Supported Services
k9 reports access to an ever-growing set of AWS security, data, and compute services. This document helps customers understand k9’s current and planned coverage for AWS services and resources.
AWS Service Support Matrix
| Service Name | API Name(s) | Service Access | Resource Access |
|---|---|---|---|
| CloudTrail | cloudtrail | ✓ | N/A |
| Identity & Access Management (IAM) | iam | ✓ | N/A |
| Security Token Service (STS) | sts | ✓ | ✓
Access to all IAM roles with a trust policy is reported, both internal and external access (cross-account). |
| Key Management Service (KMS) | kms | ✓ | ✓ |
| Athena | athena | ✓ | Possible |
| Simple Storage Service (S3) | s3 | ✓ | ✓ |
| DynamoDB (DDB) DynamoDB Accelerator DynamoDB Streams |
dynamodb dax dynamodbstreams |
✓ | Planned 2021q2 |
| Relational Database Service (RDS) | rds rds-data rds-db |
✓ | Planned 2021q2 |
| Redshift | redshift | ✓ | Possible |
| Elastic Map Reduce (EMR) | elasticmapreduce | ✓ | Possible |
| Simple Queue Service (SQS) | sqs | ✓ | Possible |
| Kinesis Kinesis Analytics |
kinesis kinesisanalytics |
✓ | Possible |
| Elastic Compute Cloud (EC2) | ec2 | ✓ | N/A |
| Elastic Container Service (ECS) | ecs | ✓ | N/A |
| Elastic Kubernetes Service | eks | ✓ | N/A |
| Lambda | lambda | ✓ | Planned 2021q2 |
k9 analyzes access of an IAM user or role (principal) at two levels.
First, k9 reports whether an IAM principal is allowed to invoke a service’s actions irrespective of a particular resource. This is called service access. For example, an IAM role may have access to invoke S3 API write actions.
Second, k9 reports whether an IAM principal is allowed to invoke a service’s actions for a particular resource. This is called resource access. For example, an IAM role has access to invoke S3 write API actions on the sensitive-data bucket. When k9 reports resource level access, resource policies are included in the analysis of that access when the service supports resource policies (e.g. S3, KMS, SQS).
Roadmap
k9 expands AWS service coverage regularly and plans to support support the following services soon:
| Service Name | API Name(s) | Service Access | Resource Access |
|---|---|---|---|
| Elastic Container Registry (ECR) | ecr | Planned 2021q2 | Planned 2021q2 |
Summary
The k9 service coverage matrix and roadmap helps customers understand what k9 analyzes access to now and in the near future.
If a service that is important to you is not on our roadmap, please let us know. We’d love to understand your use cases and urgency so that we can prioritize coverage on the roadmap.
Contact Us
Please contact us with questions or comments. We’d love to discuss AWS security with you.