Now you can analyze IAM access to Amazon RDS database clusters with k9 Security. Amazon RDS gives you a way to operate a relational database in the cloud. AWS customers rely on RDS database clusters for critical and sensitive data. But it is difficult to understand what IAM users and roles (principals) could do with those databases, either accidentally or maliciously. Now k9 Security reports which IAM principals can administer RDS database clusters and read, write, or delete their data.
If you’re wondering which IAM principals and AWS accounts can access your RDS database clusters, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM principals in your account can use the RDS APIs (e.g. rds:DeleteDBCluster), and what those principals can do to each of your RDS database clusters. Checking access to particular database resources is useful because IAM policies can use the Resource element to allow or deny API actions on specific resources.
k9 simplifies understanding each principal’s access to APIs and resources by mapping it to a k9 access capability such as
Reporting Access to RDS Database Clusters
k9 analyzes access to RDS APIs and database cluster resources, then reports each IAM user or role’s access capabilities.
Analyze which database clusters an IAM principal can access using the k9 principal access summary:
This principal access summary shows that the ci user can generally use the RDS APIs to delete-data for database clusters (rows where ‘Resource ARN’ is blank). The ci user has those same permissions to the int-test-pg-01 cluster. Importantly, no security policy prevents the ci user from deleting the int-test-pg-01 database cluster. (Note: Unwanted API actions can be denied for a particular resource using a Service Control Policy on the account or a Permissions Boundary on the user/role.)
The k9-auditor role uses the AWS Managed SecurityAudit policy. That policy grants permission to read the configuration of RDS resources. The k9-auditor role has the read-config capability for both the RDS APIs generally and the
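To make the analysis above concrete, here is an added example (not k9’s code) that evaluates simplified IAM policy documents for the RDS actions a principal may call on a given cluster ARN, maps them to k9-style capability names, and shows how a resource-scoped explicit Deny (as in the note above) removes delete-data for one cluster only. The action-to-capability mapping, the account id, and the policy documents are constructed for this example.

```python
import fnmatch

# Constructed mapping of RDS API actions to k9-style access capabilities.
# Capability names follow k9's vocabulary; the action sets are an assumption
# for this example, not k9's actual mapping table.
CAPABILITIES = {
    "read-config": {"rds:DescribeDBClusters"},
    "administer-resource": {"rds:ModifyDBCluster"},
    "delete-data": {"rds:DeleteDBCluster"},
}

def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'), case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def action_allowed(policies, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny matching both action and
    resource wins; otherwise any matching Allow grants. An SCP or permissions
    boundary Deny can be modelled as one more policy in the list (the implicit
    denies those layers add are not modelled here)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource_arn):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def capabilities(policies, resource_arn):
    """Return the k9-style capabilities a principal has on one resource ARN."""
    return {cap for cap, actions in CAPABILITIES.items()
            if any(action_allowed(policies, a, resource_arn) for a in actions)}

# Constructed sample data: placeholder account id, cluster named in the post.
CLUSTER_ARN = "arn:aws:rds:us-east-1:111111111111:cluster:int-test-pg-01"
OTHER_ARN = "arn:aws:rds:us-east-1:111111111111:cluster:prod-pg-01"
CI_POLICIES = [{"Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}]
# A Deny scoped to one cluster ARN, e.g. delivered via an SCP or permissions boundary.
PROTECT_INT_TEST = {"Statement": [{"Effect": "Deny", "Action": "rds:DeleteDBCluster",
                                   "Resource": CLUSTER_ARN}]}
AUDITOR_POLICIES = [{"Statement": [{"Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"}]}]

if __name__ == "__main__":
    print("ci:", sorted(capabilities(CI_POLICIES, CLUSTER_ARN)))
    print("ci with deny:", sorted(capabilities(CI_POLICIES + [PROTECT_INT_TEST], CLUSTER_ARN)))
    print("k9-auditor:", sorted(capabilities(AUDITOR_POLICIES, CLUSTER_ARN)))
```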
Improve access to RDS database clusters with k9
Amazon RDS gives you a way to operate a relational database in the cloud easily. Manage risk to critical data by continuously reviewing and adjusting access to RDS database clusters and APIs with k9 Security Kata 4 – Review which principals can administer resources, or write or delete data.
We hope k9’s new RDS database cluster access analysis helps you identify and remediate risks in your AWS accounts. We are happy to answer any questions!