Go Fast, Safely

k9 Security helps engineers understand and improve AWS security policies so that you can protect your data, quickly and confidently.

k9 does this by simplifying the complex AWS security model and reducing the time and effort to improve policies with easy-to-use policy generation libraries, actionable analysis, and professional support.

The Nature of The Problem

DevOps practices help your organization deliver changes to customers quickly, at high throughput, with lower risk — hypothetically. However, application decomposition and increasing rates of change mean the old security and risk management practices don’t scale. Here are just a few of the challenges you are likely facing:

The Rate Of Change With Applications Is Rapid

It’s difficult if not impossible to keep up with the volume of change happening within the company, especially new applications that use new Cloud services.

Manual policy development and inspection simply

Does. Not. Scale.

Cloud IAM Systems Are Complex In Many Ways

Cloud IAM systems are very complex, difficult to validate, and risky to test.

Even your Cloud Security Engineer has trouble working out what access a given policy actually allows in your environment, how it interacts with other applications, and how new capabilities launched by AWS change the picture.

Summarizing Access Control Problems Is Hard

It’s difficult to summarize access control problems for your own direct analysis let alone in a way that you can easily share with your own team or other teams.

Modeling thousands of AWS API actions and their effects from scratch wastes your time.

We know you have questions coming at you all day from teams trying to get their applications deployed and that they don’t know as much about AWS Cloud Security as maybe they should. They may even think security is someone else’s job (yours?).

We also know that you want to reduce chaos and urgent work that disrupts building your platform or puts you in the news.

k9 was built to help you and your platform’s users collaborate, ship safely, and sleep well.

Practice Safe DevOps

k9 is like having an AWS Security expert integrated into your delivery workflow, providing deep and tireless security expertise, the visibility you need, and advising you about the actual security of your resources.

Platform and Application teams deliver more securely with k9

  • Declare your intended access and verify it happened, using a consistent access capability language
  • Answer ‘simple’ questions with very complex answers, like “who has access to what data, compute resources, and APIs?”, and understand the risk of that access
  • Scale application and platform security review processes out to the people who know the domain best and are responsible for the application, but are not experts in AWS
  • Adopt easy-to-use, secure resource and security policy management libraries (Terraform) in automated delivery pipelines
  • Say “yes, here’s how” to application teams while effectively managing access control risk with a minimum of effort, during normal business hours
  • Find access control problems on the Cloud platform quickly and offer quick-to-implement solutions
  • Address the ‘open secret’ that automation’s power is often ahead of the access controls: can the CI/CD system or an engineer destroy production accidentally or maliciously?

Accelerate application and infrastructure delivery and improve security.

Simplify the Complex AWS Access Control Model

k9 reports what access each application and person has to each Cloud resource in language everyone can understand.

This accurate, automated analysis eliminates the need for mind-bending IAM thought experiments and tedious, time consuming manual report generation.

Use this same language to configure k9 infrastructure code libraries to generate least privilege policies.

Examples

  • the ci user has administer-resource, delete-data, read-data for all resources (should it? what about the prod DB?)
  • the security-audit role has read-data for all resources
  • the ecommerce-web role has write-data and read-data for only the orders bucket

Robust Policy Automation

Improve your security policies by using k9's infrastructure automation libraries to specify your intended access clearly and let k9 take care of generating a least privilege security policy.  See k9 Security's Terraform libraries on GitHub.

Least privilege access policy? ✓ Done.

Code review? ✓ Done.

Simple Daily Reporting

k9 assesses your entire AWS IAM ecosystem nightly, and publishes a report to your own secure inbox in S3.

Pivot, filter, slice, and dice with tools and data you already use.

Load the JSON format into your SIEM for monitoring. Use the Excel format (sample) for quick, interactive analysis.

Certified 3rd party access audit? ✓ Done.

Need to know when a principal was last used? ✓ Done.

Who has access to what data?

How k9 Works

The k9 access inventory generation process pulls data from the AWS IAM and data services for your account and summarizes it once you’ve provided k9 access (sample report in xlsx). The inventory process enumerates IAM entities and assesses access to the resource types supported by k9. The assessment process uses the IAM policy simulation API to ask AWS who has access to what, which is really the only way to be sure about such things. This description glosses over a lot of detail: the assessment process requires deep knowledge of the AWS security model, careful data modeling, and usually a large number of queries to the IAM service, even when highly optimized (don’t worry: AWS IAM API usage is free).

The inventory generation process runs at least once per 24-hour period in which there are changes to IAM or resources. The inventory process generates a report that is encrypted with the customer’s KMS encryption key and stored in an internal k9-managed S3 bucket. This report is then delivered to a customer-managed Secure Inbox implemented using an S3 bucket and KMS.

k9 summarizes each IAM user or role’s provisioned access to AWS resources into a small number of access capabilities:

  • administer-resource
  • use-resource
  • read-data
  • write-data
  • delete-data
  • unclassified-access

Certain actions may classify to multiple capabilities. For example, the rds:DeleteDBCluster action classifies to both delete-data and administer-resource because deleting the DB cluster deletes both the DB instances and the cluster’s data volume. Quick question: who can delete your production data?
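The classification step described above, as an added example that is not k9 Security's code: a small Python module that expands the action patterns in an IAM policy document, maps each concrete action to one or more of the six capabilities, and renders the result in the same "the ci user has administer-resource, delete-data, read-data for all resources" style as the Examples section. The action-to-capability table is a constructed sample, not k9's real mapping, and the two policies at the bottom are constructed inputs. Only Allow statements contribute, so the summary is an upper bound on access; a Deny elsewhere, a condition, or a resource policy can narrow it, which is exactly why the real answer comes from the IAM policy simulation API rather than from static reading.

```python
"""Summarize IAM policy actions into coarse access capabilities.

Added example, not k9 Security's code. CAPABILITY_TABLE is a constructed
sample of a few actions; a real table covers thousands of AWS API actions.
"""
from fnmatch import fnmatch

ADMINISTER_RESOURCE = "administer-resource"
USE_RESOURCE = "use-resource"
READ_DATA = "read-data"
WRITE_DATA = "write-data"
DELETE_DATA = "delete-data"
UNCLASSIFIED = "unclassified-access"
ALL_CAPABILITIES = {ADMINISTER_RESOURCE, USE_RESOURCE, READ_DATA,
                    WRITE_DATA, DELETE_DATA, UNCLASSIFIED}

# Constructed sample classification (assumption, not k9's table). One action
# may map to several capabilities, as the page notes for rds:DeleteDBCluster.
CAPABILITY_TABLE = {
    "s3:GetObject": {READ_DATA},
    "s3:ListBucket": {READ_DATA},
    "s3:PutObject": {WRITE_DATA},
    "s3:DeleteObject": {DELETE_DATA},
    "s3:DeleteBucket": {DELETE_DATA, ADMINISTER_RESOURCE},
    "s3:PutBucketPolicy": {ADMINISTER_RESOURCE},
    "rds:DescribeDBClusters": {USE_RESOURCE},
    "rds:CreateDBCluster": {ADMINISTER_RESOURCE},
    "rds:DeleteDBCluster": {DELETE_DATA, ADMINISTER_RESOURCE},
    "iam:CreateRole": {ADMINISTER_RESOURCE},
    "lambda:InvokeFunction": {USE_RESOURCE},
}


def expand_action(pattern):
    """Expand an IAM action pattern ('s3:*', 's3:Get*') against the table.

    IAM matches action names case-insensitively, so both sides are lowered.
    A literal action, or a wildcard that matches nothing we know, is returned
    as-is so the caller reports it as unclassified-access rather than dropping it.
    """
    if "*" in pattern or "?" in pattern:
        matches = sorted(a for a in CAPABILITY_TABLE
                         if fnmatch(a.lower(), pattern.lower()))
        return matches or [pattern]
    return [pattern]


def classify_actions(actions):
    """Return the set of capabilities granted by a list of action patterns."""
    caps = set()
    for pattern in actions:
        for action in expand_action(pattern):
            caps |= CAPABILITY_TABLE.get(action, {UNCLASSIFIED})
    return caps


def summarize_policy(policy):
    """Summarize an IAM policy document (dict) as {capability: set(resource ARNs)}.

    Only Allow statements contribute, so this is an upper bound on access.
    """
    summary = {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny narrows access; left to the policy simulator
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "NotAction" in stmt:
            # "everything except these" is treated conservatively as all capabilities
            caps = set(ALL_CAPABILITIES)
        else:
            actions = stmt.get("Action", [])
            caps = classify_actions([actions] if isinstance(actions, str) else actions)
        for cap in caps:
            summary.setdefault(cap, set()).update(resources)
    return summary


def describe(principal, summary):
    """Render a summary as one sentence, grouping capabilities by resource scope."""
    by_scope = {}
    for cap, resources in summary.items():
        by_scope.setdefault(frozenset(resources), []).append(cap)
    clauses = []
    for scope, caps in sorted(by_scope.items(), key=lambda kv: sorted(kv[0])):
        where = "all resources" if "*" in scope else "only " + ", ".join(sorted(scope))
        clauses.append(", ".join(sorted(caps)) + " for " + where)
    return f"the {principal} has " + "; ".join(clauses)


# Constructed sample policies (not from any real account).
CI_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "rds:DeleteDBCluster"],
                   "Resource": "*"}],
}
ECOMMERCE_WEB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::orders", "arn:aws:s3:::orders/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(describe("ci user", summarize_policy(CI_USER_POLICY)))
    print(describe("ecommerce-web role", summarize_policy(ECOMMERCE_WEB_POLICY)))
```

Run as a script it prints the two summary lines; the interesting case is the `s3:*` grant, which quietly carries delete-data and administer-resource along with the read and write access the author of that policy probably had in mind.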

Interested in learning more about how k9 works? Check out our How k9 Works page.

Getting Started

Our simple setup process will have you up and improving quickly (days, not weeks).

Create Account

Whether a limited trial or a full account, our signup process is straightforward and simple.

Configure Access

Configure k9 access to your company AWS IAM using our simple process.

Assess

Daily assessments of your accounts are delivered to your secure inbox (S3 bucket).

Improve Policies

Use k9 access reports, automation libraries, and pro support to improve security.

Ready To Take Control Of AWS IAM?