Secure Infrastructure Code Libraries for Terraform and CDK

Built and supported by experts

Infrastructure Code Libraries

The k9 Security infrastructure code libraries are open source and freely available in the k9securityio organization on GitHub.  These libraries generate secure policies using k9’s access capability and tagging models.  Professional support for these libraries and prioritized enhancement are included when you subscribe to the k9 access analysis service.

Terraform

All k9 Security’s modules are available in the Terraform Registry.

  • terraform-local-context – A Terraform module to capture the context your team needs to manage, operate, and secure resources on any Cloud.
  • terraform-aws-s3-bucket – Provision AWS S3 buckets safely with least privilege access and comprehensive tagging using Terraform.
  • terraform-aws-kms-key – Provision AWS KMS keys safely with least privilege access and comprehensive tagging using Terraform.


AWS Cloud Development Kit (CDK)
The k9-cdk helps you provision best practice AWS security policies defined using the simplified k9 access capability model and safe defaults. In CDK terms, this library provides Curated (L2) constructs that wrap core CloudFormation resources (L1) to simplify security.

Currently the k9-cdk supports:

  • AWS Resources: S3 Bucket Policies, KMS Key Policies
  • Languages: TypeScript, (next) Python

The k9-cdk is distributed on:

Generate a least privilege S3 bucket policy with the terraform-aws-s3-bucket Terraform module:


Secure Terraform Library for S3

k9 Security’s terraform-aws-s3-bucket helps you protect data by creating an AWS S3 bucket with safe defaults and a least-privilege bucket policy built on the k9 access capability model.

There are several problems engineers must solve when securing data in an S3 bucket, especially when sharing an AWS account. To secure your data, you'll need to:

  1. configure several distinct S3 resources: the bucket, the bucket policy, and the 'block public access' configuration
  2. create security policies that allow access by authorized principals and deny everyone else
  3. adjust standard Terraform resource configurations, which generally mirror AWS API defaults, to current best practice
  4. capture enough context to scale security, governance, risk, and compliance activities efficiently

Configuring your intended access can be especially difficult.

But the terraform-aws-s3-bucket module helps you specify your intended access easily and generates a least-privilege policy for you.

First, define who should have access to the bucket as lists of AWS Principal IDs (ARNs):

Define S3 bucket's authorized principals

# Define which principals may access the bucket and what capabilities they should have
# k9 access capabilities are defined at https://www.k9security.io/docs/k9-access-capability-model/  
locals {
  administrator_arns = [
    "arn:aws:iam::12345678910:user/ci"
    , "arn:aws:iam::12345678910:user/person1"
  ]
  read_config_arns = concat(local.administrator_arns, 
                            ["arn:aws:iam::12345678910:role/k9-auditor"])

  read_data_arns = [
    "arn:aws:iam::12345678910:user/person1",
    "arn:aws:iam::12345678910:role/appA",
  ]

  write_data_arns = local.read_data_arns
}

Now generate a least privilege bucket policy with the terraform-aws-s3-bucket submodule:

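As an added example that is not on the original page, here is a complete root module that calls terraform-aws-s3-bucket with the principal lists above. It illustrates the four problems listed earlier (resources, allow/deny policy, safe defaults, context for tagging) and the access outcome described next. The Registry source address and the input names (allow_administer_resource_arns, allow_read_config_arns, allow_read_data_arns, allow_write_data_arns, and the tagging inputs logical_name, org, owner, env, app) are assumed from the module's Registry documentation and should be confirmed there before use; the account id, region and tag values are constructed sample data.

```hcl
# Added example (not the page's or the module's own code): wire the k9
# access capability lists into the terraform-aws-s3-bucket module.
# Input variable names below are assumed from the module docs; confirm them
# against the Terraform Registry page before applying.

terraform {
  required_version = ">= 1.0"
}

provider "aws" {
  region = "us-east-1" # constructed sample value
}

# Which principals may access the bucket and what capabilities they have.
# Account id 12345678910 is the page's constructed sample value.
locals {
  administrator_arns = [
    "arn:aws:iam::12345678910:user/ci",
    "arn:aws:iam::12345678910:user/person1",
  ]
  read_config_arns = concat(local.administrator_arns,
                            ["arn:aws:iam::12345678910:role/k9-auditor"])
  read_data_arns = [
    "arn:aws:iam::12345678910:user/person1",
    "arn:aws:iam::12345678910:role/appA",
  ]
  write_data_arns = local.read_data_arns
}

module "s3_bucket" {
  source = "k9securityio/s3-bucket/aws" # assumed Registry source address

  # Context captured for tagging (problem 4): constructed sample values
  logical_name = "appa-data"
  org          = "example-org"
  owner        = "team-a"
  env          = "dev"
  app          = "appA"

  # Intended access in k9 capability terms (problem 2). The module renders
  # the Allow statements for these principals plus the catch-all Deny and
  # the encryption conditions; nothing else needs to be hand-written.
  allow_administer_resource_arns = local.administrator_arns
  allow_read_config_arns         = local.read_config_arns
  allow_read_data_arns           = local.read_data_arns
  allow_write_data_arns          = local.write_data_arns
}
```

Run terraform init and terraform plan first and read the rendered bucket policy in the plan output: check that every principal in the Allow statements is one you listed, and that the Deny statement covers everyone not listed, before you apply.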

When you run terraform apply on this code, the module will generate a ~200 line bucket policy that enables the following access:

  • allow ci and person1 users to administer the bucket
  • allow k9-auditor to read the bucket’s configuration
  • allow the person1 user and the appA role to read data from and write data to the bucket
  • deny all other access; this is the tricky bit!

The policy will also enforce encryption in transit and at rest.