As AWS continues to evolve, new services and permissions are frequently introduced to enhance functionality and security. This blog provides a comprehensive recap of new sensitive permissions and services added in October 2024. Our intention in sharing this is to flag the most important releases to keep your eye on and update your permissions and access control policies accordingly.
Existing Services with New Sensitive Permissions
Amazon Pinpoint SMS and Voice
Service Type: Messaging and Communication
Permission: PutResourcePolicy
- Action: Grants permission to put a resource policy
- Mitre Tactic: Persistence
- Why it’s sensitive: Unauthorized access through changes in resource policies can pose significant security risks, particularly for use cases involving one-time passwords.
Amazon RDS
Service Type: Database Services
Permission: ModifyDBClusterSnapshotAttribute
- Action: Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Enables modification of the snapshot to allow another org to use it as part of restoration
Permission: ModifyDBSnapshotAttribute
- Action: Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Enables modification of the snapshot to allow another org to use it as part of restoration.
AWS IOT Core
Service Type: Internet of Things
Permission: AssociateSbomWithPackageVersion
- Action: AssociateSbomWithPackageVersion
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Allows changes to software dependencies that may introduce vulnerabilities in new package versions.
AWS Supply Chain
Service Type: Process Automation and Integration
Permission: UpdateDataIntegrationFlow
- Action: Grants permission to update the DataIntegrationFlow
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Allows mapping of data sources to targets, potentially directing data to a less-secure S3 bucket.
Permission: CreateDataIntegrationFlow
- Action: Grants permission to create DataIntegrationFlow that can transform from multiple sources to one target
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Allows mapping of data sources to targets, potentially directing data to a less-secure S3 bucket.
AWS Data Exchange
Service Type: Data and Analysis
Permission: CreateDataGrant
- Action: Grants permission to create a data grant
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Allows the creation of a data grant, which, once accepted, provides access to read, process, or transfer data.
Why it’s sensitive: Allows mapping of data sources to targets, potentially directing data to a less-secure S3 bucket.
New Services
AWS End User Messaging Social
Service Type: Messaging and Communication
Permission: AssociateWhatsAppBusinessAccount
- Action: Grants permission to associate a WhatsApp Business Account with your AWS account
- Mitre Tactic: Persistence
- Why it’s sensitive: Associates your “AWS business account” with WhatsApp, which becomes the source for persistence and exfiltration.
Conclusion
If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. As new permissions are released for pre-existing services, by default, your users gain access to that permission. If it is a sensitive permission, this can be risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.
To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.
If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.
