Source: securityboulevard.com – Author: Tally Shea
Amazon Web Services (AWS) has over 200 cloud services available to help organizations innovate, build business, and secure their data. New services are released every year with new permissions to accompany (there are over 19k permissions in AWS today!) AWS releases new permissions for existing services all the time, so that 19k is always growing.
Below, we’re summarizing the service releases from this month and the new permissions you should care about most. With such a high volume of permissions it can be hard to keep track, so our team analyzes them using sensitivity criteria to identify the permissions with the greatest potential for impact.
New Services
AWS Control Catalog
Infrastructure Management
*No sensitive permissions associated with this service.
Description: Control Catalog is a repository of cost, security, compliance and other controls within AWS Control Tower. It helps organizations assess their adherence to these standards and implement appropriate security measures within their AWS environments and is accessible using the Control Catalog API.
Amazon Q
Artificial Intelligence
*Sensitive permissions to be updated.
Description: Amazon Q is a generative AI-powered assistant designed to enhance workplace productivity by leveraging the vast data and resources within an organization. It can be tailored to specific business needs, enabling employees to extract information, generate content, and automate tasks by integrating with over 40 commonly used business tools like wikis, intranets, and enterprise systems. Amazon Q is particularly useful for developers and IT professionals, providing capabilities that help in coding, testing, upgrading applications, and more.
New Services with Sensitive Permissions
AWS Deadline Cloud
Image and Media Processing
Description: AWS Deadline Cloud is a fully managed service that streamlines rendering projects, allowing customers to set up, deploy, and scale rendering pipelines quickly. It enables users in creative industries to build cloud-based render farms that scale dynamically.
Permission: AssumeFleetRoleForWorker
Description: Get credentials from the fleet role for a worker.
MITRE Mapping: Privilege Escalation
With this permission, an attacker could assume the role of a worker within a fleet, potentially gaining unauthorized access to resources, data, or services associated with that role. From there, they could steal data, further escalate privileges, or disrupt your rendering pipeline.
Permission: AssumeQueueRoleForUser
Description: Allows a user to assume a role for a queue.
MITRE Mapping: Privilege Escalation
If exploited, an attacker could assume the identity of another user within the queue, inheriting whatever access that other identity holds. This means further privilege escalation, unauthorized data access, and disruption.
Permission: AssumeQueueRoleForWorker
Description: Allows a worker to assume a queue role.
MITRE Mapping: Privilege Escalation
Similar to the previous permission, this one allows a user to assume a queue role for a worker. If abused, an attacker could masquerade as a worker within the queue, potentially gaining unauthorized access to resources or performing unauthorized actions.
Permission: CreateJob
Description: Grants permission to create a job.
MITRE Mapping: Execution
This permission enables users to create rendering jobs within the AWS Deadline service. While this permission is necessary for legitimate job submissions, it’s sensitive due to the potential for its misuse. If granted to malicious users, they could flood the queue with bogus rendering jobs for a DDoS attack or disruption of legitimate work.
Amazon Route 53 Profiles
Networking and Content Delivery
Description: Amazon Route 53 Profiles is a new AWS service designed to standardize DNS configurations across multiple Virtual Private Clouds (VPCs) within the same region and across different AWS accounts. This service allows users to create Profiles that can include a variety of DNS settings such as private hosted zones, Route 53 Resolver forwarding rules, and DNS Firewall rule groups. These Profiles can be applied to multiple VPCs and shared using AWS Resource Access Manager (RAM), facilitating consistent and secure DNS management. Once a Profile is linked to a VPC, it handles the VPC’s DNS queries according to the settings specified in the Profile.
Permission: AssociateProfile
Description: Grants permission to associate a Profile to the customer VPC.
MITRE Mapping: Lateral Movement
An attacker leveraging this permission could facilitate lateral movement throughout cloud infrastructure by associating malicious or compromised profiles to various parts of the VPC. This could allow them to extend their reach and control over additional resources or data flows.
Permission: AssociateResourceToProfile
Description: Grants permission to associate a resource, such as DNS Firewall rule group, private hosted zone, resolver rule, etc. to a specified Profile.
MITRE Mapping: Lateral Movement
This permission can be exploited to redirect traffic and resource behavior across the organization’s network. By associating critical resources like DNS settings or firewall rules to compromised or attacker-controlled profiles, an attacker can route traffic through malicious nodes or bypass security controls, moving laterally.
Permission: DisassociateProfile
Description: Grants permission to delete an association between a customer VPC and the specified Profile.
MITRE Mapping: Defensive Evasion
By disassociating profiles that enforce security measures or monitoring, an attacker could disable these protections, making their activities less visible to security teams. This would allow their activities to continue undetected.
Existing Services with New Sensitive Permissions
Service: Workspaces
Permission: AcceptAccountLinkInvitation
Description: Grants permission to accept invitations from other AWS accounts to share the same configuration for WorkSpaces BYOL.
MITRE Mapping: Initial Access
If an attacker gains access to this permission, they could link a compromised account to the infrastructure lending them access to shared resources. This access could lead them to compromise sensitive data or further escalate privileges within the account. Once this link request is accepted, there’s no undoing it.
Service: DocumentDB
Permission: CopyClusterSnapshot
Description: Grants permission to copy a new Amazon DocumentDB Elastic cluster snapshot.
MITRE Mapping: Exfiltration
If this permission were to fall into the wrong hands, and an attacker had additional access to database contents, they could make unauthorized copies of sensitive database snapshots. Depending on what’s in the database snapshot, this could mean compromised confidential information, compliance breaches, and ransom demands.
Service: BedRock
Permission: ApplyGuardrail
Grants permission to apply guardrail.
MITRE Mapping: Persistence
This permission can be exploited to establish persistence within an environment. By applying malicious guardrails, an attacker could, for example, restrict administrative actions to ensure their activity goes uninterrupted and maintain access.
Permission: DeleteGuardrail
Grants permission to delete a guardrail or its version.
MITRE Mapping: Impact
An attacker with this permission could remove the protective measures guardrails present. This could include disabling security controls for further damage, or deleting critical guardrails to disrupt business operations.
Service: RolesAnywhere
Permission: PutAttributeMapping
Grants permission to put a mapping rule into a profile.
MITRE Mapping: Privilege Escalation
This permission enables an attacker to escalate privileges by altering attribute mappings to grant themselves or others higher privileges than originally intended.
Conclusion
If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. As new permissions are released for pre existing services, by default, your users gain access to that permission. If it is a sensitive permission, this can be risky. Access to sensitive permissions should be restricted to only those human and machine identities that need them.
To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.
If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.
*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Tally Shea. Read the original post at: https://sonraisecurity.com/blog/april-recap-new-aws-services-and-sensitive-permissions/
Original Post URL: https://securityboulevard.com/2024/04/april-recap-new-aws-services-and-sensitive-permissions/
Category & Tags: Security Bloggers Network,Permission & Access – Security Bloggers Network,Permission & Access
