TL;DR: New AWS permissions across IoT, Glue, GuardDuty, Directory Service, Prometheus, Clean Rooms, QuickSight, and EVS can alter encryption settings, access scope, detection coverage, and workload exposure in ways that materially change cloud trust boundaries, according to Sonrai Security. The governance problem is not only the new permissions themselves, but how quickly an existing least-privilege model goes stale when roles granted service-level wildcards inherit those permissions before anyone has reviewed them.
NHIMG editorial — based on content published by Sonrai Security: Sept Recap, new AWS privileged permissions and regions
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should IAM teams handle newly released cloud permissions that can change trust boundaries?
A: Treat each new permission as a governance event, not just a release note.
Q: Why do privileged cloud permissions create risk even when they do not expose data directly?
A: Because many of the most dangerous actions operate on the control plane. An action that rewrites an encryption configuration, a detection allowlist, or a network route never reads a single record, yet it changes what every subsequent data access means.
Q: What do security teams get wrong about least privilege in rapidly changing cloud platforms?
A: They often treat least privilege as a stable state rather than a moving target. A role scoped to `service:*` was least privilege on the day it was reviewed; each new action the service ships widens it without any policy change.
Practitioner guidance
- Classify new cloud permissions by control-plane impact: sort each newly released AWS action by whether it can change encryption, access scope, detection settings, or network reach.
- Reassess IAM role inheritance after each AWS service update: map which service roles, operator roles, and automation roles would gain the new actions by default through existing wildcard grants.
- Place detection-bypass permissions under separate approval: treat actions that can update GuardDuty trusted or threat entity sets as sensitive security controls, not routine service permissions.
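The three steps above can be run as one dry-run check over the policy documents a role already carries. The script below is an added example written for this editorial, not Sonrai Security's or NHIMG's code: it takes a catalogue of newly released actions tagged with an impact class, applies IAM's action-matching rules (case-insensitive, `*` and `?` wildcards, `NotAction` complements, explicit Deny overriding Allow) to each role's policies, reports which roles would inherit the new actions without any policy change, and flags the roles that pick up detection-affecting actions for separate approval. The policy documents, role names, and the action-to-impact mapping are constructed for illustration; the action names are assumptions and not the page's own list.

```python
"""Added example, not Sonrai Security's or NHIMG's code.

Dry-run of the three guidance steps: classify newly released actions by
control-plane impact, map which existing roles would inherit them through
wildcard grants, and flag the roles that pick up detection-bypass actions.
Every policy document and the action catalogue below are constructed for
illustration; the action names are assumptions, not the page's list."""
import re

# Impact classes from the guidance: encryption, access scope, detection, network.
# Assumed mapping for illustration only.
NEW_ACTIONS = {
    "guardduty:UpdateTrustedEntitySet": "detection",
    "guardduty:UpdateThreatEntitySet": "detection",
    "glue:PutDataCatalogEncryptionSettings": "encryption",
    "quicksight:UpdateDataSetPermissions": "access-scope",
    "ds:AddIpRoutes": "network",
}

# Constructed policy documents, keyed by role name. Resource and Condition
# elements are deliberately ignored here; this is an action-level triage.
ROLE_POLICIES = {
    "platform-admin-role": [
        {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    "glue-etl-role": [
        {"Statement": [{"Effect": "Allow", "Action": ["glue:*", "s3:GetObject"],
                        "Resource": "*"}]}],
    "security-ops-role": [
        {"Statement": [
            {"Effect": "Allow", "Action": "guardduty:*", "Resource": "*"},
            # Carve-out: entity-set changes are held under separate approval.
            {"Effect": "Deny", "Action": "guardduty:Update*EntitySet", "Resource": "*"}]}],
    "break-glass-role": [
        {"Statement": [{"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"],
                        "Resource": "*"}]}],
    "audit-role": [
        {"Statement": [{"Effect": "Allow", "Action": ["*:Get*", "*:List*", "*:Describe*"],
                        "Resource": "*"}]}],
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_covers(stmt: dict, action: str) -> bool:
    """True if the statement's Action (or NotAction complement) names the action."""
    if "Action" in stmt:
        return any(action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def policy_allows(policies: list, action: str) -> bool:
    """Explicit Deny beats Allow; anything unmatched is implicitly denied."""
    decision = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if statement_covers(stmt, action):
                if stmt.get("Effect") == "Deny":
                    return False
                if stmt.get("Effect") == "Allow":
                    decision = True
    return decision


def inherited_new_actions(role_policies: dict, new_actions: dict) -> dict:
    """Map each role to the new actions it silently gains, with impact class."""
    return {
        role: {a: impact for a, impact in new_actions.items()
               if policy_allows(policies, a)}
        for role, policies in role_policies.items()
    }


def needs_separate_approval(report: dict) -> set:
    """Roles that gain any detection-affecting action (GuardDuty entity sets here)."""
    return {role for role, gained in report.items()
            if any(impact == "detection" for impact in gained.values())}


if __name__ == "__main__":
    report = inherited_new_actions(ROLE_POLICIES, NEW_ACTIONS)
    for role, gained in report.items():
        print(f"{role}: {sorted(gained) or 'no new actions'}")
    print("separate approval needed:", sorted(needs_separate_approval(report)))
```

Two roles in the constructed set gain every new action without anyone touching their policies: the `*` grant and the `NotAction` break-glass grant. The `guardduty:*` operator role gains nothing only because of the explicit Deny carve-out, which is the shape a "separate approval" control takes in policy terms. In a real environment the new-action catalogue would be fed from the monthly roundup and the policies pulled from IAM, and the Resource and Condition elements this triage ignores would need a second pass before any conclusion about actual reach.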
What's in the full article
Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Permission-by-permission AWS breakdown for IoT, Glue, GuardDuty, Directory Service, Prometheus, Clean Rooms, QuickSight, and EVS.
- Why each new action is privileged, including the specific impact or evasion path it can create in real environments.
- The exact cloud services and access boundaries affected when these permissions are inherited by existing roles.
- Sonrai Security's roundup structure for tracking new AWS release surface across the month.
👉 Read Sonrai Security's analysis of new AWS privileged permissions and regions →