TL;DR: A small set of AWS permissions, including iam:PassRole, iam:PutRolePolicy, iam:AttachRolePolicy, sts:AssumeRole and organizations:DetachPolicy, can enable data theft, stealthy privilege escalation, logging disablement and org-wide guardrail removal when they are over-scoped, according to Sonrai Security. The real issue is not the permission list itself but the governance model that still treats high-impact cloud access as routine.
NHIMG editorial — based on content published by Sonrai Security: Privileged AWS permissions you should restrict immediately (Top 25 + bonus)
Questions worth separating out
Q: How should security teams restrict dangerous AWS privileged permissions?
A: Start by separating policy management, role assumption, secret retrieval, and logging controls into different administrative domains.
Q: Why do AWS privileged permissions create such a large breach blast radius?
A: Because many AWS permissions do not just expose data: they change identity reach, trust relationships, or governance visibility, so one over-scoped grant can turn into access the policy never named.
Q: What do security teams get wrong about cloud least privilege?
A: They often treat least privilege as a count of permissions instead of a map of consequences.
Practitioner guidance
- Restrict policy-writing permissions aggressively: remove iam:PutRolePolicy, iam:AttachRolePolicy and iam:UpdateAssumeRolePolicy from broad admin groups unless there is a documented change workflow and a strong approval path. These actions let a principal rewrite its own reach, so they belong in the same tier as iam:PassRole.
- Separate governance controls from runtime operations: treat organizations:DetachPolicy, organizations:UpdatePolicy, cloudtrail:DeleteTrail and organizations:LeaveOrganization as privileged governance actions that require independent oversight. Remember that service control policies do not apply to the management account, so principals there need their own controls.
- Review secret and role chaining as one attack path: map every principal that can use secretsmanager:GetSecretValue, kms:Decrypt or sts:AssumeRole, then trace where those permissions lead across accounts and services. A role that can only read secrets and a role that can only assume another role are each modest on their own; together they are a cross-account data path.
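The three points above are one review when written down: evaluate each principal against the named permissions, then follow the sts:AssumeRole edges to see what the chain reaches. The script below is an added example for this editorial, not Sonrai Security's or NHIMG's code, and it works offline on a constructed inventory: the account IDs, role names, policy documents and SCP are hypothetical. It is also a deliberate simplification of IAM evaluation: it honours Allow/Deny, Action/NotAction and wildcards, applies SCP Deny statements as overrides and checks the target role's trust policy before following a hop, but it ignores Condition blocks and resource-based policies, so a hit means "needs a human look", not "exploitable".

```python
"""Flag high-impact AWS permissions and trace sts:AssumeRole chains across a role inventory.

Added example for this editorial, not Sonrai Security's or NHIMG's code. The inventory,
policies and SCP below are constructed; account IDs and role names are hypothetical.
Simplified IAM evaluation: Allow/Deny, Action/NotAction and wildcards are honoured, SCP
Deny overrides, Condition blocks and resource-based policies are ignored.
"""
import fnmatch

# Permissions from the practitioner guidance, grouped by the administrative domain
# the guidance says they should be separated into.
HIGH_IMPACT = {
    "policy_write": {"iam:PutRolePolicy", "iam:AttachRolePolicy",
                     "iam:UpdateAssumeRolePolicy", "iam:PassRole"},
    "governance": {"organizations:DetachPolicy", "organizations:UpdatePolicy",
                   "organizations:LeaveOrganization", "cloudtrail:DeleteTrail"},
    "secrets_and_chaining": {"secretsmanager:GetSecretValue", "kms:Decrypt", "sts:AssumeRole"},
}


def _as_list(value):
    """IAM accepts a string or a list in Action, NotAction, Resource and Principal."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _statement_covers(stmt, action):
    """Does this statement's Action/NotAction clause apply to `action`? (case-insensitive, * and ?)"""
    def hit(pattern):
        return fnmatch.fnmatchcase(action.lower(), pattern.lower())
    if "NotAction" in stmt:
        return not any(hit(p) for p in _as_list(stmt["NotAction"]))
    return any(hit(p) for p in _as_list(stmt.get("Action")))


def _statements(docs):
    return [s for d in docs for s in _as_list(d.get("Statement"))]


def is_allowed(action, identity_docs, scp_docs=()):
    """An explicit Deny in an identity policy or SCP wins; otherwise an identity Allow is needed."""
    if any(s.get("Effect") == "Deny" and _statement_covers(s, action)
           for s in _statements(list(identity_docs) + list(scp_docs))):
        return False
    return any(s.get("Effect") == "Allow" and _statement_covers(s, action)
               for s in _statements(identity_docs))


def high_impact_actions(identity_docs, scp_docs=()):
    """Per domain, the sorted high-impact actions this principal can actually use."""
    return {domain: sorted(a for a in actions if is_allowed(a, identity_docs, scp_docs))
            for domain, actions in HIGH_IMPACT.items()}


def assume_role_targets(identity_docs, scp_docs=()):
    """Resource patterns of the Allow statements covering sts:AssumeRole, if it is usable at all."""
    if not is_allowed("sts:AssumeRole", identity_docs, scp_docs):
        return []
    return [r for s in _statements(identity_docs) if s.get("Effect") == "Allow"
            and _statement_covers(s, "sts:AssumeRole") for r in _as_list(s.get("Resource"))]


def _account_of(arn):
    return arn.split(":")[4]


def _trusted(caller_arn, trust):
    """Trust policy check: an account root entry trusts every principal in that account."""
    return any(_account_of(t) == _account_of(caller_arn) if t.endswith(":root")
               else fnmatch.fnmatchcase(caller_arn, t) for t in trust)


def trace_reach(start, inventory, scps):
    """Walk sts:AssumeRole edges from `start` (the caller's Allow and the target's trust must
    both line up) and return {role_arn: high_impact_actions} for every role reached."""
    reached, frontier = {}, [start]
    while frontier:
        arn = frontier.pop()
        if arn in reached:
            continue
        docs, scp = inventory[arn]["policies"], scps.get(_account_of(arn), [])
        reached[arn] = high_impact_actions(docs, scp)
        for pattern in assume_role_targets(docs, scp):
            frontier.extend(t for t, role in inventory.items() if t != arn
                            and fnmatch.fnmatchcase(t, pattern) and _trusted(arn, role["trust"]))
    return reached


# Constructed inventory: a CI role in account 1111.. that reads secrets and hops into account 2222..
DEPLOY = "arn:aws:iam::111111111111:role/app-deploy"
OPS = "arn:aws:iam::222222222222:role/ops-admin"
AUDIT = "arn:aws:iam::222222222222:role/audit-reader"
INVENTORY = {
    DEPLOY: {"trust": ["arn:aws:iam::111111111111:root"], "policies": [{"Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "kms:Decrypt"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::222222222222:role/*"}]}]},
    OPS: {"trust": [DEPLOY], "policies": [{"Statement": [  # "everything except leaving the org"
        {"Effect": "Allow", "NotAction": "organizations:LeaveOrganization", "Resource": "*"}]}]},
    AUDIT: {"trust": ["arn:aws:iam::222222222222:root"], "policies": [{"Statement": [
        {"Effect": "Allow", "Action": "cloudtrail:Describe*", "Resource": "*"}]}]},
}
# SCP on account 2222..: governance and logging actions are denied regardless of identity policy.
SCPS = {"222222222222": [{"Statement": [{"Effect": "Deny", "Resource": "*", "Action": [
    "organizations:DetachPolicy", "organizations:UpdatePolicy", "cloudtrail:DeleteTrail"]}]}]}

if __name__ == "__main__":
    for arn, domains in trace_reach(DEPLOY, INVENTORY, SCPS).items():
        print(arn, {d: a for d, a in domains.items() if a})
```

Running it from app-deploy shows the point of the third bullet: the CI role itself holds only secret-reading permissions, but one sts:AssumeRole hop lands on ops-admin, whose NotAction policy grants every policy-writing action, and from there an account-root trust opens audit-reader as well. The SCP on that account removes organizations:DetachPolicy, organizations:UpdatePolicy and cloudtrail:DeleteTrail from the result even though the identity policy would grant them, which is the separation the second bullet asks for. Replace the constructed INVENTORY and SCPS with the output of iam:GetAccountAuthorizationDetails and organizations:DescribePolicy from your own accounts to use it for real.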
What's in the full article
Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The ranked Top 25 AWS permissions with Sonrai Security's severity ordering and short risk rationales.
- The bonus AWS Organizations permissions that affect guardrails, policy enforcement, and account containment.
- The article's video explainers and examples of how each permission has been abused in practice.
- The surrounding commentary on why these permissions matter for cloud privilege and least privilege programmes.
👉 Read Sonrai Security's list of privileged AWS permissions to restrict immediately →