New AWS Services and Sensitive Permissions
New Services
Service: Amazon Q Apps
Type: Artificial Intelligence and Machine Learning
Description: As we know, Amazon Q was released in April. Amazon Q Apps is a feature within Amazon Q Business that simplifies app creation. It allows employees to quickly and easily create generative AI-powered apps based on their company's data without any prior coding experience.
Service: AWS Support Recommendations
Type: Support and Service Management
Description: AWS Support Recommendations provides customized troubleshooting guidance for account and technical issues during the case creation process in the AWS Support Center console. This service leverages details from the case and the logged-in account to deliver specific solutions tailored to your problem.
To diagnose issues, AWS Support Recommendations queries information such as AccountID, AWS Resource identifiers, or error messages, all within the scope of approved policies and user permissions.
Existing Services with New Sensitive Permissions
EC2
DisableImageDeregistrationProtection
Description: Grants permission to disable deregistration protection for an Amazon Machine Image (AMI).
MITRE Tactic: Defense Evasion
With this permission, an attacker can disable deregistration protection on an AMI and then deregister it, removing the victim's ability to launch new instances from that image. This lets the attacker evade detection and prolong their presence in the compromised environment by disrupting the victim's ability to recover quickly or investigate by re-launching instances. Once an AMI is deregistered, EC2 permanently deletes it.
Amazon Connect
AdminGetEmergencyAccessToken
Description: Grants permission to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console).
MITRE Tactic: Privilege Escalation
With this permission, an attacker can masquerade as a legitimate user needing emergency access, bypass normal authentication measures and log into an Amazon Connect instance. From there they have access to whatever sensitive information the instance holds.
AWS Transfer Family
StartDirectoryListing
Description: Grants permission to initiate a list operation on a remote server using a connector.
MITRE Tactic: Discovery
With this permission, an attacker can initiate directory listing operations on remote servers reached through AWS Transfer Family connectors. Listing a directory's contents lets the attacker discover what kinds of files are there, where they are located, and other information that informs the rest of their attack.
Simple Email Service (SES)
UpdateRelay
Description: Grants permission to update an SMTP relay.
MITRE Tactic: Persistence
With this permission, an attacker can update the SMTP relay configuration to route legitimate emails through a malicious server. This could allow them to continuously intercept or alter email communications, facilitating phishing attacks or data theft.
Simple Email Service (SES)
CreateIngressPoint
Description: Grants permission to create an ingress point.
MITRE Tactic: Initial Access and Persistence
With this permission, an attacker can create a new ingress point with a rule set that allows traffic from unauthorized sources. This can lead to unauthorized access and persistence within the environment.
Simple Email Service (SES)
UpdateIngressPoint
Description: Grants permission to update an ingress point.
MITRE Tactic: Persistence
With this permission, an attacker can modify an existing ingress point to include a malicious rule set that grants them ongoing access. This can be used to maintain persistence and extend the damage.
Simple Email Service (SES)
StartArchiveExport
Description: Grants permission to start an archive export.
MITRE Tactic: Exfiltration
With this permission, an attacker can initiate an export of email archives containing sensitive business or customer information. This data can be exfiltrated and used for further reputational damage, ransom demands, and customer privacy breaches.
Conclusion
If you're an AWS user, your cloud is always changing, which means a constantly evolving attack surface for you to secure. As new permissions are released for pre-existing services, your users gain access to those permissions by default. If a permission is sensitive, this can be risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.
To reduce the risk from new services, your teams should update any SCPs and IAM policies that restrict access to services your teams aren't using.
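As an added example (not from the original post), the Python below shows how an older wildcard policy silently picks up the new sensitive actions listed above, and builds the kind of deny SCP the conclusion recommends. The action list comes from this post; the sample policy and the break-glass role ARN are constructed for illustration.

```python
import fnmatch
import json
# The new sensitive permissions from this post, as IAM action strings.
NEW_SENSITIVE_ACTIONS = [
    "ec2:DisableImageDeregistrationProtection",
    "connect:AdminGetEmergencyAccessToken",
    "transfer:StartDirectoryListing",
    "ses:UpdateRelay",
    "ses:CreateIngressPoint",
    "ses:UpdateIngressPoint",
    "ses:StartArchiveExport",
]

def action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive; patterns may use '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def implicit_grants(policy: dict, new_actions=NEW_SENSITIVE_ACTIONS) -> dict:
    """Map each new sensitive action to the Allow patterns that already cover it."""
    found = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        for action in new_actions:
            hits = [p for p in patterns if action_matches(p, action)]
            if hits:
                found.setdefault(action, []).extend(hits)
    return found

def build_deny_scp(approved_role_arn: str, actions=NEW_SENSITIVE_ACTIONS) -> dict:
    """SCP denying the sensitive actions to every principal except one approved role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyNewSensitivePermissions",
        "Effect": "Deny",
        "Action": list(actions),
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": approved_role_arn}},
    }]}

# Constructed sample: a "power user" policy written before these actions existed.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "ses:*", "transfer:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "connect:Describe*", "Resource": "*"},
]}

if __name__ == "__main__":
    print(json.dumps(implicit_grants(SAMPLE_POLICY), indent=2))
    print(json.dumps(build_deny_scp("arn:aws:iam::*:role/BreakGlass"), indent=2))  # hypothetical role
```

Running it against the sample shows that `ec2:*` and `ses:*` already cover five of the seven new actions, while the narrower `transfer:List*` and `connect:Describe*` patterns do not.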
If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.