k9 Security now summarizes principals’ access to the CloudTrail APIs and reports whether principals may administer, read, or delete trails. AWS CloudTrail is a service that automatically logs activity to enable governance, compliance, operational auditing, and risk auditing. k9 Security’s daily reports now contain a summary of each principal’s access to CloudTrail.
If you’re wondering which IAM principals can administer, read, or delete the CloudTrail audit trails in your account, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use CloudTrail APIs and maps each principal’s access to a k9 access capability.
Here’s an example of how CloudTrail access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

This example shows the ci IAM user and the AccountAdminAccessRole-Sandbox role have administer-resource and read-data capabilities. No principals are able to delete-data in this account, even though there are principals with access to all APIs, because a Service Control Policy blocks it.
Here’s how CloudTrail’s 19 service actions are mapped to k9 access capabilities:
| Action | Capability |
|---|---|
| AddTags | administer-resource |
| CreateTrail | administer-resource |
| DeleteTrail | administer-resource, delete-data |
| PutEventSelectors | administer-resource |
| PutInsightSelectors | administer-resource |
| RemoveTags | administer-resource |
| StartLogging | administer-resource |
| StopLogging | administer-resource |
| UpdateTrail | administer-resource |
| DescribeTrails | read-data |
| GetEventSelectors | read-data |
| GetInsightSelectors | read-data |
| GetTrail | read-data |
| GetTrailStatus | read-data |
| ListPublicKeys | read-data |
| ListTags | read-data |
| ListTrails | read-data |
| LookupEvents | read-data |
The CloudTrail API actions allowing creation, deletion, and configuration of audit trails are mapped to administer-resource. The DeleteTrail action is also mapped to the delete-data capability because it deletes audit trail data. Actions used to list and read data from trails are mapped to the read-data capability.
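To make the mapping concrete, here is an added example (not k9's own code or analysis engine) that applies the table above to an IAM policy: it expands wildcard `Action` values such as `cloudtrail:Get*` against the CloudTrail action names, subtracts explicit `Deny` statements from the identity policy and from a Service Control Policy, and reports the resulting k9-style capabilities. It reproduces the situation described above, where a principal allowed `cloudtrail:*` still cannot delete-data because an SCP denies `DeleteTrail`. The policy documents are constructed sample input, and the evaluation is a deliberate simplification that ignores `Resource`, `Condition`, permission boundaries and resource policies.

```python
"""Map CloudTrail IAM actions to access capabilities (added example).

The action/capability table is the one listed on the page. The policy
evaluation below is a simplified model: it expands Action wildcards, treats
the SCP as a boundary (an action must be allowed by both the identity policy
and the SCP) and honours explicit Deny statements, but it ignores Resource,
Condition, permission boundaries and resource-based policies.
"""
import fnmatch

# CloudTrail action -> capabilities, as listed on the page.
CLOUDTRAIL_CAPABILITIES = {
    "AddTags": {"administer-resource"},
    "CreateTrail": {"administer-resource"},
    "DeleteTrail": {"administer-resource", "delete-data"},
    "PutEventSelectors": {"administer-resource"},
    "PutInsightSelectors": {"administer-resource"},
    "RemoveTags": {"administer-resource"},
    "StartLogging": {"administer-resource"},
    "StopLogging": {"administer-resource"},
    "UpdateTrail": {"administer-resource"},
    "DescribeTrails": {"read-data"},
    "GetEventSelectors": {"read-data"},
    "GetInsightSelectors": {"read-data"},
    "GetTrail": {"read-data"},
    "GetTrailStatus": {"read-data"},
    "ListPublicKeys": {"read-data"},
    "ListTags": {"read-data"},
    "ListTrails": {"read-data"},
    "LookupEvents": {"read-data"},
}


def expand_actions(action_patterns):
    """Expand IAM Action values ("cloudtrail:Get*", "*", ...) into the CloudTrail actions they match."""
    if isinstance(action_patterns, str):
        action_patterns = [action_patterns]
    matched = set()
    for pattern in action_patterns:
        if pattern == "*":  # bare "*" means every action of every service
            pattern = "cloudtrail:*"
        service, _, name_pattern = pattern.partition(":")
        if service.lower() != "cloudtrail":
            continue  # actions of other services do not affect CloudTrail access
        for action in CLOUDTRAIL_CAPABILITIES:
            # IAM action matching is case-insensitive; "*" and "?" are the only wildcards
            if fnmatch.fnmatchcase(action.lower(), name_pattern.lower()):
                matched.add(action)
    return matched


def _allows_and_denies(policy):
    """Split a policy document into the CloudTrail actions it allows and the ones it explicitly denies."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allowed, denied = set(), set()
    for statement in statements:
        actions = expand_actions(statement.get("Action", []))
        if statement.get("Effect") == "Allow":
            allowed |= actions
        elif statement.get("Effect") == "Deny":
            denied |= actions
    return allowed, denied


def effective_actions(identity_policy, scp=None):
    """CloudTrail actions the principal can call: allowed by the identity policy,
    allowed by the SCP (if one applies) and not explicitly denied by either."""
    allowed, denied = _allows_and_denies(identity_policy)
    if scp is not None:
        scp_allowed, scp_denied = _allows_and_denies(scp)
        allowed &= scp_allowed
        denied |= scp_denied
    return allowed - denied


def capabilities(actions):
    """Union of the capabilities granted by a set of CloudTrail actions."""
    result = set()
    for action in actions:
        result |= CLOUDTRAIL_CAPABILITIES[action]
    return result


# Constructed sample input: an admin identity policy and an SCP that
# permits everything except deleting trails (the case described on the page).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}],
}
SANDBOX_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "cloudtrail:DeleteTrail", "Resource": "*"},
    ],
}
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudtrail:Get*", "cloudtrail:List*",
                   "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, policy in [("ci (admin)", ADMIN_POLICY), ("auditor", READ_ONLY_POLICY)]:
        actions = effective_actions(policy, SANDBOX_SCP)
        print(f"{name}: {sorted(capabilities(actions))} via {len(actions)} actions")
```

Running it prints `administer-resource` and `read-data` for the admin principal, with `delete-data` absent because the SCP denies `DeleteTrail`, and only `read-data` for the read-only policy. The same approach extends to any service whose actions have been classified into capabilities; the hard part in a real analyzer is the policy evaluation this example simplifies, not the table.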
We hope k9’s new CloudTrail analysis capabilities help you identify which IAM users and roles can administer and read audit trails in your AWS accounts. We are happy to answer any questions!