As March 2025 comes to a close, we’re back with the latest round of AWS sensitive permission updates, newly supported services, and key developments across the cloud landscape. Staying current with these changes is essential for maintaining a secure and well-governed environment—especially as new permissions continue to emerge with the potential to impact everything from data exfiltration to privilege escalation. This month, we’ve identified new sensitive permissions across services like CloudShell, Lake Formation, and Route 53, as well as notable additions in observability and networking. Read on for the full breakdown of what’s new and why it matters for your cloud security posture.
Existing Services with New Sensitive Permissions
AWS CloudShell
Service Type: Development and DevOps Tools
Permission: cloudshell:ApproveCommand
- Action: Grants permission to approve a command sent by another AWS service
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Allows approval of CloudShell command execution from services like ElastiCache or DocumentDB, potentially enabling exfiltration or misuse of cached data via commands like DUMP, GET, or Pub/Sub.
Amazon CloudWatch Application Signals
Service Type: Observability and Monitoring
Permission: application-signals:Link
- Action: Grants permission to share Application Signals resources with a monitoring account
- Mitre Tactic: Reconnaissance
- Why it’s sensitive: Allows cross-account access to application performance monitoring metrics.
Amazon WorkSpaces
Service Type: Compute Services
Permission: workspaces:ModifyEndpointEncryptionMode
- Action: Grants permission to switch the endpoint encryption mode of the specified directory between standard TLS and FIPS
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Allows changing the encryption mode for WorkSpaces endpoints, which could downgrade from FIPS 140-2 to standard TLS, weakening compliance and security required for sensitive government workloads.
AWS CloudWatch RUM
Service Type: Observability and Monitoring
Permission: rum:PutResourcePolicy
- Action: Grants permission to attach a resource policy to an app monitor
- Mitre Tactic: Collection
- Why it’s sensitive: Allows setting resource policies for CloudWatch RUM, which could expose or share sensitive user telemetry like browser info, geolocation, and client-side errors that may reveal vulnerabilities.
Elastic Load Balancing
Service Type: Networking and Content Delivery
Permission: elasticloadbalancing:ModifyIpPools
- Action: Grants permission to modify the IP pools for a load balancer
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Allows modification of IPAM IP address pools used by Application Load Balancers, which can impact network routing and security controls across environments.
AWS Lake Formation
Service Type: Data and Analytics
Permission: lakeformation:RegisterResourceWithPrivilegedAccess
- Action: Grants permission to register a new location to be managed by Lake Formation, with privileged access
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: Grants the calling principal full administrative access to a registered data location in Lake Formation, enabling broad control over data lake operations and potentially bypassing fine-grained access controls.
Amazon Route 53
Service Type: Networking and Content Delivery
Permission: route53-recovery-control-config:PutResourcePolicy
- Action: Grants permission to define the RAM access control policy for a cluster
- Mitre Tactic: Exfiltration
- Why it’s sensitive: Allows setting resource policies for Route 53 Recovery Control resources, enabling cross-account access that could be exploited to manipulate failover routing controls.
AWS Network Firewall
Service Type: Security Services
Permission: network-firewall:StartFlowCapture
- Action: Grants permission to start a flow capture operation on a firewall
- Mitre Tactic: Reconnaissance
- Why it’s sensitive: Allows starting flow capture on network traffic, which could be used to analyze traffic patterns, identify resources, and uncover protocols in use—information that can aid in targeted attacks.
AWS Secrets Manager
Service Type: Security and Compliance
Permission: secretsmanager:ValidateResourcePolicy
- Action: Grants permission to validate a resource policy before attaching it
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Used alongside PutResourcePolicy to validate resource policies in Secrets Manager, potentially exposing or enabling misconfigured policies that could allow unauthorized access to secrets.
New Services
AWS IoT Core
Service Type: Internet of Things (IoT)
No sensitive permissions identified.
Amazon GameLift Streams
Service Type: Compute Services
Permission: gameliftstreams:AssociateApplications
- Action: Grants permission to associate Applications to a StreamGroup
- Mitre Tactic: Execution
- Why it’s sensitive: Allows linking applications to GameLift stream groups, potentially enabling unauthorized application launches using allocated compute resources.
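The permissions above are only dangerous when a policy actually grants them, and in practice they usually arrive through a wildcard (`lakeformation:*`, `secretsmanager:*ResourcePolicy`) rather than by name. The following scanner is an added example, not Sonrai's code or an AWS API: it takes an IAM identity policy document, expands `Action`, `NotAction` and `*`/`?` wildcards the way IAM matches them, and reports which of this month's sensitive actions survive after explicit `Deny` statements. The sample policy is constructed for illustration.

```python
import fnmatch
import json

# The sensitive actions called out in this post (constructed watch list).
SENSITIVE_ACTIONS = [
    "cloudshell:ApproveCommand",
    "application-signals:Link",
    "workspaces:ModifyEndpointEncryptionMode",
    "rum:PutResourcePolicy",
    "elasticloadbalancing:ModifyIpPools",
    "lakeformation:RegisterResourceWithPrivilegedAccess",
    "route53-recovery-control-config:PutResourcePolicy",
    "network-firewall:StartFlowCapture",
    "secretsmanager:ValidateResourcePolicy",
    "gameliftstreams:AssociateApplications",
]

def _as_list(value):
    # IAM allows a single string or a list for Statement/Action/NotAction.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def find_sensitive_grants(policy_json):
    """Return the watch-listed actions a policy allows, minus explicit Denies.

    Resource and Condition elements are deliberately ignored, so the result
    over-approximates: anything flagged deserves a manual look.
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        not_patterns = _as_list(stmt.get("NotAction"))
        if patterns:
            hits = {a for a in SENSITIVE_ACTIONS
                    if any(_matches(p, a) for p in patterns)}
        elif not_patterns:  # NotAction grants everything except the listed patterns
            hits = {a for a in SENSITIVE_ACTIONS
                    if not any(_matches(p, a) for p in not_patterns)}
        else:
            hits = set()
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return sorted(allowed - denied)

# Constructed sample: two wildcard grants plus one explicit Deny.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["lakeformation:*", "network-firewall:StartFlowCapture", "s3:GetObject"]},
    {"Effect": "Allow", "Resource": "*", "Action": "secretsmanager:*ResourcePolicy"},
    {"Effect": "Deny", "Resource": "*", "Action": "network-firewall:StartFlowCapture"},
]})
```

Running `find_sensitive_grants(SAMPLE_POLICY)` flags the Lake Formation and Secrets Manager actions while correctly dropping the flow-capture action that the Deny statement removes.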
Conclusion
As AWS continues to evolve, the complexity of securing cloud environments grows alongside it. This month’s updates underscore how sensitive permissions, from network-level flow capture to encryption downgrades and cross-account resource sharing, can create serious security blind spots if not properly governed. Even newly released services like GameLift Streams come with permissions that open the door to unauthorized execution and resource use.

Sonrai Security helps teams get ahead of these risks with our Cloud Permissions Firewall, built to automatically detect, restrict, and monitor sensitive permissions across AWS accounts. By enforcing least privilege and providing continuous insight into permission exposure, we empower security teams to reduce risk, stay compliant, and keep pace with AWS’s ever-expanding service landscape.