New AWS Sensitive Permissions and Services

As AWS continues to evolve, new services and permissions are frequently introduced to enhance functionality and security. This blog provides a comprehensive recap of new sensitive permissions and services added in September 2024. Our intention in sharing this is to flag the most important releases to keep your eye on and update your permissions and access control policies accordingly.

Existing Services with New Sensitive Permissions

AWS Elemental MediaLive

Service Type: Content Delivery and Management

Permission: UpdateCluster

  • Action: Grants permission to update a cluster
  • Mitre Tactic: Persistence
  • Why it’s sensitive: Can change which network the cluster uses, which could expose sensitive content or disrupt live broadcasts.

Permission: UpdateNetwork

  • Action: Grants permission to update the state of a node
  • Mitre Tactic: Persistence
  • Why it’s sensitive: Can be used to modify the network's IP addresses directly, which could expose a live stream to unauthorized access or open the system to a DoS attack.

New Services

AWS Directory Service Data

Service Type: Identity and Access Management

Permission: AddGroupMember

  • Action: Grants permission to add a member to a group on a directory
  • Mitre Tactic: Privilege Escalation
  • Why it’s sensitive: Can expand the access of the identity being added, since permissions can be assigned through group membership, resulting in unauthorized access or the ability to bypass controls.

Permission: CreateUser

  • Action: Grants permission to create a user on a directory
  • Mitre Tactic: Initial Access
  • Why it’s sensitive: Creates a new identity that can sign in through the directory service and be assigned permissions, including administrative roles.

Permission: RemoveGroupMember

  • Action: Grants permission to remove a member from a group on a directory
  • Mitre Tactic: Defense Evasion
  • Why it’s sensitive: Can cause restrictive policies applied at the group level to no longer apply to the user, potentially removing strict security controls for that user or causing unintentional downtime.

Permission: UpdateGroup

  • Action: Grants permission to update a group on a directory
  • Mitre Tactic: Lateral Movement
  • Why it’s sensitive: Changing the group scope to universal can allow users to gain expanded access to cross-domain resources.

Conclusion

If you’re an AWS user, your cloud is always changing, which means a constantly evolving attack surface for you to secure. When a new permission is released for a pre-existing service, any identity that already holds a broad policy (such as a service-wide wildcard) gains access to that permission by default. If it is a sensitive permission, this can be risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.

To reduce the risk introduced by new services, your teams should update any SCPs and IAM policies that restrict access to services you aren’t using, so that the new service prefixes and actions are covered.
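One way to put that recommendation into practice, as an added example that is not code from the original post: build a deny-by-default SCP covering the sensitive actions listed above, check how it evaluates for an allowlisted principal versus everyone else, and flag CloudTrail records that exercise those actions. The IAM service prefixes `medialive` and `ds-data`, the account ID, role names, and the `eventSource` values in the sample events are assumptions.

```python
import fnmatch

# Sensitive actions listed in the post, keyed by IAM service prefix.
# The prefixes "medialive" and "ds-data" are assumptions, not stated in the post.
SENSITIVE_ACTIONS = {
    "medialive": ["UpdateCluster", "UpdateNetwork"],
    "ds-data": ["AddGroupMember", "CreateUser", "RemoveGroupMember", "UpdateGroup"],
}

def build_scp(allowed_principal_arns):
    """SCP that denies the listed actions for every principal except the allowlisted ARNs."""
    actions = sorted(f"{svc}:{a}" for svc, acts in SENSITIVE_ACTIONS.items() for a in acts)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNewSensitiveActionsUnlessAllowlisted",
            "Effect": "Deny",
            "Action": actions,
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(allowed_principal_arns)}},
        }],
    }

def scp_denies(scp, principal_arn, action):
    """Minimal evaluator for the SCP above: True when the Deny statement matches the call."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        allowlist = stmt["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
        if not any(fnmatch.fnmatchcase(principal_arn, pat) for pat in allowlist):
            return True
    return False

def flag_sensitive_events(events):
    """Detection side: (principal ARN, action) for CloudTrail records that used a listed action."""
    flagged = []
    for ev in events:
        svc = ev.get("eventSource", "").split(".")[0]  # "ds-data.amazonaws.com" -> "ds-data"
        if ev.get("eventName") in SENSITIVE_ACTIONS.get(svc, ()):
            flagged.append((ev["userIdentity"]["arn"], f"{svc}:{ev['eventName']}"))
    return flagged

# Constructed sample data (fictitious account, roles and eventSource values), not real CloudTrail output.
BREAK_GLASS = ["arn:aws:iam::111111111111:role/DirectoryAdminBreakGlass"]
DEV_ROLE = "arn:aws:iam::111111111111:role/DeveloperRole"
def _ev(source, name, arn):
    return {"eventSource": source, "eventName": name, "userIdentity": {"arn": arn}}
SAMPLE_EVENTS = [_ev("ds-data.amazonaws.com", "AddGroupMember", DEV_ROLE),
                 _ev("medialive.amazonaws.com", "UpdateNetwork", DEV_ROLE),
                 _ev("medialive.amazonaws.com", "DescribeChannel", DEV_ROLE)]
```

The Deny-with-allowlist shape keeps a newly released action off-limits for every identity in the organization, including those holding service-wide wildcards, until a specific principal is explicitly approved.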

If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.
