As December 2024 comes to a close, we’re surfacing the latest updates to sensitive permissions and services from AWS. Keeping up with these changes is necessary for maintaining a strong cloud security posture and ensuring that sensitive permissions are managed with care. This month’s updates feature new sensitive permissions across existing services and several new AWS services that introduce potential risk vectors. Here’s the breakdown:
Existing Services with New Sensitive Permissions
AWS Access Analyzer
Service Type: Security and Compliance
Permission: access-analyzer:UpdateAnalyzer
- Action: Grants permission to modify an analyzer’s configuration.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: This permission allows changing an analyzer’s configuration, including which accounts it excludes, which lets a malicious actor evade detection by Access Analyzer.
Amazon GameLift
Service Type: Gaming
Permission: gamelift:CreateContainerFleet
- Action: Grants permission to create a fleet of containerized game servers. This permission includes the ability to define InstanceInboundPermissions, controlling inbound ports and IP ranges for the fleet.
- Mitre Tactic: Persistence
- Why it’s sensitive: Allows definition of inbound ports and IP ranges for container fleets, which could expose game servers to unauthorized access if misconfigured.
Permission: gamelift:UpdateContainerFleet
- Action: Grants permission to update inbound connection configurations for container fleets, including changes to ports and IP ranges.
- Mitre Tactic: Persistence
- Why it’s sensitive: Misconfiguration or misuse could lead to unauthorized network access. It could be exploited to modify network settings, potentially exposing resources to malicious actors.
Amazon SageMaker
Service Type: Machine Learning
Permission: sagemaker:CreatePartnerAppPresignedUrl
- Action: Grants permission to generate presigned URLs for accessing SageMaker Partner AI apps.
- Mitre Tactic: Initial Access
- Why it’s sensitive: Presigned URLs bypass standard authentication mechanisms, granting external access to specific resources. This can expose sensitive applications or data if URLs are intercepted or misused.
Amazon DataZone
Service Type: Data Management
Permission: datazone:CreateConnection
- Action: Grants permission to establish connections between DataZone environments and external resources.
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Enables linking of external resources, which could be leveraged for unauthorized data exfiltration.
Permission: datazone:UpdateConnection
- Action: Grants permission to update existing connections to external resources.
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Modifying connections could enable data exfiltration to unauthorized locations.
AWS Glue
Service Type: Data Integration
Permission: glue:CreateIntegration
- Action: Grants permission to create integrations for Zero-ETL data pipelines.
- Mitre Tactic: Persistence
- Why it’s sensitive: Can facilitate unauthorized data transfer between resources through misconfigured pipelines.
Amazon QBusiness
Service Type: Business Applications
Permission: qbusiness:AssociatePermission
- Action: Associates a resource-based policy statement with the application.
- Mitre Tactic: Persistence
- Why it’s sensitive: Enables cross-account roles to gain permissions for resources within the application, facilitating persistent access.
Permission: qbusiness:CreateDataAccessor
- Action: Creates a data accessor for the application.
- Mitre Tactic: Persistence
- Why it’s sensitive: Allows external IAM roles to access data, introducing an initial access risk.
Permission: qbusiness:UpdateDataAccessor
- Action: Updates data accessors within the application.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Enables expansion of existing permissions, potentially escalating access rights.
AWS Network Manager
Service Type: Networking
Permission: networkmanager:CreateDirectConnectGatewayAttachment
- Action: Grants permission to create a Direct Connect gateway attachment.
- Mitre Tactic: Lateral Movement
- Why it’s sensitive: Facilitates connections between cloud and on-premises networks, potentially enabling unauthorized lateral movement.
Permission: networkmanager:UpdateConnection
- Action: Grants permission to update existing network connections.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Misuse could expand permissions or network configurations, introducing security vulnerabilities.
Permission: networkmanager:DeleteConnection
- Action: Grants permission to delete network connections.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Could disrupt monitoring or security controls by removing established network pathways.
Amazon Omics
Service Type: Health Data Management
Permission: omics:PutS3AccessPolicy
- Action: Grants permission to modify S3 bucket access policies.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Could enable unauthorized access to sensitive health data stored in S3 buckets.
Permission: omics:UpdateSequenceStore
- Action: Grants permission to modify sequence store configurations, including associated S3 buckets.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Could redirect data storage to unauthorized locations or expose data to unauthorized users.
Amazon CloudFront
Service Type: Content Delivery
Permission: cloudfront:UpdateVpcOrigin
- Action: Grants permission to modify VPC origin configurations for CloudFront.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Could downgrade SSL protocols, exposing connections to interception or man-in-the-middle attacks.
AWS Config
Service Type: Configuration Management
Permission: config:PutServiceLinkedConfigurationRecorder
- Action: Grants permission to create or update resource tracking configurations.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Could be used to exclude specific resource types from compliance checks, hiding misconfigurations.
Permission: config:DisassociateResourceTypes
- Action: Grants permission to remove resource types from tracking by the configuration recorder.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Could prevent monitoring of critical resources, allowing unauthorized changes to go undetected.
Permission: config:DeleteServiceLinkedConfigurationRecorder
- Action: Grants permission to delete the service-linked configuration recorder.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Stops collection of information for an existing service but does not delete previously recorded data. This would prevent rules for resources of that service from detecting intentional misconfiguration of resources.
AWS Migration Hub
Service Type: Migration
Permission: mgh:AcceptConnection
- Action: Grants permission to accept connections initiated by external accounts.
- Mitre Tactic: Initial Access
- Why it’s sensitive: Could enable unauthorized cross-account access to resources.
Permission: mgh:BatchAssociateIamRoleWithConnection
- Action: Grants permission to associate IAM roles with connections in bulk.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Misuse of this permission could grant overly broad privileges to unauthorized users.
Permission: mgh:AssociateAutomationUnitRole
- Action: Grants permission to associate an IAM role with an automation unit.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: The automation unit requires the associated role to execute tasks. Misuse of this permission could allow unauthorized actions to be performed using the automation unit’s privileges.
Amazon EC2
Service Type: Compute
Permission: ec2:ModifyVpcBlockPublicAccessExclusion
- Action: Modifies exclusion lists for VPC public access.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Can enable inbound traffic by modifying access configurations.
Permission: ec2:CreateVpcBlockPublicAccessExclusion
- Action: Creates an exclusion list for blocked VPC public access.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Bypasses account-level public access blocks, potentially exposing resources to external threats.
Permission: ec2:ModifyVpcBlockPublicAccessOptions
- Action: Modifies VPC public access settings.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Could disable public access blocks, allowing unauthorized communication.
Amazon Re:Post
Service Type: Collaboration and Knowledge Sharing
Permission: repostspace:BatchAddRole
- Action: Grants permission to add a role to users and groups in a private Re:Post in your account.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: This permission has the same effect as RegisterAdmin when the role is ADMINISTRATOR, enabling the assignment of additional permissions to users and groups through predefined roles.
Permission: repostspace:BatchRemoveRole
- Action: Grants permission to remove a role from users and groups in a private Re:Post in your account.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: This permission has the same effect as DeregisterAdmin when the role is ADMINISTRATOR, allowing for the removal of critical permissions from users or groups.
AWS Wisdom
Service Type: Artificial Intelligence and Knowledge Management
Permission: wisdom:DeleteAIGuardrailVersion
- Action: Grants permission to delete an AI guardrail version.
- Mitre Tactic: Impact
- Why it’s sensitive: AI guardrails safeguard responses by filtering harmful or inappropriate content, limiting sensitive personal information, and reducing hallucinations. Deleting these settings could lead to the release of inappropriate or harmful information.
Permission: wisdom:UpdateAIGuardrail
- Action: Grants permission to update information about an AI guardrail.
- Mitre Tactic: Impact
- Why it’s sensitive: Updating guardrails could loosen safeguards, increasing the likelihood of inappropriate or harmful content being generated.
Permission: wisdom:DeleteAIGuardrail
- Action: Grants permission to delete an AI guardrail.
- Mitre Tactic: Impact
- Why it’s sensitive: Deleting guardrails removes critical protections, potentially allowing harmful or inappropriate responses.
Permission: wisdom:CreateAIGuardrail
- Action: Grants permission to create an AI guardrail.
- Mitre Tactic: Impact
- Why it’s sensitive: Guardrails define what is blocked, and any gaps in their creation could allow harmful inputs to generate malicious or inappropriate outputs.
Amazon QApps
Service Type: Application Management
Permission: qapps:UpdateQAppPermissions
- Action: Grants permission to update Q App sharing permissions in the Q Business application environment.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Controls read and write access to QApps on a per-principal basis. This can be used to both grant and remove access to the app, potentially escalating privileges.
AWS Chatbot
Service Type: Communication and Automation
Permission: chatbot:AssociateToConfiguration
- Action: Grants permission to associate a resource with a configuration.
- Mitre Tactic: Persistence
- Why it’s sensitive: When a custom action is associated with a chat configuration, anyone with access to the Slack/Teams chat can invoke the custom action (AWS CLI command or Lambda function) using the IAM Role assigned to the configuration, creating a mechanism for persistent access to CLI commands or Lambda functions.
Permission: chatbot:UpdateCustomAction
- Action: Grants permission to update a custom action.
- Mitre Tactic: Persistence
- Why it’s sensitive: This permission allows changes to the behavior (e.g., Lambda function run or AWS CLI command executed) when a user in the chat channel clicks on a predefined button. These actions are executed using the IAM Role assigned to the configuration, enabling persistent access to CLI commands or Lambda functions.
Amazon S3 Express
Service Type: Storage Solutions
Permission: s3express:PutLifecycleConfiguration
- Action: Grants permission to create a new lifecycle configuration for the directory bucket or replace an existing lifecycle configuration.
- Mitre Tactic: Impact
- Why it’s sensitive: Similar to s3:PutLifecycleConfiguration, this permission provides a mechanism to delete large amounts of data through expiration lifecycles, which might otherwise be difficult to remove.
CleanRooms (AWS Clean Rooms ML Models)
Service Type: Machine Learning
Permission: cleanrooms:PassCollaboration
- Action: Grants permission for cross-account collaboration in ML models.
- Mitre Tactic: Persistence
- Why it’s sensitive: Enables unauthorized cross-account access to collaborative models.
Permission: cleanrooms:PassMembership
- Action: Grants permission for membership access to Clean Rooms ML models.
- Mitre Tactic: Persistence
- Why it’s sensitive: Cross-account memberships could facilitate persistent unauthorized access.
Amazon CloudWatch Logs
Service Type: Logging and Monitoring
Permission: logs:DeleteIntegration
- Action: Grants permission to delete the integration.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Disabling integrations with OpenSearch-powered log analytics can hinder detection of unusual network traffic patterns, automated threat identification based on WAF logs, and other critical analytics functions.
AWS VPC Lattice
Service Type: Networking
Permission: vpc-lattice:UpdateResourceConfiguration
- Action: Grants permission to update a resource configuration.
- Mitre Tactic: Persistence
- Why it’s sensitive: Allows changes to settings such as allowAssociationToShareableServiceNetwork, which broadens resource sharing, and resourceConfigurationDefinition, which can alter key configurations, potentially creating persistent unauthorized access.
AWS Lake Formation
Service Type: Data Governance
Permission: lakeformation:UpdateLFTagExpression
- Action: Grants permission to update a Lake Formation expression.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Modifying expression contents can expand the level of access granted by permissions, potentially broadening access to sensitive resources.
New Services
AWS Partner Central Selling
Service Type: Subscription Management
No sensitive permissions identified.
AWS Billing and Cost Management Pricing Calculator
Service Type: Subscription Management
No sensitive permissions identified.
AWS PrivateLink
Service Type: Networking and Content Delivery
Permission: vpce:CreateVpcEndpointService
- Action: Grants permission to create new PrivateLink services.
- Mitre Tactic: Persistence
- Why it’s sensitive: Could expose internal services to unauthorized external access if misconfigured.
Amazon CloudWatch Observability Admin Service
Service Type: Observability and Monitoring
No sensitive permissions identified.
Amazon SageMaker Data Science Assistant
Service Type: Artificial Intelligence and Machine Learning
No sensitive permissions identified.
Amazon AI Operations
Service Type: Observability and Monitoring
Permission: aiops:DeleteAnomalyDetector
- Action: Grants permission to delete anomaly detection models.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Disabling anomaly detection could conceal malicious activity.
Permission: aiops:DeleteAlarms
- Action: Grants permission to delete alarm configurations.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Disabling alarms could prevent detection of unusual or unauthorized activities.
Permission: aiops:DisableAlarmActions
- Action: Disables alarm actions across collections.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Could prevent detection of anomalies or breaches.
Permission: aiops:DeleteInsightRules
- Action: Grants permission to delete insight rules.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Prevents visibility into operational anomalies.
Amazon Aurora DSQL
Service Type: Database Services
No sensitive permissions identified.
Amazon S3 Tables
Service Type: Storage Solutions
Permission: s3tables:PutTableBucketPolicy
- Action: Grants permission to create or update table bucket policies.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Could enable unauthorized changes to access control policies for sensitive data.
Permission: s3tables:DeleteTableBucketPolicy
- Action: Deletes policies associated with table buckets.
- Mitre Tactic: Impact
- Why it’s sensitive: Could leave sensitive data unprotected.
Permission: s3tables:DeleteTablePolicy
- Action: Deletes policies on S3 tables.
- Mitre Tactic: Impact
- Why it’s sensitive: Exposes sensitive table data by removing security controls.
AWS Backup Search
Service Type: Archival Backup and Recovery
No sensitive permissions identified.
AWS Security Incident Response
Service Type: Security and Compliance
Permission: security-ir:CancelMembership
- Action: Grants permission to cancel organization-wide incident response membership.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Disabling incident response capabilities could allow malicious activities to go undetected.
Permission: security-ir:UpdateMembership
- Action: Grants permission to modify memberships, including adding or removing team members.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Could allow unauthorized email addresses to receive incident response details, or prevent legitimate notifications from being delivered.
AWS NetworkFlowMonitor
Service Type: Monitoring
Permission: networkflowmonitor:DeleteMonitor
- Action: Grants permission to delete monitoring configurations.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Disabling monitoring could conceal unauthorized data exfiltration or lateral movement activities.
Permission: networkflowmonitor:UpdateMonitor
- Action: Grants permission to modify existing monitoring configurations.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Changes to monitoring configurations could exclude critical resources, enabling malicious activities to evade detection.
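As an added example that is not part of this post or of Sonrai's tooling: a small Python script that scans CloudTrail records for a subset of the actions listed above and tags each hit with the tactic assigned to it here, keeping denied attempts as findings too. The CloudTrail records, account ID and ARNs are constructed, and the assumption that the IAM service prefix equals the first label of eventSource holds for this subset but not for every AWS service.

```python
import json
from collections import Counter

# Subset of the December 2024 list above: exact IAM action string -> assigned tactic.
SENSITIVE_ACTIONS = {
    "access-analyzer:UpdateAnalyzer": "Defense Evasion",
    "config:DeleteServiceLinkedConfigurationRecorder": "Defense Evasion",
    "config:DisassociateResourceTypes": "Defense Evasion",
    "ec2:ModifyVpcBlockPublicAccessOptions": "Defense Evasion",
    "omics:PutS3AccessPolicy": "Privilege Escalation",
    "qbusiness:AssociatePermission": "Persistence",
    "s3express:PutLifecycleConfiguration": "Impact",
    "networkflowmonitor:DeleteMonitor": "Defense Evasion",
}

# Constructed CloudTrail records (not real log data); account ID and ARNs are placeholders.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/reader"}, "recipientAccountId": "111111111111"},
    {"eventSource": "access-analyzer.amazonaws.com", "eventName": "UpdateAnalyzer",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"}, "recipientAccountId": "111111111111"},
    {"eventSource": "config.amazonaws.com", "eventName": "DeleteServiceLinkedConfigurationRecorder",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"}, "recipientAccountId": "111111111111",
     "errorCode": "AccessDenied"},
    {"eventSource": "s3express.amazonaws.com", "eventName": "PutLifecycleConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/data-admin"}, "recipientAccountId": "111111111111"},
]]

def iam_action(event: dict) -> str:
    # Assumption: the IAM service prefix is the first label of eventSource. True for the
    # services in this subset, not for every AWS service; verify against the Service
    # Authorization Reference before extending the map.
    return f"{event['eventSource'].split('.', 1)[0]}:{event['eventName']}"

def scan_events(lines: list[str]) -> list[dict]:
    """One finding per record whose action is listed; denied attempts are kept and
    flagged, because a principal probing config:Delete* is itself a signal."""
    findings = []
    for line in lines:
        event = json.loads(line)
        action = iam_action(event)
        if action not in SENSITIVE_ACTIONS:
            continue
        findings.append({
            "action": action,
            "tactic": SENSITIVE_ACTIONS[action],
            "principal": event.get("userIdentity", {}).get("arn", "unknown"),
            "account": event.get("recipientAccountId", "unknown"),
            "denied": "errorCode" in event,  # AccessDenied etc. still warrants an alert
        })
    return findings

def summarize(findings: list[dict]) -> Counter:
    """Count findings per MITRE tactic, the grouping the list above uses."""
    return Counter(f["tactic"] for f in findings)

if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print("DENIED " if h["denied"] else "ALLOWED", h["action"], h["tactic"], h["principal"])
```

In practice the same map is the input for a CloudTrail Lake query or an EventBridge rule; the point of keeping denied events is that an AccessDenied on config:DeleteServiceLinkedConfigurationRecorder tells you who is testing the boundary.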
Conclusion
December often sees a flurry of updates as AWS wraps up major announcements from re:Invent and finalizes development goals for the year. This month’s recap reflects the sheer scale of innovation and the critical need for cloud security vigilance.
As AWS continues to expand its services and permissions, the complexity of managing cloud security grows alongside it. This month’s updates, including sensitive permissions in AI Operations and new risks associated with AWS Security Incident Response, highlight the critical need for proactive permissions management. Without careful oversight, organizations may unintentionally expose themselves to significant security vulnerabilities.
Managing permissions in this changing environment is challenging, and Sonrai Security recognizes this. Our Cloud Permissions Firewall empowers teams to automate the detection, restriction, and monitoring of sensitive permissions across AWS environments. With real-time updates and streamlined workflows, you can ensure that new permissions are addressed proactively, reducing risk without disrupting operations.