Now you can analyze IAM access to DynamoDB tables with k9 Security. Amazon DynamoDB is a fully managed database designed to run applications at any scale. AWS customers rely on DynamoDB for business-critical data. But it is difficult to understand what IAM users and roles (principals) could do with DynamoDB tables, either accidentally or maliciously. Now k9 Security reports which IAM principals can administer DynamoDB tables and read, write, or delete their data.
If you’re wondering which IAM principals can access your DynamoDB tables, k9 can give you a short list to review. k9 analyzes IAM configurations in AWS accounts. k9 already reports which IAM principals in your account can use the DynamoDB APIs (e.g. dynamodb:DeleteTable). Now k9 also reports what principals can do to each of your DynamoDB tables. Checking access to particular data resources is useful because IAM policies can use the Resource element to allow or deny API actions on specific resources.
k9 simplifies understanding each principal’s access to APIs and resources by mapping it to a k9 access capability such as
Reporting Access to DynamoDB tables
k9 analyzes access to DynamoDB APIs and table resources then reports each IAM user or role’s access capabilities.
Analyze which tables an IAM principal can access using the k9 principal access summary:
This principal access summary shows that the AWSReservedSSO_AdministratorAccess role can use the DynamoDB APIs to delete-data (rows where ‘Resource ARN’ is blank).
The admin role has those same permissions on the TerraformStateLock table. Importantly, there is no security policy preventing the admin role from deleting the TerraformStateLock table. (Note: Unwanted API actions on a particular resource could be denied using a Service Control Policy on the account or a Permissions Boundary on the user/role.)
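To make the Resource element and the deny-by-boundary note above concrete, here is a small policy evaluator added for illustration. It is not k9's code and does not reproduce k9's real capability mapping: the account ID, table ARNs, the admin and auditor policy documents, the permissions boundary, and the grouping of DynamoDB actions into capabilities are all constructed assumptions. It implements only the core IAM evaluation rule (an explicit Deny in any applicable document wins; otherwise every gate, identity policy plus boundary plus SCPs, must explicitly Allow) and ignores NotAction, NotResource, and Condition.

```python
"""Toy IAM evaluator for DynamoDB table access (illustrative, not k9 Security code)."""
import fnmatch

# Constructed sample resources; the account ID is a placeholder.
ACCOUNT = "123456789012"
LOCK_TABLE = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/TerraformStateLock"
ORDERS_TABLE = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/Orders"

# Assumed identity policy for an administrator role: everything, everywhere.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Assumed permissions boundary: keeps the admin's reach but explicitly denies
# any dynamodb:Delete* action on the state-lock table only.
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "dynamodb:Delete*", "Resource": LOCK_TABLE},
]}

# Constructed approximation of a read-only audit policy (not the real
# AWS-managed SecurityAudit document): describe/list only.
AUDITOR_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:Describe*", "dynamodb:List*"], "Resource": "*"}
]}

# Assumed grouping of API actions into k9-style capabilities; k9's own
# mapping is broader and is not reproduced here.
CAPABILITIES = {
    "read-config": ["dynamodb:DescribeTable", "dynamodb:ListTables"],
    "read-data": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
    "write-data": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
    "delete-data": ["dynamodb:DeleteItem", "dynamodb:DeleteTable"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive=True):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    for pattern in _as_list(patterns):
        if case_sensitive:
            if fnmatch.fnmatchcase(value, pattern):
                return True
        elif fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow', or 'Implicit' (no matching statement) for one document."""
    result = "Implicit"
    for statement in policy["Statement"]:
        if _matches(statement["Action"], action, case_sensitive=False) and \
           _matches(statement["Resource"], resource):
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            result = "Allow"
    return result


def is_allowed(action, resource, identity_policy, boundary=None, scps=()):
    """Identity policy, boundary (if any) and every SCP must all allow; any Deny blocks."""
    documents = [identity_policy] + ([boundary] if boundary else []) + list(scps)
    results = [evaluate(doc, action, resource) for doc in documents]
    if "Deny" in results:
        return False
    return all(r == "Allow" for r in results)


def capabilities(identity_policy, resource, boundary=None, scps=()):
    """Capabilities a principal has on a resource: a group counts if any action in it is allowed."""
    return sorted(
        name for name, actions in CAPABILITIES.items()
        if any(is_allowed(a, resource, identity_policy, boundary, scps) for a in actions)
    )


if __name__ == "__main__":
    for table in (LOCK_TABLE, ORDERS_TABLE):
        name = table.rsplit("/", 1)[1]
        print(f"admin on {name}, no boundary:   {capabilities(ADMIN_POLICY, table)}")
        print(f"admin on {name}, with boundary: {capabilities(ADMIN_POLICY, table, BOUNDARY)}")
    print(f"auditor on TerraformStateLock: {capabilities(AUDITOR_POLICY, LOCK_TABLE)}")
```

Run as-is, the admin role shows all four capabilities on both tables without a boundary; with the boundary attached it keeps read-config, read-data and write-data on TerraformStateLock but loses delete-data there, while Orders is unaffected. The auditor policy yields only read-config, matching the read-config rows a principal access summary would show for an audit role.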
The k9-auditor role uses the AWS managed SecurityAudit policy. That policy grants permission to read the configuration of DynamoDB resources. The principal access summary shows the k9-auditor role has read-config capabilities for both the DynamoDB APIs generally and several tables.
If you want to see who has access to a specific table, use the k9 resource access summary. This shows who has access to the
The resource access summary enables data owners to understand who has access to their data quickly and verify access is correct (k9 Security Kata 4).
Review and right-size access to DynamoDB tables with k9
Amazon DynamoDB gives you a way to manage unlimited data in the cloud easily. Manage risk to critical data by continuously reviewing and adjusting access to DynamoDB tables and APIs.
We hope k9’s new DynamoDB table analysis helps you identify and remediate risks in your AWS accounts. We are happy to answer any questions!