August Recap: New AWS Sensitive Permissions and Services
2024-9-5 02:16:45 Author: securityboulevard.com(查看原文) 阅读量:6 收藏

As AWS continues to evolve, new services and permissions are frequently introduced to enhance functionality and security. This blog provides a comprehensive recap of new sensitive permissions and services added in August 2024. Our intention in sharing this is to flag the most important releases to keep your eye on and update your permissions and access control policies accordingly.

AWS CodePipeline

Service Type: Development & DevOps Tools

Permission: OverrideStageCondition

  • Action: Grants permission to resume the pipeline execution by overriding a condition in a stage
  • Mitre Tactic: Execution
  • Why it’s sensitive:  Users can override a lambda function’s operation condition within a pipeline. This could be used to allow deployment pipelines to continue when they would otherwise be stopped, like continuing to deploy vulnerable software after failed security scans.

Amazon Elastic Container Registry (ECR)

Service Type: Containers and Orchestration

Permission: PutAccountSetting

  • Action: Allows modification of settings for the ECR account
  • Mitre Tactic: Defense Invasion
  • Why it’s sensitive: Users can change tag mutability, automated image scanning, how scans are conducted (e.g. on push or manually), and encryption settings.

New Services

AWS Parallel Computing Services

Service Type: Compute Services

Permission: CreateComputeNodeGroup

  • Action: Grants permission to create compute node groups
  • Mitre Tactic: Execution
  • Why it’s sensitive: Users can use an API parameter in calls to this permission which override the launch template AMI. By specifying a custom (potentially malicious) AMI, an attacker could get arbitrary malicious code running within the node pool that processes jobs. 

Permission: UpdateComputeNodeGroup

  • Action: Grants permission to update compute node group properties
  • Mitre Tactic: Execution
  • Why it’s sensitive: Users can use an API parameter in calls to this permission which override the launch template AMI. By specifying a custom (potentially malicious) AMI, an attacker could get arbitrary malicious code running within the node pool that processes jobs.

New Regions

Asia Pacific (Malaysia)

  • API name: ap-southeast-5
  • Availability zones: 3

Conclusion

If you’re an AWS user, your cloud is always changing. This means a constantly evolving attack surface for you to secure. As new permissions are released for pre-existing services, by default, your users gain access to that permission. If it is a sensitive permission, this can be risky.  Access to sensitive permissions should be restricted to only those human and machine identities that need them.

Claroty

To reduce the risk resulting from new services, your teams should update any SCPs and IAM policies used to restrict access to services your teams aren’t using.

If you’re interested in managing sensitive permissions and securing AWS services efficiently, look into our Cloud Permissions Firewall.

secure sensitive permissions

*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by James Casagrande. Read the original post at: https://sonraisecurity.com/blog/aug-recap-new-aws-sensitive-permissions-and-services/


文章来源: https://securityboulevard.com/2024/09/august-recap-new-aws-sensitive-permissions-and-services/
如有侵权请联系:admin#unsafe.sh