Cloud deployments change rapidly, and Managed Service Providers (MSPs) face a critical challenge: efficiently managing Identity and Access Management (IAM) across multiple client AWS accounts while maintaining robust security practices and expanding the value of their managed services. The recent partnership between MontyCloud and k9 Security addresses this challenge head-on with a solution for IAM access governance.

The IAM Dilemma: Complexity at Scale

As an MSP, you’re well-versed in the intricacies of managing AWS environments. However, when it comes to IAM, the complexity multiplies with each client account you manage. Let’s break down the key challenges:

  • Proliferation of Permissions: As client environments grow, so does the number of IAM users, roles, policies, and their interactions. Understanding who has access to what becomes increasingly difficult.
  • Maintaining Least Privilege: Ensuring that each identity has only the permissions necessary for its function is a cornerstone of security, as is ensuring that critical data is accessible only to authorized identities. Achieving this in production accounts is much easier said than done.
  • Continuous Monitoring: Security isn’t a one-time setup. It requires ongoing vigilance to detect and respond to changes in access patterns and permissions.
  • Compliance and Reporting: Many clients require detailed reports on their IAM setup for compliance purposes. Generating these reports manually for multiple accounts is time-consuming and error-prone.

To illustrate these challenges, let’s look at a typical IAM security findings report:

Figure 1. IAM Security Findings Visualization

This chart shows common IAM security issues, including:

  • Excess administrators
  • Access keys needing rotation
  • Inactive users and roles

MSPs need a comprehensive solution that can streamline IAM management for customer accounts. This is where the integration of MontyCloud DAY2 and k9 Security comes into play.

Enter MontyCloud DAY2 and k9 Security

MontyCloud DAY2 is a comprehensive cloud operations platform, while k9 Security specializes in IAM assessment and security. The integration of k9 Security’s IAM Assessment tool into MontyCloud’s DAY2 platform offers a powerful solution to access governance challenges.

Here’s how this partnership enables essential cloud access governance for MSPs:

Comprehensive Visibility

The integrated solution provides a simple, consistent view of the effective IAM configurations in your customers’ AWS accounts.

Automated Assessment

k9 Security’s IAM assessment tool automatically analyzes IAM configurations, identifying who has access to critical AWS APIs and data resources. k9 also gathers and normalizes information about which identities have credentials, when they were last used, and more.

Actionable Insights (Billable, too!)

Instead of drowning in a sea of data, use k9’s optimized processes to review the assessment and build revenue-generating IAM improvement projects that address security findings by:

  • Remediating excess admins using k9’s policy generators
  • Rotating or removing credentials
  • Implementing least privilege access to critical data sources with k9’s policy generators

These capabilities enable you to operationalize cloud access governance with your current staff. Let’s see how the IAM access governance integration for MontyCloud works.

    How It Works: The MontyCloud DAY2 and k9 Security Integration

    The integration simplifies IAM governance through a streamlined process:

    1. Deployment: MontyCloud delivers k9 Security through the IAM Governance Blueprint available on the DAY2 platform.
    2. Analysis: Upon deployment in a customer’s account, k9 Security analyzes the environment’s IAM configurations.
    3. Report Generation: k9 Security generates its assessment reports based on that analysis.
    4. Secure Storage: These reports are securely stored in the project’s storage bucket within the DAY2 platform.
    5. Easy Access: Operators can download these reports directly from DAY2, providing them with comprehensive visibility into their IAM governance.
    6. Continuous Monitoring: The integration provides ongoing monitoring, allowing for real-time detection of IAM-related issues and risks.

    This process provides immediate and ongoing insights into IAM governance across your entire AWS practice, all managed through the MontyCloud DAY2 platform.

    Key Features of the Integration

    • Actionable Monitoring: Quickly identify critical risks and remediate with proven processes, turning insights into concrete security improvements.
    • Rapid Deployment: Implement k9 Security assessments quickly across multiple client accounts.
    • Centralized Management: Govern multiple client accounts from a single dashboard within MontyCloud DAY2.
    • Automated Reporting: Generate client-ready reports automatically, saving time and reducing manual effort.
    • Compliance Support: Easily demonstrate adherence to security best practices with detailed reports.

    One of the key benefits of this integration is the ability to quickly identify and manage admin usage. Here’s an example of how the solution provides visibility into admin usage status:

    Figure 2. Admin Usage Status Visualization

    This chart shows the distribution of in-use and unused IAM admin identities, helping you identify potential security risks and opportunities for access cleanup.

    Let’s explore the process of reviewing IAM administrator access, a critical aspect of maintaining robust security and preventing AWS account takeovers.

    How to Review IAM Administrator Access

    Reviewing IAM administrator access is a critical process in maintaining robust cloud security and k9 makes it easy.

    Figure 3. k9 Security Principals View: the Principals view filtered to IAM admins, showing 8 admin principals and the date each principal was last used.

    Using the k9 Security reports available through the MontyCloud DAY2 platform, you can efficiently review IAM administrators across all your managed accounts:

    • Access the latest k9 resource access audit report for each account.
    • Navigate to the Principals worksheet.
    • Filter the “Principal is IAM Admin” column to TRUE.

    This filtered view provides a comprehensive list of all IAM users and roles with administrative capabilities. That is all it takes to understand who can change the AWS account’s IAM security configuration, and therefore who effectively has full control of the account.

    Key Questions to Ask During Review

    For each identified IAM administrator, consider the following questions:

    1. Should this principal have IAM administration capabilities?
      • Remember, while some roles (like automated delivery processes, operations teams, and security teams) may need these capabilities, it’s common to find excess administrators in long-lived AWS accounts due to privileges that were granted accidentally or ‘temporarily’ but then forgotten.
    2. Is this admin principal still in use?
      • Check the “Principal Last Used” column to identify potentially inactive administrators.
    3. If the admin is an IAM user, does it have any credentials? Do they need rotation?
      • Check the password and access key columns to see if the user has any credentials that need to be rotated, disabled, or removed.
    4. When was the last time this administrator actually performed IAM administration tasks?
      • You can use CloudTrail logs to verify recent IAM-related actions.
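The review above can be scripted against a CSV export of the Principals worksheet. The following is an added example, not k9 Security’s or MontyCloud’s code: it filters the “Principal is IAM Admin” column to TRUE, applies questions 2 and 3 using the “Principal Last Used” and credential columns, and answers question 4 by looking for the most recent IAM write call per principal in CloudTrail records. The column names other than the two the article names, the 90-day thresholds, the worksheet rows and the CloudTrail events are all constructed assumptions for the example.

```python
"""Review IAM administrators from a k9-style Principals worksheet (CSV export).

Added example, not k9 Security's or MontyCloud's code. Column names other than
"Principal is IAM Admin" and "Principal Last Used" are assumptions, and the
rows and CloudTrail events below are constructed sample data.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so results are stable
UNUSED_AFTER = timedelta(days=90)                 # review thresholds (assumptions)
ROTATE_AFTER = timedelta(days=90)

# Constructed rows modeled on the Principals worksheet; 'N/A' means never used / not applicable.
PRINCIPALS_CSV = """\
Principal Name,Principal Type,Principal is IAM Admin,Principal Last Used,Password Enabled,Access Key 1 Active,Access Key 1 Last Rotated
alice,IAMUser,TRUE,2024-05-30,TRUE,TRUE,2024-04-15
deploy-bot,IAMUser,TRUE,2024-05-31,FALSE,TRUE,2023-11-02
old-contractor,IAMUser,TRUE,2023-12-20,TRUE,TRUE,2023-06-01
OrgAdminRole,IAMRole,TRUE,N/A,N/A,N/A,N/A
readonly-auditor,IAMUser,FALSE,2024-05-29,TRUE,FALSE,N/A
"""

# Constructed CloudTrail records, reduced to the fields the check needs.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-05-30T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-20T09:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-31T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"userName": "deploy-bot"}},
]

READ_ONLY_PREFIXES = ("Get", "List", "Generate", "Simulate")   # IAM calls that do not administer


def parse_date(value):
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def last_iam_admin_action(events, principal):
    """Most recent IAM *write* call by this principal in CloudTrail, or None."""
    times = [
        datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for e in events
        if e["eventSource"] == "iam.amazonaws.com"
        and e["userIdentity"].get("userName") == principal
        and not e["eventName"].startswith(READ_ONLY_PREFIXES)
    ]
    return max(times) if times else None


def review_admins(csv_text, events, now=NOW):
    """Return one finding per IAM admin with the review flags that apply to it."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Principal is IAM Admin"].upper() != "TRUE":
            continue                                  # question 1 starts from admins only
        flags = []
        last_used = parse_date(row["Principal Last Used"])
        if last_used is None or now - last_used > UNUSED_AFTER:
            flags.append("unused")                    # question 2
        if row["Principal Type"] == "IAMUser":        # question 3: only users hold credentials
            if row["Password Enabled"].upper() == "TRUE":
                flags.append("has-password")
            if row["Access Key 1 Active"].upper() == "TRUE":
                rotated = parse_date(row["Access Key 1 Last Rotated"])
                if rotated is None or now - rotated > ROTATE_AFTER:
                    flags.append("key-needs-rotation")
        admin_action = last_iam_admin_action(events, row["Principal Name"])
        if admin_action is None or now - admin_action > UNUSED_AFTER:
            flags.append("no-recent-iam-admin-activity")   # question 4
        findings.append({"principal": row["Principal Name"],
                         "type": row["Principal Type"], "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in review_admins(PRINCIPALS_CSV, CLOUDTRAIL_EVENTS):
        print(json.dumps(finding))
```

With the constructed data, `alice` is a live admin who only needs her password reviewed, `deploy-bot` has an old access key and has never called an IAM write API (a candidate for the “Deny IAM Admin” quick fix), and `old-contractor` and `OrgAdminRole` are unused admins to deprovision. Role activity appears in CloudTrail under the assumed-role session rather than a `userName`, so extend `last_iam_admin_action` to match on the session’s role ARN if you apply this to roles.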

    Remediation Steps

    If you identify excess IAM administrators or those with unnecessary privileges, consider these remediation steps:

    1. Quick Fix: Deny IAM administration permissions:
      • Create a ‘Deny IAM Admin’ managed or inline policy document using k9’s policy generators, as described in Kata 1
      • Attach the ‘Deny IAM Admin’ policy to the relevant IAM roles or users.
    2. Implement Least Privilege in the Identity policy:
      • Review each identified IAM administrator’s actual usage and identity policies to determine if they require IAM administration capabilities.
      • For principals that don’t need full or even partial admin access, create custom policies with only the necessary permissions.
    3. Deactivate Unused Principals:
      • For IAM users or roles that are no longer needed, follow your organization’s deprovisioning process.
      • This may include removing the principal from all IAM groups, detaching policies, and deleting the user or role if appropriate.
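The quick fix in step 1 and the deprovisioning in step 3 can be automated with the AWS IAM API. The following is an added example, not k9 Security’s policy generator or MontyCloud code: it builds an explicit-deny policy over IAM write actions (the action list is an assumption approximating “IAM administration”), attaches it with the `create_policy` / `attach_user_policy` calls a boto3 IAM client exposes, and removes an unused user in the order AWS requires before `DeleteUser` will succeed. The `RecordingIAM` class is a constructed offline stand-in with the same method names and keyword arguments as the boto3 client, so the block runs without AWS credentials; pass a real `boto3.client("iam")` in its place to execute the changes.

```python
"""Quick fix and deprovisioning for excess IAM administrators.

Added example, not k9 Security's or MontyCloud's code. IAM_ADMIN_ACTIONS is an
assumption approximating "IAM administration"; RecordingIAM is a constructed
stand-in for boto3's IAM client that only records calls.
"""
import json

# Assumption: the IAM write actions that let a principal change who has what access.
IAM_ADMIN_ACTIONS = [
    "iam:Add*", "iam:Attach*", "iam:Create*", "iam:Delete*", "iam:Detach*",
    "iam:Put*", "iam:Remove*", "iam:Set*", "iam:Update*", "iam:Upload*",
    "iam:Tag*", "iam:Untag*", "iam:DeactivateMFADevice", "iam:EnableMFADevice",
]


def deny_iam_admin_policy():
    """Explicit Deny beats any Allow, so attaching this strips IAM administration
    without touching the principal's other permissions (its Allow policies stay)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyIAMAdmin", "Effect": "Deny",
        "Action": IAM_ADMIN_ACTIONS, "Resource": "*"}]}


def quick_fix(iam, user_name, policy_name="DenyIAMAdmin"):
    """Step 1: create the customer-managed deny policy and attach it to the user.
    For a role, use iam.attach_role_policy(RoleName=..., PolicyArn=...) instead."""
    created = iam.create_policy(PolicyName=policy_name,
                                PolicyDocument=json.dumps(deny_iam_admin_policy()))
    arn = created["Policy"]["Arn"]
    iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    return arn


def deprovision_user(iam, user_name):
    """Step 3: DeleteUser is refused (DeleteConflict) until every dependency is gone,
    so strip them first. Signing certificates, SSH public keys and service-specific
    credentials need the same treatment if the user has any."""
    for g in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        iam.remove_user_from_group(GroupName=g["GroupName"], UserName=user_name)
    for p in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user_name, PolicyArn=p["PolicyArn"])
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        iam.delete_user_policy(UserName=user_name, PolicyName=name)
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
    for m in iam.list_mfa_devices(UserName=user_name)["MFADevices"]:
        iam.deactivate_mfa_device(UserName=user_name, SerialNumber=m["SerialNumber"])
    try:
        iam.delete_login_profile(UserName=user_name)      # console password
    except iam.exceptions.NoSuchEntityException:
        pass                                              # user never had one
    iam.delete_user(UserName=user_name)


class RecordingIAM:
    """Constructed offline stand-in for boto3's IAM client: same method names and
    keyword arguments, but it only records the mutating calls in order."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, groups=(), attached=(), inline=(), keys=(), mfa=(), has_password=False):
        self._groups, self._attached, self._inline = list(groups), list(attached), list(inline)
        self._keys, self._mfa, self._password = list(keys), list(mfa), has_password
        self.calls = []

    def _record(self, name, **kw):
        self.calls.append((name, kw))

    def create_policy(self, **kw):
        self._record("create_policy", **kw)
        return {"Policy": {"Arn": "arn:aws:iam::123456789012:policy/" + kw["PolicyName"]}}
    def attach_user_policy(self, **kw): self._record("attach_user_policy", **kw)
    def list_groups_for_user(self, **kw): return {"Groups": [{"GroupName": g} for g in self._groups]}
    def remove_user_from_group(self, **kw): self._record("remove_user_from_group", **kw)
    def list_attached_user_policies(self, **kw): return {"AttachedPolicies": [{"PolicyArn": a} for a in self._attached]}
    def detach_user_policy(self, **kw): self._record("detach_user_policy", **kw)
    def list_user_policies(self, **kw): return {"PolicyNames": self._inline}
    def delete_user_policy(self, **kw): self._record("delete_user_policy", **kw)
    def list_access_keys(self, **kw): return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self._keys]}
    def delete_access_key(self, **kw): self._record("delete_access_key", **kw)
    def list_mfa_devices(self, **kw): return {"MFADevices": [{"SerialNumber": s} for s in self._mfa]}
    def deactivate_mfa_device(self, **kw): self._record("deactivate_mfa_device", **kw)
    def delete_login_profile(self, **kw):
        if not self._password:
            raise self.exceptions.NoSuchEntityException()
        self._record("delete_login_profile", **kw)
    def delete_user(self, **kw): self._record("delete_user", **kw)


if __name__ == "__main__":
    # Constructed state for a leftover contractor user: one group, one managed policy,
    # one access key (fake ID) and a console password.
    iam = RecordingIAM(groups=["Admins"], attached=["arn:aws:iam::aws:policy/AdministratorAccess"],
                       keys=["AKIAEXAMPLE"], has_password=True)
    quick_fix(iam, "deploy-bot")
    deprovision_user(iam, "old-contractor")
    for name, kw in iam.calls:
        print(name, kw)
```

Prefer the deny quick fix for principals that are still in use but should not administer IAM, and reserve deprovisioning for principals the review showed to be unused; in both cases run the change against a recording client first and keep the call log as the change record for the client’s report.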

    Beyond identifying IAM admins, k9 has additional capabilities that directly support IAM security best practices by identifying and remediating:

    • Long-term IAM access key and password credentials
    • Unused IAM users and roles
    • Over-permissioned principals with excessive access to AWS APIs and data
    • Overly-accessible data sources that can be accessed by unintended principals; supported data sources include: S3 buckets, KMS encryption keys, DynamoDB tables, and RDS database clusters.

    By leveraging the MontyCloud DAY2 and k9 Security integration, you can automate the tedious and difficult work of IAM governance, and effectively manage risk to the applications and data in each AWS account by continuously reviewing and adjusting access to the account’s APIs. This approach helps maintain a strong security posture and reduce risk across all your managed AWS accounts.

    Having examined the features and processes enabled by this integration, it’s important to consider the tangible benefits it brings to MSPs. Let’s look at the return on investment you can expect.

    The ROI for MSPs

    Implementing this solution offers tangible benefits that directly impact your bottom line:

    • Revenue Expansion: Quickly identify IAM security improvement projects, allowing you to offer additional high-value services to your clients that increase billable hours and build stronger client relationships.
    • Client Retention: Demonstrate your value through improved security posture and detailed reporting. Remove customer dependencies on additional IAM security partners.
    • Time Savings: Automate time-consuming IAM tasks, freeing up your team for higher-value activities.
    • Enhanced Security: Proactively identify and address essential cloud security risks, reducing the likelihood of security incidents without unactionable alerts.
    • Scalability: Manage more client accounts without a proportional increase in staff or resources.

    Conclusion: Transforming IAM Management

    The MontyCloud DAY2 and k9 Security integration is a significant leap forward in IAM Access Governance for MSPs. By automating assessment, providing actionable insights, and streamlining reporting, this solution allows you to offer top-tier IAM management to your clients without the traditional overhead.

    In a landscape where security is paramount and efficiency is key, this integration gives you a competitive edge. It’s not just about managing IAM; it’s about elevating your entire service offering.

    Ready to revolutionize your approach to IAM Access Governance? Contact MontyCloud to see firsthand how this integration can transform your MSP business and enhance your cloud security offerings.