Operationalize AWS IAM with Security Hub

Operationalize AWS IAM monitoring by integrating k9 Security’s IAM access change analysis with AWS Security Hub. AWS Security Hub collects security data from your AWS accounts, services, and third parties such as k9 Security so that you can check your environment against security industry standards and best practices.

k9 Security’s IAM Access Analyzer now sends access analysis findings to Security Hub once you enable integration. Then you can review and remediate those findings within Security Hub or another integrated tool.

How k9 Security sends IAM access analysis findings to Security Hub

Block Diagram: k9 analyzes IAM access to APIs and resources in the customer's monitored account.  Then it sends findings to Security Hub in the customer's Security account.  k9 also delivers reports to the Security account and sends email notification to the customer team.
How k9 Security analyzes IAM and sends findings to AWS Security Hub

Security Hub tracks potential security issues as findings. k9 Security sends findings for important IAM access changes such as an IAM user or role becoming an IAM administrator.

Security Hub Finding: IAM admin added
k9 Security Finding: IAM administrator added

The preceding image shows a finding for an IAM role that has been granted IAM administration capabilities. The finding’s description explains the implications of that change. The Notes section directs the analyst or engineer to k9 Security’s process for reviewing IAM administrators and questions to ask.

Further, each finding is classified into one or more finding types based on the MITRE ATT&CK® framework.

For example, the “IAM administrator added” finding is classified into two types:

  • Software and Configuration Checks/AWS Security Best Practices
  • TTPs/Privilege Escalation

These finding types allow analysts to focus on particular threats.
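
One way to use these finding types during triage, as an added example that is not k9 Security's or AWS's own code: the functions below select findings exported in AWS Security Finding Format (ASFF) by type and order them by severity, and build the matching `Filters` argument for the Security Hub GetFindings API. The sample findings, their IDs, severities and workflow states are constructed; only the title and the two type strings of the first finding come from this page.

```python
# Added example: triage Security Hub findings (ASFF) by finding type.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}
OPEN_STATES = ("NEW", "NOTIFIED")  # workflow states that still need an analyst

def sample(fid, title, types, severity, status):
    """Build a minimal ASFF-shaped finding (constructed test data)."""
    return {"Id": fid, "Title": title, "Types": types, "RecordState": "ACTIVE",
            "Severity": {"Label": severity}, "Workflow": {"Status": status}}

# Constructed findings; severities and workflow states are assumptions.
SAMPLE_FINDINGS = [
    sample("example-1", "IAM administrator added",
           ["Software and Configuration Checks/AWS Security Best Practices",
            "TTPs/Privilege Escalation"], "HIGH", "NEW"),
    sample("example-2", "Constructed configuration check",
           ["Software and Configuration Checks/AWS Security Best Practices"], "MEDIUM", "NEW"),
    sample("example-3", "Constructed escalation finding",
           ["TTPs/Privilege Escalation"], "CRITICAL", "NOTIFIED"),
    sample("example-4", "Constructed resolved finding",
           ["TTPs/Privilege Escalation"], "CRITICAL", "RESOLVED"),
]

def type_matches(finding_type, prefix):
    """True when prefix is the whole type or a whole leading path segment of it."""
    return finding_type == prefix or finding_type.startswith(prefix.rstrip("/") + "/")

def triage_queue(findings, type_prefix):
    """Active, still-open findings of the given type, most severe first."""
    selected = [
        f for f in findings
        if f.get("RecordState") == "ACTIVE"
        and f.get("Workflow", {}).get("Status") in OPEN_STATES
        and any(type_matches(t, type_prefix) for t in f.get("Types", []))
    ]
    return sorted(selected,
                  key=lambda f: SEVERITY_ORDER.get(f.get("Severity", {}).get("Label"), 5))

def get_findings_filter(type_prefix):
    """Filters argument for Security Hub GetFindings selecting the same findings.
    Note: the API's PREFIX comparison is a plain string prefix, not segment-aware."""
    return {
        "Type": [{"Value": type_prefix, "Comparison": "PREFIX"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": s, "Comparison": "EQUALS"} for s in OPEN_STATES],
    }

if __name__ == "__main__":
    for f in triage_queue(SAMPLE_FINDINGS, "TTPs/Privilege Escalation"):
        print(f["Severity"]["Label"], f["Id"], f["Title"])
```
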

Enable k9 Security integration with Security Hub

To receive k9 Security’s access change notifications in Security Hub:

  1. Enable Security Hub in each monitored AWS account
  2. Subscribe to k9 Security in AWS Marketplace
  3. Configure k9 Security report and notification delivery using CloudFormation
  4. Configure k9 Security IAM access monitoring for accounts using CloudFormation
  5. Subscribe to k9 Security findings by navigating to the k9 Security option in the Security Hub Integrations in the AWS console and clicking ‘Accept Findings’
Accept k9 Security findings in Security Hub integrations

This guide walks you through the subscription and configuration steps. Initial configuration usually takes less than one hour. We are happy to help ([email protected]).