As November 2025 comes to a close, Sonrai’s latest review of newly released AWS permissions shows a continued expansion of privileges that directly affect observability, anomaly detection, and identity-based access. This month’s updates center on Amazon Managed Service for Prometheus and AWS Security Token Service, introducing new ways to alter or disable logging pipelines, weaken anomaly detectors, and obtain identity tokens used to access external services.
These changes emphasize how even small adjustments to monitoring and identity mechanisms can have significant security implications. From suppressing key signals in Prometheus to enabling machine identities to authenticate beyond AWS, each new permission subtly shifts the trust model and opens potential paths for evasion or credential misuse. Security teams should remain vigilant, as these emerging privileges continue to evolve the cloud attack surface in meaningful ways.
Existing Services with New Privileged Permissions
Amazon Managed Service for Prometheus
Service Type: Observability and Monitoring
Permission: aps:DeleteAnomalyDetector
- Action: Grants permission to delete an anomaly detector
- Mitre Tactic: Defense Evasion
- Why it’s privileged: Allows removal of anomaly detection mechanisms, disabling monitoring and enabling attackers to hide abnormal activity.
Permission: aps:DeleteScraperLoggingConfiguration
- Action: Grants permission to delete a scraper logging configuration
- Mitre Tactic: Defense Evasion
- Why it’s privileged: Allows disabling of log forwarding to CloudWatch, reducing visibility and helping attackers evade detection.
Permission: aps:UpdateScraperLoggingConfiguration
- Action: Grants permission to update a scraper logging configuration
- Mitre Tactic: Defense Evasion
- Why it’s privileged: Enables redirecting or altering log destinations, reducing visibility or obscuring activity to evade detection.
Permission: aps:PutAnomalyDetector
- Action: Grants permission to update an anomaly detector
- Mitre Tactic: Defense Evasion
- Why it’s privileged: Allows altering detection rules or ignored values, enabling attackers to weaken or bypass anomaly detection.
AWS Security Token Service
Service Type: Identity and Access Management
Permission: sts:GetWebIdentityToken
- Action: Grants permission to obtain a short-lived, publicly verifiable JSON Web Token (JWT) that represents the calling IAM principal’s identity
- Mitre Tactic: Credential Access
- Why it’s privileged: Provides a valid identity token that can be used to authenticate to external services, enabling potential misuse of machine identities.
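The two guardrails a defender would want for the permissions listed under both services above are a preventive policy and a detection over CloudTrail. The following is an added example, not Sonrai's code and not part of the original post: it builds a Deny statement (IAM or SCP style) for the five actions that exempts an allow-listed set of role ARNs, and it classifies CloudTrail-shaped records that invoke those actions, tagging each with the MITRE tactic the post assigns. The role ARNs, account number and log records are constructed placeholders, and the code assumes the CloudTrail `eventSource` for each service follows the usual `<service-prefix>.amazonaws.com` pattern.

```python
"""Added example (not Sonrai's code): defender-side handling of the five
permissions covered in this post.

1. build_guardrail_policy() returns a Deny statement that blocks the actions
   unless the caller is one of the allow-listed role ARNs (placeholders).
2. classify_events() walks CloudTrail-shaped records and flags calls to the
   same actions, tagging each with the MITRE tactic the post assigns to it.
All sample data below is constructed for this example.
"""
import json

# Permission -> MITRE tactic, exactly as listed in the post above.
PRIVILEGED_ACTIONS = {
    "aps:DeleteAnomalyDetector": "Defense Evasion",
    "aps:DeleteScraperLoggingConfiguration": "Defense Evasion",
    "aps:UpdateScraperLoggingConfiguration": "Defense Evasion",
    "aps:PutAnomalyDetector": "Defense Evasion",
    "sts:GetWebIdentityToken": "Credential Access",
}

# Assumption: CloudTrail records carry eventSource as
# "<service-prefix>.amazonaws.com" and eventName as the bare API action.
SERVICE_TO_SOURCE = {"aps": "aps.amazonaws.com", "sts": "sts.amazonaws.com"}


def build_guardrail_policy(approved_role_arns):
    """Return a Deny statement for the privileged actions that exempts the
    approved roles. ArnNotLike and aws:PrincipalArn are real IAM condition
    constructs; the role ARNs are supplied by the caller (placeholders here)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyMonitoringAndTokenActionsExceptApproved",
                "Effect": "Deny",
                "Action": sorted(PRIVILEGED_ACTIONS),
                "Resource": "*",
                "Condition": {
                    "ArnNotLike": {"aws:PrincipalArn": list(approved_role_arns)}
                },
            }
        ],
    }


def action_from_event(record):
    """Map a CloudTrail record back to 'service:Action' form, or None when the
    record comes from a service this example does not track."""
    service = record.get("eventSource", "").split(".")[0]
    if service not in SERVICE_TO_SOURCE:
        return None
    return f"{service}:{record.get('eventName', '')}"


def classify_events(records):
    """Return one finding per record that invokes a privileged action.
    A denied call (errorCode present) is still reported: a blocked attempt
    to delete a detector is itself a signal worth reviewing."""
    findings = []
    for rec in records:
        action = action_from_event(rec)
        tactic = PRIVILEGED_ACTIONS.get(action)
        if tactic is None:
            continue
        identity = rec.get("userIdentity", {})
        findings.append({
            "time": rec.get("eventTime"),
            "action": action,
            "tactic": tactic,
            "principal": identity.get("arn"),
            "error": rec.get("errorCode"),  # set when AWS denied the call
        })
    return findings


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2025-11-20T10:01:00Z", "eventSource": "aps.amazonaws.com",
     "eventName": "DeleteAnomalyDetector",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/session"}},
    {"eventTime": "2025-11-20T10:02:00Z", "eventSource": "aps.amazonaws.com",
     "eventName": "ListScrapers",  # benign read; must not be flagged
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/reader"}},
    {"eventTime": "2025-11-20T10:03:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetWebIdentityToken",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    policy = build_guardrail_policy(["arn:aws:iam::111122223333:role/observability-admin"])
    print(json.dumps(policy, indent=2))
    for finding in classify_events(SAMPLE_RECORDS):
        print(finding)
```

Running the module prints the Deny statement and two findings: the `DeleteAnomalyDetector` call from the CI role (Defense Evasion) and the denied `GetWebIdentityToken` attempt (Credential Access); the `ListScrapers` read is ignored. The Deny-with-exemption shape is the same one used for other destructive administrative actions: it keeps the permissions available to the one role that legitimately manages the monitoring pipeline while CloudTrail still records every attempt, successful or not.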
Conclusion
As AWS continues to enhance its observability and identity services, the introduction of new privileged permissions is reshaping how security boundaries are defined and defended. This month’s additions highlight how disabling anomaly detectors, redirecting logs, or issuing identity tokens can quickly erode visibility and expand opportunities for evasion or credential misuse. Even subtle permission changes can have an outsized impact on detection fidelity and trust across cloud and external systems.
Sonrai Security’s Cloud Permissions Firewall equips organizations to stay ahead of these shifts by continuously detecting emerging privileged permissions, aligning them to MITRE ATT&CK tactics, and enforcing least privilege at scale. In a cloud environment where new privileges appear every month, maintaining real-time visibility and control is critical to preventing gaps before they become attack paths.