k9 Security now analyzes principals’ access to the AWS Resource Access Manager APIs. k9 reports whether IAM principals may administer or read Resource Access Manager sharing configurations. AWS Resource Access Manager helps you share AWS network and data resources across accounts.

Wondering which IAM principals can administer or use Resource Access Manager APIs?

k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use Resource Access Manager APIs, then maps each principal’s access to a k9 access capability.

Here’s an example of how Resource Access Manager access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

Sample showing principals’ access to Resource Access Manager APIs

This excerpt shows the ci IAM user has full access to Resource Access Manager APIs: it has both the administer-resource and read-config capabilities. The k9-auditor role has only the read-config capability for the Resource Access Manager APIs, as granted by the SecurityAudit AWS Managed Policy.

The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
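To make the mapping idea concrete, here is an added example (not k9’s code, and not k9’s actual action-to-capability mapping, which lives in the report worksheet) that evaluates simplified identity policies for Resource Access Manager actions and reports the administer-resource and read-config capabilities. The action split, the sample policies, and the ci / k9-auditor names are constructed assumptions for this illustration; it ignores conditions, resource scoping, SCPs and permission boundaries.

```python
import fnmatch

# Constructed, simplified split of RAM actions into two capabilities.
# This is an assumption for the example; k9's real mapping is in its report.
READ_ACTIONS = {
    "ram:GetResourceShares", "ram:GetResourceShareAssociations",
    "ram:ListResources", "ram:ListPrincipals", "ram:ListResourceSharePermissions",
}
ADMIN_ACTIONS = {
    "ram:CreateResourceShare", "ram:UpdateResourceShare", "ram:DeleteResourceShare",
    "ram:AssociateResourceShare", "ram:DisassociateResourceShare",
    "ram:AcceptResourceShareInvitation", "ram:EnableSharingWithAwsOrganization",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def allowed_actions(policy, candidates):
    """Return the candidate actions an identity policy allows. IAM action names
    are case-insensitive, '*' wildcards expand, and an explicit Deny overrides
    any Allow. Conditions, Resource scoping, SCPs and boundaries are ignored."""
    allow, deny = set(), set()
    for stmt in policy["Statement"]:
        bucket = allow if stmt["Effect"] == "Allow" else deny
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in candidates
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allow - deny

def capabilities(policy):
    """Map a policy's effective RAM access to the capabilities the report shows."""
    effective = allowed_actions(policy, READ_ACTIONS | ADMIN_ACTIONS)
    caps = set()
    if effective & ADMIN_ACTIONS:
        caps.add("administer-resource")
    if effective & READ_ACTIONS:
        caps.add("read-config")
    return caps

# Constructed sample policies (not taken from any real account).
CI_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ram:*", "Resource": "*"}]}
AUDITOR_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ram:Get*", "ram:List*"], "Resource": "*"}]}
RESTRICTED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ram:Create*", "ram:Update*", "ram:Delete*",
     "ram:Associate*", "ram:Disassociate*", "ram:Accept*", "ram:Enable*"],
     "Resource": "*"}]}
```

Running capabilities() over the three policies reproduces the two rows in the excerpt above and shows why an explicit Deny must be evaluated before deciding a principal can administer shares.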

The AWS Resource Access Manager API currently has 25 permissions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how Resource Access Manager compares to other AWS data, compute, and security APIs.

AWS Resource Access Manager enables you to share network, data, security, and other resources from 20 AWS services across your AWS accounts and organizations (including VPC, EC2, Aurora, and Certificate Authority). Manage the risk to your shared network and data by continuously reviewing and adjusting access to Resource Access Manager APIs.

We hope k9’s new Resource Access Manager analysis capabilities help you identify which IAM users and roles can share resources in your AWS accounts. We are happy to answer any questions!