
Granted too broadly, the added privileges let an attacker who compromises a principal holding them manipulate traffic flows and data access, dramatically widening the cloud attack surface. Continuous visibility into who holds these configuration rights, and strict least‑privilege controls over them, are essential to prevent their covert exploitation.
The latest wave of AWS permission updates underscores a strategic shift in cloud security: sensitive privilege is increasingly embedded in networking and configuration APIs rather than in the obviously administrative IAM actions that reviewers traditionally scrutinize. By exposing granular controls over firewalls, DNS resolvers, and VPC encryption, Amazon is giving customers finer‑grained management, but it is also handing threat actors new levers for evasion and lateral movement. This trend mirrors a broader industry movement in which the control plane itself becomes a high‑value target, demanding a reevaluation of defenses built around the traditional network perimeter.
Specific services illustrate the risk. Network Firewall now offers actions to create, modify, and delete proxy rule groups, which directly determine which traffic is inspected and which bypasses inspection. Route 53 Global Resolver’s bulk firewall rule APIs let administrators reshape DNS‑based filtering across entire accounts in a single call. EC2’s VPC encryption control permissions can toggle enforcement of in‑transit encryption for VPC traffic, while Clean Rooms’ collaboration change request updates can alter which parties and data sets take part in a collaboration, opening a pathway for cross‑account data exfiltration if misused. Each of these maps to MITRE ATT&CK tactics such as Defense Evasion, Lateral Movement, and Exfiltration, highlighting how seemingly innocuous configuration changes can become attack vectors. Because every one of them is a mutating API call, CloudTrail records them, so they can be watched.
To mitigate these emerging threats, organizations should adopt continuous permission discovery and automated policy enforcement. One caveat deserves emphasis: a principal whose policy already contains a wildcard such as `ec2:*` or `*` receives every newly published action automatically, so existing policies need to be re‑scanned each time AWS adds actions, not only when the policies themselves change. Tools like Sonrai’s Cloud Permissions Firewall provide real‑time mapping of privileged actions to ATT&CK techniques, enabling security teams to enforce least‑privilege principles across the cloud control plane. Coupled with rigorous change‑management workflows (for example, a service control policy that denies these actions to every principal except a designated change‑management role), regular audits, and micro‑segmentation of network resources, firms can contain the blast radius of any misused permission. In an environment where network‑level privileges are expanding monthly, proactive governance is no longer optional; it is a core component of cloud resilience.
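As an added example (the editor's own code, not from the article, from AWS, or from the vendor tool named above), the following Python scans CloudTrail-shaped records for the four permission families discussed above, tags each hit with the ATT&CK tactic the article assigns to it, flags denied attempts separately, and marks changes made through an assumed change-management role as approved rather than dropping them. The `eventSource` values are the CloudTrail sources for these services as the editor understands them; the `eventName` substrings are assumptions about how the relevant API names are spelled, not verified action identifiers; the `NetChangeMgmtRole` ARN and every sample event are constructed.

```python
"""Flag CloudTrail events that exercise the watched network/config permissions.
Added example: the editor's own code, not from the article or any vendor tool.
Assumptions: eventSource strings are the CloudTrail values for these services;
eventName substrings guess at the API naming and are not verified action
names; the change-management role and all sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class WatchRule:
    event_source: str   # CloudTrail eventSource
    name_regex: str     # searched in eventName (assumed naming)
    tactic: str         # MITRE ATT&CK tactic
    technique: str      # MITRE ATT&CK technique


WATCHLIST = [
    WatchRule("network-firewall.amazonaws.com", r"ProxyRuleGroup",
              "Defense Evasion", "T1562.007 Disable or Modify Cloud Firewall"),
    WatchRule("route53resolver.amazonaws.com", r"FirewallRule",
              "Defense Evasion", "T1562.007 Disable or Modify Cloud Firewall"),
    WatchRule("ec2.amazonaws.com", r"VpcEncryptionControl",
              "Defense Evasion", "T1562 Impair Defenses"),
    WatchRule("cleanrooms.amazonaws.com", r"CollaborationChangeRequest",
              "Exfiltration", "T1537 Transfer Data to Cloud Account"),
]

# Hypothetical change-management role. CloudTrail records assumed-role sessions
# as arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>.
APPROVED_ACTOR_RE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/NetChangeMgmtRole/")


@dataclass(frozen=True)
class Finding:
    event_id: str
    actor: str
    event_name: str
    tactic: str
    technique: str
    severity: str  # high = unapproved actor succeeded, attempt = call denied,
                   # approved = change-management role succeeded


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when the event hits a watched permission family."""
    if event.get("readOnly"):  # Describe*/List*/Get* change nothing
        return None
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    for rule in WATCHLIST:
        if source == rule.event_source and re.search(rule.name_regex, name):
            actor = event.get("userIdentity", {}).get("arn", "")
            if event.get("errorCode"):  # AccessDenied still shows intent
                severity = "attempt"
            elif APPROVED_ACTOR_RE.match(actor):
                severity = "approved"
            else:
                severity = "high"
            return Finding(event.get("eventID", ""), actor, name,
                           rule.tactic, rule.technique, severity)
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per ATT&CK tactic, for a quick triage view."""
    counts: dict = {}
    for f in findings:
        counts[f.tactic] = counts.get(f.tactic, 0) + 1
    return counts


CI = "arn:aws:sts::111122223333:assumed-role/DevDeployRole/ci"
CM = "arn:aws:sts::111122223333:assumed-role/NetChangeMgmtRole/chg-4711"

# Constructed sample records in CloudTrail's shape; not real log data.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "network-firewall.amazonaws.com",
     "eventName": "CreateProxyRuleGroup", "readOnly": False,
     "userIdentity": {"arn": CI}},
    {"eventID": "e2", "eventSource": "route53resolver.amazonaws.com",
     "eventName": "UpdateFirewallRules", "readOnly": False,
     "userIdentity": {"arn": CM}},
    {"eventID": "e3", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVpcEncryptionControl", "readOnly": False,
     "errorCode": "AccessDenied", "userIdentity": {"arn": CI}},
    {"eventID": "e4", "eventSource": "cleanrooms.amazonaws.com",
     "eventName": "UpdateCollaborationChangeRequest", "readOnly": False,
     "userIdentity": {"arn": CI}},
    {"eventID": "e5", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVpcEncryptionControls", "readOnly": True,
     "userIdentity": {"arn": CI}},
    {"eventID": "e6", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "readOnly": False,
     "userIdentity": {"arn": CI}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_name} by {f.actor}: {f.tactic} / {f.technique}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

Run stand-alone, it prints one line per finding. The design point worth keeping when adapting this to real trails is that a denied call is still a finding: a principal probing for firewall or VPC encryption permissions it does not hold is itself a signal, and an approved role's change is retained as an audit record rather than silently dropped, so the change-management trail and the detection trail can be reconciled.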