TL;DR: AWS added privileged permissions across Clean Rooms, SES, Bedrock, Batch, WorkSpaces, and SSO that can redirect data access, weaken monitoring, extend sessions, or run arbitrary workloads, according to Sonrai Security. The finding shows how cloud privilege growth turns least privilege into a moving target for IAM and PAM teams.
NHIMG editorial — based on content published by Sonrai Security: August Recap: New AWS Privileged Permissions
Questions worth separating out
Q: How should teams classify AWS permissions that change monitoring or session behaviour?
A: Treat them as trust-changing controls, not ordinary workload permissions.
Q: Why do newly released cloud permissions create least privilege risk?
A: Because existing roles can become over-privileged without any explicit role change.
Q: How do security teams know whether a cloud privilege is high risk?
A: Look for permissions that modify a control plane object rather than a business record.
Practitioner guidance
- Reclassify privileged AWS actions by control-plane effect: map every new permission to the exact object it can change, such as telemetry rules, session settings, guardrails, or data-source references.
- Review roles whenever AWS releases new service privileges: build a release-triggered recertification step for cloud roles so newly added actions are evaluated before they inherit standing access.
- Isolate session-shaping permissions from routine admin access: put permissions that extend sessions, change trusted device status, or alter login configuration into separate administrative paths with tighter approval.
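The three steps above can be turned into a small policy review check. The following is an added example written for this post, not code from Sonrai Security or NHIMG: it expands the Action wildcards in an IAM policy document against a catalogue of control-plane-shaping actions, reports which roles silently inherit an action the moment AWS adds it to a service, and flags policies that mix session- or trust-shaping actions with routine access. The action names in the catalogue are real IAM action names, but the catalogue itself, the category each action is placed in, and the sample policy are constructed for this illustration and are not Sonrai's list or mapping.

```python
"""Classify IAM policy grants by the control-plane object they can change.

Added example for this post (not Sonrai Security's or NHIMG's code). The
catalogue, its categories and SAMPLE_POLICY are constructed assumptions.
"""
import fnmatch
import json

# Constructed catalogue: action -> control-plane object it shapes.
# Action names exist in IAM; the category assignment is this example's assumption.
CONTROL_PLANE_CATALOG = {
    "cloudtrail:StopLogging": "telemetry",
    "ses:DeleteConfigurationSetEventDestination": "telemetry",
    "ses:UpdateConfigurationSetEventDestination": "telemetry",
    "bedrock:UpdateGuardrail": "guardrail",
    "bedrock:DeleteGuardrail": "guardrail",
    "workspaces:ModifyWorkspaceAccessProperties": "session",
    "batch:SubmitJob": "workload",
    "iam:UpdateAssumeRolePolicy": "trust",
}

# Actions that touch business records rather than control-plane objects (assumed).
DATA_PLANE_ACTIONS = {"s3:GetObject", "s3:PutObject", "ses:SendEmail"}

# Categories that should live on a separate administrative path (assumed).
SESSION_SHAPING = {"session", "trust"}

# Constructed sample: a role written with a service wildcard plus one data action.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ses:*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Deny", "Action": "bedrock:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Yield every Action pattern granted by an Allow statement.

    Deny statements and NotAction are ignored here: the goal is to surface
    what a role *could* reach, so the review errs on the side of reporting.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            yield pattern


def classify(policy, catalog=CONTROL_PLANE_CATALOG):
    """Return {action: category} for every catalogued action the policy grants.

    Wildcards are expanded against the catalogue, so "ses:*" or "*" resolve to
    the concrete actions they would grant at evaluation time. IAM matches
    action names case-insensitively, so both sides are lower-cased.
    """
    found = {}
    for pattern in allowed_action_patterns(policy):
        for action, category in catalog.items():
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                found[action] = category
    return found


def newly_inherited(policy, before, after):
    """Actions a policy gains when the catalogue grows from `before` to `after`.

    Models the release problem: a role written with "ses:*" silently picks up
    every SES action AWS ships later, with no change to the role itself.
    """
    already = classify(policy, before)
    return {a: c for a, c in classify(policy, after).items() if a not in already}


def mixes_session_shaping(policy, catalog=CONTROL_PLANE_CATALOG):
    """True when session/trust-shaping grants sit beside routine grants.

    Such a policy is a candidate for splitting into a separate admin path.
    """
    categories = set(classify(policy, catalog).values())
    data_plane = {a: "data" for a in DATA_PLANE_ACTIONS}
    routine = bool(categories - SESSION_SHAPING) or bool(classify(policy, data_plane))
    return bool(categories & SESSION_SHAPING) and routine


if __name__ == "__main__":
    # Simulate a service release by removing one action from the "before" catalogue.
    before = {k: v for k, v in CONTROL_PLANE_CATALOG.items()
              if k != "ses:UpdateConfigurationSetEventDestination"}
    print("control-plane grants:", json.dumps(classify(SAMPLE_POLICY), indent=2))
    print("inherited on release:", newly_inherited(SAMPLE_POLICY, before, CONTROL_PLANE_CATALOG))
    print("needs separate admin path:", mixes_session_shaping(SAMPLE_POLICY))
```

Running `newly_inherited` against the previous and current catalogue on every role is the release-triggered recertification step from the guidance; anything it returns was never explicitly granted by a human, only inherited through a wildcard.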
What's in the full article
Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:
- A service-by-service breakdown of each new AWS privileged permission and the exact privilege category it affects.
- The article's MITRE tactic mapping for each permission, useful for teams building detection or review logic.
- The practical rationale Sonrai assigns to each permission, which helps cloud teams translate the analysis into internal policy.
- The full roundup format for August's AWS changes, which makes it easier to spot recurring privilege patterns across services.
👉 Read Sonrai Security's analysis of August AWS privileged permissions and cloud access risk →