k9 Security now summarizes principals’ access to the CloudTrail APIs and reports whether principals may administer, read, or delete trails. AWS CloudTrail is a service that automatically logs activity to enable governance, compliance, operational auditing, and risk auditing. k9 Security’s daily reports now contain a summary of each principal’s access to CloudTrail.
If you’re wondering which IAM principals can administer, read, or delete the CloudTrail audit trails in your account, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use CloudTrail APIs and maps each principal’s access to a k9 access capability.
Here’s an example of how CloudTrail access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

This example shows the `ci` IAM user and the `AccountAdminAccessRole-Sandbox` role have `administer-resource` and `read-data` capabilities. No principals are able to `delete-data` in this account, even though there are principals with access to all CloudTrail APIs, because a Service Control Policy denies it.
Here’s how the CloudTrail service actions are mapped to k9 access capabilities:
Action | Capability |
---|---|
AddTags | administer-resource |
CreateTrail | administer-resource |
DeleteTrail | administer-resource, delete-data |
PutEventSelectors | administer-resource |
PutInsightSelectors | administer-resource |
RemoveTags | administer-resource |
StartLogging | administer-resource |
StopLogging | administer-resource |
UpdateTrail | administer-resource |
DescribeTrails | read-data |
GetEventSelectors | read-data |
GetInsightSelectors | read-data |
GetTrail | read-data |
GetTrailStatus | read-data |
ListPublicKeys | read-data |
ListTags | read-data |
ListTrails | read-data |
LookupEvents | read-data |
The CloudTrail API actions allowing creation, deletion, and configuration of audit trails are mapped to `administer-resource`. The `DeleteTrail` action is also mapped to the `delete-data` capability because it deletes audit trail data. Actions used to list and read data from trails are mapped to the `read-data` capability.
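To show how a mapping like this turns raw IAM policy statements into a capability summary, here is an added example (not k9 Security's code) that expands wildcard `Action` patterns such as `cloudtrail:*` or `cloudtrail:Get*` to concrete CloudTrail APIs, applies explicit-Deny-wins semantics across a principal's identity policies and an optional Service Control Policy, and reports the resulting capabilities, reproducing the situation above where an all-APIs principal still lacks `delete-data` because an SCP denies `DeleteTrail`. The policy documents, principal names (`ci`, `auditor`) and the `PROTECT_TRAILS_SCP` guardrail are constructed for illustration; the evaluator ignores conditions, resource ARNs, `NotAction`, permission boundaries and SCP inheritance, so it is an approximation rather than a full IAM simulation.

```python
"""Summarize which k9-style access capabilities (administer-resource,
read-data, delete-data) a principal's CloudTrail permissions grant.

Added example, not k9 Security's code. A deliberately simplified IAM
evaluator: identity policy statements plus optional Service Control
Policies, with wildcard Action matching and explicit-Deny-wins semantics.
Conditions, Resource ARNs, NotAction, permission boundaries and the SCP
inheritance tree are ignored, so treat results as an approximation.
"""
from __future__ import annotations

import fnmatch
from typing import Iterable

# Action -> capability mapping, taken from the table above.
CLOUDTRAIL_CAPABILITIES: dict[str, frozenset[str]] = {
    "AddTags": frozenset({"administer-resource"}),
    "CreateTrail": frozenset({"administer-resource"}),
    "DeleteTrail": frozenset({"administer-resource", "delete-data"}),
    "PutEventSelectors": frozenset({"administer-resource"}),
    "PutInsightSelectors": frozenset({"administer-resource"}),
    "RemoveTags": frozenset({"administer-resource"}),
    "StartLogging": frozenset({"administer-resource"}),
    "StopLogging": frozenset({"administer-resource"}),
    "UpdateTrail": frozenset({"administer-resource"}),
    "DescribeTrails": frozenset({"read-data"}),
    "GetEventSelectors": frozenset({"read-data"}),
    "GetInsightSelectors": frozenset({"read-data"}),
    "GetTrail": frozenset({"read-data"}),
    "GetTrailStatus": frozenset({"read-data"}),
    "ListPublicKeys": frozenset({"read-data"}),
    "ListTags": frozenset({"read-data"}),
    "ListTrails": frozenset({"read-data"}),
    "LookupEvents": frozenset({"read-data"}),
}
CLOUDTRAIL_ACTIONS = frozenset(CLOUDTRAIL_CAPABILITIES)


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Statement; normalize to a list."""
    return value if isinstance(value, list) else [value]


def expand_actions(patterns: Iterable[str]) -> set[str]:
    """Expand Action patterns ("*", "cloudtrail:*", "cloudtrail:Get*") to the
    concrete CloudTrail API names they cover. IAM matches case-insensitively."""
    matched: set[str] = set()
    for pattern in patterns:
        for api in CLOUDTRAIL_ACTIONS:
            if fnmatch.fnmatchcase(f"cloudtrail:{api}".lower(), pattern.lower()):
                matched.add(api)
    return matched


def split_policy(policy: dict) -> tuple[set[str], set[str]]:
    """Return (allowed, denied) CloudTrail actions named by one policy document."""
    allow, deny = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt:
            raise ValueError("NotAction is not handled by this simplified evaluator")
        actions = expand_actions(_as_list(stmt.get("Action", [])))
        (allow if stmt.get("Effect") == "Allow" else deny).update(actions)
    return allow, deny


def _merge(policies: Iterable[dict]) -> set[str]:
    """Union of allows minus union of denies across a set of policies."""
    allow, deny = set(), set()
    for policy in policies:
        a, d = split_policy(policy)
        allow |= a
        deny |= d
    return allow - deny


def effective_actions(identity_policies: Iterable[dict],
                      scps: Iterable[dict] = ()) -> set[str]:
    """Actions the principal can actually call: allowed by its identity
    policies and, when SCPs are supplied, also allowed by the SCPs.
    An explicit Deny in either layer removes the action."""
    effective = _merge(identity_policies)
    scps = list(scps)
    if scps:
        effective &= _merge(scps)
    return effective


def capabilities(actions: Iterable[str]) -> set[str]:
    """Map a set of concrete CloudTrail actions to k9 capabilities."""
    caps: set[str] = set()
    for action in actions:
        caps |= CLOUDTRAIL_CAPABILITIES[action]
    return caps


def summarize(principals: dict[str, list[dict]],
              scps: Iterable[dict] = ()) -> dict[str, list[str]]:
    """Principal name -> sorted capability list, like the Principal Access Summary."""
    scps = list(scps)
    return {name: sorted(capabilities(effective_actions(policies, scps)))
            for name, policies in principals.items()}


# Constructed sample policies (hypothetical, for illustration only).
CI_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}]}

READONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudtrail:Describe*", "cloudtrail:Get*",
                "cloudtrail:List*", "cloudtrail:LookupEvents"]}]}

# Constructed SCP: the usual allow-everything statement plus a guardrail
# that forbids deleting or stopping trails anywhere in the account.
PROTECT_TRAILS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"]}]}

if __name__ == "__main__":
    report = summarize({"ci": [CI_POLICY], "auditor": [READONLY_POLICY]},
                       scps=[PROTECT_TRAILS_SCP])
    for principal, caps in report.items():
        print(f"{principal:10s} {', '.join(caps)}")
```

Run as-is, `ci` reports `administer-resource, read-data` and `auditor` reports `read-data`; drop the SCP argument and `ci` gains `delete-data`, which is exactly the distinction the worksheet makes between "has access to all APIs" and "can actually delete audit data". Wildcard expansion is the part most often done wrong by hand: a policy that never spells out `DeleteTrail` still grants it through `cloudtrail:*` or `*`.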
We hope k9’s new CloudTrail analysis capabilities help you identify which IAM users and roles can administer and read audit trails in your AWS accounts. We are happy to answer any questions!