Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AWS privileged permissions: what IAM teams need to restrict now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A small set of AWS permissions, including PassRole, PutRolePolicy, AttachRolePolicy, AssumeRole, and organizations:DetachPolicy, can enable data theft, stealth escalation, logging disablement, and org-wide guardrail removal when they are over-scoped, according to Sonrai Security. The real issue is not the permission list itself, but the governance model that still treats high-impact cloud access as routine.

NHIMG editorial — based on content published by Sonrai Security: Privileged AWS permissions you should restrict immediately (Top 25 + bonus)

Questions worth separating out

Q: How should security teams restrict dangerous AWS privileged permissions?

A: Start by separating policy management, role assumption, secret retrieval, and logging controls into different administrative domains.

Q: Why do AWS privileged permissions create such a large breach blast radius?

A: Because many AWS permissions do not just expose data, they change identity reach, trust relationships, or governance visibility.

Q: What do security teams get wrong about cloud least privilege?

A: They often treat least privilege as a count of permissions instead of a map of consequences.

Practitioner guidance

  • Restrict policy-writing permissions aggressively Remove iam:PutRolePolicy, iam:AttachRolePolicy, and iam:UpdateAssumeRolePolicy from broad admin groups unless there is a documented change workflow and strong approval path.
  • Separate governance controls from runtime operations Treat organizations:DetachPolicy, organizations:UpdatePolicy, cloudtrail:DeleteTrail, and organizations:LeaveOrganization as privileged governance actions that require independent oversight.
  • Review secret and role chaining as one attack path Map every principal that can use secretsmanager:GetSecretValue, kms:Decrypt, or sts:AssumeRole, then trace where those permissions lead across accounts and services.

What's in the full article

Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The ranked Top 25 AWS permissions with Sonrai Security's severity ordering and short risk rationales.
  • The bonus AWS Organizations permissions that affect guardrails, policy enforcement, and account containment.
  • The article's video explainers and examples of how each permission has been abused in practice.
  • The surrounding commentary on why these permissions matter for cloud privilege and least privilege programmes.

👉 Read Sonrai Security's list of privileged AWS permissions to restrict immediately →

AWS privileged permissions: what IAM teams need to restrict now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AWS privilege risk is fundamentally an identity governance problem, not a permissions inventory problem. The article is right to surface dangerous actions, but the deeper issue is that many cloud programmes still review identities as if access were static and low-risk by default. Once a principal can modify trust policy, attach policies, assume roles, or delete trails, the identity itself becomes a control plane. Practitioners should stop thinking in terms of permission count and start thinking in terms of identity blast radius.

A few things that frame the scale:

A question worth separating out:

Q: Who should approve AWS permissions that can remove logging or guardrails?

A: Those permissions should sit with a separate platform or security governance function, not the same team that runs day-to-day cloud operations. If an operator can disable CloudTrail, detach policies, or move accounts without independent checks, the organisation has built an escape hatch into its own control plane.

👉 Read our full editorial: Privileged AWS permissions expose the real cloud access risk



   
ReplyQuote
Share: