June Recap: New AWS Sensitive Permissions and Services
Published 08/19/2024
Originally published by Sonrai Security.
Written by Tally Shea.
As AWS continues to evolve, new services and permissions are frequently introduced to enhance functionality and security. This blog provides a comprehensive recap of new sensitive permissions and services added in June. Our intention in sharing this is to flag the most important releases to keep your eye on and update your permissions and access control policies accordingly.
Existing Services with New Sensitive Permissions
Amazon Macie
Service Type: Security and Compliance
Permission: macie2:BatchUpdateAutomatedDiscoveryAccounts
- Action: Grants permission to change the status of automated sensitive data discovery for one or more accounts in an organization.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: This permission can disable automated sensitive data discovery, impacting the detection and protection of sensitive data across accounts.
AWS Account Management
Service Type: Identity and Access Management
Permission: account:AcceptPrimaryEmailUpdate
- Action: Grants permission to accept the process to update the primary email address of an account.
- Mitre Tactic: Persistence
- Why it’s sensitive: Changing the primary email address, especially the root address of an account, can have severe impacts, providing persistence to unauthorized users.
Amazon GuardDuty
Service Type: Security and Compliance
Permission: guardduty:DeleteMalwareProtectionPlan
- Action: Grants permission to delete a Malware Protection plan.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Deleting a Malware Protection plan removes critical security measures, making the system vulnerable to malware attacks.
Permission: guardduty:UpdateMalwareProtectionPlan
- Action: Grants permission to update a Malware Protection plan.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Updating the Malware Protection plan can disable or weaken security settings, increasing the risk of malware infiltration.
Amazon DataZone
Service Type: Data Management
Permission: datazone:AssociateEnvironmentRole
- Action: Grants permission to associate a role in a default service blueprint environment.
- Mitre Tactic: Privilege Escalation
- Why it’s sensitive: The environment role controls read and write access for Amazon DataZone to services such as AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, and Amazon Athena. It also includes permissions to some infrastructure resources, making it a critical permission.
Amazon EKS
Service Type: Containers
Permission: eks:CreateAddon
- Action: Grants permission to create an Amazon EKS add-on.
- Mitre Tactic: Resource Development
- Why it’s sensitive: The creation of add-ons without explicit deny rules can lead to the introduction of potentially harmful resources.
New Services
Amazon SageMaker with MLflow
Service Type: AI and Machine Learning
Permission: sagemaker-mlflow:DeleteExperiment
- Action: Grants permission to mark an MLflow experiment for deletion.
- Mitre Tactic: Impact
- Why it’s sensitive: Deleting an experiment deletes all associated metadata, runs, metrics, params, and tags. If the experiment uses FileStore, artifacts associated with the experiment are also deleted. Deleting an artifact in the FileStore is sensitive because the MLflow server keeps its logs there.
Permission: sagemaker:CreatePresignedMlflowTrackingServerUrl
- Action: Grants permission to return a URL that you can use from your browser to connect to the MLflow tracking server.
- Mitre Tactic: Initial Access
- Why it’s sensitive: This permission provides access to the MLflow tracking server, which could be leveraged for unauthorized access.
Permission: sagemaker:StopMlflowTrackingServer
- Action: Grants permission to stop an MLflow tracking server.
- Mitre Tactic: Impact
- Why it’s sensitive: Stopping the tracking server can disrupt ongoing machine learning experiments and workflows.
Permission: sagemaker:UpdateMlflowTrackingServer
- Action: Grants permission to update an MLflow tracking server.
- Mitre Tactic: Collection
- Why it’s sensitive: This permission allows changing the artifact URI to another S3 bucket. If the new S3 bucket is publicly accessible, this leads to immediate exposure of sensitive data.
Permission: sagemaker:DeleteMlflowTrackingServer
- Action: Grants permission to delete an MLflow tracking server.
- Mitre Tactic: Impact
- Why it’s sensitive: Deleting the tracking server results in the loss of logs and other critical tracking information.
AWS Mainframe Modernization Application Testing
Service Type: Development and DevOps Tools
Short ID: PZ
Permission: apptest:DeleteTestCase
- Action: Grants permission to delete a test case.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Deleting test cases can remove critical validation steps, leading to undetected issues and potential exploitation.
Permission: apptest:DeleteTestConfiguration
- Action: Grants permission to delete a test configuration.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Deleting test configurations can disrupt testing processes and hide changes made to critical resources.
Permission: apptest:DeleteTestSuite
- Action: Grants permission to delete a test suite.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Deleting test suites removes comprehensive testing coverage, potentially allowing vulnerabilities to go unnoticed.
Permission: apptest:UpdateTestCase
- Action: Grants permission to update a test case.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Updating test cases can alter how resources are tested, potentially bypassing critical checks and exposing vulnerabilities.
Permission: apptest:UpdateTestConfiguration
- Action: Grants permission to update a test configuration.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Updating test configurations determines the resources used. Altering these configurations can impact the handling of sensitive resources.
Permission: apptest:UpdateTestSuite
- Action: Grants permission to update a test suite.
- Mitre Tactic: Defense Evasion
- Why it’s sensitive: Similar to test cases, updating test suites can change the steps in a process, affecting how sensitive resources are managed and protected.
AWS Private CA Connector for SCEP
Service Type: Identity and Access Management
Short ID: PY
No sensitive permissions identified.
Conclusion
If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. As new permissions are released for pre-existing services, your users gain access to those permissions by default. If it is a sensitive permission, this can be risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.
To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.
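As an added example (not part of Sonrai's post or tooling), the Python below checks which of the actions recapped above an existing wildcard-based policy already grants, and builds an SCP deny statement covering them; the sample policy and the break-glass role ARN are constructed values.

```python
import fnmatch

# The sensitive actions recapped above (June 2024 releases), taken from the post.
NEW_SENSITIVE_ACTIONS = [
    "macie2:BatchUpdateAutomatedDiscoveryAccounts", "account:AcceptPrimaryEmailUpdate",
    "guardduty:DeleteMalwareProtectionPlan", "guardduty:UpdateMalwareProtectionPlan",
    "datazone:AssociateEnvironmentRole", "eks:CreateAddon",
    "sagemaker-mlflow:DeleteExperiment", "sagemaker:CreatePresignedMlflowTrackingServerUrl",
    "sagemaker:StopMlflowTrackingServer", "sagemaker:UpdateMlflowTrackingServer",
    "sagemaker:DeleteMlflowTrackingServer", "apptest:DeleteTestCase",
    "apptest:DeleteTestConfiguration", "apptest:DeleteTestSuite", "apptest:UpdateTestCase",
    "apptest:UpdateTestConfiguration", "apptest:UpdateTestSuite",
]

# Constructed sample: a pre-existing policy granting whole services by wildcard.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["guardduty:*", "eks:*", "macie2:Get*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "eks:CreateAddon", "Resource": "*"},
    ],
}

def action_matches(pattern, action):
    """IAM action names match case-insensitively, with * and ? as wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _statement_matches(statement, action):
    patterns = statement.get("Action", [])
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(action_matches(p, action) for p in patterns)

def newly_granted(policy, candidates=NEW_SENSITIVE_ACTIONS):
    """Candidates an Allow matches and no Deny matches (Action element only; NotAction, Resource, Condition ignored)."""
    stmts = policy["Statement"]
    allowed = {a for a in candidates
               if any(s["Effect"] == "Allow" and _statement_matches(s, a) for s in stmts)}
    denied = {a for a in candidates
              if any(s["Effect"] == "Deny" and _statement_matches(s, a) for s in stmts)}
    return sorted(allowed - denied)

def build_deny_scp(actions, break_glass_role_arn):
    """SCP denying the actions for every principal except one break-glass role
    (the role ARN is a hypothetical value supplied by the caller)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyNewSensitiveActions", "Effect": "Deny",
        "Action": sorted(actions), "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": break_glass_role_arn}},
    }]}
```

Running `newly_granted(EXISTING_POLICY)` on the sample shows the two GuardDuty Malware Protection actions slipping in through `guardduty:*`, which is exactly the gap the SCP from `build_deny_scp` closes.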