Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

New AWS privileged permissions: what identity teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AWS adding privileges that can delete anomaly detectors, suppress scraper logging, and issue web identity tokens that extend machine identities beyond AWS changes both observability and access risk, according to Sonrai Security’s November 2025 review. The lesson for identity teams is that small permission shifts can materially widen the attack surface when least privilege is not continuously enforced.

NHIMG editorial — based on content published by Sonrai Security: Nov Recap: New AWS Privileged Permissions and Services

By the numbers:

Questions worth separating out

Q: What breaks when cloud permissions can disable logging or anomaly detection?

A: Visibility breaks first, then attribution and containment.

Q: Why do short-lived identity tokens still create NHI risk?

A: Short-lived tokens still create NHI risk because they can authenticate a machine identity to downstream services and expand trust beyond the original cloud boundary.

Q: How do security teams know when cloud privilege has become excessive?

A: Excessive cloud privilege shows up when a role can alter control systems, not just access resources.

Practitioner guidance

  • Inventory new cloud permissions by control impact Classify each newly introduced action by whether it can suppress logging, alter detection logic, mint identity tokens, or expand downstream trust.
  • Re-certify monitoring and identity permissions together Do not separate observability entitlements from identity entitlements in reviews.
  • Limit token-minting rights to narrowly defined workloads Restrict permissions that issue web identity tokens to specific workloads, accounts, and federation targets.

What's in the full article

Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The exact AWS permission names and service-by-service breakdown for November 2025
  • Sonrai's mapping of each permission to MITRE ATT&CK tactics and why that mapping matters
  • The specific observability and identity services affected, including the practical implications of each action
  • The vendor's full explanation of how its cloud permissions controls are intended to surface these changes

👉 Read Sonrai Security's review of new AWS privileged permissions and services →

New AWS privileged permissions: what identity teams should watch?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Cloud privilege changes are governance events, not admin updates. When a cloud provider adds permissions that can suppress telemetry or issue identity tokens, it changes the control assumptions behind least privilege and monitoring. The security boundary is no longer just the workload or role, but the set of actions that can reshape visibility and trust. Practitioners should treat every new privileged permission as a blast-radius change, not a routine product note.

A few things that frame the scale:

  • From our research: 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • The same survey reports that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.

A question worth separating out:

Q: Who should own review of monitoring and token-issuing privileges?

A: Ownership should sit with the identity and cloud governance functions together, because the permissions affect both access design and visibility design. Security operations can flag the risk, but IAM, PAM, and cloud platform owners must jointly approve the entitlement, define its purpose, and recertify it on a regular basis.

👉 Read our full editorial: AWS privilege changes expose gaps in cloud identity governance



   
ReplyQuote
Share: