How k9 relates to AWS Security services

There are many AWS security services and it can be confusing to distinguish between them, know if you should adopt a service, or determine whether you have an important gap. This article explains how k9 relates to core AWS security services.

k9 does not replace or compete with any existing AWS security service. Rather, k9 helps you use AWS security services more effectively and safely.

AWS Security Services

Figure 1. Data Flow Between Core AWS Security Services

This section will briefly describe important AWS security services and how k9 relates to that service, if at all.

AWS Identity & Access Management

The AWS Identity and Access Management (IAM) service enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

The k9 analysis service gathers configuration and usage information from the IAM service, synthesizes it, and reports it to you in an understandable way. k9 infrastructure code libraries help you configure IAM security policies securely.

Key difference: AWS IAM manages and enforces security policies; k9 analyzes those configurations and helps you improve them.

AWS Identity and Access Management (IAM) Access Analyzer

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.

The k9 analysis service integrates findings from AWS IAM Access Analyzer and helps you identify both internal and external IAM users and roles that have access to data within your AWS account. k9 helps you clearly identify which IAM principals have access to your critical data resources, and what kind of access each principal has: read, write, administer, etc. k9 also helps you identify when those IAM principals were last used.

Key difference: k9 identifies both internal and external access capabilities; AWS IAM Access Analyzer identifies only external access, in terms of individual IAM permissions.

Note: The IAM Access Analyzer now has a Policy Validator.  The Policy Validator identifies where policies are invalid, probably overly permissive, or deviate from best practice (details).
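The paragraph above says k9 reports what kind of access each principal has to a data resource: read, write, administer. The following is an added illustration of how coarse access levels can be derived from the individual permissions in an IAM policy document; it is not k9's implementation, and the catalogue that sorts S3 actions into read, write and administer, the sample policies, the principal names and the bucket ARNs are all constructed for this example. It handles the two details that make such analysis non-trivial: wildcard action patterns such as s3:Get* and the rule that an explicit Deny beats any Allow.

```python
"""Derive the access level an IAM policy grants on a data resource.

Added illustration, not k9's implementation: the read/write/administer
catalogue below is a constructed simplification used to show how coarse
access levels can be derived from individual S3 permissions.
"""
import fnmatch

# Constructed catalogue: which S3 actions count as read, write or administer.
# Which action belongs to which level is an assumption made for this example.
ACCESS_LEVELS = {
    "read": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
    "write": ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"],
    "administer": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
                   "s3:PutBucketAcl", "s3:DeleteBucket"],
}


def _as_list(value):
    """IAM allows either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource_arn):
    """Resource ARNs are case-sensitive but allow the same wildcards."""
    return fnmatch.fnmatchcase(resource_arn, pattern)


def effective_access(policy, resource_arn):
    """Return the set of access levels the policy grants on resource_arn.

    Every Allow statement that names the resource contributes the catalogue
    actions it matches; every Deny statement removes them. An explicit Deny
    beats any Allow, which mirrors IAM's evaluation rule. Condition keys are
    not evaluated (assumption: the statements carry no conditions).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        if not any(_resource_matches(r, resource_arn) for r in resources):
            continue
        patterns = _as_list(stmt.get("Action", []))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for catalogue in ACCESS_LEVELS.values():
            for action in catalogue:
                if any(_action_matches(p, action) for p in patterns):
                    target.add(action)
    granted = allowed - denied
    return {level for level, catalogue in ACCESS_LEVELS.items()
            if any(action in granted for action in catalogue)}


def access_report(principal_policies, resource_arn):
    """Map each principal name to the sorted access levels it holds on resource_arn.

    principal_policies: {principal_name: policy_document}. Principals with no
    access are listed with an empty list so that the absence is visible too.
    """
    return {name: sorted(effective_access(policy, resource_arn))
            for name, policy in principal_policies.items()}


# Constructed sample policies for two hypothetical principals.
ANALYST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:ListBucket", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::example-data-bucket",
                      "arn:aws:s3:::example-data-bucket/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    report = access_report({"analyst": ANALYST_POLICY, "bucket-admin": ADMIN_POLICY},
                           "arn:aws:s3:::example-data-bucket")
    for principal, levels in report.items():
        print(f"{principal}: {', '.join(levels) or 'no access'}")
```

Run as a script, it lists each constructed principal with its effective levels on the example bucket: the analyst ends up with read and write, the admin with read, write and administer even though one administrative action (s3:DeleteBucket) is explicitly denied. A real analysis would also have to evaluate resource policies, permission boundaries, service control policies and condition keys, which is why the simplification is labelled as such.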

AWS CloudTrail

CloudTrail is an AWS service that provides an audit log of important events that occur in your AWS account. The logs, called trails, record most AWS API usage that occurs within your account, whether performed by an IAM principal from your AWS account, by a principal from another AWS account, or by AWS itself. CloudTrail provides a critical building block for many detective controls.

Currently, k9 does not integrate CloudTrail log data directly into its access analysis. Rather, k9 determines what IAM principals could do, so that you can correct misconfigurations proactively before an unintended action occurs and shows up in CloudTrail.

Key difference: k9 reports what IAM principals could do rather than reporting what already happened.
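To make the "what already happened" side of that difference concrete, here is an added example (not k9's or AWS's code) that reads CloudTrail records in the JSON form a trail delivers and answers the after-the-fact questions a detective control answers: which principals touched a bucket, whether any of them came from another AWS account, when each was last seen, and which calls were denied. The three records, the account ids, the role and user names and the bucket name are constructed for this example; the field names (eventTime, eventName, userIdentity, recipientAccountId, errorCode, requestParameters) are the standard CloudTrail record fields.

```python
"""Summarize what IAM principals actually did, from CloudTrail records.

Added illustration, not k9's or AWS's code. The records below are
constructed; the field names are those of real CloudTrail records.
"""
import json

HOME_ACCOUNT = "111111111111"  # constructed id of the account that owns the trail

# Constructed trail: one JSON record per line, as delivered by CloudTrail.
CONSTRUCTED_TRAIL_LINES = [
    json.dumps({"eventTime": "2021-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "GetObject", "recipientAccountId": "111111111111",
                "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                                 "arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"},
                "requestParameters": {"bucketName": "example-data-bucket", "key": "report.csv"}}),
    json.dumps({"eventTime": "2021-03-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "GetObject", "recipientAccountId": "111111111111",
                "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                                 "arn": "arn:aws:sts::222222222222:assumed-role/partner-role/session"},
                "requestParameters": {"bucketName": "example-data-bucket", "key": "report.csv"}}),
    json.dumps({"eventTime": "2021-03-02T09:15:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutBucketPolicy", "recipientAccountId": "111111111111",
                "errorCode": "AccessDenied",
                "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                                 "arn": "arn:aws:iam::111111111111:user/analyst"},
                "requestParameters": {"bucketName": "example-data-bucket"}}),
]


def parse_records(lines):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def summarize_principals(records, home_account):
    """Per principal ARN: event count, last time seen, denied calls, and whether
    the principal belongs to an account other than the one that owns the trail."""
    summary = {}
    for rec in records:
        identity = rec.get("userIdentity", {})
        arn = identity.get("arn", "unknown")
        entry = summary.setdefault(arn, {"events": 0, "denied": 0,
                                         "last_seen": "", "cross_account": False})
        entry["events"] += 1
        # eventTime is ISO 8601 in UTC, so plain string comparison orders it correctly
        entry["last_seen"] = max(entry["last_seen"], rec.get("eventTime", ""))
        if rec.get("errorCode") == "AccessDenied":
            entry["denied"] += 1
        if identity.get("accountId") not in (None, home_account):
            entry["cross_account"] = True
    return summary


def bucket_access_events(records, bucket_name):
    """Return (eventTime, eventName, principal ARN) for every call against one bucket."""
    hits = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") == bucket_name:
            hits.append((rec["eventTime"], rec["eventName"], rec["userIdentity"]["arn"]))
    return sorted(hits)


SAMPLE_RECORDS = parse_records(CONSTRUCTED_TRAIL_LINES)

if __name__ == "__main__":
    for arn, entry in summarize_principals(SAMPLE_RECORDS, HOME_ACCOUNT).items():
        flag = " (other account)" if entry["cross_account"] else ""
        print(f"{arn}{flag}: {entry['events']} events, {entry['denied']} denied, "
              f"last seen {entry['last_seen']}")
    for when, name, arn in bucket_access_events(SAMPLE_RECORDS, "example-data-bucket"):
        print(f"{when} {name} by {arn}")
```

Note what the trail does and does not tell you: it shows the partner role from account 222222222222 read the bucket, and that the analyst's attempt to change the bucket policy was denied, but only because those calls were made. A principal that holds the permission and has never exercised it leaves no record at all, which is the gap that proactive analysis of what principals could do is meant to close.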

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty consumes log information from CloudTrail and other security services to warn you of intrusions.

Key difference: k9 focuses on proactive and preventative controls that help you avoid problems rather than detect anomalies as they occur. 

AWS Security Hub

AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. Security Hub aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as:

  • Amazon GuardDuty
  • Amazon Inspector
  • Amazon Macie
  • AWS Identity and Access Management Access Analyzer
  • Other AWS Security services & AWS Partner Network (APN) solutions

k9 plans to publish access analysis findings to Security Hub in the near future.

Key difference: k9 produces security findings; AWS Security Hub aggregates findings and helps you manage them to resolution.

Amazon Macie

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. For example, Macie helps you identify S3 buckets whose data contains personally identifiable information (PII).

k9 helps you identify who has access to data resources such as S3 buckets and the data inside those resources.

Key difference: k9 tells you which IAM principals have access to the data resources (S3 buckets, RDS Clusters, SQS queues) in your account. Macie tells you if sensitive, regulated data is inside those data resources.

Amazon Inspector

Amazon Inspector is an automated security assessment service that identifies EC2 and VPC network exposure, vulnerabilities, and deviations from best practices.

k9 will analyze which IAM principals can administer EC2 and network resources in 2021q1 (k9 roadmap).

Key difference: Inspector reports the effective network-level access controls, whereas k9 reports the effective identity-level access controls.

Summary

k9 analyzes security policy configuration and activity from the AWS IAM service and reports access understandably so that you can improve configurations proactively. k9 complements and is designed to work with core AWS security services.

Contact Us

Please contact us with questions or comments. We’d love to discuss AWS security with you.