Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AWS privileged permissions: what cloud IAM teams need to watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AWS June 2025 service updates added new privileged permissions across EC2, AWS Backup, Security Hub, and Bedrock that can alter restore approvals, connector integrity, automation rules, and security boundaries, according to Sonrai Security. The pattern is a widening cloud privilege surface where small permission changes can undermine trust boundaries faster than traditional review cycles can catch them.

NHIMG editorial — based on content published by Sonrai Security: June Recap, New AWS Services and Privileged Permissions

By the numbers:

Questions worth separating out

Q: How should cloud security teams review newly added AWS permissions?

A: They should review new AWS permissions by the control-plane outcome they can change, not just by service label.

Q: When does a cloud permission become privileged access?

A: A cloud permission becomes privileged when it can change trust, approval, or response behaviour, not merely when it can read or modify a resource.

Q: What do security teams get wrong about least privilege in cloud environments?

A: They often treat least privilege as a static entitlement problem and miss how service updates change the meaning of existing access.

Practitioner guidance

  • Review control-plane permissions by operational effect Map new AWS permissions to the security function they can change, such as approval routing, automation rules, connector destinations, or detection disablement.
  • Classify workflow-altering actions as privileged Place backup approval changes, Security Hub automation edits, and connector registration updates into the same review path as elevated administrative access.
  • Compare AI service access to human-equivalent privilege Do not allow AI-related cloud access to exceed the privilege you would tolerate for a human administrator performing the same task.

What's in the full article

Sonrai Security’s full blog post covers the operational detail this post intentionally leaves for the source:

  • Permission-by-permission breakdown of the AWS changes across EC2, Backup, Security Hub, and Bedrock
  • The vendor’s explanation of why each permission is considered privileged in the AWS control plane
  • Operational examples showing how connector updates, restore approvals, and automation rules can be misused
  • A monthly recap format you can reuse for internal cloud privilege review meetings

👉 Read Sonrai Security’s June recap of AWS privileged permission changes →

AWS privileged permissions: what cloud IAM teams need to watch?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Cloud privilege drift is now a governance problem, not just a permissions problem. Sonrai Security’s recap shows how service-level changes in AWS can alter restore approvals, security routing, and workflow enforcement without changing the core application stack. That means the control failure is often semantic, not technical: the permission still looks legitimate, but its operational effect has expanded. The practitioner conclusion is that entitlement review must track control-plane impact, not only identity scope.

A few things that frame the scale:

A question worth separating out:

Q: Who should own review of workflow-changing cloud permissions?

A: Ownership should sit with the teams that control the underlying security process, not only the cloud platform team. If a permission can alter incident routing, restore approvals, or automation rules, it needs joint accountability from IAM, PAM, and the operational security function.

👉 Read our full editorial: AWS permission changes expose new cloud privilege attack paths



   
ReplyQuote
Share: