Kata 0: Find & Tour a k9 Access Inventory Report

Let’s prepare for the k9 Security Katas by finding and touring a k9 resource access inventory in Excel format.

The Excel report format (sample) is very useful for both the structured and ad-hoc analysis new users perform of their accounts.

k9 Security delivers access inventory reports to the S3 bucket created during setup

k9 organizes reports in the bucket using a structure that looks like:

customers/{k9_customer_id}/reports/aws/{aws_account_id}/{year}/{month}/

Each element of the key path in {braces} is replaced with the relevant information for a given report:

  • k9_customer_id: your k9 customer id, e.g. C123456
  • aws_account_id: the analyzed AWS account id, e.g. 012345678912
  • year: the year component of the analysis start time (UTC), e.g. 2021
  • month: the year component of the analysis start time (UTC), e.g. 04

Two important things about time:

  • k9 uses UTC time for all reports
  • k9 starts analysis at UTC-7 to maximize utility for daily analysis in North & South America.

So the Excel report generated on April 9th, 2021 at 07:28 UTC is stored at:

customers/C123456/reports/aws/012345678912/2021/04/resource-access-audit.2021-04-09-0712.xlsx

Now find and open an Excel formatted report for today. 

When you open the spreadsheet, you will start at the ‘Principal Summary’ worksheet, which merely reports the number of IAM users and roles in the account:

Principal Summary – xlsx

The Excel report contains the following worksheets:

  • Principal Summary: reports aggregate statistics about IAM principals
  • Principals: Reports details of each IAM principal, when it was last used, its credentials, and tags
  • Principal Access Summary: Reports each principals access capabilities to supported AWS APIs and data resources
  • Resources: Details about each supported data resource, S3 buckets & KMS encryption keys
  • Resource Access Summaries: A resource-oriented view of what access each principal has to data resources
  • k9 Access Capability Mapping: the mapping of AWS API actions to k9 Access Capabilities used to generate the report

k9 delivers each analysis in three forms: xslx, csv, and json. These formats enable use by: people, SIEMs, and custom analysis tools.

If you have any trouble opening your reports or other questions, please contact support@k9security.io. We are happy to help.