k9 Security now analyzes principals’ access to the AWS Account APIs. The Account (account) APIs manage important global configuration, including which regions are enabled and the account’s contact information, and they even allow closing the account. k9 reports whether IAM principals may administer or read Account configuration.

Wondering which IAM principals can administer or use Account APIs? k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use Account APIs (e.g. account:CloseAccount), then maps each principal’s access to a k9 access capability.

Here’s an example of how Account API access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

Figure 1. Analyze principals’ access to Account APIs

This excerpt shows the AdministratorAccess IAM role has full access to Account APIs. It is allowed to administer-resource, read-config, and delete-data (by closing the account). The k9-auditor role has only the read-config capability for the Account APIs, as granted by the SecurityAudit AWS Managed Policy.

The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
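To make the analysis concrete, here is an added example (not k9’s code) of the idea behind such a summary: evaluate each principal’s identity policies against the Account API actions and map what is allowed to a capability. The action-to-capability mapping, the policy documents and the principal names are constructed for illustration; the evaluator only models Allow/Deny, Action/NotAction and wildcards, not Resource, Condition, SCPs or permission boundaries.

```python
import fnmatch
from typing import Dict, Iterable, List, Set

# Hypothetical action-to-capability mapping for illustration; k9's real mapping is in its worksheet.
CAPABILITY_MAP = {
    "account:CloseAccount": "delete-data",
    "account:EnableRegion": "administer-resource",
    "account:DisableRegion": "administer-resource",
    "account:PutContactInformation": "administer-resource",
    "account:PutAlternateContact": "administer-resource",
    "account:DeleteAlternateContact": "administer-resource",
    "account:GetContactInformation": "read-config",
    "account:GetAlternateContact": "read-config",
    "account:GetRegionOptStatus": "read-config",
    "account:ListRegions": "read-config",
}

def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def _matches(action: str, stmt: dict) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    glob = lambda pattern: fnmatch.fnmatchcase(action.lower(), pattern.lower())
    if "Action" in stmt:
        return any(glob(p) for p in _as_list(stmt["Action"]))
    return not any(glob(p) for p in _as_list(stmt.get("NotAction", [])))

def allowed_actions(policies: List[dict], candidates: Iterable[str]) -> Set[str]:
    """Simplified identity-policy evaluation: an explicit Deny beats any Allow; Resource, Condition, SCPs and boundaries are ignored."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            for action in candidates:
                if _matches(action, stmt):
                    (allowed if stmt["Effect"] == "Allow" else denied).add(action)
    return allowed - denied

def capabilities(policies: List[dict]) -> Set[str]:
    return {CAPABILITY_MAP[a] for a in allowed_actions(policies, CAPABILITY_MAP)}

# Constructed sample policies (simplified stand-ins, not the actual AWS managed policies).
SAMPLE_PRINCIPALS = {
    "AdministratorAccess": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    "k9-auditor": [{"Statement": [{"Effect": "Allow", "Action": ["account:Get*", "account:List*"], "Resource": "*"}]}],
    "platform-admin": [{"Statement": [{"Effect": "Allow", "Action": "account:*", "Resource": "*"},
                                      {"Effect": "Deny", "Action": "account:CloseAccount", "Resource": "*"}]}],
}

def summarize(principals: Dict[str, List[dict]] = SAMPLE_PRINCIPALS) -> Dict[str, Set[str]]:
    return {name: capabilities(pols) for name, pols in principals.items()}
```

The constructed platform-admin principal shows the kind of mitigation a review typically leads to: an explicit Deny on account:CloseAccount removes the delete-data capability while leaving administer-resource and read-config intact.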

The AWS Account API currently has 13 permissions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how Account compares to other AWS data, compute, and security APIs:

Figure 2. k9 Security service permission summary

The AWS Account API manages global configuration for your account, including which regions are enabled, and allows users to close the account. Manage risk to your applications and data in your AWS account by continuously reviewing and adjusting access to Account APIs.

We hope k9’s new Account analysis capabilities help you identify which IAM users and roles can administer your AWS accounts. We are happy to answer any questions!