k9 Security now analyzes principals’ access to the AWS Secrets Manager APIs. k9 reports whether IAM principals may administer, read, write, and delete secrets. AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources.

If you’re wondering which IAM principals can administer or use secrets in Secrets Manager, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can call Secrets Manager APIs, then maps each principal’s access to a k9 access capability.

Here’s an example of how Secrets Manager access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

Sample showing principals' access to Secrets Manager APIs

This excerpt shows the ci IAM user has full access to Secrets Manager APIs and is allowed to administer-resource, read-config, read-data, write-data, and delete-data. The k9-auditor role has only the read-config capability for Secrets Manager APIs, allowing it to read secret configuration metadata.

The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
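To make the action-to-capability idea concrete, here is an added example (not k9's code, and the action mapping below is an illustrative assumption rather than k9's published worksheet) that expands the Action wildcards in an IAM identity policy against a list of Secrets Manager actions and reports which of the five capabilities the policy grants. It reproduces the two principals from the excerpt with constructed policy documents.

```python
import fnmatch

# Assumed mapping of Secrets Manager actions to the capability names used in the
# post. Illustrative only; k9's full mapping lives in its report worksheet.
CAPABILITY_OF_ACTION = {
    "secretsmanager:DescribeSecret": "read-config",
    "secretsmanager:ListSecrets": "read-config",
    "secretsmanager:ListSecretVersionIds": "read-config",
    "secretsmanager:GetResourcePolicy": "read-config",
    "secretsmanager:GetSecretValue": "read-data",
    "secretsmanager:CreateSecret": "write-data",
    "secretsmanager:PutSecretValue": "write-data",
    "secretsmanager:UpdateSecret": "write-data",
    "secretsmanager:RotateSecret": "write-data",
    "secretsmanager:DeleteSecret": "delete-data",
    "secretsmanager:PutResourcePolicy": "administer-resource",
    "secretsmanager:DeleteResourcePolicy": "administer-resource",
    "secretsmanager:TagResource": "administer-resource",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy):
    """Secrets Manager actions an identity policy allows after explicit Deny.
    Action patterns (e.g. 'secretsmanager:Get*', '*') are matched
    case-insensitively, as IAM does. Resource and Condition are ignored, so the
    result is an upper bound on access; NotAction is rejected rather than
    silently under-reporting."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt:
            raise ValueError("NotAction statements are not supported by this example")
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        matched = {a for a in CAPABILITY_OF_ACTION
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(matched)
    return allowed - denied

def capabilities(policy):
    """Sorted k9-style capability names granted by the policy."""
    return sorted({CAPABILITY_OF_ACTION[a] for a in allowed_actions(policy)})

# Constructed sample policies modelled on the two principals in the excerpt.
CI_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
AUDITOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["secretsmanager:DescribeSecret", "secretsmanager:ListSecrets"]}]}

if __name__ == "__main__":
    print("ci:", capabilities(CI_USER_POLICY))
    print("k9-auditor:", capabilities(AUDITOR_POLICY))
```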

The AWS Secrets Manager API currently has 22 actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how Secrets Manager compares to other AWS data, compute, and security APIs:

k9 API coverage statistics

AWS Secrets Manager gives you a way to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Manage risk to your secrets stored in Secrets Manager by continuously reviewing and adjusting access to Secrets Manager APIs.

We hope k9’s new Secrets Manager analysis capabilities help you identify which IAM users and roles can administer and access secrets in your AWS accounts. We are happy to answer any questions!