The k9 Security team spent the summer learning about Cloud practitioners’ problems with AWS security and building solutions to those problems into k9.
We’d like to share the most important enhancements with you, starting with k9 Security services:
AWS Security Policy Overhaul
We launched the AWS security policy overhaul service to help customers rapidly bring the identities used by applications and people in their existing AWS accounts up to best practice, and to set them up to maintain that state successfully.
k9’s analysis process now handles very large AWS accounts with hundreds of IAM principals and many data sources. This helps Cloud and Security teams understand what’s possible, even in the ‘kitchen sink’ account.
Analyze access to KMS keys
k9 now reports how each KMS encryption key may be used so that engineers can identify overly accessible data quickly.
IAM role or user last used
k9 now reports when an IAM role or user was last used so you can decommission unused principals or identify unexpected use. This last-used data covers many usage scenarios, including role assumption, console login, and API key use.
Automate Best Practices
k9 is building Terraform modules that generate resource and policy configurations aligned with best practice. These include:
- The AWS S3 buckets module, which Cloud engineers use to quickly create a secure S3 bucket configuration and a least-privilege bucket policy
- The context module, which helps Cloud teams capture the context they need to manage resources on any Cloud as described in the Guide to Tagging Cloud Deployments
These enhancements rolled out over the course of 2020q3, with more on the way.
k9 Security is building a knowledge base to help customers solve security problems. We hope you find these technical docs useful and are happy to answer questions.
Why good AWS security policies are difficult
Many technology teams struggle to configure AWS security as they intend. The article "Why are good AWS security policies so difficult?" explains why.
How to Organize Cloud Accounts
How to Organize Cloud Accounts for AWS, GCP, and Azure advises Cloud teams how and when to create management, fault, and security boundaries with Cloud accounts.
The guide shows how to organize a large organization’s Cloud accounts to deliver changes and operate safely.
Publish to SQS Across AWS Org Securely
Limiting access to an encrypted SQS queue to a particular AWS organizational unit (e.g. dev) is more difficult than it sounds because KMS and SQS resource policy conditions are inconsistent.
How to share an encrypted SQS queue across an AWS Organizational Unit steps Cloud engineers through the problem to a solution that provides "just enough" access to services running in different accounts of an AWS organizational unit while keeping data encrypted at rest.