July Recap: New AWS Services and Privileged Permissions


As July 2025 winds down, we’re back with this month’s roundup of newly released AWS privileged permissions — and this time, several new services have made their debut, each arriving with permissions that could reshape your cloud security boundaries. This month introduces fresh capabilities in Amazon Bedrock, Oracle Database@AWS, S3 Vectors, and SageMaker, all of which bring powerful automation, model deployment, and networking features — and with them, new opportunities for privilege escalation, lateral movement, and persistent access. Whether it’s launching custom runtimes, manipulating gateway roles, or altering encryption key control, these new permissions underscore the need for continuous visibility and tight governance. Dive in to see what’s new — and how to stay ahead of the risk.

New Services with Privileged Permissions

Amazon WorkSpaces Instances

Service Type: Compute Services

Permission: workspaces-instances:AssociateVolume

  • Action: Grants permission to associate a workspace managed volume to a workspace managed instance in your account
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Attaches storage volumes to WorkSpaces instances, enabling access to additional or sensitive data.

Oracle Database@AWS

Service Type: Database Services

Permission: odb:CreateOdbNetwork

  • Action: Grants permission to create an ODB network
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Creates ODB networks with embedded S3 access policies, enabling privilege escalation through custom configurations.

Permission: odb:CreateOdbPeeringConnection

  • Action: Grants permission to create an ODB Peering Connection
  • Mitre Tactic: Lateral Movement
  • Why it’s privileged: Creates peering connections between ODB networks or VPCs, enabling lateral movement across environments.

Permission: odb:UpdateOdbNetwork

  • Action: Grants permission to update properties of a specified ODB network
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Updates ODB network configurations, including S3 access policies, enabling privilege escalation.

Amazon S3 Vectors

Service Type: Storage Solutions

Permission: s3vectors:DeleteVectorBucketPolicy

  • Action: Grants permission to delete the IAM resource policy from a specified vector bucket
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Deletes IAM policies from vector buckets, enabling privilege escalation by removing access restrictions.

Permission: s3vectors:PutVectorBucketPolicy

  • Action: Grants permission to add an IAM resource policy to a specified vector bucket
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Adds IAM policies to vector buckets, enabling privilege escalation through cross-account or overly permissive access.

Amazon Bedrock AgentCore

Service Type: Artificial Intelligence & Machine Learning

Permission: bedrock-agentcore:CreateAgentRuntime

  • Action: Grants permission to create a new agent runtime
  • Mitre Tactic: Execution
  • Why it’s privileged: Launches agent runtimes from ECR images with execution roles, enabling arbitrary code execution.

Permission: bedrock-agentcore:CreateCodeInterpreter

  • Action: Grants permission to create a new custom code interpreter
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Creates custom code interpreters with execution roles, enabling privilege escalation through role-based access.

Permission: bedrock-agentcore:CreateGatewayTarget

  • Action: Grants permission to create a new target in an existing gateway
  • Mitre Tactic: Lateral Movement
  • Why it’s privileged: Adds new gateway targets, enabling lateral movement by redirecting agent actions to additional functions or APIs.

Permission: bedrock-agentcore:SetTokenVaultCMK

  • Action: Grants permission to associate a Customer Managed Key (CMK) or a Service Managed Key with a specific TokenVault
  • Mitre Tactic: Impact
  • Why it’s privileged: Associates a CMK with a TokenVault, enabling impact by altering encryption control or disrupting key access.

Permission: bedrock-agentcore:UpdateAgentRuntime

  • Action: Grants permission to update an agent runtime
  • Mitre Tactic: Execution
  • Why it’s privileged: Updates agent runtimes with new container images, enabling execution of malicious code via arbitrary URIs.

Permission: bedrock-agentcore:UpdateGateway

  • Action: Grants permission to update an existing gateway
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Updates gateway configurations, including execution roles, enabling privilege escalation through expanded access.

Permission: bedrock-agentcore:UpdateGatewayTarget

  • Action: Grants permission to update an existing gateway target
  • Mitre Tactic: Impact
  • Why it’s privileged: Modifies gateway targets, enabling impact by redirecting tool invocations to malicious endpoints.

AWS Shield Network Security Director

Service Type: Security and Compliance

Permission: network-security-director:UpdateFinding

  • Action: Grants permission to update the status of a security finding
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Modifies network security findings, enabling defense evasion by changing a finding’s severity or status, or by suppressing key alerts.

Existing Services with New Privileged Permissions

Amazon VPC Lattice

Service Type: Networking and Content Delivery

Permission: vpc-lattice:AssociateViaAWSService-EventsAndStates

  • Action: Grants permission to associate a resource configuration through Amazon EventBridge and AWS Step Functions service networks
  • Mitre Tactic: Lateral Movement
  • Why it’s privileged: Allows EventBridge to associate with a VPC Lattice service network, enabling cross-service connectivity.

Amazon SageMaker

Service Type: Artificial Intelligence & Machine Learning

Permission: sagemaker:CreateHubContentPresignedUrls

  • Action: Grants permission to generate S3 presigned URLs with GetObject permission for accessing model artifacts
  • Mitre Tactic: Initial Access
  • Why it’s privileged: Generates S3 presigned URLs for model artifacts, enabling initial and persistent external access.

Permission: sagemaker:StartSession

  • Action: Grants permission to start a remote session for a SageMaker space
  • Mitre Tactic: Persistence
  • Why it’s privileged: Starts remote sessions in SageMaker, enabling persistent interactive access to development environments.

Amazon Bedrock

Service Type: Artificial Intelligence & Machine Learning

Permission: bedrock:CreateCustomModelDeployment

  • Action: Grants permission to create a custom model deployment
  • Mitre Tactic: Execution
  • Why it’s privileged: Deploys custom models in Bedrock for on-demand inference, enabling execution of potentially sensitive workloads.

AWS Inspector

Service Type: Security and Compliance

Permission: inspector2:UpdateCodeSecurityScanConfiguration

  • Action: Grants permission to update an existing code security scan configuration
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Modifies code scan settings in Amazon Inspector, enabling defense evasion by silently disabling or narrowing security checks.

Permission: inspector2:DeleteCodeSecurityScanConfiguration

  • Action: Grants permission to delete a code security scan configuration
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Deletes code scan configurations in Amazon Inspector, enabling defense evasion by removing scheduled security checks.

Permission: inspector2:DeleteCodeSecurityIntegration

  • Action: Grants permission to delete a code security integration
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Deletes repository integrations in Amazon Inspector, enabling defense evasion by disconnecting code from security scans.

Permission: inspector2:BatchDisassociateCodeSecurityScanConfiguration

  • Action: Grants permission to disassociate multiple code repositories from an Amazon Inspector code security scan configuration
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Disassociates code repositories from Amazon Inspector scans, enabling defense evasion by removing security coverage.

AWS Network Firewall

Service Type: Security Services

Permission: network-firewall:UpdateAvailabilityZoneChangeProtection

  • Action: Grants permission to add or remove availability zone change protection for a firewall
  • Mitre Tactic: Impact
  • Why it’s privileged: Controls safeguards on AZ coverage, enabling attackers to weaken or bypass Network Firewall protections.

Permission: network-firewall:DisassociateAvailabilityZones

  • Action: Grants permission to disassociate availability zones from a firewall
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Disables Network Firewall in specific AZs, enabling defense evasion by removing protections in targeted Availability Zones.
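A defender-side example added here (it is not code from Sonrai Security or AWS): it rebuilds IAM action names from constructed CloudTrail records, flags the ones listed on this page with their tactic, and emits an explicit-Deny policy document covering them. It assumes that a record’s eventSource is the IAM service prefix followed by .amazonaws.com; verify that mapping for any newly launched service before relying on it.

```python
import json
# Lookup table constructed from the entries listed on this page (not an AWS feed):
# IAM action -> the MITRE ATT&CK tactic the page assigns to it.
PRIVILEGED = {
    "bedrock-agentcore:CreateAgentRuntime": "Execution",
    "s3vectors:PutVectorBucketPolicy": "Privilege Escalation",
    "odb:UpdateOdbNetwork": "Privilege Escalation",
    "inspector2:DeleteCodeSecurityScanConfiguration": "Defense Evasion",
    "network-firewall:DisassociateAvailabilityZones": "Defense Evasion",
    "network-security-director:UpdateFinding": "Defense Evasion",
}

def action_from_event(record):
    """IAM action from a CloudTrail record; assumes eventSource is '<prefix>.amazonaws.com'."""
    prefix = record["eventSource"].split(".amazonaws.com", 1)[0]
    return f"{prefix}:{record['eventName']}"

def flag_privileged(records):
    """Return one alert per record whose action appears in the privileged table."""
    alerts = []
    for rec in records:
        action = action_from_event(rec)
        if action in PRIVILEGED:
            alerts.append({"time": rec.get("eventTime"), "action": action,
                           "tactic": PRIVILEGED[action],
                           "principal": rec.get("userIdentity", {}).get("arn", "unknown")})
    return alerts

def deny_policy(actions):
    """Explicit-Deny policy for the given actions; Deny overrides Allow, so it works as an SCP guardrail."""
    statement = {"Sid": "DenyNewPrivilegedActions", "Effect": "Deny",
                 "Action": sorted(actions), "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [statement]}

def ev(time, source, name, arn):  # builds one minimal constructed CloudTrail record
    return {"eventTime": time, "eventSource": source, "eventName": name, "userIdentity": {"arn": arn}}
# Constructed sample trail: two of the page's privileged actions plus one benign S3 read.
SAMPLE_TRAIL = [
    ev("2025-07-21T10:02:11Z", "bedrock-agentcore.amazonaws.com", "CreateAgentRuntime",
       "arn:aws:iam::111122223333:user/dev-alice"),
    ev("2025-07-21T10:05:40Z", "inspector2.amazonaws.com", "DeleteCodeSecurityScanConfiguration",
       "arn:aws:iam::111122223333:role/ci-deploy"),
    ev("2025-07-21T10:06:03Z", "s3.amazonaws.com", "GetObject", "arn:aws:iam::111122223333:user/dev-alice"),
]

if __name__ == "__main__":
    for a in flag_privileged(SAMPLE_TRAIL):
        print(f"[{a['tactic']}] {a['principal']} called {a['action']} at {a['time']}")
    print(json.dumps(deny_policy(PRIVILEGED), indent=2))
```

The same table can be reused as a baseline: extend PRIVILEGED with the rest of the month’s entries and feed real CloudTrail records into flag_privileged to surface who first exercised these new actions in your account.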

Conclusion

As AWS introduces new services and expands capabilities across its ecosystem, the security implications of newly released permissions continue to grow. July’s updates — from deploying arbitrary runtime containers in Bedrock to reshaping access control in ODB networks and vector buckets — highlight how privileged permissions can silently redefine control boundaries, data access, and execution pathways in your cloud environment.

Sonrai Security’s Cloud Permissions Firewall delivers the visibility and control teams need to get ahead of these risks. With automated detection of high-risk permissions, enforcement of least privilege, and cloud-native Privileged Access Management tailored for AWS, we help organizations adapt as fast as AWS evolves. Because in the cloud, new permissions arrive every month — and staying secure means staying proactive.
