Supported Services

k9 reports access to an ever-growing set of AWS security, data, and compute services. This document helps customers understand k9’s current and planned coverage for AWS services and resources.

AWS Service Support Matrix

This service support matrix describes which AWS services k9 supports and the current level of that support to help you determine how your use cases are covered:

Service Name API Name(s) Service Access Resource Access
Security Services
CloudTrail cloudtrail N/A
Identity & Access Management (IAM) iam N/A
Security Token Service (STS) sts

Access to all IAM roles with a trust policy is reported, both internal and external access (cross-account).

Key Management Service (KMS) kms
Data Services
Athena athena Possible
Simple Storage Service (S3) s3
DynamoDB (DDB), DynamoDB Accelerator, DynamoDB Streams dynamodb, dax, dynamodbstreams Planned 2021q4
Relational Database Service (RDS) rds, rds-data, rds-db Planned 2021q4
Redshift redshift Possible
Elastic Map Reduce (EMR) elasticmapreduce Possible
Simple Queue Service (SQS) sqs Possible
Kinesis, Kinesis Analytics kinesis, kinesisanalytics Possible
Compute Services
Elastic Compute Cloud (EC2) ec2 N/A
Elastic Container Service (ECS) ecs N/A
Elastic Kubernetes Service eks N/A
Lambda lambda Planned 2021q4

k9 analyzes access of an IAM user or role (principal) at two levels.

First, k9 reports whether an IAM principal is allowed to invoke a service’s actions irrespective of a particular resource. This is called service access.  For example, an IAM role may have access to invoke S3 API write actions.

Second, k9 reports whether an IAM principal is allowed to invoke a service’s actions for a particular resource.  This is called resource access.  For example, an IAM role has access to invoke S3 write API actions on the sensitive-data bucket. When k9 reports resource level access, resource policies are included in the analysis of that access when the service supports resource policies (e.g. S3, KMS, SQS).
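
The difference between the two levels, as an added example (not k9's code or output): a simplified same-account evaluator run over constructed policies, showing a role whose identity policy gives it S3 write service access but no access to the sensitive-data bucket until the bucket's resource policy is included. The role ARN, account id, app-logs bucket and object key are assumptions; Condition, NotAction, permissions boundaries and SCPs are not modelled.

```python
from fnmatch import fnmatchcase

ROLE = "arn:aws:iam::111122223333:role/app"      # constructed principal
OBJ = "arn:aws:s3:::sensitive-data/report.csv"   # constructed object ARN

# Constructed identity policy attached to ROLE: writes to app-logs only.
IDENTITY = [{"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": ["arn:aws:s3:::app-logs/*"]}]

# Constructed bucket policy on sensitive-data that names ROLE directly.
BUCKET_POLICY = [{"Effect": "Allow", "Principal": ROLE,
                  "Action": ["s3:PutObject"],
                  "Resource": ["arn:aws:s3:::sensitive-data/*"]}]

def _hit(patterns, value, fold=False):
    """'*'/'?' wildcard match; action names compare case-insensitively."""
    if fold:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatchcase(value, p) for p in patterns)

def service_access(identity, action):
    """Service level: does any Allow cover the action, on any resource at all?"""
    return any(s["Effect"] == "Allow" and _hit(s["Action"], action, fold=True)
               for s in identity)

def resource_access(principal, identity, resource_policy, action, resource):
    """Resource level, same account: Deny wins, else identity OR resource Allow."""
    applicable = [s for s in identity
                  if _hit(s["Action"], action, True)
                  and _hit(s["Resource"], resource)]
    applicable += [s for s in resource_policy
                   if s["Principal"] == principal
                   and _hit(s["Action"], action, True)
                   and _hit(s["Resource"], resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)

if __name__ == "__main__":
    act = "s3:PutObject"
    print("service access:", service_access(IDENTITY, act))
    print("identity policy only:", resource_access(ROLE, IDENTITY, [], act, OBJ))
    print("with bucket policy:",
          resource_access(ROLE, IDENTITY, BUCKET_POLICY, act, OBJ))
```

Reviewing only the role's identity policies would miss the write path that the bucket policy opens, which is why resource-level analysis has to read both.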

Roadmap

k9 expands AWS service coverage regularly and plans to support the following services soon:

Service Name API Name(s) Service Access Resource Access
Elastic Container Registry (ECR) ecr Planned 2021q4 Planned 2021q4

Summary

The k9 service coverage matrix and roadmap help customers understand what k9 analyzes access to now and in the near future.

If a service that is important to you is not on our roadmap, please let us know. We’d love to understand your use cases and urgency so that we can prioritize coverage on the roadmap.

Contact Us

Please contact us with questions or comments. We’d love to discuss AWS security with you.