Now you can analyze IAM access to Amazon RDS database clusters with k9 Security. Amazon RDS gives you a way to operate a relational database in the cloud. AWS customers rely on RDS database clusters for critical and sensitive data. But it is difficult to understand what IAM users and roles (principals) could do with those databases, either accidentally or maliciously. Now k9 Security reports which IAM principals can administer RDS database clusters and read, write, or delete their data.

If you’re wondering which IAM principals and AWS accounts can access your RDS database clusters, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM principals in your account can use the RDS APIs (e.g. rds:DeleteDBCluster), and what principals can do to each of your RDS database clusters. Checking access to particular database resources is useful because IAM policies could use the Resource element to allow or deny API actions to specific resources.

k9 simplifies understanding each principal’s access to APIs and resources by mapping it to a k9 access capability such as administer-resource or delete-data.

Reporting Access to RDS Database Clusters

k9 analyzes access to RDS APIs and database cluster resources, then reports each IAM user or role’s access capabilities.

Analyze which database clusters an IAM principal can access using the k9 principal access summary:

[Figure: principal access summary showing which IAM principals can access an RDS DB Cluster]

This principal access summary shows that the ci user can generally use the RDS APIs to administer-resource, read-config, read-data, write-data, and delete-data for database clusters (rows where ‘Resource ARN’ is blank).

The ci user has those same permissions on the int-test-pg-01 cluster. Importantly, no security policy prevents the ci user from deleting the int-test-pg-01 database cluster. (Note: Unwanted API actions can be denied for a particular resource using a Service Control Policy on the account or a Permissions Boundary on the user/role.)

The k9-auditor role uses the AWS managed SecurityAudit policy. That policy grants permission to read the configuration of RDS resources. The k9-auditor role therefore has the read-config capability for both the RDS APIs generally and the int-test-pg-01 cluster.
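The Resource-scoped allow/deny logic described above (the Resource element, and the note about denying an action on one cluster) as an added example; this is not k9's code. It uses an assumed mapping of a few RDS actions to capability names, a constructed account id and cluster ARNs, and models the protective deny as an explicit Deny statement evaluated together with the identity policy.

```python
from fnmatch import fnmatchcase

# Assumed, illustrative mapping of RDS API actions to capability names.
# k9's actual mapping is not shown on this page.
CAPABILITY_OF = {
    "rds:DescribeDBClusters": "read-config",
    "rds:ModifyDBCluster": "administer-resource",
    "rds:StopDBCluster": "administer-resource",
    "rds:DeleteDBCluster": "delete-data",
}

# Constructed policies. The ci user gets all RDS actions on every resource;
# the auditor gets only Describe* (read-config), similar in spirit to SecurityAudit.
CI_USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}
AUDITOR_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"}]}
# Constructed protective deny, in the style of an SCP or permissions boundary,
# scoped by the Resource element to a single cluster ARN.
PROTECT_INT_TEST = {"Statement": [
    {"Effect": "Deny", "Action": "rds:DeleteDBCluster",
     "Resource": "arn:aws:rds:us-east-1:111122223333:cluster:int-test-pg-01"}]}


def _matches(patterns, value):
    """IAM Action/Resource values may be a string or a list; '*' is a wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource_arn):
    """Simplified IAM evaluation: any matching explicit Deny wins,
    otherwise at least one matching Allow is required."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource_arn)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def capabilities(policies, resource_arn):
    """Capability names a principal holds on one cluster, like a k9 summary row."""
    return sorted({cap for action, cap in CAPABILITY_OF.items()
                   if is_allowed(policies, action, resource_arn)})
```

Running capabilities() with and without PROTECT_INT_TEST shows the ci user losing delete-data on int-test-pg-01 only, while keeping it on other clusters.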

Improve access to RDS database clusters with k9

Amazon RDS gives you a way to operate a relational database in the cloud easily. Manage risk to critical data by continuously reviewing and adjusting access to RDS database clusters and APIs with k9 Security Kata 4 – Review which principals can administer resources, write or delete data.

We hope k9’s new RDS database cluster access analysis helps you identify and remediate risks in your AWS accounts. We are happy to answer any questions!