Skip to content

Get Access Capabilities

You can get the current mapping of the k9 Access Capabilities for each supported service's permissions using the k9 API with:

GET /access-capabilities (Try it!)

This mapping is useful for showing people how k9 has classified each permission of an AWS service and answer questions like, "what does delete-data for RDS mean?"

k9 Security classifies AWS IAM permissions to one of these six capabilities:

  • administer-resource
  • read-config
  • use-resource
  • read-data
  • write-data
  • delete-data

The response is a map of each supported AWS service's permissions keyed by the service:

  "Athena": {
    "administer-resource": [
    "read-config": [
    "read-data": [
    "write-data": [
    "...": {},
    "CAPABILITY_N": {}
  "...": { },
  "SERVICE_N": { }

Request Headers

Set the Content-Type header to application/json

Request Path Parameters

Not Applicable

Request Body

Not Applicable



When you successfully request an access capabilties map, the API will respond with:

Response Status Code: 200 (OK)

Response Body (Example): complete response json (Nov 14, 2022)

Last update: May 20, 2024