Kata 4: Review which IAM principals can administer or change data resources

This kata shows how to review which AWS IAM principals can administer, change, or delete data resources, then verify they need it using the k9 Principal Access Summary.

Reviewing data resource administration and change capabilities is a critical AWS access improvement step. Data is a precious organizational asset. IAM principals with excess privileges to administer or change data resources create a latent risk of accident or abuse.

Let’s see who can administer storage resources or change data and verify they need that access.

Open the latest k9 resource access audit spreadsheet from the S3 bucket containing your reports.

Go to the Principal Access Summaries worksheet.

  1. Enable filtering for the columns in the worksheet
  2. Filter the Service Name column to RDS (the Relational Database Service)
  3. Filter the ‘Access Capability’ column to administer-resource and delete-data

You should now have a list of principals that looks like:

[Screenshot: IAM principals who can administer or delete data in RDS]

These are the IAM users and roles who can:

  • create and administer RDS database clusters, instances, and other resources
  • delete data in RDS database clusters

When the Resource ARN column is blank, the IAM principal has the capability to use the service’s API generally. When the Resource ARN column is populated, the IAM principal has the capability to operate on that specific resource.

In the example above, the ci, training, and AccountAdminAccessRole-Sandbox principals have:

  1. the ability to administer RDS cluster resources and delete RDS data generally
  2. those same abilities to operate on the int-test-pg-01 RDS database cluster
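The same filter and interpretation, carried out in code over a CSV export of the Principal Access Summaries worksheet, as an added example that is not part of the kata or the k9 product. The sample rows are constructed; the column name "Principal Name", the region and account number in the ARNs, and the principals backup-role and app-reader are assumptions, so adjust the column names to match your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of the Principal Access Summaries worksheet.
# "Principal Name" and the ARN region/account are assumed, not from the kata.
SAMPLE_CSV = """Principal Name,Service Name,Access Capability,Resource ARN
ci,RDS,administer-resource,
ci,RDS,delete-data,
ci,RDS,administer-resource,arn:aws:rds:us-east-1:111122223333:cluster:int-test-pg-01
ci,RDS,delete-data,arn:aws:rds:us-east-1:111122223333:cluster:int-test-pg-01
training,RDS,administer-resource,
training,RDS,delete-data,
AccountAdminAccessRole-Sandbox,RDS,administer-resource,
AccountAdminAccessRole-Sandbox,RDS,delete-data,
backup-role,RDS,delete-data,arn:aws:rds:us-east-1:111122223333:cluster:int-test-pg-01
app-reader,RDS,read-data,
app-reader,S3,read-data,arn:aws:s3:::example-bucket
"""

RISKY_CAPABILITIES = {"administer-resource", "delete-data"}


def summarize_data_risk(csv_text, service="RDS", capabilities=RISKY_CAPABILITIES):
    """Map principal -> {"general": caps with blank ARN, "resources": {arn: caps}}."""
    summary = defaultdict(lambda: {"general": set(), "resources": defaultdict(set)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Service Name"] != service or row["Access Capability"] not in capabilities:
            continue
        principal, arn = row["Principal Name"], row["Resource ARN"].strip()
        if arn:  # populated ARN: capability applies to that specific resource
            summary[principal]["resources"][arn].add(row["Access Capability"])
        else:    # blank ARN: capability applies to the service API generally
            summary[principal]["general"].add(row["Access Capability"])
    return {p: {"general": v["general"], "resources": dict(v["resources"])}
            for p, v in summary.items()}


def principals_with_general_access(summary):
    """Principals holding a risky capability service-wide; review these first."""
    return sorted(p for p, v in summary.items() if v["general"])


if __name__ == "__main__":
    result = summarize_data_risk(SAMPLE_CSV)
    for principal in sorted(result):
        scope = "service-wide" if result[principal]["general"] else "specific resources only"
        print(f"{principal}: {scope}")
        for arn, caps in sorted(result[principal]["resources"].items()):
            print(f"  {arn}: {', '.join(sorted(caps))}")
```

Principals that appear only with populated ARNs (backup-role in the sample) are scoped to named resources, while those returned by principals_with_general_access can create, administer, or delete any RDS resource in the account.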

k9 also reports whether principals can read or write data for each supported service (see the service support matrix). Start by verifying that principals have only the expected and necessary access to core data services like RDS, DynamoDB, and S3, then expand the review to other services.

An IAM principal with AWS service administration or data change capabilities can be abused to execute many kinds of attacks in your AWS account. Reduce risk to data in your AWS account by reducing data administration and change capabilities to only what is necessary.

Review Questions

Ask these questions during your review:

Q. Should this principal have this service access capability? In this environment?

Automated delivery processes, operations teams, and security teams usually need an IAM principal with service administration capabilities. Sometimes application teams do too. The need to administer services, especially data services, usually varies by environment.

For example, you may allow application development teams to create and delete a database in a development environment. However, you probably don’t want anyone to be able to delete a production database. You could adjust identity policies to reduce unwanted privileges. You could also implement Service Control Policies that protect specific resources or deny, for example, delete operations across the account.

Q. When was the last time the principal used the capability?

You can also use AWS Access Analyzer to identify when services and API actions were last used. k9 will integrate that capability into the product soon. We’re happy to help you to accomplish this with what you have right now.

Summary

Once you have completed this kata, you should be able to:

  • identify IAM users and roles that can administer data resources or read, write, or delete data in your AWS account
  • determine whether that IAM principal should have that level of access
  • kick off the process to remove excess privileges with strong evidence

Contact k9 Support ([email protected]) if you have questions, feedback, or would like assistance.