New AWS Services and Sensitive Permissions

New Services

Service: Amazon Q Apps

Type: Artificial Intelligence and Machine Learning

Description: As we know, Amazon Q was released in April. Amazon Q Apps is a feature within the Q Business that simplifies app creation. it allows employees to quickly and easily create generative AI-powered apps based on their company’s data without needing any prior coding experience. 

Service: AWS Support Recommendations

Type: Support and Service Management

Description: AWS Support Recommendations provides customized troubleshooting guidance for account and technical issues during the case creation process in the AWS Support Center console. This service leverages details from the case and the logged-in account to deliver specific solutions tailored to your problem.

To diagnose issues, AWS Support Recommendations queries information such as AccountID, AWS Resource identifiers, or error messages, all within the scope of approved policies and user permissions.

Existing Services with New Sensitive Permissions

EC2

DisableImageDeregistrationProtection

MITRE Tactic: Defensive Evasion

Description: Grants permission to disable deregistration protection for an Amazon Machine Image.

With this permission an attacker can deregister AMI protection and compromise the ability to launch new instances from these images. By exploiting this permission, the attacker can evade detection and prolong their presence in the compromised environment by disrupting the victim’s ability to quickly recover or investigate through instance re-launching. Once you deregister an AMI EC2 permanently deletes it.

Amazon Connect

AdminGetEmergencyAccessToken

Description: Grants permission to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console).

MITRE Tactic: Privilege Escalation

With this permission, an attacker can masquerade as a legitimate user needing emergency access and bypass normal authentication measures and log into an Amazon Connect instance. From there they have access to whatever sensitive information is in the instance.

AWS Transfer Family

StartDirectoryListing

Description: Grants permission to initiate a list operation on a remote server using a connector.

MITRE Tactic: Discovery

With this permission, an attacker can initiate directory listing operations on servers in the AWS Transfer Family. This lists the contents of a directory and allows the attacker to discover what kinds of files are there, where they are, and other valuable information to better inform their attack.

Simple Email Service (SES)

UpdateRelay

Description: Grants permission to update a SMTP relay.

MITRE Tactic: Persistence

With this permission, an attacker can update the SMTP relay configuration to route legitimate emails through a malicious server. This could allow them to ongoingly intercept or alter email communications, facilitating phishing attacks or data theft.

Simple Email Service (SES)

CreateIngressPoint

Description: Grants permission to create an ingress point.

MITRE Tactic: Initial Access and Persistence 

With this permission, An attacker can create a new ingress point with a rule set that allows traffic from unauthorized sources. This can lead to unauthorized access and persistence within the environment.

Simple Email Service (SES)

UpdateIngressPoint

Description: Grants permission to update an ingress point.

MITRE Tactic: Persistence

With this permission, an attacker can modify an existing ingress point to include a malicious rule set that grants them ongoing access. This can be used to maintain persistence and further exacerbate damage.

Simple Email Service (SES)

StartArchiveExport

Description: Grants permission to start an archive export.

MITRE Tactic: Exfiltration

With this permission, an attacker can initiate an export of email archives containing sensitive business or customer information. This data can be exfiltrated and used for further reputational damage, ransom demands, and customer privacy breaches.

Conclusion

If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. As new permissions are released for pre existing services, by default, your users gain access to that permission. If it is a sensitive permission, this can be risky.  Access to sensitive permissions should be restricted to only those human and machine identities that need them.

To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.

If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.

secure sensitive permissions