Skip to content

AWS Security Hub Integration

k9 Security Logical Integration Architecture - Security Hub
Figure 1. Logical Integration Architecture for Security Hub

You can operationalize AWS IAM monitoring by integrating k9 Security’s IAM access change analysis with AWS Security Hub. AWS Security Hub collects security data from your AWS accounts, services, and third-parties such as k9 Security so that you can check your environment against security industry standards and best practices.

k9 Security’s IAM Access Analyzer sends access analysis findings to Security Hub once you enable the integration. Then you can review and remediate those findings within Security Hub or another integrated tool.

IAM access analysis findings

k9 Security sends findings for important IAM access changes such as an IAM user or role becoming an IAM administrator:

k9 Security Logical Integration Architecture - Security Hub
Figure 2. New IAM administrator finding in Security Hub

The finding shows an IAM role that has been granted IAM administration capabilities. The finding’s description explains the implications of that change. The Notes section directs the analyst or engineer to k9 Security’s process for reviewing IAM administrators and questions to ask.

Further, each finding is classified into one or more finding types based on the MITRE ATT&CK® framework.

For example, IAM administrator added finding classifies to two types:

  • Software and Configuration Checks/AWS Security Best Practices
  • TTPs/Privilege Escalation

These finding types allow analysts to focus on particular threats.

Getting Started

To receive k9 Security’s access change notifications in Security Hub:

  1. Enable Security Hub in each monitored AWS account
  2. Subscribe to k9 Security in AWS Marketplace
  3. Configure k9 Security report and notification delivery using CloudFormation
  4. Configure k9 Security IAM access monitoring for accounts using CloudFormation
  5. Subscribe to k9 Security findings by navigating to the k9 Security option in the Security Hub Integrations in the AWS console and clicking ‘Accept Findings’
k9 Security Logical Integration Architecture - Security Hub
Figure 3. Accept k9 Security findings in Security Hub integrations

Last update: September 16, 2024