k9 Security FAQ

The k9 Security FAQ answers common questions about k9.

Please contact us for additional details or questions. We’d love to discuss AWS security with you!

Does k9 Security help organizations without deep expertise in AWS security tools and services?

Yes! k9 Security is absolutely designed for organizations without deep expertise in AWS security and for organizations that need to simplify and scale out their security program.

Learn more about how k9 relates to and enhances native AWS security services.

How does k9 help Enterprises using on-premise identities and security policies managed via SSO?

k9 helps Enterprises access review for identities managed outside of AWS by simplifying several common jobs:
• Identify privileged principals easily for monitoring and alerting
• Identify unused principals for cleanup by identifying when it was last used (across console, api key, assume role)
• Report access in a form that can be joined with logs from your Identity Provider or Cloudtrail in your existing SIEM to show, e.g. what access ActiveDirectory users/groups have – happy to work with you on this.
• Identify who has access to critical or confidential data

k9 helps you answer a ‘simple’ challenging question: Who has access to APIs and our data in AWS?

k9’s answers are:
• simple for people to understand
• designed to be joined to your existing data sources and analysis workflows in Splunk, Datadog, Athena / QuickSight, etc

k9 is not trying to add another pane of glass. k9 makes your existing analysis and alerting systems better.

Can we use k9’s infrastructure code libraries independently of the SaaS monitoring service?

Yes! The k9 Terraform and CDK infrastructure code libraries are free to use and licensed as Apache2. k9 assists customer adoption of our infra code libraries, and the benefit of many years of experience helping teams migrate to and operate in AWS securely, including major banking operations.

k9 analysis services are delivered as a SaaS and procured via AWS marketplace so that you can easily add monitoring for AWS accounts as you need it – one at a time or the entire org. Add Enterprise professional services to a SaaS subscription to accelerate security architecture, policy development, or overhauling the security policies for an entire account.

Does k9 suggest improvements to existing policies? For example, AWS CloudTrail and AWS Access Analyzer helps organizations understand what AWS APIs principals are using.

No. k9 does not currently examine usage history and suggest a narrower policy.

Rather, k9 advocates application and cloud teams declaring a minimal set of intended access capabilities using the k9 infrastructure code libraries. Then the library can generate minimized policies for engineers.

k9 has explored automating policy minimization based on usage from within the k9 infrastructure libraries. However, that feature set has not been committed to the roadmap.

Does k9 analyze access to IAM roles across accounts?

Yes. k9 analyzes and reports external access across accounts to IAM roles in your AWS account. AWS Access Analyzer must be enabled in the monitored account (free).

k9 also reports internal access to IAM roles by other IAM users and roles within the account.

Details: Analyze Access to IAM roles with k9 Security