New AWS Sensitive Permissions and Services
As AWS continues to evolve, new services and permissions are frequently introduced to enhance functionality and security. This blog provides a comprehensive recap of new sensitive permissions and services added in August 2024. Our intention in sharing this is to flag the most important releases to keep your eye on and update your permissions and access control policies accordingly.
AWS CodePipeline
Service Type: Development & DevOps Tools
Permission: OverrideStageCondition
- Action: Grants permission to resume the pipeline execution by overriding a condition in a stage
- Mitre Tactic: Execution
- Why it’s sensitive: Users can override a Lambda function’s condition on a stage within a pipeline. This could be used to let a deployment pipeline continue when it would otherwise be stopped, for example continuing to deploy vulnerable software after a failed security scan.
Amazon Elastic Container Registry (ECR)
Service Type: Containers and Orchestration
Permission: PutAccountSetting
- Action: Allows modification of settings for the ECR account
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Users can change tag mutability, automated image scanning, how scans are conducted (e.g. on push or manually), and encryption settings.
New Services
AWS Parallel Computing Services
Service Type: Compute Services
Permission: CreateComputeNodeGroup
- Action: Grants permission to create compute node groups
- Mitre Tactic: Execution
- Why it’s sensitive: Users can pass an API parameter in calls to this permission that overrides the launch template AMI. By specifying a custom (potentially malicious) AMI, an attacker could get arbitrary malicious code running within the node pool that processes jobs.
Permission: UpdateComputeNodeGroup
- Action: Grants permission to update compute node group properties
- Mitre Tactic: Execution
- Why it’s sensitive: Users can pass an API parameter in calls to this permission that overrides the launch template AMI. By specifying a custom (potentially malicious) AMI, an attacker could get arbitrary malicious code running within the node pool that processes jobs.
New Regions
Asia Pacific (Malaysia)
- API name: ap-southeast-5
- Availability zones: 3
Conclusion
If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. As new permissions are released for pre-existing services, by default, your users gain access to that permission. If it is a sensitive permission, this can be risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.
To reduce the risk resulting from new services and regions, update any SCPs and IAM policies you use to restrict access to services your teams aren’t using, so that newly released services and regions are covered as well.
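As an added example (not code from the original post or from any vendor product), the following Python builds an SCP that denies the four permissions covered above for everyone except a hypothetical break-glass role, denies all calls routed to the new ap-southeast-5 region, and includes a simplified evaluator so the policy can be sanity-checked offline before it is attached. The role name, the account id in the checks, and the limited condition-operator support are assumptions; service prefixes are as AWS documents them.

```python
import fnmatch

# New sensitive actions from this post (service prefixes as AWS documents them).
NEW_SENSITIVE_ACTIONS = [
    "codepipeline:OverrideStageCondition",
    "ecr:PutAccountSetting",
    "pcs:CreateComputeNodeGroup",
    "pcs:UpdateComputeNodeGroup",
]
NEW_REGION = "ap-southeast-5"
# Hypothetical break-glass role that keeps access to the sensitive actions.
ALLOWED_PRINCIPAL = "arn:aws:iam::*:role/PlatformAdmin"

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny the new sensitive actions for every principal except the admin role.
            "Sid": "DenyNewSensitiveActions",
            "Effect": "Deny",
            "Action": NEW_SENSITIVE_ACTIONS,
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": [ALLOWED_PRINCIPAL]}},
        },
        {   # Deny every API call routed to the new region until it is actually in use.
            "Sid": "DenyUnusedRegion",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": [NEW_REGION]}},
        },
    ],
}

def _any_match(patterns, value):
    """Case-insensitive glob match, as IAM applies to action names and ARN patterns."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)

def _condition_holds(condition, ctx):
    """Simplified model: only the two operators this SCP uses are supported."""
    for op, entries in condition.items():
        for key, vals in entries.items():
            matched = _any_match(vals, ctx.get(key, ""))
            if (op == "ArnNotLike" and matched) or (op == "StringEquals" and not matched):
                return False
    return True

def scp_denies(scp, action, principal_arn, region):
    """Return the Sid of the first Deny statement that blocks the call, else None."""
    ctx = {"aws:PrincipalArn": principal_arn, "aws:RequestedRegion": region}
    for st in scp["Statement"]:
        if (st["Effect"] == "Deny" and _any_match(st["Action"], action)
                and _condition_holds(st.get("Condition", {}), ctx)):
            return st["Sid"]
    return None
```

The evaluator only models the Deny logic of this one document; before attaching the SCP to an OU, confirm the effect with the IAM policy simulator, and remember that SCPs never apply to the organization’s management account.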
If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.