Skip to content

Get Access Capabilities

You can get the current mapping of the k9 Access Capabilities for each supported service's permissions using the k9 API with:

GET /access-capabilities (Try it!)

This mapping is useful for showing people how k9 has classified each permission of an AWS service and answer questions like, "what does delete-data for RDS mean?"

k9 Security classifies AWS IAM permissions to one of these six capabilities:

  • administer-resource
  • read-config
  • use-resource
  • read-data
  • write-data
  • delete-data

The response is a map of each supported AWS service's permissions keyed by the service:

{
  "Athena": {
    "administer-resource": [
      "athena:CreateDataCatalog",
      "athena:CreateWorkGroup",
      "athena:DeleteDataCatalog",
      "athena:StopQueryExecution",
      "athena:UpdateDataCatalog",
      "athena:UpdateWorkGroup"
    ],
    "read-config": [
      "..."
    ],
    "read-data": [
      "athena:GetQueryResults",
      "athena:GetQueryResultsStream"
    ],
    "write-data": [
      "..."
    ],
    "...": {},
    "CAPABILITY_N": {}
  },
  "...": { },
  "SERVICE_N": { }
}

Request Headers

Set the Content-Type header to application/json

Request Path Parameters

Not Applicable

Request Body

Not Applicable

Response

Success

When you successfully request an access capabilties map, the API will respond with:

Response Status Code: 200 (OK)

Response Body (Example): complete response json (Nov 14, 2022)


Last update: March 28, 2024