MontyCloud Blog

MontyCloud | k9 Security | AWS IAM Access Governance

Written by Nikhil Babu | Nov 6, 2024 8:51:27 PM

For Managed Service Providers (MSPs), managing Identity and Access Management (IAM) across multiple Amazon AWS customer accounts presents a unique set of challenges. The complexity of maintaining secure, compliant environments multiplies with each cloud account you manage.

This is where the powerful combination of k9 Security and MontyCloud DAY2 transforms how MSPs approach IAM governance. 


In this blog we share our approach to simplifying AWS IAM governance so MSPs can spend their valuable time optimizing customer environments instead of doing the undifferentiated heavy lifting involved in traditional approaches to access management.

K9 Security, a specialized cloud access management solution, is now integrated seamlessly with MontyCloud's DAY2 platform - a No-Code Autonomous CloudOps Platform that empowers MSPs to efficiently manage multiple customer environments while gaining comprehensive insights into inventory, security, compliance, and costs. This integration enables MSPs to deliver superior IAM governance services without increasing operational overhead. 

 

Managing AWS IAM roles and permissions: a critical challenge for MSPs 

For MSPs, getting IAM security right across multiple customer accounts is particularly challenging. Understanding which applications and people have access to specific data and resources becomes exponentially complex when managing numerous AWS Cloud environments.

Often, security teams are stretched thin, struggling to: 

  • Learn about each customer’s unique cloud environment 
  • Architect appropriate security models at scale 
  • Acquire and implement the necessary security building blocks
  • Maintain consistent governance across all managed accounts 

Identity and Access Management frequently takes a backseat during the early stages of cloud adoption. Users and roles receive access as needed to enable rapid building and innovation, but comprehensive IAM access monitoring and governance strategies are rarely implemented at the beginning of a customer’s cloud journey. 

When working with AWS, the Identity and Access Management (IAM) service is critical for controlling resource access and permissions. However, managing IAM roles and permissions across multiple customer accounts creates several significant challenges: 

  1. Overly Permissive Access: IAM roles with excessive permissions can expose customer cloud environments to unnecessary risks, including data breaches, accidental modifications, or malicious activities. 
  2. Insufficient Access: Conversely, overly restricted IAM roles can prevent users or applications from performing necessary tasks, leading to operational disruptions and customer dissatisfaction. 
  3. Outdated or Unused Permissions: As customer cloud environments evolve, IAM role permissions often become outdated or unnecessary. Regular reviews across multiple cloud accounts become increasingly complex. 
  4. Cross-Account Access Challenges: Managing permissions across different AWS accounts requires careful configuration to prevent unauthorized access while maintaining operational efficiency. Without it, MSPs face increased security vulnerabilities, operational inefficiencies, and growing complexity in managing permissions as environments evolve.
  5. Lack of Visibility and Auditing: MSPs need clear visibility into who has access to all client resources, along with detailed audit trails. Without this, they risk compliance issues, security blind spots, and challenges in investigating incidents effectively. 

How does the IAM Access Governance solution by k9 Security relate to AWS IAM Access Analyzer? 

While AWS IAM Access Analyzer provides basic monitoring of external access to AWS resources, the k9 Security and MontyCloud DAY2 integration offers MSPs a more comprehensive solution tailored to their unique needs. 

AWS IAM Access Analyzer focuses primarily on: 

  • Scanning resources and policies for external access 
  • Reporting specific IAM permissions for external principals 
  • Basic policy validation 

AWS IAM Access Governance by k9 Security from DAY2 enhances these capabilities with: 

Comprehensive Multi-Account Visibility: 

  1. Centralized view of access permissions across all customer AWS accounts 
  2. Clear visualization of access patterns and potential risks 
  3. Simplified reporting for client reviews and compliance requirements 

Proactive Risk Management: 

  1. Continuous monitoring across all managed environments 
  2. Real-time alerts for potential security issues 
  3. Early detection of permission drift and access anomalies 

MSP-Focused Actionable Recommendations: 

  1. Specific remediation steps tailored to managed services environments 
  2. Automated policy generation for common use cases 
  3. Scalable solutions for managing multiple customer accounts 

Figure 1. Surfaced IAM Security Findings by Type 

 

K9 Security's differentiated value for MSPs 

K9 Security builds upon AWS IAM Access Analyzer's foundation with features specifically designed for managed service providers: 

  • Simplified Access Model: A portable, cloud-agnostic capability model optimized for efficient review by MSP teams 
  • Risk-Based Analysis: Quick identification of privileged IAM principals and excessive access to critical data resources 
  • Scalable Security: Removes the need for dedicated security experts, enabling MSPs to scale their security offerings efficiently 

 

MontyCloud DAY2 and k9 Security integration: enhancing MSP operations 

The integration of k9 Security into MontyCloud DAY2 addresses specific MSP challenges in brownfield environments, providing: 

  • Deep visibility into effective IAM access across multiple customer accounts 
  • Streamlined deployment and management processes 
  • Consolidated reporting and monitoring capabilities 

This integration empowers MSPs to: 

  • Efficiently identify and monitor privileged principals across all managed accounts 
  • Streamline cleanup of unused principals through automated last-use detection 
  • Generate comprehensive reports that integrate with existing security tools 
  • Maintain clear visibility into critical data access across all customer cloud environments 

 

Implementation and Access 

MontyCloud delivers k9 Security through the IAM Governance Blueprint on the DAY2 platform, offering: 

  • Rapid deployment across multiple customer cloud accounts 
  • Automated analysis and report generation 
  • Secure storage of assessment results 
  • Easy access to comprehensive reports through the DAY2 interface 

 

Accessing IAM Audit Reports 

The integration provides MSPs with immediate access to valuable insights: 

  • Rapid initial analysis (minutes for small accounts, up to an hour for large environments) 
  • Daily automated assessments 
  • On-demand report generation capabilities 
  • Centralized access through the MontyCloud DAY2 platform 

 

Key Processes for MSPs 

Scale cloud access governance efficiently across multiple customers using optimized processes: 

  • Comprehensive access inventory review for AWS data & security services 
  • Privileged IAM user and role identification 
  • Unused credential detection and management 
  • Critical data store and encryption key access review 
  • Standardized access control implementation 

 

Principal Access Review Process 

K9 Security's resource access inventory provides clear visibility into data access patterns: 

  • Detailed principal identification and classification 
  • Service-level access capability mapping 
  • Resource-specific permission analysis 
  • Simplified access review workflows 

Easily view who has access to what data in AWS, and what kind of access they have, in terms everyone can understand.  

K9 Security analyses each AWS IAM user and role (IAM principal) in your AWS account and reports what access capability each principal has to supported services and resources. Each row in the principal access summary report contains:  

  • Principal name  
  • Principal unique identifier (ARN)  
  • Principal Type  
  • AWS Service Name  
  • Principal’s Access Capability to that service or resource 

You can see this information by opening the latest k9 Security resource access audit spreadsheet and navigating to the Principal Access Summaries worksheet. Once there, filter by Principal Name (e.g., AccountAdminAccessRole-Sandbox). 


Figure 2. Principal Access Summary for a Privileged role by k9 Security.

The excerpt in Figure 2 shows that the AccountAdminAccessRole-Sandbox IAM role has full access to the CloudTrail, IAM, and KMS services. That role has the capability to administer-resource, read-config, read-data, write-data, and delete-data in each of those services.  

At the bottom of Figure 2, you can also see that the role has those same capabilities for a KMS encryption key whose ARN ends in 9738. K9 Security also tells you who has access to specific resources such as KMS encryption keys and S3 buckets. K9 Security reports effective access net of all relevant identity, resource, permissions boundary, and (when available) service control policies. 

You can now execute simple, periodic reviews of the principal access summaries to verify each IAM user or role has the expected level of access. 

 

K9 Security IAM Audit Reports in visual representation

Figure 3. Assessment of Admin Privileges for IAM Principals

 

Figure 4. Assessment of resource types and associated IAM resources

 

Here’s another excerpt showing that AccountAdminAccessRole-Sandbox has full access to the AWS S3 API and a couple of buckets: 

Figure 5. Admin with privileged access to data in S3

 

When a principal has only a few access capabilities to an API or resource, that is reflected accordingly. Here is an excerpt of the k9-auditor role’s access to S3: 

Figure 6. Audit-level access to read configurations in S3

 

The k9-auditor role used to analyze AWS accounts has the capability to read configurations (read-config) about S3 buckets, and nothing more. 

Review principal access summaries periodically to verify that each IAM user or role has the expected, least-privilege set of permissions needed to perform its business function.
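To make the review described above concrete, here is an added Python example (not MontyCloud's or k9 Security's code) that parses a constructed principal access summary with the five columns listed earlier, flags principals that can administer, write or delete in security-critical services, and diffs each principal's effective access against an expected least-privilege baseline. It assumes one row per principal and service with a comma-separated capability list; the ARNs, the account ID, the baseline, and the app-uploader and stale-ci-user principals are made up for the example.

```python
import csv
import io
from collections import defaultdict

# Capability names from k9 Security's access model, as named on the page.
CAPABILITIES = ("administer-resource", "read-config", "read-data", "write-data", "delete-data")

# Services this review treats as security-critical (assumption for the example).
CRITICAL_SERVICES = {"IAM", "KMS", "CloudTrail", "S3"}

# Capabilities that warrant scrutiny on a critical service.
RISKY = {"administer-resource", "write-data", "delete-data"}

# Constructed sample of a Principal Access Summaries worksheet exported as CSV.
# Not a real export: account ID, ARNs and the last two principals are made up.
SAMPLE_CSV = """Principal Name,Principal ARN,Principal Type,AWS Service Name,Access Capability
AccountAdminAccessRole-Sandbox,arn:aws:iam::111111111111:role/AccountAdminAccessRole-Sandbox,IAMRole,IAM,"administer-resource,read-config,read-data,write-data,delete-data"
AccountAdminAccessRole-Sandbox,arn:aws:iam::111111111111:role/AccountAdminAccessRole-Sandbox,IAMRole,KMS,"administer-resource,read-config,read-data,write-data,delete-data"
AccountAdminAccessRole-Sandbox,arn:aws:iam::111111111111:role/AccountAdminAccessRole-Sandbox,IAMRole,CloudTrail,"administer-resource,read-config,read-data,write-data,delete-data"
AccountAdminAccessRole-Sandbox,arn:aws:iam::111111111111:role/AccountAdminAccessRole-Sandbox,IAMRole,S3,"administer-resource,read-config,read-data,write-data,delete-data"
k9-auditor,arn:aws:iam::111111111111:role/k9-auditor,IAMRole,S3,read-config
k9-auditor,arn:aws:iam::111111111111:role/k9-auditor,IAMRole,IAM,read-config
app-uploader,arn:aws:iam::111111111111:role/app-uploader,IAMRole,S3,"read-data,write-data"
stale-ci-user,arn:aws:iam::111111111111:user/stale-ci-user,IAMUser,KMS,read-data
"""

# Hypothetical least-privilege baseline agreed with the customer: the access
# each principal is *supposed* to have, keyed by principal and service.
EXPECTED = {
    "AccountAdminAccessRole-Sandbox": {svc: set(CAPABILITIES) for svc in CRITICAL_SERVICES},
    "k9-auditor": {"S3": {"read-config"}, "IAM": {"read-config"}},
    "app-uploader": {"S3": {"read-data"}},
}


def load_summary(text):
    """Parse the worksheet into {principal_name: {service: set(capabilities)}}.

    Rejects capability names outside the documented model so a malformed
    export cannot silently pass review as "no risky access".
    """
    access = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        caps = {c.strip() for c in row["Access Capability"].split(",") if c.strip()}
        unknown = caps - set(CAPABILITIES)
        if unknown:
            raise ValueError(f"unknown capability {sorted(unknown)} for {row['Principal Name']}")
        access[row["Principal Name"]][row["AWS Service Name"]] |= caps
    return access


def find_privileged(access):
    """Return {principal: [critical services]} where the principal can
    administer, write or delete, i.e. the candidates for a privileged-access review."""
    privileged = {}
    for principal, services in access.items():
        hits = sorted(svc for svc, caps in services.items()
                      if svc in CRITICAL_SERVICES and caps & RISKY)
        if hits:
            privileged[principal] = hits
    return privileged


def review_against_baseline(access, expected):
    """Compare observed effective access with the baseline.

    Returns a list of (principal, service, detail) findings: capabilities beyond
    the baseline for a known principal, or "not in baseline" for a principal the
    report shows but nobody has accounted for (a typical stale-credential signal).
    """
    findings = []
    for principal, services in access.items():
        if principal not in expected:
            findings.append((principal, "*", "not in baseline"))
            continue
        for svc, caps in services.items():
            extra = caps - expected[principal].get(svc, set())
            if extra:
                findings.append((principal, svc, ",".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    summary = load_summary(SAMPLE_CSV)
    for principal, services in find_privileged(summary).items():
        print(f"privileged: {principal} -> {', '.join(services)}")
    for principal, svc, detail in review_against_baseline(summary, EXPECTED):
        print(f"finding: {principal} [{svc}] {detail}")
```

Run as-is to see the admin role and app-uploader surfaced as privileged, app-uploader flagged for write-data on S3 beyond its baseline, and stale-ci-user flagged as unaccounted for; pointing `load_summary` at a real worksheet export and replacing `EXPECTED` with the customer's agreed baseline turns this into the periodic review the text recommends.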

 

Final thoughts

The MontyCloud DAY2 and k9 Security integration transforms how MSPs approach IAM governance by providing: 

  • Operational Efficiency: Streamlined management of multiple customers’ cloud environments 
  • Enhanced Security: Comprehensive visibility and control across all accounts 
  • Business Growth: New revenue opportunities through expanded security services 
  • Customer Satisfaction: Improved security posture and compliance reporting 
  • Scalable Solutions: Efficient management of growing customer portfolios 

 

Get started with IAM Governance from MontyCloud DAY2 

Transform your MSP's approach to IAM governance with a solution designed for scalability, security and efficiency. Whether you're managing a handful of customers or hundreds of AWS accounts, our integrated solution makes access governance simpler, more secure, and cost-effective. 

Ready to enhance your security service offerings? Request a demo here with the MontyCloud team today and discover how this integration can transform your MSP business.