Now you can verify the effects of AWS IAM policy changes quickly by analyzing an AWS account’s IAM permissions on demand with the k9 CLI’s analyze account command. This command helps Cloud teams and consultants tighten the security policy engineering loop.

Suppose you’ve changed a security policy and want to verify the risk is remediated. Trigger an IAM permissions analysis by specifying the customer and account IDs:

k9 analyze account --customer_id C123456 --account 123456789012

The command line should respond with output like:

Starting analysis of C123456 account 123456789012 using api.k9security.io
Started analysis for C123456 account 123456789012 with execution ID: ondemand-C123456-123456789012-2022-09-28_B4QX

The reports will be delivered to your secure inbox as usual (Kata 0: Find & Tour a k9 Access Inventory report).

Analyses can only be started by AWS IAM principals who have been authorized by your k9 Security configuration (contact [email protected] to configure). You may want to authorize your Cloud, Security, or app teams — anyone iterating on security policies.

The k9 CLI authenticates its API requests by signing the request with a principal’s AWS credentials. So obtain valid AWS credentials for an authorized principal and start an analysis whenever you need.
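One way to wrap the command in a pipeline step that runs after a policy change, as an added example that is not part of the k9 CLI or the original post: it confirms which principal will sign the request, triggers the analysis, and records the execution ID next to the requester. It assumes the aws CLI is installed, that k9 exits non-zero when a request is rejected, and that the "Started analysis" line is written to stdout; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks and audit capture around `k9 analyze account`.

# Return 0 only for a 12-digit AWS account ID.
valid_account_id() {
  case "$1" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Read CLI output on stdin and print the execution ID from the
# "Started analysis ..." line (prints nothing if the line is absent).
extract_execution_id() {
  sed -n 's/^Started analysis for .* with execution ID: \([A-Za-z0-9_-]*\)$/\1/p'
}

# Trigger an analysis and emit one audit line: timestamp, requester, execution ID.
run_analysis() {
  customer_id=$1
  account_id=$2
  valid_account_id "$account_id" || { echo "bad account id: $account_id" >&2; return 2; }
  # Resolve the principal whose credentials will sign the request;
  # this fails fast on missing or expired credentials.
  caller_arn=$(aws sts get-caller-identity --query Arn --output text) || {
    echo "no valid AWS credentials" >&2; return 3; }
  # Assumption: k9 exits non-zero when the request is rejected.
  output=$(k9 analyze account --customer_id "$customer_id" --account "$account_id") || {
    echo "analysis not started; is $caller_arn authorized in k9?" >&2; return 4; }
  exec_id=$(printf '%s\n' "$output" | extract_execution_id)
  [ -n "$exec_id" ] || { echo "no execution ID in k9 output" >&2; return 5; }
  printf '%s requested_by=%s execution_id=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$caller_arn" "$exec_id"
}

# Runs only when called with both arguments, e.g.: ./analyze.sh C123456 123456789012
if [ "$#" -eq 2 ]; then
  run_analysis "$1" "$2"
fi
```

Appending the emitted line to the change ticket or pipeline log ties each policy change to the analysis that verified it and to the principal that requested it.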

Tighten the security policy engineering loop

We want to help you tighten the security policy engineering loop so you can iterate on policies quickly. Now you can verify your policies do what you think they do whenever you want by triggering an IAM permissions analysis on demand.

Download the latest k9 CLI from the releases page in GitHub. Full usage of the k9 CLI is documented in the README.

We’re happy to answer any questions. Please send an email to [email protected] or open an issue on GitHub.