First Look: Compare changes in AWS IAM access with k9

Today we’ll share a first look at how you can compare changes in AWS IAM access with k9 Security. Cloud teams tell us they need an easy way to understand how IAM access changes over time so they can review access periodically. Additionally, IAM access change analysis needs to integrate with common DevOps & Security automation toolsets.

We prototyped a k9diff tool (source) to discover requirements and gather feedback on the process of comparing changes in AWS IAM. Contact us anytime at [email protected] 👋

k9 reports the effective access IAM users and roles have in an AWS account to critical AWS APIs and resources such as buckets and encryption keys. Those reports are delivered in Excel, csv, and json format. Even k9’s simplified access representations results in thousands of discrete access assessments to analyze (sample – xslx). People need some help. Fortunately, most AWS account IAM configurations are pretty stable and the csv format is straightforward to diff using command line tools.

Let’s walk through how this works.

A shell has been opened in tmp where our k9 reports S3 bucket has been sync’d to a child directory. k9 organizes reports with this directory structure (details in kata 0):

customers/{k9_customer_id}/reports/aws/{aws_account_id}/{year}/{month}/

Each element of the key path in {braces} is replaced with the relevant information for a given report:

• k9_customer_id: your k9 customer id, e.g. C123456
• aws_account_id: the analyzed AWS account id, e.g. 012345678912
• year: the year component of the analysis start time (UTC), e.g. 2021
• month: the year component of the analysis start time (UTC), e.g. 04

The k9diff tool reports the differences between two reports using several inputs:

k9diff <report_type> <aws_account_id> <start_date> <end_date>

Let’s work through an example for changes in IAM principal access.

Compare AWS IAM principal access changes

Let’s compare changes to what IAM users and roles can access in the k9-dev account over the past week with this command:

k9diff principal-access-summaries 139710491120 2021-04-13 2021-04-20

k9diff finds the csv format of the principal-access-summaries files for those days, diffs them, and outputs a simplified list of access additions and removals:

# Format: Short IAM Principal Name, Principal Type, AWS Service, k9 capability, (optional) resource)
+AccessAnalyzerMonitorServiceRole_DKEX2XK0Y1,IAMRole,CloudTrail,read-config,
+AccessAnalyzerMonitorServiceRole_DKEX2XK0Y1,IAMRole,IAM,read-data,
-dms-vpc-role,IAMRole,EC2,administer-resource,
-dms-vpc-role,IAMRole,EC2,read-config,
-k9-dev-appeng,IAMRole,DynamoDB Streams,read-config,
-k9-dev-appeng,IAMRole,DynamoDB Streams,read-data,
-k9-dev-appeng,IAMRole,EC2,use-resource,

Lines start with + for access addition and - for access removal.

These changes all occurred in the k9-dev account last week. In particular, the k9 Security engineering team experimented with the AWS Access Analyzer Policy Generator. During that work we:

• Provisioned the AccessAnalyzerMonitorServiceRole_DKEX2XK0Y1 role
• Analyzed the k9-dev-appeng role
• Reduced k9-dev-appeng‘s privileges
• Removed dms-vpc-role

A list of 7 changes is much easier to review than comprehending the +4000 underlying access assessments.

Comparing resource access changes

k9diff compares changes in access to specific resources using the resource-access-summaries report type . You could identify access changes to S3 buckets and Encryption Keys over the past week with:

k9diff resource-access-summaries 139710491120 2021-04-13 2021-04-20

However, there were no access changes to covered resources in this account during the time frame so the results are empty.

Next Steps