k9 Security now analyzes principals’ access to the AWS Systems Manager APIs (ssm). k9 reports whether IAM principals may administer, read, write, and delete Systems Manager resources. AWS Systems Manager gives you visibility and control over AWS and on-premises resources.

Wondering which IAM principals can administer or use Systems Manager APIs and resources?

k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use Systems Manager APIs, then maps each principal’s access to a k9 access capability.

Here’s an example of how Systems Manager access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

Sample showing principals’ access to Systems Manager APIs

This excerpt shows the ci IAM user has full access to the Systems Manager APIs: it is allowed to administer-resource, read-config, read-data, write-data, and delete-data. The k9-auditor role has the read-config and read-data capabilities for the Systems Manager APIs, as granted by the SecurityAudit AWS managed policy.

Normally, the k9-auditor role only has read-config access to service resources. But the SecurityAudit policy grants access to some APIs which k9 Security classifies as read-data. Those APIs reveal state about the security of the underlying managed resource that security auditors need in order to do their jobs. For example, the ssm:DescribeInstancePatches API “retrieves information about the patches on the specified managed node and their state relative to the patch baseline being used for the node.” (Note: the SecurityAudit policy does not grant access to any ssm:Get* actions, which would expose parameters or management documents containing secrets.)
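To make the Describe-versus-Get distinction concrete, here is an added example (not k9’s code, and not the k9 capability mapping) that expands the action wildcards in an IAM policy document against a small catalog of ssm actions, buckets each matched action into a capability, and flags any ssm:Get* action the policy allows. The catalog, the capability rules, and the two sample policies are constructed for illustration; the sample auditor policy is modelled on the Describe-only pattern described above and is not the real SecurityAudit policy. Resource and Condition elements are deliberately ignored, so this answers "could this policy ever allow the action", not "is it allowed on a given parameter".

```python
"""Which Systems Manager actions does an IAM policy allow, and do any of
them read parameters or documents (ssm:Get*)?  Illustrative example only."""
import fnmatch

# Constructed subset of ssm actions for the example (not the full 141-action list).
SSM_ACTIONS = [
    "ssm:DescribeInstancePatches", "ssm:DescribeParameters", "ssm:DescribeDocument",
    "ssm:ListDocuments", "ssm:GetParameter", "ssm:GetParameters",
    "ssm:GetParametersByPath", "ssm:GetDocument", "ssm:PutParameter",
    "ssm:DeleteParameter", "ssm:SendCommand", "ssm:StartSession",
    "ssm:CreateDocument", "ssm:AddTagsToResource",
]

# Describe actions that reveal security state of the managed resource rather than
# configuration; the post cites DescribeInstancePatches as one k9 classes as read-data.
DESCRIBE_AS_READ_DATA = {"ssm:DescribeInstancePatches"}


def capability(action):
    """Map one action name to a capability bucket.

    This prefix-based rule is an assumption made for the example; it is not
    k9's actual 'k9 Access Capability Mapping'."""
    name = action.split(":", 1)[1]
    if action in DESCRIBE_AS_READ_DATA or name.startswith("Get"):
        return "read-data"
    if name.startswith(("Describe", "List")):
        return "read-config"
    if name.startswith(("Put", "Send", "Start", "Update")):
        return "write-data"
    if name.startswith("Delete"):
        return "delete-data"
    return "administer-resource"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_ssm_actions(policy, catalog=SSM_ACTIONS):
    """Return catalog actions the policy allows: Allow statements minus explicit Denies.

    Resource and Condition are ignored (worst-case view); NotAction is rejected
    rather than silently mis-evaluated."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt:
            raise ValueError("NotAction statements are not handled by this example")
        patterns = _as_list(stmt.get("Action", []))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in catalog:
            if any(_matches(p, action) for p in patterns):
                target.add(action)
    return allowed - denied


def summarize(policy, catalog=SSM_ACTIONS):
    """Capabilities granted, plus the ssm:Get* actions that can expose secrets."""
    actions = allowed_ssm_actions(policy, catalog)
    return {
        "capabilities": sorted({capability(a) for a in actions}),
        "get_actions": sorted(a for a in actions if a.split(":", 1)[1].startswith("Get")),
    }


# Constructed sample policies (hypothetical, not real AWS managed policies).
AUDITOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ssm:Describe*", "ssm:List*"], "Resource": "*"}],
}
CI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for label, policy in (("auditor", AUDITOR_POLICY), ("ci", CI_POLICY)):
        print(label, summarize(policy))
```

The auditor-style policy ends up with read-config plus read-data (via DescribeInstancePatches) and no Get actions, while `ssm:*` yields all five capabilities and every ssm:Get* action in the catalog. Adding a Deny on `ssm:Get*` to the ci policy removes the Get actions but, as the Describe case shows, does not by itself remove read-data.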

The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.

AWS Systems Manager currently has 141 actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how Systems Manager compares to other AWS data, compute, and security APIs:

AWS Systems Manager gives you a way to automate configuration and ongoing management of your applications and resources. Manage risk to your systems management control plane and secrets stored in Systems Manager by continuously reviewing and adjusting access to Systems Manager APIs.

We hope k9’s new Systems Manager analysis capabilities help you identify which IAM users and roles can administer systems and access secrets in your AWS accounts. We are happy to answer any questions!