Supported Services

k9 reports access to an ever-growing set of AWS security, data, and compute services. This document helps customers understand k9’s current and planned coverage for AWS services and resources.

AWS Service Support Matrix

This service support matrix describes which AWS services k9 supports and the current level of that support to help you determine how your use cases are covered:

Service Name	API Name(s)	Service Access	Resource Access
Security Services
CloudTrail	cloudtrail	✓	N/A
Identity & Access Management (IAM)	iam	✓	N/A
Security Token Service (STS)	sts	✓	✓ Access to all IAM roles with a trust policy is reported, both internal and external access (cross-account).
Key Management Service (KMS)	kms	✓	✓
Resource Access Manager	ram	✓	N/A
Secrets Manager	secretsmanager	✓	Possible
Management Services
Systems Management	ssm	✓	Possible
Data Services
Athena	athena	✓	Possible
Simple Storage Service (S3)	s3	✓	✓
DynamoDB (DDB) DynamoDB Accelerator DynamoDB Streams	dynamodb dax dynamodbstreams	✓	✓
Relational Database Service (RDS)	rds rds-data rds-db	✓	✓
Redshift	redshift	✓	Possible
Elastic Map Reduce (EMR)	elasticmapreduce	✓	Possible
Simple Queue Service (SQS)	sqs	✓	Possible
Kinesis Kinesis Analytics	kinesis kinesisanalytics	✓	Possible
Elastic Container Registry (ECR)	ecr	✓	Planned 2022
Compute Services
Elastic Compute Cloud (EC2)	ec2	✓	N/A
Elastic Container Service (ECS)	ecs	✓	N/A
Elastic Kubernetes Service	eks	✓	N/A
Lambda	lambda	✓	Possible

k9 analyzes access of an IAM user or role (principal) at two levels.

First, k9 reports whether an IAM principal is allowed to invoke a service’s actions irrespective of a particular resource. This is called service access. For example, an IAM role may have access to invoke S3 API write actions.

Second, k9 reports whether an IAM principal is allowed to invoke a service’s actions for a particular resource. This is called resource access. For example, an IAM role has access to invoke S3 write API actions on the sensitive-data bucket. When k9 reports resource level access, resource policies are included in the analysis of that access when the service supports resource policies (e.g. S3, KMS, SQS).

Roadmap

k9 expands AWS service coverage regularly and plans to support support the following services soon:

Service Name	API Name(s)	Service Access	Resource Access
Cognito Federated Identities	cognito-identity	Planned 2023q1	N/A
Cognito User Pools	cognito-idp	Planned 2023q1	N/A
Cognito Sync	cognito-sync	Planned 2023q1	N/A

Summary

The k9 service coverage matrix and roadmap helps customers understand what k9 analyzes access to now and in the near future.

If a service that is important to you is not on our roadmap, please let us know. We’d love to understand your use cases and urgency so that we can prioritize coverage on the roadmap.

Contact Us

Please contact us with questions or comments. We’d love to discuss AWS security with you.