As January 2025 comes to a close, we’re highlighting the latest updates to sensitive permissions, services, and regions from AWS. Staying informed on these changes is essential for maintaining a strong cloud security posture and ensuring that sensitive permissions are properly managed. This month’s updates include newly identified sensitive permissions across existing services and the expansion of AWS infrastructure into new regions. Here’s the breakdown:
Existing Services with New Sensitive Permissions
Amazon Neptune Analytics
Service Type: Data and Analytics
Permission: neptune-graph:StartExportTask
- Action: Grants permission to export data from an existing graph
- Mitre Tactic: Exfiltration
- Why it’s sensitive: This permission allows graph data to be exported to arbitrary S3 URIs which could expose sensitive data.
Amazon WorkSpaces Web
Service Type: Compute Services
Permission: workspaces-web:UpdateDataProtectionSettings
- Action: Grants permission to update data protection settings
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Associated data protection settings can be updated, potentially weakening security policies and exposing sensitive browsing data to unauthorized access or exfiltration.
Permission: workspaces-web:DisassociateDataProtectionSettings
- Action: Grants permission to disassociate data protection logging from web portals
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: This permission allows the removal of data protection settings, potentially disabling security controls and exposing sensitive browsing data to unauthorized access or leakage.
Amazon DataSync
Service Type: Migration and Transfer
Permission: datasync:UpdateLocationFsxWindows
- Action: Grants permission to update an FSx Windows sync location
- Mitre Tactic: Exfiltration
- Why it’s sensitive: This permission allows modifying the configuration of an FSx for Windows File Server location, potentially enabling unauthorized data transfers, access changes, or exposure of sensitive file shares.
Permission: datasync:UpdateLocationEfs
- Action: Grants permission to update an EFS sync location
- Mitre Tactic: Exfiltration
- Why it’s sensitive: This permission allows modifying the configuration of an AWS DataSync location, potentially enabling unauthorized data transfers, altering security settings, or redirecting data to an unintended destination.
Permission: datasync:UpdateLocationS3
- Action: Grants permission to update an S3 sync location
- Mitre Tactic: Exfiltration
- Why it’s sensitive: This permission allows modifying the S3 bucket location and access settings, which could enable data exfiltration, unauthorized data transfers, or exposure of sensitive data.
Permission: datasync:UpdateLocationFsxOpenZfs
- Action: Grants permission to update an FSx OpenZFS sync location
- Mitre Tactic: Exfiltration
- Why it’s sensitive: This permission allows modifying the configuration of AWS DataSync locations for Amazon FSx, which could enable unauthorized data transfers, expose sensitive file system data, or disrupt critical workflows.
Permission: datasync:UpdateLocationFsxOntap
- Action: Grants permission to update an FSx ONTAP sync location
- Mitre Tactic: Exfiltration
- Why it’s sensitive: This permission allows modifying the configuration of FSx for ONTAP locations, potentially enabling unauthorized data transfers, misconfigurations, or exfiltration of sensitive enterprise storage data.
Permission: datasync:UpdateLocationFsxLustre
- Action: Grants permission to update an FSx Lustre sync location
- Mitre Tactic: Exfiltration
- Why it’s sensitive: This permission allows modifying the configuration of an FSx for Lustre data transfer location, which could be exploited to redirect or manipulate high-performance storage data, leading to data exfiltration or corruption.
Amazon User Notifications
Service Type: Messaging and Communication
Permission: notifications:DisassociateManagedNotificationAccountContact
- Action: Grants permission to remove an Account Contact from a Managed Notification
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: This permission allows the removal of an account’s designated notification contact, potentially disrupting critical security, compliance, or billing alerts and leading to missed incident responses.
Permission: notifications:PutFeatureOptInStatus
- Action: Grants permission to update the opt-in status of an AWS User Notification Service feature
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: This permission allows enabling or disabling notification features, which could be exploited to suppress security alerts or exfiltrate data by redirecting critical notifications.
Permission: notifications:AssociateManagedNotificationAdditionalChannel
- Action: Grants permission to associate a Channel to a particular Managed Notification Configuration
- Mitre Tactic: Reconnaissance
- Why it’s sensitive: This permission allows adding extra notification channels, which could be exploited to redirect alerts, suppress security notifications, or exfiltrate sensitive information to unauthorized recipients.
Permission: notifications:DisableNotificationsAccessForOrganization
- Action: Grants permission to disable Service Trust for AWS User Notifications
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: This permission allows disabling notifications for an entire AWS Organization, potentially silencing critical security, billing, or compliance alerts, which could enable undetected malicious activity or misconfigurations.
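Each of the permissions above shows up in CloudTrail as a service eventSource plus an eventName, so the list can be turned directly into a detection. The following Python is an added example, not Sonrai's code or any part of the Cloud Permissions Firewall: it carries the thirteen actions from this post with the MITRE tactic the post assigns, maps constructed CloudTrail records back to IAM action strings, and flags calls by anyone other than an assumed break-glass role. The eventSource-to-prefix mapping, the account ID, the role ARN and the sample records are all assumptions made for illustration.

```python
"""Flag CloudTrail records that exercise the sensitive permissions listed in this post.

Added example (not Sonrai's code). The eventSource -> IAM prefix mapping, the
break-glass role ARN and the sample events are assumptions, not real data.
"""
import json

# The January 2025 permissions, keyed to the MITRE tactic the post assigns them.
SENSITIVE_ACTIONS = {
    "neptune-graph:StartExportTask": "Exfiltration",
    "workspaces-web:UpdateDataProtectionSettings": "Defense Evasion",
    "workspaces-web:DisassociateDataProtectionSettings": "Defense Evasion",
    "datasync:UpdateLocationFsxWindows": "Exfiltration",
    "datasync:UpdateLocationEfs": "Exfiltration",
    "datasync:UpdateLocationS3": "Exfiltration",
    "datasync:UpdateLocationFsxOpenZfs": "Exfiltration",
    "datasync:UpdateLocationFsxOntap": "Exfiltration",
    "datasync:UpdateLocationFsxLustre": "Exfiltration",
    "notifications:DisassociateManagedNotificationAccountContact": "Defense Evasion",
    "notifications:PutFeatureOptInStatus": "Defense Evasion",
    "notifications:AssociateManagedNotificationAdditionalChannel": "Reconnaissance",
    "notifications:DisableNotificationsAccessForOrganization": "Defense Evasion",
}

# CloudTrail eventSource -> IAM action prefix. Assumed for the four services on
# this page; confirm against records from your own trail before relying on it.
EVENT_SOURCE_PREFIX = {
    "neptune-graph.amazonaws.com": "neptune-graph",
    "workspaces-web.amazonaws.com": "workspaces-web",
    "datasync.amazonaws.com": "datasync",
    "notifications.amazonaws.com": "notifications",
}

# Principals permitted to use these actions (assumed break-glass role, fake account ID).
ALLOWED_PRINCIPALS = frozenset({"arn:aws:iam::123456789012:role/sec-admin-breakglass"})


def action_from_event(event):
    """Return the IAM action string a CloudTrail record exercised, or None if unmapped."""
    prefix = EVENT_SOURCE_PREFIX.get(event.get("eventSource", ""))
    if prefix is None:
        return None
    return f"{prefix}:{event.get('eventName', '')}"


def flag_sensitive_events(events, allowed_principals=ALLOWED_PRINCIPALS):
    """Return one finding per watched action used by a non-allow-listed principal."""
    findings = []
    for ev in events:
        action = action_from_event(ev)
        if action not in SENSITIVE_ACTIONS:
            continue
        principal = ev.get("userIdentity", {}).get("arn", "")
        if principal in allowed_principals:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "principal": principal,
            "action": action,
            "tactic": SENSITIVE_ACTIONS[action],
            "region": ev.get("awsRegion"),
            # A denied call is still worth a finding: someone probed a sensitive action.
            "outcome": "denied" if ev.get("errorCode") else "succeeded",
        })
    return findings


# Constructed sample records (not real CloudTrail output), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-28T10:02:11Z", "eventSource": "datasync.amazonaws.com",
     "eventName": "UpdateLocationS3", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"}},
    {"eventTime": "2025-01-28T10:03:40Z", "eventSource": "datasync.amazonaws.com",
     "eventName": "ListLocations", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"}},
    {"eventTime": "2025-01-28T11:15:02Z", "eventSource": "notifications.amazonaws.com",
     "eventName": "DisableNotificationsAccessForOrganization", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/sec-admin-breakglass"}},
    {"eventTime": "2025-01-28T12:47:19Z", "eventSource": "neptune-graph.amazonaws.com",
     "eventName": "StartExportTask", "awsRegion": "eu-west-1", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/analytics-ci"}},
]

if __name__ == "__main__":
    print(json.dumps(flag_sensitive_events(SAMPLE_EVENTS), indent=2))
```

Run against the constructed records, the scan reports two findings: the successful datasync:UpdateLocationS3 call by dev-alice and the denied neptune-graph:StartExportTask attempt by analytics-ci; the ListLocations call is not on the list and the break-glass role is exempt. Pointing the same function at records read from a trail's S3 export replaces SAMPLE_EVENTS with real data without changing the logic.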
New Regions
Asia Pacific (Thailand)
- API name: ap-southeast-7
- Availability zones: 3
Mexico (Central)
- API name: mx-central-1
- Availability zones: 3
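Regions launched recently, including the two above, are opt-in regions that stay disabled until an account enables them, and the usual organization-level guardrail for regions nobody has approved is a service control policy keyed on aws:RequestedRegion. The Python below is an added example, not Sonrai's code: it builds such a deny-outside-approved-regions SCP and includes a deliberately minimal evaluator so the policy can be checked offline before it is attached. The approved-region list and the global services exempted through NotAction are assumptions; the evaluator handles only the Deny / NotAction / StringNotEquals shape it builds and is not a substitute for the IAM policy simulator.

```python
"""Region guardrail: generate an SCP that denies calls outside approved regions,
then evaluate sample requests against it offline.

Added example (not Sonrai's code). ALLOWED_REGIONS and GLOBAL_SERVICE_ACTIONS
are assumed for illustration; is_denied() covers only the statement shape
produced here, not the full IAM evaluation logic.
"""
import json
from fnmatch import fnmatchcase

# Regions this organization has approved (assumed).
ALLOWED_REGIONS = ("us-east-1", "eu-west-1")

# Global services whose calls carry no regional endpoint; exempting them keeps
# IAM, STS and Organizations usable under the Deny (assumed list, extend as needed).
GLOBAL_SERVICE_ACTIONS = ("iam:*", "sts:*", "organizations:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*")


def build_region_scp(allowed_regions=ALLOWED_REGIONS):
    """Deny every regional action unless aws:RequestedRegion is on the allow-list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": list(GLOBAL_SERVICE_ACTIONS),
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
        }],
    }


def _action_matches(action, patterns):
    # IAM action names match case-insensitively; '*' and '?' act as wildcards.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_denied(policy, action, requested_region):
    """True if a Deny statement in `policy` applies to `action` in `requested_region`."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # NotAction: the statement applies only to actions NOT in the list.
        if "NotAction" in stmt and _action_matches(action, stmt["NotAction"]):
            continue
        if "Action" in stmt and not _action_matches(action, stmt["Action"]):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if "aws:RequestedRegion" in cond:
            allowed = cond["aws:RequestedRegion"]
            allowed = [allowed] if isinstance(allowed, str) else allowed
            if requested_region in allowed:
                continue  # condition not met, so this Deny does not fire
        return True
    return False


if __name__ == "__main__":
    scp = build_region_scp()
    print(json.dumps(scp, indent=2))
    checks = [("datasync:UpdateLocationS3", "ap-southeast-7"),
              ("ec2:RunInstances", "mx-central-1"),
              ("datasync:UpdateLocationS3", "us-east-1"),
              ("iam:CreateUser", "mx-central-1")]
    for act, region in checks:
        print(f"{act} in {region}: {'DENIED' if is_denied(scp, act, region) else 'allowed'}")
```

With the assumed allow-list, a DataSync location update or an EC2 launch in ap-southeast-7 or mx-central-1 is denied while the same DataSync call in us-east-1 and any IAM call pass through. Enabling a new region then becomes a deliberate change to ALLOWED_REGIONS rather than something that happens silently the first time someone opts an account in.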
Conclusion
As AWS continues to expand its services, regions, and permissions, the complexity of securing cloud environments increases. This month’s updates, including new sensitive permissions across Neptune, WorkSpaces Web, DataSync, and User Notifications, as well as the addition of new AWS regions, underscore the need for continuous monitoring and proactive permissions management. Without proper oversight, organizations risk data exfiltration, security control bypasses, and notification disruptions that could lead to undetected threats.
Sonrai Security understands these challenges. Our Cloud Permissions Firewall empowers security teams to automate the detection, restriction, and monitoring of sensitive permissions across AWS environments. With real-time updates and built-in security workflows, you can stay ahead of emerging risks—enforcing least privilege without disrupting business operations.