Dec Recap: New AWS Privileged Permissions and Services

As December 2025 comes to a close, Sonrai’s latest review of newly released AWS permissions highlights a continued expansion of cloud privilege. This month’s updates span identity, observability, AI, and managed service infrastructure, with changes across CloudWatch, CloudFront, Bedrock, EKS, SageMaker, and emerging agent-based platforms.

Together, these permissions reinforce a core reality of cloud security: privilege is no longer confined to administrator roles, but increasingly embedded in service-level actions that shape access, visibility, and execution. From redirecting logs and modifying policies to empowering agents and workflows with broad authority, each new permission subtly expands the blast radius of misuse. Security teams should remain vigilant, as these evolving privileges continue to redefine the cloud attack surface in easy-to-miss but high-impact ways.

Existing Services with New Privileged Permissions

AWS Identity and Access Management

Service Type: Identity and Access Management

Permission: iam:EnableOutboundWebIdentityFederation

  • Action: Enables the outbound identity federation feature for the caller’s account
  • Mitre Tactic: Persistence
  • Why it’s privileged: Enables account-wide creation of web identity tokens for external services, allowing federated access outside AWS and supporting long-term persistence through external trust relationships.

Oracle Database@AWS

Service Type: Database Services

Permission: odb:UpdateOdbPeeringConnection

  • Action: Grants permissions to update properties of a specified ODB Peering Connection
  • Mitre Tactic: Lateral Movement
  • Why it’s privileged: Allows previously unauthorized VPC traffic to reach the ODB network.

Amazon Bedrock

Service Type: Artificial Intelligence & Machine Learning

Permission: bedrock:UpdateCustomModelDeployment

  • Action: Grants permissions to update an existing custom model deployment with a new custom model
  • Mitre Tactic: Execution
  • Why it’s privileged: Allows replacing the model backing an active deployment, enabling altered or malicious model responses during inference without changing the deployment endpoint.

Amazon CloudWatch Logs

Service Type: Observability and Monitoring

Permission: logs:UpdateScheduledQuery

  • Action: Grants permissions to update a scheduled query
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows modification of scheduled queries to redirect log data to external or cross-account destinations, enabling covert exfiltration of sensitive CloudWatch logs.

Permission: logs:CreateScheduledQuery

  • Action: Grants permissions to create a scheduled query
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows creation of scheduled queries that can export CloudWatch logs to external or cross-account destinations, enabling unauthorized exfiltration of sensitive log data.

Permission: logs:DeleteScheduledQuery

  • Action: Grants permissions to delete a scheduled query
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows removal of automated log analysis and export workflows, reducing visibility and disrupting downstream detection or monitoring processes.

Permission: logs:PutLogGroupDeletionProtection

  • Action: Grants permissions to enable or disable deletion protection for the specified log group
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows disabling deletion protection on critical log groups, enabling attackers to remove logs and evade detection.

Permission: logs:AssociateSourceToS3TableIntegration

  • Action: Grants permissions to associate a log source to an S3 Tables integration
  • Mitre Tactic: Collection
  • Why it’s privileged: Allows exporting CloudWatch logs to S3 tables, increasing accessibility and potential exposure of sensitive log data.

Permission: logs:DisassociateSourceFromS3TableIntegration

  • Action: Grants permissions to disassociate a log source from an S3 Tables integration
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Stops export of CloudWatch logs to S3 tables, disrupting downstream analytics and reducing visibility into log data.
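The scheduled-query and deletion-protection permissions above are the ones a defender would most want an alert on. The following is an added example, not code from Sonrai's post, that triages constructed CloudTrail records for those API calls and correlates a deletion-protection change with a DeleteLogGroup by the same principal; it assumes CloudTrail records these calls under eventSource logs.amazonaws.com with eventName equal to the API name and logGroupName in requestParameters.

```python
import json
from datetime import datetime, timedelta

# Actions from the post with the tactic it assigns. Assumed: CloudTrail records
# them under eventSource logs.amazonaws.com with eventName equal to the API name.
WATCHED = {
    "CreateScheduledQuery": "Exfiltration",
    "UpdateScheduledQuery": "Exfiltration",
    "DeleteScheduledQuery": "Defense Evasion",
    "PutLogGroupDeletionProtection": "Defense Evasion",
    "AssociateSourceToS3TableIntegration": "Collection",
    "DisassociateSourceFromS3TableIntegration": "Defense Evasion",
}
LOGS_SOURCE = "logs.amazonaws.com"

def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def flag_watched_events(events):
    """One finding per watched CloudWatch Logs management call, in input order."""
    return [
        {"eventName": e["eventName"], "tactic": WATCHED[e["eventName"]],
         "principal": e["userIdentity"]["arn"], "time": e["eventTime"]}
        for e in events
        if e.get("eventSource") == LOGS_SOURCE and e.get("eventName") in WATCHED
    ]

def find_protect_then_delete(events, window_minutes=30):
    """Higher-confidence pattern: one principal changes deletion protection on a
    log group, then deletes that log group within the window. DeleteLogGroup alone
    is routine; the pair is the evasion path described above. Assumes both calls
    carry requestParameters.logGroupName (an assumption for the new API)."""
    window = timedelta(minutes=window_minutes)
    toggled = {}  # (principal arn, log group) -> time protection was changed
    hits = []
    for e in sorted(events, key=_when):  # delivery order is not event order
        if e.get("eventSource") != LOGS_SOURCE:
            continue
        params = e.get("requestParameters") or {}
        key = (e["userIdentity"]["arn"], params.get("logGroupName"))
        if e["eventName"] == "PutLogGroupDeletionProtection":
            toggled[key] = _when(e)
        elif e["eventName"] == "DeleteLogGroup" and key in toggled:
            if _when(e) - toggled[key] <= window:
                hits.append({"principal": key[0], "logGroup": key[1], "deletedAt": e["eventTime"]})
    return hits

# Constructed CloudTrail records (account id, role names and log groups are made up).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2025-12-10T09:04:00Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/LogAdmin/alice"},
  "requestParameters": {"logGroupName": "/aws/cloudtrail/org-trail"}},
 {"eventTime": "2025-12-10T09:00:00Z", "eventSource": "logs.amazonaws.com", "eventName": "PutLogGroupDeletionProtection",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/LogAdmin/alice"},
  "requestParameters": {"logGroupName": "/aws/cloudtrail/org-trail"}},
 {"eventTime": "2025-12-10T10:30:00Z", "eventSource": "logs.amazonaws.com", "eventName": "UpdateScheduledQuery",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Analyst/bob"}, "requestParameters": null},
 {"eventTime": "2025-12-11T09:00:00Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/LogAdmin/alice"},
  "requestParameters": {"logGroupName": "/app/dev"}}
]""")

if __name__ == "__main__":
    print(json.dumps(flag_watched_events(SAMPLE_EVENTS), indent=1))
    print(json.dumps(find_protect_then_delete(SAMPLE_EVENTS), indent=1))
```

The second DeleteLogGroup in the sample is deliberately left unflagged: without a preceding protection change it is ordinary housekeeping, which keeps the correlated finding actionable.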

Amazon Elastic Container Service

Service Type: Containers and Orchestration

Permission: ecs:CreateExpressGatewayService

  • Action: Grants permission to create a new Amazon ECS Express Gateway service with a cluster and task definition
  • Mitre Tactic: Execution
  • Why it’s privileged: Allows specifying an execution role, container image, and startup commands, enabling PassRole-based privilege escalation and arbitrary code execution as the service identity.

Permission: ecs:UpdateExpressGatewayService

  • Action: Grants permission to modify the parameters of an Express Gateway service
  • Mitre Tactic: Execution
  • Why it’s privileged: Allows updating the service’s execution role, container image, or startup commands, enabling PassRole-based privilege escalation and arbitrary code execution as the service identity.

Amazon CloudFront

Service Type: Networking and Content Delivery

Permission: cloudfront:UpdateConnectionFunction

  • Action: Grants permission to update a connection function
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows modification of connection logic to remove or weaken access checks, potentially bypassing security controls that protect CloudFront distributions.

Permission: cloudfront:UpdateTrustStore

  • Action: Grants permission to update a trust store
  • Mitre Tactic: Initial Access
  • Why it’s privileged: Allows replacing the trusted CA bundle, enabling attacker-issued client certificates to authenticate and gain access to associated CloudFront distributions.

Amazon S3

Service Type: Storage Solutions

Permission: s3:PutBucketAbac

  • Action: Grants permission to set ABAC configuration for a general purpose bucket
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows enabling ABAC on a bucket, which when combined with existing tag-based IAM policies can grant new access without modifying bucket or IAM policies.

Amazon Elastic Kubernetes Service

Service Type: Containers and Orchestration

Permission: eks:CreateCapability

  • Action: Grants permission to create a capability for an Amazon EKS cluster
  • Mitre Tactic: Lateral Movement
  • Why it’s privileged: Enabling the ACK (AWS Controllers for Kubernetes) capability lets cluster users with custom-resource access create and manage real AWS resources directly from Kubernetes using kubectl commands.

Permission: eks:UpdateCapability

  • Action: Grants permission to update a capability for an Amazon EKS cluster
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows a new execution role to be specified for the ACK (AWS Controllers for Kubernetes) capability, which can expand the set of AWS resources that cluster users with ACK access can create and manage.

AWS Elemental MediaConnect

Service Type: Content Delivery and Management

Permission: mediaconnect:TakeRouterInput

  • Action: Grants permission to associate a router input with a router output
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows redirecting a private stream to a public-facing output, enabling eavesdropping or unauthorized exposure of sensitive media streams.

Permission: mediaconnect:UpdateRouterNetworkInterface

  • Action: Grants permission to update the configuration of a router network interface
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows removing or loosening CIDR restrictions on network interfaces, enabling unauthorized access to semi-private media streams.

Permission: mediaconnect:UpdateRouterOutput

  • Action: Grants permission to update the configuration of a router output
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows moving a router output from a VPC-bound interface to a public one, enabling unauthorized access to private media streams.

Permission: mediaconnect:UpdateRouterInput

  • Action: Grants permission to update the configuration of a router input
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows repointing router inputs to interfaces connected to public outputs, exposing private media streams without authorization.

Amazon Connect

Service Type: Customer Engagement

Permission: connect:StartContactMediaProcessing

  • Action: Grants permission to start message processing on an ongoing contact
  • Mitre Tactic: Collection
  • Why it’s privileged: Routes chat messages through a Lambda function before delivery, enabling interception or collection of sensitive communications.

Permission: connect:AssociateSecurityProfiles

  • Action: Grants permission to associate security profiles with an AI agent in an Amazon Connect instance
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Expands an AI agent’s access to data and contact flows, enabling access to information and capabilities not previously available.

Amazon SageMaker

Service Type: Artificial Intelligence & Machine Learning

Permission: sagemaker:UpdateMlflowApp

  • Action: Grants permission to update an MLflow app
  • Mitre Tactic: Collection
  • Why it’s privileged: Allows changing the MLflow artifact storage location, potentially redirecting artifacts to publicly accessible S3 buckets and exposing sensitive data.

Permission: sagemaker:DeleteMlflowApp

  • Action: Grants permission to delete an MLflow app
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows deletion of the MLflow tracking server, disrupting experiment tracking, model lineage, and auditability.

Permission: sagemaker:CreatePresignedMlflowAppUrl

  • Action: Grants permission to return a URL that you can use from your browser to connect to the MLflow app
  • Mitre Tactic: Initial Access
  • Why it’s privileged: Allows browser-based access to the MLflow tracking server via a presigned URL, enabling access without direct IAM authentication.

Amazon CloudWatch Observability Admin Service

Service Type: Observability and Monitoring

Permission: observabilityadmin:CreateTelemetryPipeline

  • Action: Grants permission to create a new telemetry pipeline with the specified name and configuration
  • Mitre Tactic: Collection
  • Why it’s privileged: Allows use of a passed role to ingest data from S3 into CloudWatch, enabling collection of S3 data by identities that otherwise lack S3 access.

Permission: observabilityadmin:DeleteTelemetryPipeline

  • Action: Grants permission to delete the telemetry pipeline with the specified ARN
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows deletion of telemetry pipelines that ingest and normalize log data, disrupting log collection and potentially evading detection.

Permission: observabilityadmin:DeleteS3TableIntegration

  • Action: Grants permission to delete the S3 table integration with the specified ARN
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Stops CloudWatch from exporting logs to S3 tables, disrupting downstream analytics and reducing visibility into log data.

Permission: observabilityadmin:UpdateTelemetryPipeline

  • Action: Grants permission to update the telemetry pipeline with the specified ARN
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows modifying processors or rerouting logs to different destinations, disrupting log normalization and ingestion and potentially evading detection.

Amazon S3 Tables

Service Type: Storage Solutions

Permission: s3tables:PutTableBucketReplication

  • Action: Grants permission to put table bucket replication configuration on a bucket
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows configuring cross-account replication, enabling automated copying of table data to external AWS accounts.

Permission: s3tables:PutTableRecordExpirationConfiguration

  • Action: Grants permission to put table record expiration configuration on a system table
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows expiring records in tables intended to be persistent, resulting in data loss or disruption similar to destructive lifecycle policies in S3 Buckets.

Permission: s3tables:PutTableReplication

  • Action: Grants permission to put table replication configuration on a table
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows configuring cross-account replication, enabling automated copying of table data to external AWS accounts.

Amazon Bedrock AgentCore

Service Type: Artificial Intelligence & Machine Learning

Permission: bedrock-agentcore:PutResourcePolicy

  • Action: Grants permission to create or update the resource-based policy for a Bedrock resource
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows modifying resource-based policies to grant identities access to Bedrock agent runtimes, expanding who can invoke or control agents.

Permission: bedrock-agentcore:DeletePolicy

  • Action: Grants permission to delete a policy
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows removal of restrictive MCP policies, potentially granting agents broader access to gateway tools or protected capabilities.

Permission: bedrock-agentcore:ManageAdminPolicy

  • Action: Grants permission to create or modify wildcard policies that apply to gateway resources
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows creation of broad allow policies in a default-deny MCP policy engine, potentially granting agents expanded access to gateway tools and protected resources.

Permission: bedrock-agentcore:ManageResourceScopedPolicy

  • Action: Grants permission to create or modify policies that apply to specific gateway resources
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows adding allow policies in a default-deny MCP policy engine, potentially expanding agent access to specific gateway tools or protected resources.

Permission: bedrock-agentcore:UpdatePolicy

  • Action: Grants permission to update an existing policy
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows modifying policies in a default-deny MCP policy engine to introduce allow rules, potentially expanding agent access to gateway tools or protected resources.

Permission: bedrock-agentcore:DeleteResourcePolicy

  • Action: Grants permission to delete the resource-based policy for a Bedrock resource
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows removal of explicit deny policies, potentially granting additional identities access to Bedrock agent runtimes.

Permission: bedrock-agentcore:CreatePolicy

  • Action: Grants permission to create a new policy within a policy engine
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows adding allow policies in a default-deny MCP policy engine, potentially expanding agent access to gateway tools or protected resources.

New Services with Privileged Permissions

Amazon EKS MCP Server

Service Type: Artificial Intelligence & Machine Learning

Permission: eks-mcp:CallPrivilegedTool

  • Action: Grants permission to call privileged tools in MCP service
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows invocation of MCP tools with write access to EKS clusters or the AWS control plane, enabling unintended or malicious changes if the tool is triggered without explicit user intent.

Amazon MWAA Serverless

Service Type: Process Automation and Integration

Permission: airflow-serverless:CreateWorkflow

  • Action: Grants permission to create a new workflow
  • Mitre Tactic: Execution
  • Why it’s privileged: Allows creation of workflows that invoke Amazon provider operators, enabling execution of sensitive AWS control plane actions across multiple services using the workflow’s execution role.

Permission: airflow-serverless:UpdateWorkflow

  • Action: Grants permission to update an existing workflow
  • Mitre Tactic: Execution
  • Why it’s privileged: Allows modification of workflow definitions to invoke Amazon provider operators, enabling execution of sensitive AWS control plane actions using the workflow’s execution role.

AWS SageMaker Unified Studio MCP

Service Type: Artificial Intelligence & Machine Learning

Permission: sagemaker-unified-studio-mcp:CallPrivilegedTool

  • Action: Grants permission to call privileged tools in MCP service
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows invocation of MCP tools with write or build access to EMR and Spark environments, enabling unintended or malicious code execution if the tool is triggered without explicit user intent.

Amazon Bedrock Mantle

Service Type: Artificial Intelligence and Machine Learning

Permission: bedrock-mantle:CreateInference

  • Action: Grants permission to create a chat completion inference request
  • Mitre Tactic: Collection
  • Why it’s privileged: Enables a mechanism for invoking models through OpenAI SDKs without passing through additional guardrails, potentially retrieving sensitive model data.

AWS DevOps Agent Service

Service Type: Artificial Intelligence and Machine Learning

Permission: aidevops:AssociateService

  • Action: Grants permission to associate a service
  • Mitre Tactic: Discovery
  • Why it’s privileged: Allows the agent to use a passed role to monitor the current or another AWS account, enabling discovery activities across associated accounts.

Permission: aidevops:CreateOneTimeLoginSession

  • Action: Grants permission to generate a secure one-time session for initiating off-console application login
  • Mitre Tactic: Lateral Movement
  • Why it’s privileged: Grants access to the DevOps Agent Web App, where users can interact with the privileged agent and have it perform investigations on real AWS infrastructure using its execution role.

Permission: aidevops:DeregisterService

  • Action: Grants permission to deregister a service
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows removal of integrations with security and monitoring tools, disrupting workflows that rely on third-party visibility or alerting.

Permission: aidevops:DisassociateService

  • Action: Grants permission to disassociate a service
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows removing agent monitoring from an AWS account, reducing visibility into activity and security events.

Permission: aidevops:InitiateServiceRegistration

  • Action: Grants permission to initiate an OAuth flow
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Allows setting up integrations such as Slack that can send agent activity summaries and discovery data to external or unauthorized channels.

Permission: aidevops:UpdateAssociation

  • Action: Grants permission to update an association
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Allows modifying association configurations in ways that can break integrations with other AWS accounts or third-party data sources, reducing visibility or disrupting security workflows.

AWS Security Agent

Service Type: Artificial Intelligence and Machine Learning

Permission: securityagent:CreateMembership

  • Action: Grants permission to add a single member to an agent instance with specified role
  • Mitre Tactic: Lateral Movement
  • Why it’s privileged: Grants an IAM Identity Center identity long-term access to the security agent web app, where users can then interact with the privileged agent and have it perform pentests on arbitrary targets and display the results.

Permission: securityagent:CreateOneTimeLoginSession

  • Action: Grants permission to create a one-time login session
  • Mitre Tactic: Lateral Movement
  • Why it’s privileged: Grants admin access to the security agent application, which uses the agent instance role to perform security agent operations and access protected resources.

Permission: securityagent:DeleteControl

  • Action: Grants permission to delete a customer-managed control
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows removal of custom controls from design and code reviews, reducing enforcement of security standards and oversight.

Permission: securityagent:ToggleManagedControl

  • Action: Grants permission to toggle the status of a managed control
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows disabling managed controls used in design and code reviews, reducing security enforcement and oversight.

Permission: securityagent:UpdateControl

  • Action: Grants permission to update a customer-managed control
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Allows modifying control requirements in ways that weaken or effectively remove security checks from design and code reviews.

AWS Transform Custom

Service Type: Migration and Transfer

No privileged permissions
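The recurring theme of the list above is that an existing wildcard grant such as logs:* or bedrock-agentcore:*Policy picks up new actions the day AWS ships them, with no policy change to review. As an added example that is not part of the post, this script checks an IAM policy document for which of this month's actions it now grants, using IAM's case-insensitive '*' and '?' action matching; the action list is a subset of the one above with the tactics the post assigns, and the sample policy is constructed.

```python
import fnmatch
import json

# Subset of the December 2025 list from the post: action -> MITRE tactic.
NEW_PRIVILEGED = {
    "iam:EnableOutboundWebIdentityFederation": "Persistence",
    "logs:CreateScheduledQuery": "Exfiltration",
    "logs:UpdateScheduledQuery": "Exfiltration",
    "logs:DeleteScheduledQuery": "Defense Evasion",
    "logs:PutLogGroupDeletionProtection": "Defense Evasion",
    "ecs:CreateExpressGatewayService": "Execution",
    "ecs:UpdateExpressGatewayService": "Execution",
    "s3:PutBucketAbac": "Privilege Escalation",
    "eks:UpdateCapability": "Privilege Escalation",
    "bedrock-agentcore:PutResourcePolicy": "Privilege Escalation",
    "bedrock-agentcore:ManageAdminPolicy": "Privilege Escalation",
    "s3tables:PutTableBucketReplication": "Exfiltration",
}


def _as_list(value):
    """Action, NotAction and Statement may each be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_privileged_actions(policy: dict) -> dict:
    """Return {action: tactic} for every NEW_PRIVILEGED action that an Allow
    statement grants (directly or via wildcard) and no Deny statement revokes.
    An Allow with NotAction grants everything not listed. Resource and Condition
    are ignored, so this is a reachability check, not a full policy evaluation."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        not_patterns = _as_list(stmt.get("NotAction"))
        for action in NEW_PRIVILEGED:
            hit = any(action_matches(p, action) for p in patterns)
            if not_patterns and not any(action_matches(p, action) for p in not_patterns):
                hit = True
            if hit:
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return {a: NEW_PRIVILEGED[a] for a in sorted(allowed - denied)}


# Constructed sample: a "logging admin" policy written before these actions
# existed, a bedrock-agentcore wildcard, a bucket-scoped s3 prefix and one Deny.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["logs:*", "bedrock-agentcore:*Policy"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutBucket*", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Deny", "Action": "logs:DeleteScheduledQuery", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for action, tactic in granted_privileged_actions(SAMPLE_POLICY).items():
        print(f"{action:45} {tactic}")
```

Run against the constructed policy it reports six of the twelve actions as reachable, none of which appear literally in the policy text; that gap between what a policy says and what it grants is what a monthly review of new actions has to close.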

Conclusion

As AWS continues to expand its portfolio of managed and AI-driven services, new privileged permissions are increasingly shaping how access, execution, and visibility are controlled in the cloud. This month’s additions show how modifying configurations, policies, and agent behaviors can quietly expand privilege, weaken safeguards, or enable data movement without ever touching traditional administrator roles. Even subtle permission changes can have an outsized impact on trust boundaries and blast radius across cloud environments.

Sonrai Security’s Cloud Permissions Firewall helps organizations stay ahead of these shifts by continuously identifying emerging privileged permissions, mapping them to MITRE ATT&CK tactics, and enforcing least privilege across cloud control planes. In an environment where new sources of privilege are introduced every month, maintaining continuous visibility and control is essential to preventing overlooked permissions from becoming attack paths.