Now you can analyze IAM access to DynamoDB tables with k9 Security. Amazon DynamoDB is a fully managed database designed to run applications at any scale, and AWS customers rely on it for business-critical data. But it is difficult to understand what IAM users and roles (principals) could do with DynamoDB tables, either accidentally or maliciously. Now k9 Security reports which IAM principals can administer DynamoDB tables and read, write, or delete their data.

If you’re wondering which IAM principals can access your DynamoDB tables, k9 can give you a short list to review. k9 analyzes IAM configurations in AWS accounts. k9 already reports which IAM principals in your account can use the DynamoDB APIs (e.g. dynamodb:DeleteTable). Now k9 also reports what principals can do to each of your DynamoDB tables. Checking access to particular data resources is useful because IAM policies can use the Resource element to allow or deny API actions on specific resources, so a principal’s access to one table can differ from its access to the API in general.

k9 simplifies understanding each principal’s access to APIs and resources by mapping it to a k9 access capability such as administer-resource or delete-data.

Reporting Access to DynamoDB tables

k9 analyzes access to DynamoDB APIs and table resources, then reports each IAM user or role’s access capabilities.

Analyze which tables an IAM principal can access using the k9 principal access summary:

[Screenshot: Example Principal Access Summary table listing the principal name, principal type and their access capabilities to DynamoDB APIs and specific tables. Caption: Review IAM principals’ access to DynamoDB APIs and tables]

This principal access summary shows that the AWSReservedSSO_AdministratorAccess role can use the DynamoDB APIs to administer-resource, read-config, read-data, write-data, and delete-data (rows where ‘Resource ARN’ is blank).

The admin role has those same permissions to the TerraformStateLock table. Importantly, there is no security policy preventing the admin role from deleting the TerraformStateLock table. (Note: Unwanted API actions for a particular resource could be denied using a Service Control Policy on the account or a Permissions Boundary on the user/role.)
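As an added illustration (not k9’s code or data), the following simplified model of the IAM decision shows why the admin role can delete the lock table under AdministratorAccess and how an explicit Deny in a Service Control Policy changes that outcome. The account id, region and the SCP contents are constructed assumptions; resource-based policies, permissions boundaries and session policies are left out of the model.

```python
import re

# Constructed example, not k9's data: account id and region are placeholders.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111111111111:table/TerraformStateLock"

# Stand-in for the AWS managed AdministratorAccess policy on the admin role.
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed Service Control Policy: everything stays allowed except deleting the lock table.
PROTECT_LOCK_TABLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["dynamodb:DeleteTable"], "Resource": TABLE_ARN},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):
    # IAM Action and Resource strings support '*' (any run) and '?' (one character) wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _statement_matches(stmt, action, resource):
    return any(_wild(a, action) for a in _as_list(stmt["Action"])) and any(
        _wild(r, resource) for r in _as_list(stmt["Resource"])
    )

def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins over any Allow
            result = "Allow"
    return result

def is_allowed(action, resource, identity_policy, scp=None):
    """Simplified IAM decision: the identity policy must allow and the SCP (if any) must allow.
    Resource-based policies, permissions boundaries and session policies are left out."""
    if evaluate_policy(identity_policy, action, resource) != "Allow":
        return False
    return scp is None or evaluate_policy(scp, action, resource) == "Allow"
```

With no SCP attached, `is_allowed("dynamodb:DeleteTable", TABLE_ARN, ADMIN_IDENTITY_POLICY)` is True, which is the situation the principal access summary above reports; with the constructed SCP it is False while reads of the same table and deletes of other tables remain allowed.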

The k9-auditor role uses the AWS Managed SecurityAudit policy. That policy grants permission to read configuration of DynamoDB resources. The principal access summary shows the k9-auditor role has read-config capabilities for both the DynamoDB APIs generally and several tables.

If you want to see who has access to a specific table, use the k9 resource access summary. This shows who has access to the customer-account-configs-dev table:

[Screenshot: Example Resource Access Summary table listing DynamoDB tables and what access capabilities each principal has. Caption: Review which IAM principals can access a DynamoDB table]

The resource access summary enables data owners to quickly understand who has access to their data and verify that the access is correct (k9 Security Kata 4).

Review and right-size access to DynamoDB tables with k9

Amazon DynamoDB gives you a way to manage unlimited data in the cloud easily. Manage risk to critical data by continuously reviewing and adjusting access to DynamoDB tables and APIs.

We hope k9’s new DynamoDB table analysis helps you identify and remediate risks in your AWS accounts. We are happy to answer any questions!