News

June Recap: New AWS Services and Privileged Permissions

  • securityboulevard.com
  • published date: 2025-06-30 00:00:00 UTC

<p>As June 2025 wraps up, we’re back with another monthly roundup of AWS privileged permission changes and service updates that could reshape your cloud security posture. Each month brings a wave of new permissions, and with them potential pathways for unauthorized access, policy evasion, and abuse of trust boundaries. This month’s highlights include sensitive updates across EC2, AWS Backup, Security Hub, and Bedrock, with several permissions affecting automation workflows, restore approvals, and connector integrity. Understanding these changes is critical for proactive privilege management and staying ahead of emerging risks. Dive in below to see what’s new, and why it matters for securing your AWS environment.</p><h3 class="wp-block-heading">New Region</h3><p>Asia Pacific (Taipei)</p><p><strong>API name:</strong> ap-east-2</p><p><strong>Availability zones:</strong> 3</p><h2 class="wp-block-heading"><strong>Existing Services with New Privileged Permissions</strong></h2><h3 class="wp-block-heading"><strong>EC2</strong></h3><p><strong>Service Type: Compute Services</strong></p><h4 class="wp-block-heading">Permission: ec2:CreateMacSystemIntegrityProtectionModificationTask</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to create a System Integrity Protection (SIP) modification task for an Amazon EC2 Mac instance</li> <li><strong>Mitre Tactic:</strong> Defense Evasion</li> <li><strong>Why it’s privileged: </strong>SIP is the macOS control that protects system files and processes from modification, even by the root user. A principal with this permission can weaken or disable that protection on an EC2 Mac instance through the EC2 control plane, directly changing the instance’s security boundary; treat it as equivalent to administrative access to the instance.</li> 
</ul><h3 class="wp-block-heading">AWS Backup</h3><p><strong>Service Type: Archival, Backup and Recovery</strong></p><h4 class="wp-block-heading">Permission: backup:DisassociateBackupVaultMpaApprovalTeam</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to disassociate a Multi-Party Approval (MPA) team from a backup vault</li> <li><strong>Mitre Tactic:</strong> Defense Evasion</li> <li><strong>Why it’s privileged: </strong>Removes the designated approval team from a backup vault, and with it the restore approval workflow, so a single principal can then run restore operations that were meant to require sign-off from a second party.</li> </ul><h4 class="wp-block-heading">Permission: backup:AssociateBackupVaultMpaApprovalTeam</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to associate an MPA approval team with a backup vault</li> <li><strong>Mitre Tactic:</strong> Privilege Escalation</li> <li><strong>Why it’s privileged: </strong>Sets or replaces the approval team on a backup vault, potentially redirecting restore approvals to an unintended or attacker-controlled team.</li> </ul><h3 class="wp-block-heading">AWS Security Hub</h3><p><strong>Service Type: Security and Compliance</strong></p><h4 class="wp-block-heading">Permission: securityhub:UpdateConnectorV2</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to update a connector V2 in Security Hub based on connector ID and input parameters</li> <li><strong>Mitre Tactic:</strong> Defense Evasion</li> <li><strong>Why it’s privileged: </strong>Lets a principal change the connector configuration, for example the Jira projectKey, without re-registering the connector, so findings can be silently routed to a project the security team does not watch.</li> </ul><h4 class="wp-block-heading">Permission: securityhub:DeleteAutomationRuleV2</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to delete an automation rule V2 in Security Hub</li> <li><strong>Mitre Tactic:</strong> Defense Evasion</li> <li><strong>Why it’s privileged: </strong>Deletes an automation rule, disrupting security workflows and preventing the automatic responses to findings that the rule was expected to trigger.</li> </ul><h4 class="wp-block-heading">Permission: securityhub:ConnectorRegistrationsV2</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to complete the OAuth 2.0 authorization code flow based on input parameters</li> <li><strong>Mitre Tactic:</strong> Defense Evasion</li> <li><strong>Why it’s privileged: </strong>Authenticates and finalizes connector registration, enabling integration with external systems like Jira; if misused, it can bind Security Hub to an external system the attacker controls and expose sensitive finding workflows.</li> </ul><h4 class="wp-block-heading">Permission: securityhub:UpdateAutomationRuleV2</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to update an automation rule V2 in Security Hub based on rule Amazon Resource Name (ARN) and input parameters</li> <li><strong>Mitre Tactic:</strong> Defense Evasion</li> <li><strong>Why it’s privileged: </strong>Modifies automation rules, allowing unauthorized changes to how findings are suppressed, reclassified, or responded to.</li> </ul><h4 class="wp-block-heading">Permission: securityhub:DisableSecurityHubV2</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to disable Security Hub V2</li> <li><strong>Mitre Tactic:</strong> Defense Evasion</li> <li><strong>Why it’s privileged: </strong>Disables Security Hub for the account, halting security data aggregation, analysis, and automated response actions. Because this is a new V2 action, CloudTrail detections keyed on the original DisableSecurityHub event name will not match it and need to be updated.</li> </ul><h4 class="wp-block-heading">Permission: securityhub:CreateAutomationRuleV2</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to create an automation rule V2 based on input parameters</li> <li><strong>Mitre Tactic:</strong> Defense Evasion</li> <li><strong>Why it’s privileged: </strong>Creates automation rules that define how Security Hub responds to findings, potentially enabling unauthorized or malicious automated actions such as suppressing findings before anyone sees them.</li> </ul><h3 class="wp-block-heading">Amazon Bedrock</h3><p><strong>Service Type: Artificial Intelligence &amp; Machine Learning</strong></p><h4 class="wp-block-heading">Permission: bedrock:CreateCustomModel</h4><ul class="wp-block-list"> <li><strong>Action:</strong> Grants permission to create a custom model in Bedrock</li> <li><strong>Mitre Tactic:</strong> Resource Development</li> <li><strong>Why it’s privileged: </strong>Creates a custom model that downstream applications may trust as a vetted foundation model, potentially embedding unauthorized data or behaviors that affect those applications and the security controls built on them.</li> </ul><h2 class="wp-block-heading">New Services</h2><h3 class="wp-block-heading">Amazon Elastic Virtualization Services</h3><p><strong>Service Type: Compute Services</strong></p><p><em>No privileged permissions</em></p><h3 class="wp-block-heading">AWS Support Console</h3><p><strong>Service Type: Support and Service Management</strong></p><p><em>No privileged permissions</em></p><h3 class="wp-block-heading">Multi-Party Approval</h3><p><strong>Service Type: Identity and Access Management</strong></p><p><em>No privileged permissions</em></p><h2 class="wp-block-heading"><strong>Conclusion</strong></h2><p>As AWS continues to expand its services and deepen integrations, the complexity and impact of new permissions grow with it. This month’s highlights, from altering macOS system protections in EC2 to quietly redirecting Security Hub automation or disabling backup restore approvals, illustrate how privileged access can subtly undermine security workflows and trust boundaries.</p><p>Sonrai Security’s Cloud Permissions Firewall empowers teams to get ahead of these risks by delivering cloud-native Privileged Access Management. 
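</p><p>Whatever tooling enforces it, the ten permissions listed above translate into two concrete controls: a service control policy (SCP) that denies them to every principal except a break-glass role, and a CloudTrail detection that flags any call to them, tagged with the MITRE tactic the list assigns. The Python below is an added example, not code from the Sonrai post or from AWS. The break-glass role ARN, the account ID, the principal names and the CloudTrail records are constructed for illustration; it also assumes that each IAM action name equals the CloudTrail <code>eventName</code> of the matching API call, which holds for the actions in this list.</p>

```python
"""Fence and detect the June 2025 AWS privileged permissions listed above.

Added example (not from the Sonrai / Security Boulevard post). It:
1. builds an SCP denying the listed actions to all but a break-glass role
   (the role ARN below is an assumption, not something the post names);
2. scans CloudTrail records and flags calls to those actions.
The CloudTrail records at the bottom are constructed sample data.
"""
import json
from typing import Dict, List

# Action -> MITRE tactic, exactly as the post lists them.
PRIVILEGED_ACTIONS: Dict[str, str] = {
    "ec2:CreateMacSystemIntegrityProtectionModificationTask": "Defense Evasion",
    "backup:DisassociateBackupVaultMpaApprovalTeam": "Defense Evasion",
    "backup:AssociateBackupVaultMpaApprovalTeam": "Privilege Escalation",
    "securityhub:UpdateConnectorV2": "Defense Evasion",
    "securityhub:DeleteAutomationRuleV2": "Defense Evasion",
    "securityhub:ConnectorRegistrationsV2": "Defense Evasion",
    "securityhub:UpdateAutomationRuleV2": "Defense Evasion",
    "securityhub:DisableSecurityHubV2": "Defense Evasion",
    "securityhub:CreateAutomationRuleV2": "Defense Evasion",
    "bedrock:CreateCustomModel": "Resource Development",
}

# Assumed break-glass principal; substitute your own. SCPs cannot use
# NotPrincipal, so the exemption is a condition on aws:PrincipalArn, which
# for an assumed-role session resolves to the underlying role ARN.
BREAK_GLASS_ROLE_ARN = "arn:aws:iam::*:role/BreakGlassCloudAdmin"


def build_scp(actions=PRIVILEGED_ACTIONS, exempt_arn=BREAK_GLASS_ROLE_ARN) -> dict:
    """Return an SCP document denying the listed actions to non-exempt principals."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyJune2025PrivilegedActions",
            "Effect": "Deny",
            "Action": sorted(actions),
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": exempt_arn}},
        }],
    }


def _to_action(record: dict) -> str:
    """Map a CloudTrail record to 'service:EventName'.

    Assumes the IAM action name equals the API eventName, which is true for
    every action in PRIVILEGED_ACTIONS ("securityhub.amazonaws.com" -> "securityhub").
    """
    service = record["eventSource"].split(".")[0]
    return f"{service}:{record['eventName']}"


def flag_privileged_calls(records: List[dict]) -> List[dict]:
    """Return one finding per record whose action is in PRIVILEGED_ACTIONS.

    Failed calls (errorCode present) are reported too: an AccessDenied on
    DisableSecurityHubV2 is a strong signal that someone tried.
    """
    findings = []
    for rec in records:
        action = _to_action(rec)
        tactic = PRIVILEGED_ACTIONS.get(action)
        if tactic is None:
            continue
        findings.append({
            "time": rec["eventTime"],
            "action": action,
            "tactic": tactic,
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "succeeded": "errorCode" not in rec,
        })
    return findings


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2025-06-17T10:02:11Z", "eventSource": "securityhub.amazonaws.com",
     "eventName": "DisableSecurityHubV2",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevOps/alice"}},
    {"eventTime": "2025-06-17T10:03:40Z", "eventSource": "backup.amazonaws.com",
     "eventName": "DisassociateBackupVaultMpaApprovalTeam",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevOps/alice"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2025-06-17T10:05:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"}},
    {"eventTime": "2025-06-17T10:06:30Z", "eventSource": "securityhub.amazonaws.com",
     "eventName": "UpdateConnectorV2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/BreakGlassCloudAdmin"}},
]

if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    for finding in flag_privileged_calls(SAMPLE_RECORDS):
        print(finding)
```

<p>Two caveats when using this. An SCP only takes effect on accounts under the OU or root it is attached to and never applies to the organization’s management account, so the detection side is still needed there. And because the flag is keyed on the exact event name, every new V2 action has to be added explicitly; a rule written for the V1 names does not cover the calls above.</p><p>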
We help organizations automatically detect and lock down high-risk permissions, enforce least privilege across identities and resources, and stay secure as AWS evolves. Because in the cloud, privilege is everywhere — and controlling it is everything.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://sonraisecurity.com/">Sonrai | Enterprise Cloud Security Platform</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Adeel Nazar">Adeel Nazar</a>. Read the original post at: <a href="https://sonraisecurity.com/blog/june-recap-new-aws-services-and-privileged-permissions/">https://sonraisecurity.com/blog/june-recap-new-aws-services-and-privileged-permissions/</a> </p>