Supported Services
k9 reports access to an ever-growing set of AWS security, data, and compute services. This document helps customers understand k9’s current and planned coverage for AWS services and resources.
AWS Service Support Matrix
This service support matrix describes which AWS services k9 supports and the current level of that support to help you determine how your use cases are covered:
| Service Name | API Name(s) | Service Access | Resource Access |
|---|---|---|---|
| Account | account | ✓ | N/A |
| CloudTrail | cloudtrail | ✓ | N/A |
| Identity & Access Management (IAM) | iam | ✓ | N/A |
| Security Token Service (STS) | sts | ✓ |
✓ Access to all IAM roles with a trust policy is reported, both internal and external access (cross-account). |
| Key Management Service (KMS) | kms | ✓ | ✓ |
| Resource Access Manager | ram | ✓ | N/A |
| Secrets Manager | secretsmanager | ✓ | Possible |
| Systems Management | ssm | ✓ | Possible |
| Athena | athena | ✓ | Possible |
| Simple Storage Service (S3) | s3 | ✓ | ✓ |
| DynamoDB (DDB) DynamoDB Accelerator DynamoDB Streams |
dynamodb dax dynamodbstreams |
✓ | ✓ |
| Elastic File System | elasticfilesystem | ✓ | ✓ |
| Relational Database Service (RDS) | rds rds-data rds-db |
✓ | ✓ |
| Redshift | redshift | ✓ | Possible |
| Elastic Map Reduce (EMR) | elasticmapreduce | ✓ | Possible |
| Simple Queue Service (SQS) | sqs | ✓ | Possible |
| Kinesis Kinesis Analytics |
kinesis kinesisanalytics |
✓ | Possible |
| Elastic Container Registry (ECR) | ecr | ✓ | Possible |
| Elastic Compute Cloud (EC2) | ec2 | ✓ | N/A |
| Elastic Container Service (ECS) | ecs | ✓ | N/A |
| Elastic Kubernetes Service | eks | ✓ | N/A |
| Lambda | lambda | ✓ | Possible |
k9 analyzes access of an IAM user or role (principal) at two levels.
First, k9 reports whether an IAM principal is allowed to invoke a service’s actions irrespective of a particular resource. This is called service access. For example, an IAM role may have access to invoke S3 API write actions.
Second, k9 reports whether an IAM principal is allowed to invoke a service’s actions for a particular resource. This is called resource access. For example, an IAM role has access to invoke S3 write API actions on the sensitive-data bucket. When k9 reports resource level access, resource policies are included in the analysis of that access when the service supports resource policies (e.g. S3, KMS, SQS).
Roadmap
| Service Name | API Name(s) | Service Access | Resource Access |
|---|---|---|---|
| TBD |
Summary
The k9 service coverage matrix and roadmap helps customers understand what k9 analyzes access to now and in the near future.
If a service that is important to you is not on our roadmap, please let us know. We’d love to understand your use cases and urgency so that we can prioritize coverage on the roadmap.
Contact Us
Please contact us with questions or comments. We’d love to discuss AWS security with you.