AWS Security Hub Integration

k9 Security Logical Integration Architecture - Security Hub — Figure 1. Logical Integration Architecture for Security Hub

You can operationalize AWS IAM monitoring by integrating k9 Security’s IAM access change analysis with AWS Security Hub. AWS Security Hub collects security data from your AWS accounts, services, and third-parties such as k9 Security so that you can check your environment against security industry standards and best practices.

k9 Security’s IAM Access Analyzer sends access analysis findings to Security Hub once you enable the integration. Then you can review and remediate those findings within Security Hub or another integrated tool.

IAM access analysis findings

k9 Security sends findings for important IAM access changes such as an IAM user or role becoming an IAM administrator:

The finding shows an IAM role that has been granted IAM administration capabilities. The finding’s description explains the implications of that change. The Notes section directs the analyst or engineer to k9 Security’s process for reviewing IAM administrators and questions to ask.

Further, each finding is classified into one or more finding types based on the MITRE ATT&CK® framework.

For example, IAM administrator added finding classifies to two types:

Software and Configuration Checks/AWS Security Best Practices
TTPs/Privilege Escalation

These finding types allow analysts to focus on particular threats.

Getting Started

To receive k9 Security’s access change notifications in Security Hub:

Enable Security Hub in each monitored AWS account
Subscribe to k9 Security in AWS Marketplace
Configure k9 Security report and notification delivery using CloudFormation
Configure k9 Security IAM access monitoring for accounts using CloudFormation
Subscribe to k9 Security findings by navigating to the k9 Security option in the Security Hub Integrations in the AWS console and clicking ‘Accept Findings’

Last update: March 28, 2024