k9 Security now analyzes principals’ access to the AWS Secrets Manager APIs. k9 reports whether IAM principals may administer, read, write, and delete secrets. AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources.
If you’re wondering which IAM principals can administer or use secrets in Secrets Manager, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can call Secrets Manager APIs, then maps each principal’s access to a k9 access capability.
Here’s an example of how Secrets Manager access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):
This excerpt shows the ci IAM user has full access to Secrets Manager APIs and is allowed to
The k9-auditor role has only the read-config capability for Secrets Manager APIs, allowing it to read secret configuration metadata.
The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
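As an added illustration of the idea behind that worksheet (this is not k9’s code, and the grouping below is not the mapping from its report), the following Python expands the Secrets Manager actions an IAM policy allows, including wildcard patterns such as `secretsmanager:Describe*`, and groups them into capability buckets. The action names are the real Secrets Manager API actions; the action-to-capability grouping and the two sample policies are assumptions made for this example.

```python
import fnmatch

# Secrets Manager API action names known to this example (real names; list constructed here, not taken from the page).
SECRETS_MANAGER_ACTIONS = [
    "CancelRotateSecret", "CreateSecret", "DeleteResourcePolicy", "DeleteSecret", "DescribeSecret",
    "GetRandomPassword", "GetResourcePolicy", "GetSecretValue", "ListSecretVersionIds", "ListSecrets",
    "PutResourcePolicy", "PutSecretValue", "RemoveRegionsFromReplication", "ReplicateSecretToRegions",
    "RestoreSecret", "RotateSecret", "StopReplicationToReplica", "TagResource", "UntagResource",
    "UpdateSecret", "UpdateSecretVersionStage", "ValidateResourcePolicy",
]

# Assumed action-to-capability grouping for illustration; k9's own mapping is in its report worksheet.
CAPABILITY_OF = {
    "administer-resource": {"PutResourcePolicy", "DeleteResourcePolicy", "RotateSecret",
                            "CancelRotateSecret", "TagResource", "UntagResource",
                            "ReplicateSecretToRegions", "RemoveRegionsFromReplication",
                            "StopReplicationToReplica", "UpdateSecretVersionStage"},
    "read-config": {"DescribeSecret", "ListSecrets", "ListSecretVersionIds",
                    "GetResourcePolicy", "ValidateResourcePolicy", "GetRandomPassword"},
    "read-data": {"GetSecretValue"},
    "write-data": {"CreateSecret", "PutSecretValue", "UpdateSecret", "RestoreSecret"},
    "delete-data": {"DeleteSecret"},
}

def allowed_actions(policy):
    """Secrets Manager actions the policy Allows, using IAM's case-insensitive wildcard matching.
    Simplification: Deny statements, Resource and Condition are not evaluated."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for pattern in ([actions] if isinstance(actions, str) else actions):
            service, _, action_glob = pattern.partition(":")
            if service.lower() not in ("secretsmanager", "*"):
                continue  # another service, or a malformed action string
            glob = (action_glob or "*").lower()  # a bare "*" means every action of every service
            allowed.update(a for a in SECRETS_MANAGER_ACTIONS if fnmatch.fnmatchcase(a.lower(), glob))
    return allowed

def capabilities(policy):
    """Capability buckets reached: one allowed action in a bucket is enough to grant it."""
    actions = allowed_actions(policy)
    return {cap for cap, members in CAPABILITY_OF.items() if actions & members}

# Constructed sample policies mirroring the two principals in the report excerpt above.
CI_POLICY = {"Statement": [{"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
AUDITOR_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["secretsmanager:Describe*", "secretsmanager:List*"]}]}
print({n: sorted(capabilities(p)) for n, p in (("ci", CI_POLICY), ("k9-auditor", AUDITOR_POLICY))})
```

Because a policy's effective permissions also depend on Deny statements, resource ARNs and conditions, treat the output as a starting list for review rather than a final verdict.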
The AWS Secrets Manager API currently has 22 actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how Secrets Manager compares to other AWS data, compute, and security APIs:
AWS Secrets Manager gives you a way to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Manage risk to your secrets stored in Secrets Manager by continuously reviewing and adjusting access to Secrets Manager APIs.
We hope k9’s new Secrets Manager analysis capabilities help you identify which IAM users and roles can administer and access secrets in your AWS accounts. We are happy to answer any questions!