As AWS continues to evolve, new services and permissions are frequently introduced to enhance functionality and security. This blog provides a comprehensive recap of new sensitive permissions and services added in October 2024. Our intention in sharing this is to flag the most important releases to keep your eye on and update your permissions and access control policies accordingly.
Existing Services with New Sensitive Permissions
Amazon OpenSearch Service
Service Type: Data and Analytics
Permission: UpdateApplication
- Action: Grants permission to update an OpenSearch Application
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Updates an OpenSearch application, including its data sources (an optional parameter). Data sources associate S3 buckets with the application so that data in S3 can be queried and analyzed, which means data can be exfiltrated this way.
Permission: CreateApplication
- Action: Grants permission to create an OpenSearch Application
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Creates an OpenSearch application, which can set up data sources. Data sources associate S3 buckets with the application so that data in S3 can be queried and analyzed, which means data can be exfiltrated this way.
Amazon AppSync
Service Type: Messaging and Communication
Permission: CreateApi
- Action: Grants permission to create an API
- Mitre Tactic: Initial Access
- Why it’s sensitive: Allows creating new APIs, potentially exposing data, integrating with other services, and increasing security and cost risks if misused.
Permission: UpdateApi
- Action: Grants permission to update an API
- Mitre Tactic: Initial Access
- Why it’s sensitive: Just as CreateApi can open up access, updating an existing API can change its authorization settings so that it permits unauthorized access.
Amazon WorkMail
Service Type: Customer Engagement
Permission: DeleteIdentityCenterApplication
- Action: Grants permission to delete an Identity Center application
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Reverts to the old method of logging in, which can disrupt access management and revoke critical SSO functionality.
Amazon Connect
Service Type: Customer Engagement
Permission: AssociateAnalyticsDataSet
- Action: Grants permission to grant access and to associate a dataset with the specified AWS account
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Creates a resource share with an arbitrary AWS account, granting that account access to specific analytics data sets.
Amazon EC2
Service Type: Compute Services
Permission: AssociateSecurityGroupVpc
- Action: Grants permission to associate a security group with another VPC in the same Region
- Mitre Tactic: Lateral Movement
- Why it’s sensitive: Associating an existing security group with a new VPC could grant expanded inbound/outbound access to the VPC.
Amazon Managed Service for Prometheus
Service Type: Observability and Monitoring
Permission: UpdateScraper
- Action: Grants permission to update a scraper
- Mitre Tactic: Reconnaissance
- Why it’s sensitive: Modifying scraper configurations could redirect collected metrics or expand the scope of collected metrics.
New Services
Amazon Location Service Routes
Service Type: GeoSpatial Services
No sensitive permissions identified.
Amazon Location Service Maps
Service Type: GeoSpatial Services
No sensitive permissions identified.
Amazon Location Service Places
Service Type: GeoSpatial Services
No sensitive permissions identified.
Amazon OpenSearch
Service Type: Data and Analytics
No sensitive permissions identified.
Conclusion
If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. When a new permission is released for a pre-existing service, any identity whose policies already cover that service (for example through wildcard actions) gains the new permission by default. If it is a sensitive permission, this can be risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.
To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.
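As an added illustration (this is not Sonrai's code), the following Python script triages an IAM policy document offline and reports which of the October 2024 permissions listed above its Allow statements already cover through wildcards. The service prefixes in the action list are assumed and should be checked against the IAM Service Authorization Reference, and the sample policy is constructed for the demo.

```python
import fnmatch
import json

# Sensitive actions from the list above. Service prefixes are ASSUMED here;
# confirm each against the IAM Service Authorization Reference before use.
NEW_SENSITIVE_ACTIONS = [
    "opensearch:CreateApplication",
    "opensearch:UpdateApplication",
    "appsync:CreateApi",
    "appsync:UpdateApi",
    "workmail:DeleteIdentityCenterApplication",
    "connect:AssociateAnalyticsDataSet",
    "ec2:AssociateSecurityGroupVpc",
    "aps:UpdateScraper",
]


def _as_list(value):
    # IAM allows Statement, Action and NotAction to be a string or a list.
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_sensitive_actions(policy, sensitive=NEW_SENSITIVE_ACTIONS):
    """Map each sensitive action to the Allow patterns that cover it.
    Resource, Condition and Deny statements are ignored, so this is a
    triage of potential grants, not a full policy evaluation."""
    hits = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in sensitive:
            if "Action" in stmt:
                matched = [p for p in _as_list(stmt["Action"]) if action_matches(p, action)]
            else:  # NotAction: everything not listed is allowed
                excluded = any(action_matches(p, action) for p in _as_list(stmt.get("NotAction", [])))
                matched = [] if excluded else ["NotAction"]
            if matched:
                hits.setdefault(action, []).extend(matched)
    return hits


# Constructed sample policy: broad AppSync rights plus an OpenSearch update wildcard.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["appsync:*", "ec2:Describe*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "opensearch:Update*", "Resource": "*"}]}""")

if __name__ == "__main__":
    for act, pats in granted_sensitive_actions(SAMPLE_POLICY).items():
        print(f"{act} is already granted via {pats}")
```

Run it against your exported policy documents to find identities that silently picked up the new actions; the `NotAction` marker flags the common "everything except IAM" pattern, which grants every new action at once.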
If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.