You can now analyze access to AWS IAM roles with k9 Security. AWS customers grant access to IAM roles to other IAM principals within the account or in other AWS accounts for many reasons. Some common reasons for granting one IAM principal access to a role are:

  • allow a principal in the account to use a more (or less) privileged role for a particular operation, e.g. the platform role to assume the fully-privileged admin role for incident response
  • allow a principal in another account in the AWS organization to access the account, e.g. a cicd user in one AWS account to assume a delivery role in each of the dev, stage, and prod accounts to deliver changes
  • allow a third party to access the account from a user or role in their own AWS account, e.g. to audit its configuration, collect telemetry, or perform some other service

Access to assume a role is usually granted using an IAM role ‘trust’ resource policy. It is often difficult to understand who has access to a role, and easy to accidentally configure excessive access.

If you’re wondering which IAM principals and AWS accounts can access your roles, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM principals in your account can use the STS APIs (sts:AssumeRole, etc.) and maps each principal’s access to a k9 access capability.
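As an added example (not k9’s code), here is the review a trust policy needs, in Python: classify each trusted principal as inside the account, another account in the organization, an external account, or public, and flag the patterns that most often grant excessive access, such as trusting a whole account with no Condition or naming a `*` principal. The account IDs, the organization membership and the policy document are constructed for this example.

```python
"""Review an IAM role trust policy: who can assume the role, and what is too broad.
Added example, not k9 Security's code; account IDs and the policy are constructed."""
import json
import re
from fnmatch import fnmatchcase

THIS_ACCOUNT = "111111111111"                    # hypothetical monitored account
ORG_ACCOUNTS = {"111111111111", "222222222222"}  # hypothetical AWS organization
ARN_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):(.+)$")
ACCOUNT_RE = re.compile(r"^\d{12}$")
# Actions that let a principal obtain credentials for the role.
ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithsaml", "sts:assumerolewithwebidentity"}


def _as_list(value):
    """IAM accepts a string or a list in most places; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _grants_assume(stmt):
    """True if an Allow statement covers any assume-role action, wildcards included."""
    if stmt.get("Effect") != "Allow":
        return False
    patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(fnmatchcase(t, p) for p in patterns for t in ASSUME_ACTIONS)


def _principals(stmt):
    """Yield (kind, value) for each principal entry; a bare "*" means everyone."""
    principal = stmt.get("Principal")
    if principal == "*":
        yield "AWS", "*"
    elif isinstance(principal, dict):
        for kind, values in principal.items():
            for v in _as_list(values):
                yield kind, v


def classify_principal(kind, value, this_account=THIS_ACCOUNT, org_accounts=ORG_ACCOUNTS):
    """Return (scope, whole_account): scope is 'public', 'internal', 'org', 'external',
    'service', 'federated' or 'unknown'; whole_account is True for a bare account ID or
    an ARN ending in :root, which trusts every principal that account's own IAM allows."""
    if kind in ("Service", "Federated"):
        return kind.lower(), False
    if kind != "AWS":
        return "unknown", False
    if value == "*":
        return "public", True
    if ACCOUNT_RE.match(value):
        account, whole = value, True
    else:
        m = ARN_RE.match(value)
        if not m:
            return "unknown", False
        account, whole = m.group(1), m.group(2) == "root"
    if account == this_account:
        return "internal", whole
    return ("org" if account in org_accounts else "external"), whole


def analyze_trust_policy(policy, this_account=THIS_ACCOUNT, org_accounts=ORG_ACCOUNTS):
    """Return {'internal', 'org', 'external', 'public': [principals], 'warnings':
    [(code, principal)]}. Deny statements are not subtracted, so this is the list to
    review, not proof of access; a full policy simulation is needed to confirm it."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    out = {"internal": [], "org": [], "external": [], "public": [], "warnings": []}
    for stmt in _as_list(doc.get("Statement")):
        if not _grants_assume(stmt):
            continue
        has_condition = bool(stmt.get("Condition"))
        wildcard_action = any("*" in a for a in _as_list(stmt.get("Action")))
        for kind, value in _principals(stmt):
            scope, whole = classify_principal(kind, value, this_account, org_accounts)
            if scope in out:
                out[scope].append(value)
            if scope == "public":
                out["warnings"].append(("public-principal", value))
            elif whole and scope != "internal" and not has_condition:
                # Whole-account trust with no Condition (sts:ExternalId,
                # aws:PrincipalArn, ...) admits any principal in that account.
                out["warnings"].append(("whole-account-no-condition", value))
            if wildcard_action:
                out["warnings"].append(("wildcard-action", value))
    return out


# Constructed trust policy exercising each pattern above (not a real role's policy).
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",  # inside the account, incl. itself
     "Principal": {"AWS": ["arn:aws:iam::111111111111:user/ci",
                           "arn:aws:iam::111111111111:role/k9-dev-appeng"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",  # third party pinned by external id
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],  # org account, no condition
     "Principal": {"AWS": "222222222222"}},
    {"Effect": "Allow", "Action": "sts:*", "Principal": "*"},  # accidentally public
]}
```

Call `analyze_trust_policy(SAMPLE_TRUST_POLICY)` to get the per-scope lists and three warnings (the public statement, its `sts:*` action, and the org account trusted wholesale without a Condition). This reads only the trust policy: a principal in another account also needs an identity policy that allows sts:AssumeRole, which is why the output is a review list rather than proof of access.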

Reporting Access to IAM Roles

k9 analyzes both internal and external access to IAM roles, then reports each principal’s access capabilities for those roles.

Analyze which roles an IAM principal can assume using the principal access summary:

Analyze which roles a user can assume

This principal access summary shows that the ci user has the:

  • general capability to use-resource, read-data, and write-data for IAM resources using the STS service API, unless prohibited by a specific trust resource policy
  • specific capability to use a number of roles such as AccountAdminAccessRole-Sandbox, k9-auditor, and k9-backend-dev

Analyze access to a particular IAM role using the resource access summary view:

Analyze who can assume a role

This resource access summary shows the k9-dev-appeng role can be used by:

  • several principals within the account: ci, skuenzli, training, AccountAdminAccessRole-Sandbox, and even itself
  • the 445877806042 account, which is k9 Security’s ‘Identity’ account trusted by k9-dev-appeng

k9 uses multiple methods to construct this analysis.

Analyzing Within Account (Internal Access)

k9 reports access to IAM roles granted to IAM users and roles within the same AWS account using k9’s standard simulation engine. k9 limits this analysis to:

  • IAM roles with a resource policy that grants access to IAM principals
  • at most 100 IAM roles (if you need to analyze more, please contact k9 Support)

Analyzing Cross Account (External Access)

k9 retrieves and analyzes AWS IAM Access Analyzer findings to report access to roles that are externally accessible from another AWS account. Information about access to roles from other accounts is only available in k9 when IAM Access Analyzer is enabled and running in the monitored account.
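As an added example (not k9’s code), here is how Access Analyzer findings can be turned into a per-role report in Python: skip archived findings and other resource types, record which external accounts each role trusts, which of those are trusted without any Condition, and whether the role is public. `fetch_role_findings` shows the boto3 calls, including the check that an active analyzer exists in the region, since without one there are no cross-account findings to report. The sample findings are constructed in the shape the ListFindings API returns; the region, account IDs and role names are assumptions.

```python
"""Summarize IAM Access Analyzer findings for roles reachable from other AWS accounts.
Added example, not k9 Security's code. Field names follow the Access Analyzer
ListFindings API; the sample findings below are constructed for this example."""
import re
from collections import defaultdict

ROLE_TYPE = "AWS::IAM::Role"


def _account_of(principal):
    """Account ID of an Access Analyzer principal value (bare ID or ARN), else None."""
    m = re.search(r"\d{12}", principal or "")
    return m.group(0) if m else None


def summarize_external_role_access(findings):
    """Group ACTIVE role findings by role ARN.

    Returns {role_arn: {"public": bool, "accounts": [ids], "unconditioned": [ids]}}
    where "unconditioned" lists accounts trusted with no Condition at all. Archived
    and resolved findings and other resource types (S3, KMS, ...) are skipped.
    """
    acc = defaultdict(lambda: {"public": False, "accounts": set(), "unconditioned": set()})
    for f in findings:
        if f.get("resourceType") != ROLE_TYPE or f.get("status") != "ACTIVE":
            continue
        entry = acc[f["resource"]]
        principal = (f.get("principal") or {}).get("AWS")
        if f.get("isPublic") or principal == "*":
            entry["public"] = True
            continue
        account = _account_of(principal)
        if account:
            entry["accounts"].add(account)
            if not f.get("condition"):
                entry["unconditioned"].add(account)
    return {role: {"public": v["public"], "accounts": sorted(v["accounts"]),
                   "unconditioned": sorted(v["unconditioned"])} for role, v in acc.items()}


def fetch_role_findings(region_name):
    """Pull ACTIVE role findings from the account's analyzer in one region.

    Needs boto3 and AWS credentials, so it is not exercised offline. Raises when no
    active analyzer exists: without one there are no cross-account findings at all.
    """
    import boto3  # imported here so the rest of the module works without boto3
    client = boto3.client("accessanalyzer", region_name=region_name)
    active = [a for a in client.list_analyzers()["analyzers"] if a["status"] == "ACTIVE"]
    if not active:
        raise RuntimeError(f"no active IAM Access Analyzer in {region_name}; enable one first")
    findings = []
    for page in client.get_paginator("list_findings").paginate(
        analyzerArn=active[0]["arn"],
        filter={"resourceType": {"eq": [ROLE_TYPE]}, "status": {"eq": ["ACTIVE"]}},
    ):
        findings.extend(page["findings"])
    return findings


# Constructed findings (hypothetical account 111111111111) in the ListFindings shape.
SAMPLE_FINDINGS = [
    {"id": "f-1", "resourceType": ROLE_TYPE, "status": "ACTIVE", "isPublic": False,
     "resource": "arn:aws:iam::111111111111:role/k9-dev-appeng",
     "principal": {"AWS": "445877806042"}, "action": ["sts:AssumeRole"], "condition": {}},
    {"id": "f-2", "resourceType": ROLE_TYPE, "status": "ACTIVE", "isPublic": False,
     "resource": "arn:aws:iam::111111111111:role/delivery",
     "principal": {"AWS": "arn:aws:iam::222222222222:user/cicd"},
     "action": ["sts:AssumeRole"], "condition": {"sts:ExternalId": "example-external-id"}},
    {"id": "f-3", "resourceType": ROLE_TYPE, "status": "ACTIVE", "isPublic": True,
     "resource": "arn:aws:iam::111111111111:role/delivery",
     "principal": {"AWS": "*"}, "action": ["sts:AssumeRole"], "condition": {}},
    {"id": "f-4", "resourceType": ROLE_TYPE, "status": "ARCHIVED", "isPublic": False,
     "resource": "arn:aws:iam::111111111111:role/old",
     "principal": {"AWS": "333333333333"}, "action": ["sts:AssumeRole"], "condition": {}},
    {"id": "f-5", "resourceType": "AWS::S3::Bucket", "status": "ACTIVE", "isPublic": False,
     "resource": "arn:aws:s3:::example-bucket", "principal": {"AWS": "333333333333"},
     "action": ["s3:GetObject"], "condition": {}},
]
```

`summarize_external_role_access(SAMPLE_FINDINGS)` reports k9-dev-appeng as trusted by 445877806042 with no Condition, and delivery as public plus trusted by 222222222222 under a Condition; the archived finding and the bucket finding are dropped. Findings are per region, so a real report calls `fetch_role_findings` for every region where an analyzer runs; an account with no analyzer simply has nothing to report, which is the caveat above.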

Analyze and improve access to IAM roles with k9

AWS IAM’s roles and “assume role” APIs give you a way to create and share identities within and across AWS accounts. Manage risk to your AWS accounts by continuously reviewing and adjusting access to IAM roles and STS APIs (see k9 Security Kata 4).

We hope k9’s new “assume role” analysis capabilities help you identify which IAM users and roles can use IAM roles in your AWS accounts. We are happy to answer any questions!