Dec Recap: New AWS Privileged Permissions and Services
As December 2025 comes to a close, Sonrai’s latest review of newly released AWS permissions highlights a continued expansion of cloud privilege. This month’s updates span identity, observability, AI, and managed service infrastructure, with changes across CloudWatch, CloudFront, Bedrock, EKS, SageMaker, and emerging agent-based platforms.
Together, these permissions reinforce a core reality of cloud security: privilege is no longer confined to administrator roles, but increasingly embedded in service-level actions that shape access, visibility, and execution. From redirecting logs and modifying policies to empowering agents and workflows with broad authority, each new permission subtly expands the blast radius of misuse. Security teams should remain vigilant, as these evolving privileges continue to redefine the cloud attack surface in easy-to-miss but high-impact ways.
Existing Services with New Privileged Permissions
AWS Identity and Access Management
Service Type: Identity and Access Management
Permission: iam:EnableOutboundWebIdentityFederation
Action: Enables the outbound identity federation feature for the caller’s account
Mitre Tactic: Persistence
Why it’s privileged: Enables account-wide creation of web identity tokens for external services, allowing federated access outside AWS and supporting long-term persistence through external trust relationships.
Oracle Database@AWS
Service Type: Database Services
Permission: odb:UpdateOdbPeeringConnection
Action: Grants permissions to update properties of a specified ODB Peering Connection
Mitre Tactic: Lateral Movement
Why it’s privileged: Allows VPC traffic that was previously unauthorized to access the ODB network
Amazon Bedrock
Service Type: Artificial Intelligence & Machine Learning
Permission: bedrock:UpdateCustomModelDeployment
Action: Grants permissions to update an existing custom model deployment with a new custom model
Mitre Tactic: Execution
Why it’s privileged: Allows replacing the model backing an active deployment, enabling altered or malicious model responses during inference without changing the deployment endpoint.
Amazon CloudWatch Logs
Service Type: Observability and Monitoring
Permission: logs:UpdateScheduledQuery
Action: Grants permissions to update a scheduled query
Mitre Tactic: Exfiltration
Why it’s privileged: Allows modification of scheduled queries to redirect log data to external or cross-account destinations, enabling covert exfiltration of sensitive CloudWatch logs.
Permission: logs:CreateScheduledQuery
Action: Grants permissions to create a scheduled query
Mitre Tactic: Exfiltration
Why it’s privileged: Allows creation of scheduled queries that can export CloudWatch logs to external or cross-account destinations, enabling unauthorized exfiltration of sensitive log data.
Permission: logs:DeleteScheduledQuery
Action: Grants permissions to delete a scheduled query
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows removal of automated log analysis and export workflows, reducing visibility and disrupting downstream detection or monitoring processes.
Permission: logs:PutLogGroupDeletionProtection
Action: Grants permissions to enable or disable deletion protection for the specified log group
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows disabling deletion protection on critical log groups, enabling attackers to remove logs and evade detection.
Permission: logs:AssociateSourceToS3TableIntegration
Action: Grants permissions to associate a log source to an S3 Tables integration
Mitre Tactic: Collection
Why it’s privileged: Allows exporting CloudWatch logs to S3 tables, increasing accessibility and potential exposure of sensitive log data.
Permission: logs:DisassociateSourceFromS3TableIntegration
Action: Grants permissions to disassociate a log source from an S3 Tables integration
Mitre Tactic: Defense Evasion
Why it’s privileged: Stops export of CloudWatch logs to S3 tables, disrupting downstream analytics and reducing visibility into log data.
Amazon Elastic Container Service
Service Type: Containers and Orchestration
Permission: ecs:CreateExpressGatewayService
Action: Grants permission to create a new Amazon ECS Express Gateway service with cluster and task definition
Mitre Tactic: Execution
Why it’s privileged: Allows specifying an execution role, container image, and startup commands, enabling PassRole-based privilege escalation and arbitrary code execution as the service identity.
Permission: ecs:UpdateExpressGatewayService
Action: Grants permission to modify the parameters of an Express Gateway service
Mitre Tactic: Execution
Why it’s privileged: Allows updating the service’s execution role, container image, or startup commands, enabling PassRole-based privilege escalation and arbitrary code execution as the service identity.
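The two ECS entries above describe the same pattern: an identity that can create or update an Express Gateway service and also holds an unconstrained iam:PassRole grant can run attacker-chosen container code under whatever role it passes. The following linter is an added example (not code from the Sonrai post) that checks an IAM policy document for that combination. It assumes the ECS task service principal is ecs-tasks.amazonaws.com, ignores explicit Deny statements and resource policies, and uses two constructed policies with the AWS documentation account id 111122223333.

```python
"""Added example, not code from the Sonrai post: lint an IAM policy document
for the PassRole escalation path described above, where an identity that can
create or update an ECS Express Gateway service also holds an iam:PassRole
grant that is not pinned to a specific role or to the ECS service principal.
Simplification: only Allow statements in this one policy are evaluated."""
import fnmatch

# Actions from the post that accept an execution role plus a container image/command.
ROLE_PASSING_ACTIONS = (
    "ecs:CreateExpressGatewayService",
    "ecs:UpdateExpressGatewayService",
)
# Assumed service principal that ECS tasks assume roles through; confirm for your setup.
EXPECTED_PASSED_TO = "ecs-tasks.amazonaws.com"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action and string matching is case-insensitive and supports '*'."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def assess_policy(policy):
    """Return the role-passing ECS actions the policy grants, any findings about
    its iam:PassRole grant, and whether the two together form an escalation path."""
    allows = [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    granted = sorted(
        action for action in ROLE_PASSING_ACTIONS
        if any(_matches(p, action) for s in allows for p in _as_list(s.get("Action")))
    )
    findings = []
    for s in allows:
        if not any(_matches(p, "iam:PassRole") for p in _as_list(s.get("Action"))):
            continue
        # Collect iam:PassedToService values across all condition operators.
        passed_to = [
            v
            for operator in s.get("Condition", {}).values()
            for key, vals in operator.items()
            if key.lower() == "iam:passedtoservice"
            for v in _as_list(vals)
        ]
        usable_for_ecs = not passed_to or any(_matches(v, EXPECTED_PASSED_TO) for v in passed_to)
        if not usable_for_ecs:
            continue  # PassRole pinned to a different service; not part of this path
        if not passed_to:
            findings.append("iam:PassRole has no iam:PassedToService condition")
        if any(r == "*" or r.endswith("/*") for r in _as_list(s.get("Resource"))):
            findings.append("iam:PassRole allows any role (wildcard Resource)")
    return {
        "role_passing_actions": granted,
        "passrole_findings": findings,
        "escalation_path": bool(granted) and bool(findings),
    }


# Constructed sample policies (account id is the AWS documentation placeholder).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "iam:PassRole"], "Resource": "*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:CreateExpressGatewayService", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/AppTaskExecutionRole",
            "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
        },
    ],
}

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, assess_policy(pol))
```

The scoped policy is the least-privilege shape to aim for: PassRole limited to one named role and conditioned on iam:PassedToService, so the ECS grant cannot be used to launch code as any other role in the account.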
Amazon CloudFront
Service Type: Networking and Content Delivery
Permission: cloudfront:UpdateConnectionFunction
Action: Grants permission to update a connection function
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows modification of connection logic to remove or weaken access checks, potentially bypassing security controls that protect CloudFront distributions.
Permission: cloudfront:UpdateTrustStore
Action: Grants permission to update a trust store
Mitre Tactic: Initial Access
Why it’s privileged: Allows replacing the trusted CA bundle, enabling attacker-issued client certificates to authenticate and gain access to associated CloudFront distributions.
Amazon S3
Service Type: Storage Solutions
Permission: s3:PutBucketAbac
Action: Grants permission to set ABAC configuration for a general purpose bucket
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows enabling ABAC on a bucket, which when combined with existing tag-based IAM policies can grant new access without modifying bucket or IAM policies.
Amazon Elastic Kubernetes Service
Service Type: Containers and Orchestration
Permission: eks:CreateCapability
Action: Grants permission to create a capability for an Amazon EKS cluster
Mitre Tactic: Lateral Movement
Why it’s privileged: Enabling the ACK (AWS Controllers for Kubernetes) capability gives cluster users with custom-resource access the ability to create and manage real AWS resources directly from Kubernetes using kubectl commands.
Permission: eks:UpdateCapability
Action: Grants permission to update a capability for an Amazon EKS cluster
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows a new execution role to be specified for the ACK (AWS Controllers for Kubernetes) capability, which can expand the set of AWS resources that cluster users with ACK access are able to create and manage.
AWS Elemental MediaConnect
Service Type: Content Delivery and Management
Permission: mediaconnect:TakeRouterInput
Action: Grants permission to associate a router input with a router output
Mitre Tactic: Exfiltration
Why it’s privileged: Allows redirecting a private stream to a public-facing output, enabling eavesdropping or unauthorized exposure of sensitive media streams.
Permission: mediaconnect:UpdateRouterNetworkInterface
Action: Grants permission to update the configuration of a router network interface
Mitre Tactic: Exfiltration
Why it’s privileged: Allows removing or loosening CIDR restrictions on network interfaces, enabling unauthorized access to semi-private media streams.
Permission: mediaconnect:UpdateRouterOutput
Action: Grants permission to update the configuration of a router output
Mitre Tactic: Exfiltration
Why it’s privileged: Allows moving a router output from a VPC-bound interface to a public one, enabling unauthorized access to private media streams.
Permission: mediaconnect:UpdateRouterInput
Action: Grants permission to update the configuration of a router input
Mitre Tactic: Exfiltration
Why it’s privileged: Allows repointing router inputs to interfaces connected to public outputs, exposing private media streams without authorization.
Amazon Connect
Service Type: Customer Engagement
Permission: connect:StartContactMediaProcessing
Action: Grants permission to start message processing on an ongoing contact
Mitre Tactic: Collection
Why it’s privileged: Routes chat messages through a Lambda function before delivery, enabling interception or collection of sensitive communications.
Permission: connect:AssociateSecurityProfiles
Action: Grants permission to associate security profiles with an AI agent in an Amazon Connect instance
Mitre Tactic: Privilege Escalation
Why it’s privileged: Expands an AI agent’s access to data and contact flows, enabling access to information and capabilities not previously available.
Amazon SageMaker
Service Type: Artificial Intelligence & Machine Learning
Permission: sagemaker:UpdateMlflowApp
Action: Grants permission to update an MLflow app
Mitre Tactic: Collection
Why it’s privileged: Allows changing the MLflow artifact storage location, potentially redirecting artifacts to publicly accessible S3 buckets and exposing sensitive data.
Permission: sagemaker:DeleteMlflowApp
Action: Grants permission to delete an MLflow app
Mitre Tactic: Impact
Why it’s privileged: Allows deletion of the MLflow tracking server, disrupting experiment tracking, model lineage, and auditability.
Permission: sagemaker:CreatePresignedMlflowAppUrl
Action: Grants permission to return a URL that you can use from your browser to connect to the MLflow app
Mitre Tactic: Initial Access
Why it’s privileged: Allows browser-based access to the MLflow tracking server via a presigned URL, enabling access without direct IAM authentication.
Amazon CloudWatch Observability Admin Service
Service Type: Observability and Monitoring
Permission: observabilityadmin:CreateTelemetryPipeline
Action: Grants permission to create a new telemetry pipeline with the specified name and configuration
Mitre Tactic: Collection
Why it’s privileged: Allows use of a passed role to ingest data from S3 into CloudWatch, enabling collection of S3 data by identities that otherwise lack S3 access.
Permission: observabilityadmin:DeleteTelemetryPipeline
Action: Grants permission to delete the telemetry pipeline with the specified ARN
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows deletion of telemetry pipelines that ingest and normalize log data, disrupting log collection and potentially evading detection.
Permission: observabilityadmin:DeleteS3TableIntegration
Action: Grants permission to delete the S3 table integration with the specified ARN
Mitre Tactic: Defense Evasion
Why it’s privileged: Stops CloudWatch from exporting logs to S3 tables, disrupting downstream analytics and reducing visibility into log data.
Permission: observabilityadmin:UpdateTelemetryPipeline
Action: Grants permission to update the telemetry pipeline with the specified ARN
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows modifying processors or rerouting logs to different destinations, disrupting log normalization and ingestion and potentially evading detection.
Amazon S3 Tables
Service Type: Storage Solutions
Permission: s3tables:PutTableBucketReplication
Action: Grants permission to put table bucket replication configuration on a bucket
Mitre Tactic: Exfiltration
Why it’s privileged: Allows configuring cross-account replication, enabling automated copying of table data to external AWS accounts.
Permission: s3tables:PutTableRecordExpirationConfiguration
Action: Grants permission to put table record expiration configuration on a system table
Mitre Tactic: Impact
Why it’s privileged: Allows expiring records in tables intended to be persistent, resulting in data loss or disruption similar to destructive lifecycle policies in S3 Buckets.
Permission: s3tables:PutTableReplication
Action: Grants permission to put table replication configuration on a table
Mitre Tactic: Exfiltration
Why it’s privileged: Allows configuring cross-account replication, enabling automated copying of table data to external AWS accounts.
Amazon Bedrock AgentCore
Service Type: Artificial Intelligence & Machine Learning
Permission: bedrock-agentcore:PutResourcePolicy
Action: Grants permission to create or update the resource-based policy for a Bedrock resource
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows modifying resource-based policies to grant identities access to Bedrock agent runtimes, expanding who can invoke or control agents.
Permission: bedrock-agentcore:DeletePolicy
Action: Grants permission to delete a policy
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows removal of restrictive MCP policies, potentially granting agents broader access to gateway tools or protected capabilities.
Permission: bedrock-agentcore:ManageAdminPolicy
Action: Grants permission to create or modify wildcard policies that apply to gateway resources
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows creation of broad allow policies in a default-deny MCP policy engine, potentially granting agents expanded access to gateway tools and protected resources.
Permission: bedrock-agentcore:ManageResourceScopedPolicy
Action: Grants permission to create or modify policies that apply to specific gateway resources
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows adding allow policies in a default-deny MCP policy engine, potentially expanding agent access to specific gateway tools or protected resources.
Permission: bedrock-agentcore:UpdatePolicy
Action: Grants permission to update an existing policy
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows modifying policies in a default-deny MCP policy engine to introduce allow rules, potentially expanding agent access to gateway tools or protected resources.
Permission: bedrock-agentcore:DeleteResourcePolicy
Action: Grants permission to delete the resource-based policy for a Bedrock resource
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows removal of explicit deny policies, potentially granting additional identities access to Bedrock agent runtimes.
Permission: bedrock-agentcore:CreatePolicy
Action: Grants permission to create a new policy within a policy engine
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows adding allow policies in a default-deny MCP policy engine, potentially expanding agent access to gateway tools or protected resources.
New Services with Privileged Permissions
Amazon EKS MCP Server
Service Type: Artificial Intelligence & Machine Learning
Permission: eks-mcp:CallPrivilegedTool
Action: Grants permission to call privileged tools in MCP service
Mitre Tactic: Impact
Why it’s privileged: Allows invocation of MCP tools with write access to EKS clusters or the AWS control plane, enabling unintended or malicious changes if the tool is triggered without explicit user intent.
Amazon MWAA Serverless
Service Type: Process Automation and Integration
Permission: airflow-serverless:CreateWorkflow
Action: Grants permission to create a new workflow
Mitre Tactic: Execution
Why it’s privileged: Allows creation of workflows that invoke Amazon provider operators, enabling execution of sensitive AWS control plane actions across multiple services using the workflow’s execution role.
Permission: airflow-serverless:UpdateWorkflow
Action: Grants permission to update an existing workflow
Mitre Tactic: Execution
Why it’s privileged: Allows modification of workflow definitions to invoke Amazon provider operators, enabling execution of sensitive AWS control plane actions using the workflow’s execution role.
AWS SageMaker Unified Studio MCP
Service Type: Artificial Intelligence & Machine Learning
Permission: sagemaker-unified-studio-mcp:CallPrivilegedTool
Action: Grants permission to call privileged tools in MCP service
Mitre Tactic: Impact
Why it’s privileged: Allows invocation of MCP tools with write or build access to EMR and Spark environments, enabling unintended or malicious code execution if the tool is triggered without explicit user intent.
Amazon Bedrock Mantle
Service Type: Artificial Intelligence and Machine Learning
Permission: bedrock-mantle:CreateInference
Action: Grants permission to create a chat completion inference request
Mitre Tactic: Collection
Why it’s privileged: Enables a mechanism for invoking models using OpenAI SDKs without needing to go through additional guardrails, potentially retrieving sensitive model data.
AWS DevOps Agent Service
Service Type: Artificial Intelligence and Machine Learning
Permission: aidevops:AssociateService
Action: Grants permission to associate service
Mitre Tactic: Discovery
Why it’s privileged: Allows the agent to use a passed role to monitor the current or another AWS account, enabling discovery activities across associated accounts.
Permission: aidevops:CreateOneTimeLoginSession
Action: Grants permission to generate secure one-time session for initiating off-console application login
Mitre Tactic: Lateral Movement
Why it’s privileged: Grants access to the DevOps Agent Web App, where users can interact with the privileged agent and have it perform investigations on real AWS infrastructure using its execution role.
Permission: aidevops:DeregisterService
Action: Grants permission to deregister a service
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows removal of integrations with security and monitoring tools, disrupting workflows that rely on third-party visibility or alerting.
Permission: aidevops:DisassociateService
Action: Grants permission to disassociate a service
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows removing agent monitoring from an AWS account, reducing visibility into activity and security events.
Permission: aidevops:InitiateServiceRegistration
Action: Grants permission to initiate OAuth flow
Mitre Tactic: Exfiltration
Why it’s privileged: Allows setting up integrations such as Slack that can send agent activity summaries and discovery data to external or unauthorized channels.
Permission: aidevops:UpdateAssociation
Action: Grants permission to update association
Mitre Tactic: Privilege Escalation
Why it’s privileged: Allows modifying association configurations in ways that can break integrations with other AWS accounts or third-party data sources, reducing visibility or disrupting security workflows.
AWS Security Agent
Service Type: Artificial Intelligence and Machine Learning
Permission: securityagent:CreateMembership
Action: Grants permission to add a single member to an agent instance with specified role
Mitre Tactic: Lateral Movement
Why it’s privileged: Grants an IAM Identity Center identity long-term access to the security agent web app, where users can then interact with the privileged agent and have it perform pentests on arbitrary targets and display results.
Permission: securityagent:CreateOneTimeLoginSession
Action: Grants permission to create a one-time login session
Mitre Tactic: Lateral Movement
Why it’s privileged: Grants admin access to the security agent application, which uses the agent instance role to perform security agent operations and access protected resources.
Permission: securityagent:DeleteControl
Action: Grants permission to delete a customer-managed control
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows removal of custom controls from design and code reviews, reducing enforcement of security standards and oversight.
Permission: securityagent:ToggleManagedControl
Action: Grants permission to toggle the status
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows disabling managed controls used in design and code reviews, reducing security enforcement and oversight.
Permission: securityagent:UpdateControl
Action: Grants permission to update a customer managed control
Mitre Tactic: Defense Evasion
Why it’s privileged: Allows modifying control requirements in ways that weaken or effectively remove security checks from design and code reviews.
AWS Transform Custom
Service Type: Migration and Transfer
No privileged permissions
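Most of the permissions catalogued above are control-plane API calls and therefore appear in CloudTrail, which makes the list directly usable as detection content. The following is an added example (not code from the Sonrai post) that matches CloudTrail records against a subset of the December permissions and tags each hit with the MITRE ATT&CK tactic the post assigns. It assumes that CloudTrail's eventName equals the IAM action name and that eventSource is the IAM service prefix followed by .amazonaws.com; both generally hold but should be verified against your own trail for each service. The sample records are constructed.

```python
"""Added example, not code from the Sonrai post: flag CloudTrail records that
invoke one of the newly privileged December actions and tag them with the
tactic the post assigns. Assumptions to verify on a real trail: eventName ==
IAM action name, eventSource == '<service prefix>.amazonaws.com'."""
from collections import Counter

# Subset of the post's list: IAM action -> MITRE tactic named in the post.
PRIVILEGED_ACTIONS = {
    "iam:EnableOutboundWebIdentityFederation": "Persistence",
    "logs:UpdateScheduledQuery": "Exfiltration",
    "logs:CreateScheduledQuery": "Exfiltration",
    "logs:DeleteScheduledQuery": "Defense Evasion",
    "logs:PutLogGroupDeletionProtection": "Defense Evasion",
    "ecs:CreateExpressGatewayService": "Execution",
    "ecs:UpdateExpressGatewayService": "Execution",
    "cloudfront:UpdateTrustStore": "Initial Access",
    "s3:PutBucketAbac": "Privilege Escalation",
    "eks:UpdateCapability": "Privilege Escalation",
    "s3tables:PutTableBucketReplication": "Exfiltration",
}


def _event_key(action):
    """Map 'prefix:Name' to the (eventSource, eventName) pair expected in CloudTrail."""
    prefix, name = action.split(":", 1)
    return (f"{prefix}.amazonaws.com", name)  # assumed eventSource form


EVENT_LOOKUP = {_event_key(a): (a, t) for a, t in PRIVILEGED_ACTIONS.items()}


def match_events(records):
    """Return one alert per record whose (eventSource, eventName) is in the list.
    Denied attempts (errorCode present) are kept but marked, since a failed
    attempt to disable logging is itself worth triaging."""
    alerts = []
    for record in records:
        hit = EVENT_LOOKUP.get((record.get("eventSource"), record.get("eventName")))
        if hit is None:
            continue
        action, tactic = hit
        alerts.append({
            "eventTime": record.get("eventTime"),
            "action": action,
            "tactic": tactic,
            "principal": record.get("userIdentity", {}).get("arn"),
            "sourceIPAddress": record.get("sourceIPAddress"),
            "succeeded": "errorCode" not in record,
        })
    return alerts


def tactic_counts(alerts):
    """Count successful calls per tactic, e.g. for a daily summary."""
    return dict(Counter(a["tactic"] for a in alerts if a["succeeded"]))


# Constructed sample records (documentation account id and IP range).
SAMPLE_RECORDS = [
    {"eventTime": "2025-12-18T10:02:11Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutLogGroupDeletionProtection",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-12-18T10:05:40Z", "eventSource": "logs.amazonaws.com",
     "eventName": "CreateScheduledQuery",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-12-18T10:07:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAbac", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/DataAnalyst"},
     "sourceIPAddress": "203.0.113.22"},
    {"eventTime": "2025-12-18T10:09:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",  # benign read, should not match
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/DataAnalyst"},
     "sourceIPAddress": "203.0.113.22"},
]

if __name__ == "__main__":
    found = match_events(SAMPLE_RECORDS)
    for alert in found:
        print(alert)
    print(tactic_counts(found))
```

In practice the same principal disabling deletion protection and then creating a scheduled query within minutes, as in the constructed sample, is the sequence worth correlating: one call weakens log retention while the next creates an export path.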
Conclusion
As AWS continues to expand its portfolio of managed and AI-driven services, new privileged permissions are increasingly shaping how access, execution, and visibility are controlled in the cloud. This month’s additions show how modifying configurations, policies, and agent behaviors can quietly expand privilege, weaken safeguards, or enable data movement without ever touching traditional administrator roles. Even subtle permission changes can have an outsized impact on trust boundaries and blast radius across cloud environments.
Sonrai Security’s Cloud Permissions Firewall helps organizations stay ahead of these shifts by continuously identifying emerging privileged permissions, mapping them to MITRE ATT&CK tactics, and enforcing least privilege across cloud control planes. In an environment where new sources of privilege are introduced every month, maintaining continuous visibility and control is essential to preventing overlooked permissions from becoming attack paths.
This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Adeel Nazar. Read the original post at: https://sonraisecurity.com/blog/dec-25-recap-new-aws-privileged-permissions-and-services/
