New AWS Sensitive Permissions and Services

As AWS continues to evolve, new services and permissions are frequently introduced to enhance functionality and security. This blog provides a comprehensive recap of new sensitive permissions and services added in October 2024. Our intention in sharing this is to flag the most important releases to keep your eye on and update your permissions and access control policies accordingly.

Existing Services with New Sensitive Permissions

Amazon Pinpoint SMS and Voice

Service Type: Messaging and Communication

Permission: PutResourcePolicy

  • Action: Grants permission to put a resource policy
  • Mitre Tactic: Persistence
  • Why it’s sensitive: Unauthorized access through changes in resource policies can pose significant security risks, particularly for use cases involving one-time passwords.

Amazon RDS

Service Type: Database Services

Permission: ModifyDBClusterSnapshotAttribute

  • Action: Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot
  • Mitre Tactic: Exfiltration
  • Why it’s sensitive: Enables modification of the snapshot to allow another org to use it as part of restoration.

Permission: ModifyDBSnapshotAttribute

  • Action: Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot
  • Mitre Tactic: Exfiltration
  • Why it’s sensitive: Enables modification of the snapshot to allow another org to use it as part of restoration.

AWS IoT Core

Service Type: Internet of Things

Permission: AssociateSbomWithPackageVersion

  • Action: AssociateSbomWithPackageVersion
  • Mitre Tactic: Defense Evasion
  • Why it’s sensitive: Allows changes to software dependencies that may introduce vulnerabilities in new package versions.

AWS Supply Chain

Service Type: Process Automation and Integration

Permission: UpdateDataIntegrationFlow

  • Action: Grants permission to update the DataIntegrationFlow
  • Mitre Tactic: Exfiltration
  • Why it’s sensitive: Allows mapping of data sources to targets, potentially directing data to a less-secure S3 bucket.

Permission: CreateDataIntegrationFlow

  • Action: Grants permission to create DataIntegrationFlow that can transform from multiple sources to one target
  • Mitre Tactic: Exfiltration
  • Why it’s sensitive: Allows mapping of data sources to targets, potentially directing data to a less-secure S3 bucket.

AWS Data Exchange

Service Type: Data and Analysis

Permission: CreateDataGrant

  • Action: Grants permission to create a data grant
  • Mitre Tactic: Exfiltration
  • Why it’s sensitive: Allows the creation of a data grant, which, once accepted, provides access to read, process, or transfer data.


New Services

AWS End User Messaging Social

Service Type: Messaging and Communication

Permission: AssociateWhatsAppBusinessAccount

  • Action: Grants permission to associate a WhatsApp Business Account with your AWS account
  • Mitre Tactic: Persistence
  • Why it’s sensitive: Associates your “AWS business account” with WhatsApp, which becomes the source for persistence and exfiltration.

Conclusion

If you’re an AWS user, your cloud is always changing, which means a constantly evolving attack surface for you to secure. When a new permission is released for a pre-existing service, any identity whose policies already allow that service’s actions broadly (for example, through a wildcard) gains the new permission by default. If it is a sensitive permission, this is risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.

To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.
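As an added example (not part of the original post or any vendor tooling), the script below checks an IAM policy document for statements that grant the permissions listed above, expanding IAM wildcards the way the conclusion warns about, and then emits a deny SCP for whatever it finds. The service prefixes (`sms-voice`, `rds`, `iot`, `scn`, `dataexchange`, `social-messaging`) are assumptions, since the post names services rather than prefixes, and the sample policy is constructed.

```python
import fnmatch
import json

# Service prefixes are assumptions; the post names services, not prefixes.
SENSITIVE_ACTIONS = {
    "sms-voice:PutResourcePolicy",
    "rds:ModifyDBClusterSnapshotAttribute",
    "rds:ModifyDBSnapshotAttribute",
    "iot:AssociateSbomWithPackageVersion",
    "scn:UpdateDataIntegrationFlow",
    "scn:CreateDataIntegrationFlow",
    "dataexchange:CreateDataGrant",
    "social-messaging:AssociateWhatsAppBusinessAccount",
}

def _as_list(value):
    # IAM lets Statement and Action be a single string or a list.
    return value if isinstance(value, list) else ([] if value is None else [value])

def allowed_sensitive_actions(policy):
    """Sensitive actions that some Allow statement grants, after expanding
    IAM wildcards ('*', 'rds:*', 'rds:Modify*'); matching is case-insensitive
    like IAM's own. Deny statements are ignored, so this over-reports."""
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            hits.update(a for a in SENSITIVE_ACTIONS
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(hits)

def deny_scp(actions):
    """SCP JSON denying the given actions; attach to OUs that do not use them."""
    stmt = {"Sid": "DenyNewSensitivePermissions", "Effect": "Deny",
            "Action": sorted(actions), "Resource": "*"}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]}, indent=2)

# Constructed sample policy: broad RDS access plus a scoped Data Exchange grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["rds:*", "iot:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "dataexchange:CreateDataGrant", "Resource": "*"},
    ],
}
```

Running `allowed_sensitive_actions(SAMPLE_POLICY)` reports both RDS snapshot-attribute actions (via `rds:*`) and `dataexchange:CreateDataGrant`, while `iot:Describe*` matches nothing; `deny_scp(...)` turns that list into the SCP to attach.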

If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.
