Today we’ll share a first look at how you can compare changes in AWS IAM access with k9 Security. Cloud teams tell us they need an easy way to understand how IAM access changes over time so they can review access periodically. Additionally, IAM access change analysis needs to integrate with common DevOps & Security automation toolsets.
We prototyped a k9diff tool (source) to discover requirements and gather feedback on the process of comparing changes in AWS IAM. Contact us anytime at [email protected] 👋
k9 reports the effective access IAM users and roles have in an AWS account to critical AWS APIs and resources such as buckets and encryption keys. Those reports are delivered in Excel, csv, and json format. Even k9’s simplified access representation results in thousands of discrete access assessments to analyze (sample – xlsx). People need some help. Fortunately, most AWS account IAM configurations are pretty stable and the csv format is straightforward to diff using command line tools.
Let’s walk through how this works.
A shell has been opened in tmp where our k9 reports S3 bucket has been sync’d to a child directory. k9 organizes reports with this directory structure (details in kata 0):
customers/{k9_customer_id}/reports/aws/{aws_account_id}/{year}/{month}/
Each element of the key path in {braces} is replaced with the relevant information for a given report:
k9_customer_id: your k9 customer id, e.g. C123456
aws_account_id: the analyzed AWS account id, e.g. 012345678912
year: the year component of the analysis start time (UTC), e.g. 2021
month: the month component of the analysis start time (UTC), e.g. 04
The k9diff tool reports the differences between two reports using several inputs:
k9diff <report_type> <aws_account_id> <start_date> <end_date>
Let’s work through an example for changes in IAM principal access.
Compare AWS IAM principal access changes
Let’s compare changes to what IAM users and roles can access in the k9-dev account over the past week with this command:
k9diff principal-access-summaries 139710491120 2021-04-13 2021-04-20
k9diff finds the csv format of the principal-access-summaries files for those days, diffs them, and outputs a simplified list of access additions and removals:
# Format: Short IAM Principal Name, Principal Type, AWS Service, k9 capability, (optional) resource)
+AccessAnalyzerMonitorServiceRole_DKEX2XK0Y1,IAMRole,CloudTrail,read-config,
+AccessAnalyzerMonitorServiceRole_DKEX2XK0Y1,IAMRole,IAM,read-data,
-dms-vpc-role,IAMRole,EC2,administer-resource,
-dms-vpc-role,IAMRole,EC2,read-config,
-k9-dev-appeng,IAMRole,DynamoDB Streams,read-config,
-k9-dev-appeng,IAMRole,DynamoDB Streams,read-data,
-k9-dev-appeng,IAMRole,EC2,use-resource,
Lines start with + for an access addition and - for an access removal.
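To make the comparison concrete, here is an added example (not k9diff’s own source) of the two steps the post describes: building the report key prefix from the {braces} path structure, and reducing two daily csv summaries to the +/- line format shown above. It assumes, purely for illustration, that each summary csv has a header row with the columns principal_name, principal_type, service, capability and resource; the sample rows are constructed to reproduce the seven changes listed in the post, plus one unchanged S3 grant that the diff correctly leaves out. The same diff applies unchanged to resource-access-summaries files, since only the row contents differ.

```python
"""Added example: diff two k9-style principal access summary csv files.

Assumed (not from the post): the csv columns below and the sample rows, which are constructed.
"""
import csv
import io

# Key prefix structure from the post; each {field} is filled per report.
REPORT_PREFIX = "customers/{k9_customer_id}/reports/aws/{aws_account_id}/{year}/{month}/"


def report_prefix(k9_customer_id, aws_account_id, date):
    """Build the S3 key prefix for the month containing `date` (YYYY-MM-DD)."""
    year, month, _day = date.split("-")
    return REPORT_PREFIX.format(
        k9_customer_id=k9_customer_id, aws_account_id=aws_account_id, year=year, month=month
    )


def load_access_set(csv_text):
    """Parse a summary csv into a set of (principal, type, service, capability, resource) tuples.

    A set is the right shape: each tuple is one discrete access assessment, and set
    difference gives additions and removals without caring about row order.
    """
    rows = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.add((
            row["principal_name"],
            row["principal_type"],
            row["service"],
            row["capability"],
            row.get("resource", "") or "",
        ))
    return rows


def diff_access(start_csv, end_csv):
    """Return k9diff-style lines: '+' for access only at end, '-' for access only at start."""
    start = load_access_set(start_csv)
    end = load_access_set(end_csv)
    added = ["+" + ",".join(t) for t in sorted(end - start)]
    removed = ["-" + ",".join(t) for t in sorted(start - end)]
    return added + removed


# Constructed sample: the account's summary at the start of the week ...
START_CSV = """\
principal_name,principal_type,service,capability,resource
dms-vpc-role,IAMRole,EC2,administer-resource,
dms-vpc-role,IAMRole,EC2,read-config,
k9-dev-appeng,IAMRole,DynamoDB Streams,read-config,
k9-dev-appeng,IAMRole,DynamoDB Streams,read-data,
k9-dev-appeng,IAMRole,EC2,use-resource,
k9-dev-appeng,IAMRole,S3,read-data,arn:aws:s3:::example-bucket
"""

# ... and at the end of the week (constructed). The S3 grant is unchanged and must not appear.
END_CSV = """\
principal_name,principal_type,service,capability,resource
AccessAnalyzerMonitorServiceRole_DKEX2XK0Y1,IAMRole,CloudTrail,read-config,
AccessAnalyzerMonitorServiceRole_DKEX2XK0Y1,IAMRole,IAM,read-data,
k9-dev-appeng,IAMRole,S3,read-data,arn:aws:s3:::example-bucket
"""

if __name__ == "__main__":
    print("# reports under:", report_prefix("C123456", "012345678912", "2021-04-13"))
    print("# Format: Short IAM Principal Name, Principal Type, AWS Service, k9 capability, (optional) resource")
    for line in diff_access(START_CSV, END_CSV):
        print(line)
```

Reviewing the output is then a matter of asking, for each + line, whether that grant was expected, and for each - line, whether anything still depends on it; the unchanged bulk of the report never has to be read.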
These changes all occurred in the k9-dev account last week. In particular, the k9 Security engineering team experimented with the AWS Access Analyzer Policy Generator. During that work we:
- Provisioned the AccessAnalyzerMonitorServiceRole_DKEX2XK0Y1 role
- Analyzed the k9-dev-appeng role
- Reduced k9-dev-appeng’s privileges
- Removed dms-vpc-role
A list of 7 changes is much easier to review than comprehending the more than 4,000 underlying access assessments.
Comparing resource access changes
k9diff compares changes in access to specific resources using the resource-access-summaries report type. You could identify access changes to S3 buckets and Encryption Keys over the past week with:
k9diff resource-access-summaries 139710491120 2021-04-13 2021-04-20
However, there were no access changes to covered resources in this account during the time frame so the results are empty.
Next Steps
k9 Security prototyped k9diff to learn more about the problems customers encounter when comparing AWS IAM access changes and what good solutions need. For example, k9diff’s output was simplified significantly while writing this post. But this is only a first exploration and look at the capabilities k9 is building. If you’d like to stay informed of these updates, subscribe to k9 News.