TL;DR: AWS's addition of privileges that can delete anomaly detectors, suppress scraper logging, and issue web identity tokens that extend machine identities beyond AWS changes both observability and access risk, according to Sonrai Security's November 2025 review. The lesson for identity teams is that small permission shifts can materially widen the attack surface when least privilege is not continuously enforced.
NHIMG editorial — based on content published by Sonrai Security: Nov Recap: New AWS Privileged Permissions and Services
By the numbers:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
Questions worth separating out
Q: What breaks when cloud permissions can disable logging or anomaly detection?
A: Visibility breaks first, then attribution and containment.
Q: Why do short-lived identity tokens still create NHI risk?
A: Short-lived tokens still create NHI risk because they can authenticate a machine identity to downstream services and expand trust beyond the original cloud boundary.
Q: How do security teams know when cloud privilege has become excessive?
A: Excessive cloud privilege shows up when a role can alter control systems, not just access resources.
Practitioner guidance
- Inventory new cloud permissions by control impact: classify each newly introduced action by whether it can suppress logging, alter detection logic, mint identity tokens, or expand downstream trust.
- Re-certify monitoring and identity permissions together: do not separate observability entitlements from identity entitlements in reviews.
- Limit token-minting rights to narrowly defined workloads: restrict permissions that issue web identity tokens to specific workloads, accounts, and federation targets.
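One way to operationalise the first guidance item (inventory by control impact), as an added example that is not from the editorial or from Sonrai Security: scan an IAM policy document, expand wildcard actions against a known action catalogue, and tag each allowed action with the control-impact categories named above. The category patterns and the small action catalogue are this example's own assumptions, and the sample policy is constructed.

```python
import fnmatch
import json
import re

# Heuristic name patterns for the four control-impact categories from the
# guidance above (assumed here, not a vendor taxonomy). They are a first-pass
# filter for review, not a verdict on what an action does.
CONTROL_IMPACT = {
    "suppress_logging": [r"(Stop|Delete|Disable).*Logging", r"^logs:Delete"],
    "alter_detection": [r"AnomalyDetector", r"(Delete|Disable).*(Alarm|Detector|Rule)"],
    "mint_identity_tokens": [r"^sts:.*(Token|WebIdentity)"],
    "expand_downstream_trust": [r"^iam:(Create|Update)OpenIDConnectProvider", r"^iam:UpdateAssumeRolePolicy"],
}

# A handful of real IAM action names used only as sample input; a real
# inventory would load the complete per-service action list instead.
ACTION_CATALOGUE = [
    "cloudtrail:StopLogging", "cloudwatch:DeleteAnomalyDetector", "cloudwatch:PutMetricData",
    "logs:DeleteLogGroup", "sts:AssumeRoleWithWebIdentity", "sts:GetCallerIdentity",
    "iam:UpdateAssumeRolePolicy", "s3:GetObject",
]

def expand_actions(actions):
    """Expand an Action entry (string or list, wildcards allowed) against the catalogue.
    Wildcards such as "cloudwatch:*" or "*" silently grant the control-impact
    actions, so they must be expanded rather than skipped."""
    if isinstance(actions, str):
        actions = [actions]
    return {a for p in actions for a in ACTION_CATALOGUE if fnmatch.fnmatchcase(a.lower(), p.lower())}

def classify(action):
    """Return the sorted list of control-impact categories whose patterns match the action name."""
    return sorted(cat for cat, pats in CONTROL_IMPACT.items() if any(re.search(p, action, re.I) for p in pats))

def control_impact_findings(policy_json):
    """Map every action granted by an Allow statement to its control-impact categories (Deny is ignored)."""
    findings = {}
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in expand_actions(stmt.get("Action", [])):
            if cats := classify(action):
                findings[action] = cats
    return findings

# Constructed sample policy: a service wildcard hides an anomaly-detector deletion right.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:*", "sts:AssumeRoleWithWebIdentity"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"},
]})

if __name__ == "__main__":
    for action, cats in sorted(control_impact_findings(SAMPLE_POLICY).items()):
        print(f"{action}: {', '.join(cats)}")
```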
What's in the full article
Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The exact AWS permission names and service-by-service breakdown for November 2025
- Sonrai's mapping of each permission to MITRE ATT&CK tactics and why that mapping matters
- The specific observability and identity services affected, including the practical implications of each action
- The vendor's full explanation of how its cloud permissions controls are intended to surface these changes