k9 Security now summarizes principals’ access to the Elastic Compute Cloud (EC2) APIs. k9 reports whether IAM principals may administer EC2 compute, network, and storage configurations and use or destroy those resources. Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud.

If you’re wondering which IAM principals can administer, use, or delete EC2 resources, k9 can give you a short list to review. EC2’s large API manages the compute, network, and storage operations required by virtual machines. k9 analyzes AWS accounts to see which IAM users and roles can use EC2 APIs and maps each principal’s access to a k9 access capability.

Here’s an example of how EC2 access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

k9 Principal Access Summary for EC2

This excerpt shows the ci IAM user has full access to EC2 APIs: administer-resource, read-config, use-resource, write-data, and delete-data. The k9-auditor role has only the read-config capability for EC2 APIs, allowing it to read EC2 configuration metadata.

k9 models starting, restarting, or stopping compute instances (VMs) as use-resource:

Mapping of EC2 API actions to use-resource

The delete-data capability covers deleting EC2 data volumes, snapshots, and keypairs:

Mapping of EC2 API actions to delete-data

The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
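The action-to-capability mapping described above, as an added example that is not k9 Security's code: a small evaluator that expands the action patterns in an IAM identity policy, applies explicit Deny statements, and reports which capabilities remain. The action table is an assumed, constructed subset of the EC2 API (it is not the mapping in the k9 report's worksheet), and the three sample policies (a `ci`-style full-access policy, a `Describe*`-only auditor policy, and an operator policy that is denied deletes) are constructed for the illustration.

```python
"""Summarize the k9-style access capabilities an IAM identity policy grants for EC2.

Added example for this post; it is not k9 Security's code. The action-to-
capability table below is constructed for the illustration and is NOT the
mapping published in the k9 report's 'k9 Access Capability Mapping' worksheet.
"""
import fnmatch

# Constructed subset of the EC2 actions, mapped to the five capabilities named
# in the post (assumed mapping, for illustration only).
ACTION_CAPABILITIES = {
    "ec2:DescribeInstances": "read-config",
    "ec2:DescribeVolumes": "read-config",
    "ec2:DescribeSecurityGroups": "read-config",
    "ec2:StartInstances": "use-resource",
    "ec2:StopInstances": "use-resource",
    "ec2:RebootInstances": "use-resource",
    "ec2:RunInstances": "administer-resource",
    "ec2:TerminateInstances": "administer-resource",
    "ec2:AuthorizeSecurityGroupIngress": "administer-resource",
    "ec2:CreateVolume": "write-data",
    "ec2:AttachVolume": "write-data",
    "ec2:DeleteVolume": "delete-data",
    "ec2:DeleteSnapshot": "delete-data",
    "ec2:DeleteKeyPair": "delete-data",
}
ALL_CAPABILITIES = set(ACTION_CAPABILITIES.values())


def _as_list(value):
    """IAM allows most elements to be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def expand_actions(pattern):
    """Expand an IAM action pattern ('ec2:*', 'ec2:Describe*') to the known actions it matches.

    IAM action names are matched case-insensitively, so compare lower-cased forms.
    """
    return [a for a in ACTION_CAPABILITIES if fnmatch.fnmatchcase(a.lower(), pattern.lower())]


def statement_actions(stmt):
    """Resolve the known EC2 actions a statement refers to, honoring Action and NotAction."""
    if "Action" in stmt:
        matched = set()
        for pattern in _as_list(stmt["Action"]):
            matched.update(expand_actions(pattern))
        return matched
    if "NotAction" in stmt:
        excluded = set()
        for pattern in _as_list(stmt["NotAction"]):
            excluded.update(expand_actions(pattern))
        return set(ACTION_CAPABILITIES) - excluded
    return set()


def summarize_policy(policy):
    """Return the capabilities granted by an identity policy: Allow minus explicit Deny.

    Resource and Condition elements are ignored, so this is an upper bound on what
    the identity policy alone permits.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target |= statement_actions(stmt)
    return {ACTION_CAPABILITIES[action] for action in allowed - denied}


def summarize_principals(principals):
    """Build a principal -> sorted capability list table from {name: policy}."""
    return {name: sorted(summarize_policy(policy)) for name, policy in principals.items()}


# Constructed sample policies (not from any real account).
CI_POLICY = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}}
AUDITOR_POLICY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}
OPERATOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:Delete*", "ec2:TerminateInstances"], "Resource": "*"},
]}

if __name__ == "__main__":
    table = summarize_principals({"ci": CI_POLICY, "k9-auditor": AUDITOR_POLICY,
                                  "operator": OPERATOR_POLICY})
    for name, caps in table.items():
        print(f"{name:12s} {', '.join(caps)}")
```

Because Resource and Condition constraints are dropped, the result is a ceiling on what the identity policy can grant; a review that needs the effective permissions must also account for resource- and condition-scoped statements, permission boundaries, and service control policies.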

The Amazon EC2 API currently has 437 actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how EC2 compares to other AWS data, compute, and security APIs:

k9 AWS Service Analysis Summary

AWS EC2 lets you operate applications at any scale, securely and reliably. Manage risk to your applications running on EC2 by continuously reviewing and adjusting access to EC2 instances, security groups, volumes, and the EC2 compute APIs.

We hope k9’s new EC2 analysis capabilities help you identify which IAM users and roles can administer EC2, run compute instances, and modify firewalls in your AWS accounts. We are happy to answer any questions!