser Structured +3