New AWS Services and Sensitive Permissions


Amazon Web Services (AWS) has over 200 cloud services available to help organizations innovate, build business, and secure their data. New services are released every year, each with new permissions to accompany them (there are over 19k permissions in AWS today!). AWS also releases new permissions for existing services all the time, so that 19k is always growing.

Below, we’re summarizing the service releases from this month and the new permissions you should care about most. With such a high volume of permissions it can be hard to keep track, so our team analyzes them using sensitivity criteria to identify the permissions with the greatest potential for impact.

Read the guide, ‘Powerful Cloud Permissions You Should Know’ for examples of sensitive permissions across AWS, Azure, and GCP. 

New Services

AWS Control Catalog

Infrastructure Management

*No sensitive permissions associated with this service.

Description: Control Catalog is a repository of cost, security, compliance and other controls within AWS Control Tower. It helps organizations assess their adherence to these standards and implement appropriate security measures within their AWS environments and is accessible using the Control Catalog API.

Amazon Q

Artificial Intelligence

Description: Amazon Q is a generative AI-powered assistant designed to enhance workplace and development productivity by leveraging internal data. Amazon Q for Business can be tailored to specific business needs, enabling employees to extract information, generate content, and automate tasks by integrating with over 40 commonly used business tools like wikis, intranets, and enterprise systems. Amazon Q for Developers is particularly useful for developers and IT professionals, by supporting code generation, testing, debugging, and security through natural language inputs.

New Services with Sensitive Permissions

AWS Deadline Cloud

Image and Media Processing

Description: AWS Deadline Cloud is a fully managed service that streamlines rendering projects, allowing customers to set up, deploy, and scale rendering pipelines quickly. It enables users in creative industries to build cloud-based render farms that scale dynamically.

Permission: AssumeFleetRoleForWorker

Description: Get credentials from the fleet role for a worker.

MITRE Mapping: Privilege Escalation

With this permission, an attacker could assume the role of a worker within a fleet, potentially gaining unauthorized access to resources, data, or services associated with that role. From there, they could steal data, further escalate privileges, or disrupt your rendering pipeline. 

Permission: AssumeQueueRoleForUser

Description: Allows a user to assume a role for a queue.

MITRE Mapping: Privilege Escalation

If exploited, an attacker could assume the identity of another user within the queue, inheriting whatever access that other identity holds. This means further privilege escalation, unauthorized data access, and disruption.

Permission: AssumeQueueRoleForWorker

Description: Allows a worker to assume a queue role.

MITRE Mapping: Privilege Escalation

Similar to the previous permission, this one allows a worker to assume a queue role. If abused, an attacker could masquerade as a worker within the queue, potentially gaining unauthorized access to resources or performing unauthorized actions.

Permission: CreateJob

Description: Grants permission to create a job.

MITRE Mapping: Execution

This permission enables users to create rendering jobs within the AWS Deadline service. While this permission is necessary for legitimate job submissions, it’s sensitive due to the potential for its misuse. If granted to malicious users, they could flood the queue with bogus rendering jobs for a DDoS attack or disruption of legitimate work. 

Amazon Route 53 Profiles

Networking and Content Delivery

Description: Amazon Route 53 Profiles is a new AWS service designed to standardize DNS configurations across multiple Virtual Private Clouds (VPCs) within the same region and across different AWS accounts. This service allows users to create Profiles that can include a variety of DNS settings such as private hosted zones, Route 53 Resolver forwarding rules, and DNS Firewall rule groups. These Profiles can be applied to multiple VPCs and shared using AWS Resource Access Manager (RAM), facilitating consistent and secure DNS management. Once a Profile is linked to a VPC, it handles the VPC’s DNS queries according to the settings specified in the Profile. 

Permission: AssociateProfile

Description: Grants permission to associate a Profile to the customer VPC.

MITRE Mapping: Lateral Movement

An attacker leveraging this permission could facilitate lateral movement throughout cloud infrastructure by associating malicious or compromised profiles to various parts of the VPC. This could allow them to extend their reach and control over additional resources or data flows.

Permission: AssociateResourceToProfile

Description: Grants permission to associate a resource, such as DNS Firewall rule group, private hosted zone, resolver rule, etc. to a specified Profile.

MITRE Mapping: Lateral Movement

This permission can be exploited to redirect traffic and resource behavior across the organization’s network. By associating critical resources like DNS settings or firewall rules to compromised or attacker-controlled profiles, an attacker can route traffic through malicious nodes or bypass security controls, moving laterally.

Permission: DisassociateProfile

Description: Grants permission to delete an association between a customer VPC and the specified Profile.

MITRE Mapping: Defense Evasion

By disassociating profiles that enforce security measures or monitoring, an attacker could disable these protections, making their activities less visible to security teams. This would allow their activities to continue undetected.

Existing Services with New Sensitive Permissions

Service: Workspaces

Permission: AcceptAccountLinkInvitation

Description: Grants permission to accept invitations from other AWS accounts to share the same configuration for WorkSpaces BYOL.

MITRE Mapping: Initial Access

If an attacker gains access to this permission, they could link a compromised account to the infrastructure, granting them access to shared resources. This access could lead them to compromise sensitive data or further escalate privileges within the account. Once this link request is accepted, there’s no undoing it.

Service: DocumentDB

Permission: CopyClusterSnapshot

Description: Grants permission to copy a new Amazon DocumentDB Elastic cluster snapshot.

MITRE Mapping: Exfiltration

If this permission were to fall into the wrong hands, and an attacker had additional access to database contents, they could make unauthorized copies of sensitive database snapshots. Depending on what’s in the database snapshot, this could mean compromised confidential information, compliance breaches, and ransom demands.

Service: Bedrock

Permission: ApplyGuardrail

Description: Grants permission to apply a guardrail.

MITRE Mapping: Persistence

This permission can be exploited to establish persistence within an environment. By applying malicious guardrails, an attacker could, for example, restrict administrative actions to ensure their activity goes uninterrupted and maintain access.

Permission: DeleteGuardrail

Description: Grants permission to delete a guardrail or its version.

MITRE Mapping: Impact

An attacker with this permission could remove the protective measures guardrails present. This could include disabling security controls for further damage, or deleting critical guardrails to disrupt business operations.

Service: RolesAnywhere

Permission: PutAttributeMapping

Description: Grants permission to put a mapping rule into a profile.

MITRE Mapping: Privilege Escalation

This permission enables an attacker to escalate privileges by altering attribute mappings to grant themselves or others higher privileges than originally intended. 
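The permissions above are all recorded in CloudTrail when they are called, so a detection rule that flags these event names (and notes whether the call was denied, and whether the caller is one your team expects) is the quickest way to get visibility. The script below is an added example, not code from the original post; the eventSource values are my assumption of how each service reports to CloudTrail, the account ID, role names and log records are constructed sample data, and the MITRE tactic labels are the ones given in this post.

```python
import json
from typing import Dict, List, Optional

# Sensitive API calls named in this post, keyed by the CloudTrail eventSource each
# service is assumed to report under (assumption; confirm against your own trail).
SENSITIVE_EVENTS: Dict[str, Dict[str, str]] = {
    "deadline.amazonaws.com": {
        "AssumeFleetRoleForWorker": "Privilege Escalation",
        "AssumeQueueRoleForUser": "Privilege Escalation",
        "AssumeQueueRoleForWorker": "Privilege Escalation",
        "CreateJob": "Execution",
    },
    "route53profiles.amazonaws.com": {
        "AssociateProfile": "Lateral Movement",
        "AssociateResourceToProfile": "Lateral Movement",
        "DisassociateProfile": "Defense Evasion",
    },
    "workspaces.amazonaws.com": {"AcceptAccountLinkInvitation": "Initial Access"},
    "docdb-elastic.amazonaws.com": {"CopyClusterSnapshot": "Exfiltration"},
    "bedrock.amazonaws.com": {"ApplyGuardrail": "Persistence", "DeleteGuardrail": "Impact"},
    "rolesanywhere.amazonaws.com": {"PutAttributeMapping": "Privilege Escalation"},
}

# Hypothetical allow-list: principal ARN prefixes expected to call a given API in
# normal operation (here, only the render-farm worker role assumes fleet roles).
EXPECTED_CALLERS: Dict[str, tuple] = {
    "AssumeFleetRoleForWorker": ("arn:aws:sts::123456789012:assumed-role/RenderFarmWorker/",),
}


def classify_record(record: dict) -> Optional[dict]:
    """Return a finding for one CloudTrail record, or None if it is not of interest."""
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    tactic = SENSITIVE_EVENTS.get(source, {}).get(name)
    if tactic is None:
        return None
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    expected = EXPECTED_CALLERS.get(name, ())
    return {
        "eventTime": record.get("eventTime"),
        "eventName": name,
        "tactic": tactic,
        "actor": actor,
        "sourceIp": record.get("sourceIPAddress"),
        # A denied call is still a signal: someone tried and lacked the permission.
        "denied": "errorCode" in record,
        "unexpectedActor": not any(actor.startswith(p) for p in expected),
    }


def scan_trail(records: List[dict]) -> List[dict]:
    """Run every record through classify_record and keep the findings, in order."""
    return [f for f in map(classify_record, records) if f is not None]


# Constructed sample records (not real CloudTrail output), trimmed to the fields used.
SAMPLE_RECORDS: List[dict] = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "DeleteGuardrail", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "route53profiles.amazonaws.com",
     "eventName": "DisassociateProfile", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "deadline.amazonaws.com",
     "eventName": "ListQueues", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/artist"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "deadline.amazonaws.com",
     "eventName": "AssumeFleetRoleForWorker", "sourceIPAddress": "10.0.0.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/RenderFarmWorker/i-0abc"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/artist"}},
]

if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

On the sample data this yields three findings: the guardrail deletion by an unexpected user, the denied attempt to disassociate a Route 53 Profile, and the fleet-role assumption by the expected worker role. In production you would feed it events from a CloudTrail Lake query or an S3-delivered trail and route findings where `unexpectedActor` or `denied` is true to your alerting pipeline.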

Conclusion

If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. As new permissions are released for pre-existing services, any identity whose policy already covers that service with a wildcard gains access to the new permission by default. If it is a sensitive permission, this can be risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.

To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.
If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.
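To act on the two recommendations above you need to know which existing policies already grant the new permissions (often through wildcards such as `deadline:*` or `*`) and then put a guardrail in front of them. The script below is an added example, not code from the original post or from any Sonrai product: it evaluates identity policy documents against the sensitive actions named in this post, honouring IAM's wildcard matching and deny-overrides rule, and emits an SCP that denies those actions for every principal except an exempt role. The service prefixes are my assumption of how IAM spells them (confirm each in the Service Authorization Reference), and the sample policies and role ARNs are constructed.

```python
import fnmatch
import json
from typing import Dict, Iterable, List

# Sensitive actions named in this post. Service prefixes are assumed; verify them.
SENSITIVE_ACTIONS: List[str] = [
    "deadline:AssumeFleetRoleForWorker",
    "deadline:AssumeQueueRoleForUser",
    "deadline:AssumeQueueRoleForWorker",
    "deadline:CreateJob",
    "route53profiles:AssociateProfile",
    "route53profiles:AssociateResourceToProfile",
    "route53profiles:DisassociateProfile",
    "workspaces:AcceptAccountLinkInvitation",
    "docdb-elastic:CopyClusterSnapshot",
    "bedrock:ApplyGuardrail",
    "bedrock:DeleteGuardrail",
    "rolesanywhere:PutAttributeMapping",
]


def _as_list(value) -> List[str]:
    """IAM lets Action/NotAction be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt: dict, action: str) -> bool:
    """True if the statement applies to `action`, via Action or NotAction."""
    if "Action" in stmt:
        return any(action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def granted_sensitive_actions(policy: dict) -> List[str]:
    """Return the sensitive actions an identity policy document allows.

    Resource and Condition are deliberately ignored: a conditional Allow still
    deserves review, so this errs toward reporting. An explicit Deny in the same
    document removes the action, mirroring IAM's deny-overrides evaluation.
    """
    raw = policy.get("Statement", [])
    statements = [raw] if isinstance(raw, dict) else list(raw)
    granted = []
    for action in SENSITIVE_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in statements)
        if allowed and not denied:
            granted.append(action)
    return granted


def build_scp(actions: Iterable[str], exempt_principal_arns: Iterable[str]) -> dict:
    """Build an SCP denying `actions` for every principal except the listed ARNs.

    ArnNotLike on aws:PrincipalArn lets the exemption use wildcards, e.g. one
    role name across every account in the OU.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNewSensitivePermissions",
            "Effect": "Deny",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(exempt_principal_arns)}},
        }],
    }


# Constructed sample identity policies (not real account data).
SAMPLE_POLICIES: Dict[str, dict] = {
    "AdminAccess": {"Version": "2012-10-17",
                    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    "RenderDeveloper": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["deadline:*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Deny", "Action": "deadline:Assume*", "Resource": "*"},
    ]},
    "DnsReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["route53profiles:Get*", "route53profiles:List*"],
         "Resource": "*"},
    ]},
}


def report() -> Dict[str, List[str]]:
    """Map each sample policy name to the sensitive actions it grants."""
    return {name: granted_sensitive_actions(p) for name, p in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for name, actions in report().items():
        print(f"{name}: {actions or 'no sensitive actions'}")
    print(json.dumps(build_scp(SENSITIVE_ACTIONS,
                               ["arn:aws:iam::*:role/RenderFarmWorker"]), indent=2))
```

Against the samples, `AdminAccess` grants all twelve actions through its `*`, `RenderDeveloper` is left with only `deadline:CreateJob` because its explicit Deny strips the three role-assumption actions, and `DnsReadOnly` grants none. Pair the generated SCP with a review of any policy the report flags; SCPs only cap what member-account identities can do and do not apply to the management account.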
