How k9 simplifies AWS IAM security for the entire team

Good AWS security is too difficult and expensive.

This article will explain what k9 Security does and how k9 simplifies AWS security and makes it affordable.

The Challenge

Interviews with Cloud security specialists reveal the pain of engineering good AWS security policies and analyzing access. In this context, Cloud security specialists include Cloud, Cloud Security, DevOps, Platform, Site Reliability, and Security Engineers: the engineers who have the practical responsibility of creating and maintaining AWS security policies.

These Cloud security specialists say AWS security policies are hard to get right and difficult to validate.

This overloads cloud security specialists, if a team has any, with an unending stream of high-stakes policy development and reviews. Rushing security policy engineering puts the organization and its customers at risk. Holding up deployments for security policy engineering delays projects. This situation costs a lot and produces bad results, and the rate of change is increasing.

Cloud teams need more scalable and efficient security policy engineering and audit processes that keep pace with continuous delivery processes using infrastructure as code.

The Solution

k9 helps Cloud teams protect data by helping them understand and improve their security policies, quickly and confidently, right in the modern Cloud application delivery pipeline.

k9 Security does this with three key elements:

  • a higher-level language for describing principals’ access capabilities
  • infrastructure code libraries that generate policies according to best practice
  • continuous auditing of who has access to data

These elements are all integrated into the modern delivery process:

Figure 1. Integrate Security into Delivery Process with k9

Access Capability Model

The k9 access capability model provides the high-level language Application, Platform, and Security engineers use to discuss and engineer policies quickly and securely. No more getting lost in a forest of thousands of API actions. k9 describes access with six capabilities: read-data, write-data, delete-data, use-resource, administer-resource, and read-config access. By defining these capabilities and mapping API actions to all applicable capabilities, k9 engineers determine who has access to what, quickly and confidently. A single API action may map to multiple access capabilities. For example, AWS’ rds:DeleteDBCluster maps to administer-resource and delete-data (because it deletes the cluster’s data!).

Secure infrastructure code libraries

Cloud teams use k9 infrastructure code libraries to integrate secure policies directly into their delivery pipelines. Cloud teams express the access in terms of the k9 access capabilities and k9’s policy generators take care of the rest. Example: Terraform S3 bucket and policy generator

These libraries encapsulate expert security knowledge and make the best practice of data protection composable in existing and new pipelines. k9 focuses on strong security policies for data because that’s where the biggest risks and policy problems are.

Continuous Auditing

k9 continuously audits AWS accounts and answers the questions, “who has access to what?” and “what data is accessible by whom?” k9 delivers these answers to customers’ secure S3 inbox nightly for ingest into SIEMs or interactive analysis in Excel. Soon, customers may also opt in to accessing this information via a secure API gateway. This gateway will be usable by end customers, managed service providers, and third-party products incorporating k9’s analysis.
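To make the capability model and the “who has access to what?” audit concrete, here is an added example (not k9’s code) that classifies IAM policy statements into the six capability names the article lists and then reports which principal holds which capability. The article only states one mapping (rds:DeleteDBCluster to administer-resource and delete-data); every other action-to-capability entry, the principal names and the policy documents are constructed for illustration. The example ignores Resource and Condition scoping and handles only the actions in its small table, but it does honour explicit Deny statements, which is where hand-review most often goes wrong.

```python
"""Map IAM policy statements to k9-style access capabilities (added illustration).

The six capability names come from the article. The ACTION_CAPABILITIES table
is an ASSUMED sample, except rds:DeleteDBCluster, which the article states maps
to both administer-resource and delete-data. Resource/Condition scoping is
deliberately ignored to keep the example focused on action classification.
"""
from fnmatch import fnmatchcase
import json

CAPABILITIES = ("read-data", "write-data", "delete-data",
                "use-resource", "administer-resource", "read-config")

# Assumed sample mapping; a real catalogue would cover thousands of actions.
ACTION_CAPABILITIES = {
    "s3:GetObject": {"read-data"},
    "s3:PutObject": {"write-data"},
    "s3:DeleteObject": {"delete-data"},
    "s3:GetBucketPolicy": {"read-config"},
    "s3:PutBucketPolicy": {"administer-resource"},
    "rds:DescribeDBClusters": {"read-config"},
    "rds:DeleteDBCluster": {"administer-resource", "delete-data"},  # from the article
    "lambda:InvokeFunction": {"use-resource"},
}


def matching_actions(pattern):
    """Expand an IAM action pattern (e.g. 's3:*' or '*') over the known actions.

    IAM action matching is case-insensitive, so both sides are lowercased.
    """
    pattern = pattern.lower()
    return {a for a in ACTION_CAPABILITIES if fnmatchcase(a.lower(), pattern)}


def capabilities_for(pattern):
    """Union of capabilities granted by every action the pattern matches."""
    caps = set()
    for action in matching_actions(pattern):
        caps |= ACTION_CAPABILITIES[action]
    return caps


def effective_actions(policy):
    """Known actions the policy allows after applying explicit Deny statements."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    allowed, denied = set(), set()
    for st in statements:
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        bucket = allowed if st.get("Effect") == "Allow" else denied
        for pattern in actions:
            bucket |= matching_actions(pattern)
    return allowed - denied  # in IAM an explicit Deny always wins


def capability_summary(policy):
    """{capability: {actions}} for one policy document."""
    summary = {}
    for action in sorted(effective_actions(policy)):
        for cap in ACTION_CAPABILITIES[action]:
            summary.setdefault(cap, set()).add(action)
    return summary


def access_report(principals):
    """{capability: [principal names]} - the 'who has access to what?' view."""
    report = {cap: [] for cap in CAPABILITIES}
    for name, policy in principals.items():
        for cap in capability_summary(policy):
            report[cap].append(name)
    return {cap: sorted(names) for cap, names in report.items()}


# Constructed sample principals and policies (hypothetical names and ARNs).
POLICIES = {
    "app-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-data/*"}]},
    "ops-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "rds:DeleteDBCluster", "Resource": "*"}]},
    "admin-role": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "*", "Resource": "*"}},
}

if __name__ == "__main__":
    print(json.dumps(access_report(POLICIES), indent=2))
```

Running it shows ops-role holding only read-config: the `rds:*` grant would have conveyed administer-resource and delete-data, but the explicit Deny on rds:DeleteDBCluster removes both, which is exactly the kind of net-effect question that is tedious to answer by reading raw policy JSON.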

k9 Security provides Cloud, Platform, and Security engineers the language, policy management tools, and visibility they need to understand and improve security policies, quickly and confidently. These elements enable and enhance the practice of continuous delivery and infrastructure as code by integrating strong security practices directly into the delivery process. With k9, regular engineers and auditors become productive security superheroes, pipelines deliver changes, and applications operate securely.

Learn more about the value you can capture with k9 by increasing engineering efficiency and reducing risk.

Go Fast, Safely

We’d love to help you go fast, safely. Watch or schedule a demo today.
