You can now analyze access to AWS IAM roles with k9 Security. AWS customers grant access to IAM roles to other IAM principals within the account or in other AWS accounts for many reasons. Some common reasons for granting one IAM principal access to a role are:
- allow a principal in the account to use a more (or less) privileged role for a particular operation, e.g. the platform role to assume the fully-privileged admin role for incident response
- allow a principal in another account in the AWS organization to access the account, e.g. a cicd user in one AWS account to assume a delivery role in each of the dev, stage, and prod accounts to deliver changes
- allow a third party access to the account to, e.g. audit its configuration, collect telemetry, or perform some other service from a user or role in their own AWS account
Access to assume a role is usually granted using an IAM role ‘trust’ resource policy. It’s often difficult to understand who has access to a role and easy to accidentally configure excessive access.
If you’re wondering which IAM principals and AWS accounts can access your roles, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM principals in your account can use the STS APIs (sts:AssumeRole, etc.) and maps each principal’s access to a k9 access capability.
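To make the trust policy review concrete, here is an added example (not k9's code or its analysis engine) that reads a role trust policy and lists who it allows to call sts:AssumeRole, marking each principal as internal, external, a service, or a wildcard. The policy, the account IDs 111111111111 and 222222222222, the organization ID and the function names are all constructed for illustration.

```python
import fnmatch
import json
import re

# Constructed trust policy for a hypothetical role in account 111111111111.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": ["arn:aws:iam::111111111111:user/ci",
                         "arn:aws:iam::222222222222:root"]}},
  {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
   "Principal": {"AWS": "*"},
   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "ec2.amazonaws.com"}}
]}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_account(principal):
    """Account ID named by an IAM/STS ARN or a bare 12-digit ID, else None."""
    m = re.fullmatch(r"(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None

def who_can_assume(policy, own_account):
    """Return (principal, scope, has_condition) for each Allow of sts:AssumeRole."""
    # Simplified: ignores Deny, NotPrincipal and NotAction; conditions are only flagged.
    findings = []
    for stmt in as_list(policy["Statement"]):
        # IAM action patterns may contain wildcards ("sts:*", "sts:Assume*").
        grants = any(fnmatch.fnmatchcase("sts:assumerole", a.lower())
                     for a in as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        principals = stmt.get("Principal", {})
        if principals == "*":  # shorthand for every principal
            principals = {"AWS": "*"}
        for kind, values in principals.items():
            for p in as_list(values):
                if p == "*":
                    scope = "wildcard"
                elif kind != "AWS":
                    scope = kind.lower()  # service, federated, ...
                elif principal_account(p) == own_account:
                    scope = "internal"
                else:  # anything not provably in this account is treated as external
                    scope = "external"
                findings.append((p, scope, "Condition" in stmt))
    return findings
```

The same function can be run over the AssumeRolePolicyDocument of each role returned by the IAM API; entries with a wildcard or external scope are the ones to review first.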
Reporting Access to IAM Roles
k9 analyzes both internal and external access to IAM roles then reports access capabilities to IAM roles.
Analyze which roles an IAM principal can assume using the principal access summary:
This principal access summary shows that the ci user has the:
- general capability to use-resource, read-data, and write-data for IAM resources using the STS service API unless prohibited by a specific trust resource policy
- specific capability to use a number of roles such as AccountAdmnAccessRole-Sandbox, k9-auditor, and the k9-backend-dev roles
Analyze access to a particular IAM role using the resource access summary view:
This resource access summary shows the k9-dev-appeng role can be used by:
- several principals within the account: ci, skuenzli, training, AccountAdminAccessRole-Sandbox, and even itself
- the 445877806042 account, which is k9 Security’s ‘Identity’ account trusted by k9-dev-appeng
k9 uses multiple methods to construct this analysis.
Analyzing Within Account (Internal Access)
k9 reports access to IAM roles granted to IAM users and roles within that same AWS account using k9’s standard simulation engine. k9 limits analysis to:
- IAM roles with a resource policy that grants access to IAM principals
- at most 100 IAM roles (if you need to analyze more, please contact k9 Support)
Analyzing Cross Account (External Access)
k9 retrieves and analyzes AWS Access Analyzer findings to report access to roles that are externally accessible from another AWS account. Information about access to roles from other accounts is only available in k9 when AWS Access Analyzer is enabled and running in the monitored account.
Analyze and improve access to IAM roles with k9
AWS IAM’s roles and “assume role” APIs give you a way to create and share identities within and across AWS accounts. Manage risk to your AWS accounts by continuously reviewing and adjusting access to IAM roles and STS APIs (see k9 Security Kata 4).
We hope k9’s new “assume role” analysis capabilities help you identify which IAM users and roles can use IAM roles in your AWS accounts. We are happy to answer any questions!