Oct Recap: New AWS Privileged Permissions and Services

As October 2025 closes, Sonrai’s latest analysis of new AWS permissions reveals a continued trend: incremental privilege changes with outsized impact. This month’s additions span OpenSearch Ingestion, Aurora DSQL, QuickSight, Parallel Computing Service, ARC Region Switch, and RTB Fabric, touching critical areas of data analytics, compute orchestration, and real-time traffic systems.
These updates introduce capabilities to create new data ingress points, modify or remove logging pipelines, alter enforcement and auditing mechanisms, and even reroute or suppress alerting paths. Collectively, they highlight how cloud privilege expansion often hides in plain sight—each new API action quietly shifting control boundaries and enabling new ways to disrupt monitoring, escalate access, or manipulate data flows.

Existing Services with New Privileged Permissions
Amazon OpenSearch Ingestion
Service Type: Data and Analytics
Permission: osis:CreatePipelineEndpoint

Action: Grants permission to create an OpenSearch Ingestion pipeline endpoint
Mitre Tactic: Collection
Why it’s privileged: Allows creation of a network endpoint that can exfiltrate data from a private VPC to an OpenSearch ingestion pipeline, enabling potential unauthorized data collection or transfer.

Permission: osis:PutResourcePolicy

Action: Grants permission to put a resource policy for an OpenSearch Ingestion resource
Mitre Tactic: Impact
Why it’s privileged: Allows an attacker to alter cross-account OpenSearch access, enabling them to disrupt centralized logging.

Permission: osis:DeleteResourcePolicy

Action: Grants permission to delete a resource policy for an OpenSearch Ingestion resource
Mitre Tactic: Impact
Why it’s privileged: Allows deletion of policies that enable cross-account logging, effectively disabling centralized monitoring.

AWS Parallel Computing Service
Service Type: Compute Services
Permission: pcs:UpdateCluster

Action: Grants permission to update cluster properties
Mitre Tactic: Privilege Escalation
Why it’s privileged: Changing accounting or retention settings can disable usage controls and delete audit trails, hiding malicious activity. Additionally, Slurm settings implementing fine-grained access controls to cluster resources can be modified, enabling privilege escalation.

Amazon Aurora DSQL
Service Type: Database Services
Permission: dsql:PutClusterPolicy

Action: Grants permission to attach or update the inline resource-based policy attached to a cluster
Mitre Tactic: Privilege Escalation
Why it’s privileged: Lets an actor grant themselves or others cluster admin/connect rights or remove protections (e.g., public-access blocks), enabling escalation and lateral access.

Permission: dsql:DeleteClusterPolicy

Action: Grants permission to remove the inline resource-based policy attached to a cluster
Mitre Tactic: Defense Evasion
Why it’s privileged: Removing a cluster’s resource policy can disable enforced security controls (like public-access blocks), exposing the cluster and allowing attackers to evade protections and detection.

Amazon QuickSight
Service Type: Data and Analytics
Permission: quicksight:DeleteActionConnector

Action: Grants permission to delete an action connector
Mitre Tactic: Defense Evasion
Why it’s privileged: Removing connectors (e.g., PagerDuty alerts) can silence or disrupt alerting and reduce visibility into incidents, enabling attackers to evade detection.

Permission: quicksight:CreateActionConnector

Action: Grants permission to create an action connector
Mitre Tactic: Collection
Why it’s privileged: Lets an attacker add connectors that route actions or data to attacker-controlled endpoints, enabling data exfiltration or interception and misrouting automated workflows.

Permission: quicksight:UpdateActionConnector

Action: Grants permission to update an action connector
Mitre Tactic: Defense Evasion
Why it’s privileged: Lets an actor corrupt or disable connectors (by altering auth or settings), breaking alerting or integrations to hide activity.
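The entries above each describe a single API call, but the real signal is a principal chaining them: creating a new ingress point and then removing the policy that feeds centralized logging. The following is an added example (not from the original post or from Sonrai's product) showing how a detection job could flag these actions in CloudTrail management events and surface principals whose successful calls span more than one MITRE tactic. It assumes the eventSource values follow the usual `<service-prefix>.amazonaws.com` pattern; the event records are constructed for illustration.

```python
"""Flag CloudTrail events that use the privileged actions from the section above.

Added example, not code from the original post. Assumes eventSource values of the
form '<service-prefix>.amazonaws.com'; SAMPLE_EVENTS below are constructed.
"""
from collections import defaultdict

# Action -> MITRE ATT&CK tactic, as assigned in the post's "Existing Services" section.
PRIVILEGED_ACTIONS = {
    "osis:CreatePipelineEndpoint": "Collection",
    "osis:PutResourcePolicy": "Impact",
    "osis:DeleteResourcePolicy": "Impact",
    "pcs:UpdateCluster": "Privilege Escalation",
    "dsql:PutClusterPolicy": "Privilege Escalation",
    "dsql:DeleteClusterPolicy": "Defense Evasion",
    "quicksight:DeleteActionConnector": "Defense Evasion",
    "quicksight:CreateActionConnector": "Collection",
    "quicksight:UpdateActionConnector": "Defense Evasion",
}


def action_from_event(event):
    """Build 'service:Action' from a record's eventSource and eventName."""
    service = event.get("eventSource", "").split(".", 1)[0]  # "osis.amazonaws.com" -> "osis"
    return f"{service}:{event.get('eventName', '')}"


def flag_privileged_events(events):
    """Return one finding per event whose action is in PRIVILEGED_ACTIONS."""
    findings = []
    for ev in events:
        action = action_from_event(ev)
        tactic = PRIVILEGED_ACTIONS.get(action)
        if tactic is None:
            continue
        findings.append({
            "eventTime": ev.get("eventTime"),
            "principal": ev.get("userIdentity", {}).get("arn", "unknown"),
            "action": action,
            "tactic": tactic,
            # A denied call is still worth recording: it shows who is probing these APIs.
            "outcome": "denied" if ev.get("errorCode") else "succeeded",
            "sourceIp": ev.get("sourceIPAddress"),
        })
    return findings


def tactics_by_principal(findings):
    """Map each principal to the set of tactics reached by its *successful* calls."""
    out = defaultdict(set)
    for f in findings:
        if f["outcome"] == "succeeded":
            out[f["principal"]].add(f["tactic"])
    return dict(out)


def principals_spanning_tactics(findings, minimum=2):
    """Principals whose successful calls cover at least `minimum` distinct tactics,
    e.g. a new ingress point (Collection) plus a removed logging policy (Impact)."""
    return sorted(p for p, t in tactics_by_principal(findings).items() if len(t) >= minimum)


SAMPLE_EVENTS = [  # constructed records, not real CloudTrail data
    {"eventTime": "2025-10-14T09:02:11Z", "eventSource": "osis.amazonaws.com",
     "eventName": "CreatePipelineEndpoint",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DataPlatformAdmin/jdoe"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-10-14T09:05:47Z", "eventSource": "osis.amazonaws.com",
     "eventName": "DeleteResourcePolicy",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DataPlatformAdmin/jdoe"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-10-14T09:06:30Z", "eventSource": "quicksight.amazonaws.com",
     "eventName": "DeleteActionConnector", "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bi-analyst"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-10-14T09:10:02Z", "eventSource": "osis.amazonaws.com",
     "eventName": "ListPipelines",  # read-only call, not in the catalog
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bi-analyst"},
     "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    found = flag_privileged_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['eventTime']} {f['principal']} {f['action']} [{f['tactic']}] {f['outcome']}")
    print("principals spanning >1 tactic:", principals_spanning_tactics(found))
```

On the constructed input the job reports three findings (the `ListPipelines` call is ignored) and names the assumed role as the only principal that both created an ingestion endpoint and removed a resource policy; the analyst's denied `DeleteActionConnector` call is listed but does not count toward a tactic chain.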

New Services with Privileged Permissions
Amazon ARC Region Switch
Service Type: Infrastructure Management
Permission: arc-region-switch:CreatePlan

Action: Grants permission to create a plan
Mitre Tactic: Execution
Why it’s privileged: Allows creation of executable plans that can trigger actions like Lambda invocations through assigned roles.

Permission: arc-region-switch:DeletePlan

Action: Grants permission to delete a plan
Mitre Tactic: Impact
Why it’s privileged: Allows deletion of automated response plans, potentially disabling critical remediation actions.

Permission: arc-region-switch:UpdatePlan

Action: Grants permission to update a plan
Mitre Tactic: Execution
Why it’s privileged: Allows modification of executable plans to run attacker-controlled actions through assigned roles.

AWS RTB Fabric
Service Type: Networking and Content Delivery
Permission: rtbfabric:AcceptLink

Action: Grants permission to accept a link invitation from another Gateway
Mitre Tactic: Impact
Why it’s privileged: Accepting malicious or bot gateways can expose the system to spam or fraudulent bid traffic, degrading process integrity and performance.

Permission: rtbfabric:UpdateLink

Action: Grants permission to update configuration settings for an existing link
Mitre Tactic: Defense Evasion
Why it’s privileged: Can change log sampling (e.g., set to 0%) to remove or reduce audit logs, enabling attackers to evade detection.

Permission: rtbfabric:UpdateLinkModuleFlow

Action: Grants permission to update a link module flow
Mitre Tactic: Impact
Why it’s privileged: Allows altering bidding logic and flow parameters, which can disrupt service behavior, manipulate transactions, or degrade system performance.

Permission: rtbfabric:UpdateResponderGateway

Action: Grants permission to update a responder gateway
Mitre Tactic: Impact
Why it’s privileged: Allows changes to domains, ports, and load-balancing settings, which can disrupt bid traffic flow or degrade system availability.

AWS User Experience Customization
Service Type: Support and Service Management
No privileged permissions identified
AWS Billing and Cost Management Recommended Actions
Service Type: Subscription Management
No privileged permissions identified
AWS Action Recommendations
Service Type: Infrastructure Management
No privileged permissions identified
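Because these services are new, broad grants such as `rtbfabric:*` or `arc-region-switch:*` written before the permissions existed now silently cover them. The following added example (not from the original post or from Sonrai's product) audits an IAM policy document for the new-service actions listed above, honouring `Action`/`NotAction` wildcards and unconditional explicit denies, and builds an explicit Deny statement that could be placed in an SCP or permissions boundary as a guardrail. The sample policy is constructed; `fnmatch` is used as an approximation of IAM's case-insensitive `*`/`?` action matching.

```python
"""Audit an IAM policy for the new-service privileged actions listed above.

Added example, not code from the original post. The policy below is constructed.
Simplifications: Allow statements count regardless of Resource or Condition
(conservative for an audit); a Deny is honoured only when it is unconditional and
applies to every resource, so scoped denies do not hide a grant.
"""
import fnmatch
import json

# Action -> MITRE ATT&CK tactic, as assigned in the post's "New Services" section.
NEW_SERVICE_ACTIONS = {
    "arc-region-switch:CreatePlan": "Execution",
    "arc-region-switch:DeletePlan": "Impact",
    "arc-region-switch:UpdatePlan": "Execution",
    "rtbfabric:AcceptLink": "Impact",
    "rtbfabric:UpdateLink": "Defense Evasion",
    "rtbfabric:UpdateLinkModuleFlow": "Impact",
    "rtbfabric:UpdateResponderGateway": "Impact",
}


def _as_list(value):
    """IAM allows a string or a list in most policy elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) element covers `action`."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def effective_privileged_grants(policy, catalog=NEW_SERVICE_ACTIONS):
    """Return {action: tactic} for catalog actions the policy effectively allows."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect == "Deny":
            # A Deny scoped to specific resources or guarded by a Condition may not
            # cover every call, so only an unconditional, all-resource Deny is trusted.
            if stmt.get("Resource") != "*" or "Condition" in stmt:
                continue
        for action in catalog:
            if statement_covers(stmt, action):
                (allowed if effect == "Allow" else denied).add(action)
    return {a: catalog[a] for a in sorted(allowed - denied)}


def guardrail_deny_statement(actions, sid="DenyNewPrivilegedActions"):
    """Explicit Deny statement for the given actions, in standard IAM policy grammar."""
    return {"Sid": sid, "Effect": "Deny", "Action": sorted(actions), "Resource": "*"}


SAMPLE_POLICY = {  # constructed policy written before the new actions existed
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["rtbfabric:*", "arc-region-switch:Create*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "rtbfabric:UpdateLink*", "Resource": "*"},
        # Scoped deny: not trusted by the audit, so it does not mask a grant.
        {"Effect": "Deny", "Action": "rtbfabric:AcceptLink",
         "Resource": "arn:aws:rtbfabric:us-east-1:111122223333:link/example-link"},
    ],
}

if __name__ == "__main__":
    grants = effective_privileged_grants(SAMPLE_POLICY)
    for action, tactic in grants.items():
        print(f"ALLOWED {action} [{tactic}]")
    print(json.dumps(guardrail_deny_statement(grants), indent=2))
```

Run against the constructed policy, the audit reports `arc-region-switch:CreatePlan`, `rtbfabric:AcceptLink` and `rtbfabric:UpdateResponderGateway` as effectively granted: the unconditional `rtbfabric:UpdateLink*` deny removes `UpdateLink` and `UpdateLinkModuleFlow`, while the resource-scoped deny on `AcceptLink` is deliberately not trusted. The generated Deny statement is the starting point for a guardrail; it should be narrowed to the principals that genuinely need these actions rather than applied blindly.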
Conclusion
As AWS broadens functionality across data, compute, and networking services, the emergence of new privileged permissions continues to redefine security perimeters. From disabling centralized logging in OpenSearch to manipulating Aurora DSQL cluster policies or corrupting QuickSight integrations, these permissions underscore how operational changes can quickly translate into security exposure.
Sonrai Security’s Cloud Permissions Firewall helps organizations stay ahead of this constant evolution—identifying new privileged permissions as they appear, mapping them to MITRE ATT&CK tactics, and enforcing least privilege before attackers can exploit new paths. In the dynamic landscape of cloud privilege sprawl, continuous visibility isn’t optional, it’s essential.

*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Adeel Nazar. Read the original post at: https://sonraisecurity.com/blog/oct-25-recap-new-aws-privileged-permissions-and-services/
