Sonrai Security Releases Industry-First Risk Insights Engine 👉
Learn More
Search
Login
Free Trial Get a Demo

Interactive Product Tour

interactive tour Start a Tour Get a Demo

Interactive Product Tour

interactive tour Start a Tour Get a Demo
Blog
>
Back to Blog

August Recap: New AWS Sensitive Permissions and Services

Karen Levy
September 4, 2024
Updated : 09.06.2024
2 mins to read
August recap blog image

As AWS continues to evolve, new services and permissions are frequently introduced to enhance functionality and security. This blog provides a comprehensive recap of new sensitive permissions and services added in August 2024. Our intention in sharing this is to flag the most important releases to keep your eye on and update your permissions and access control policies accordingly.

Existing Services with New Sensitive Permissions

AWS CodePipeline

Service Type: Development & DevOps Tools

Permission: OverrideStageCondition

  • Action: Grants permission to resume the pipeline execution by overriding a condition in a stage
  • Mitre Tactic: Execution
  • Why it’s sensitive:  Users can override a lambda function’s operation condition within a pipeline. This could be used to allow deployment pipelines to continue when they would otherwise be stopped, like continuing to deploy vulnerable software after failed security scans.

Amazon Elastic Container Registry (ECR)

Service Type: Containers and Orchestration

Permission: PutAccountSetting

  • Action: Allows modification of settings for the ECR account
  • Mitre Tactic: Defense Invasion
  • Why it’s sensitive: Users can change tag mutability, automated image scanning, how scans are conducted (e.g. on push or manually), and encryption settings.

New Services

AWS Parallel Computing Services

Service Type: Compute Services

Permission: CreateComputeNodeGroup

  • Action: Grants permission to create compute node groups
  • Mitre Tactic: Execution
  • Why it’s sensitive: Users can use an API parameter in calls to this permission which override the launch template AMI. By specifying a custom (potentially malicious) AMI, an attacker could get arbitrary malicious code running within the node pool that processes jobs. 

Permission: UpdateComputeNodeGroup

  • Action: Grants permission to update compute node group properties
  • Mitre Tactic: Execution
  • Why it’s sensitive: Users can use an API parameter in calls to this permission which override the launch template AMI. By specifying a custom (potentially malicious) AMI, an attacker could get arbitrary malicious code running within the node pool that processes jobs.

New Regions

Asia Pacific (Malaysia)

  • API name: ap-southeast-5
  • Availability zones: 3

Conclusion

If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. As new permissions are released for pre-existing services, by default, your users gain access to that permission. If it is a sensitive permission, this can be risky.  Access to sensitive permissions should be restricted to only those human and machine identities that need them.

To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.

If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.

secure sensitive permissions

THE ARCHITECT

The Newsletter for Cloud Security Leaders. 1x a month.
Explore the First Cloud Permissions Firewall
Get Your Free Trial
Sonrai Main Logo

© 2024 Sonrai Security. All rights reserved

Sitemap   |   Privacy Policy  |  

Sonrai cloud security platform, products and services are covered by U.S. Patent Nos. 10,728,307 and 11,134,085, together with other domestic and international patents pending. All rights reserved.