Oct Recap: New AWS Privileged Permissions and Services
2025-11-4 08:49:13 Author: securityboulevard.com (view original)

As October 2025 closes, Sonrai’s latest analysis of new AWS permissions reveals a continued trend: incremental privilege changes with outsized impact. This month’s additions span OpenSearch Ingestion, Aurora DSQL, QuickSight, Parallel Computing Service, ARC Region Switch, and RTB Fabric, touching critical areas of data analytics, compute orchestration, and real-time traffic systems.

These updates introduce capabilities to create new data ingress points, modify or remove logging pipelines, alter enforcement and auditing mechanisms, and even reroute or suppress alerting paths. Collectively, they highlight how cloud privilege expansion often hides in plain sight—each new API action quietly shifting control boundaries and enabling new ways to disrupt monitoring, escalate access, or manipulate data flows.


Existing Services with New Privileged Permissions

Amazon OpenSearch Ingestion

Service Type: Data and Analytics

Permission: osis:CreatePipelineEndpoint

  • Action: Grants permission to create an OpenSearch Ingestion pipeline endpoint
  • Mitre Tactic: Collection
  • Why it’s privileged: Allows creation of a network endpoint that can exfiltrate data from a private VPC to an OpenSearch ingestion pipeline, enabling potential unauthorized data collection or transfer.

Permission: osis:PutResourcePolicy

  • Action: Grants permission to put a resource policy for an OpenSearch Ingestion resource
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows an attacker to alter cross-account OpenSearch access, enabling them to disrupt centralized logging.

Permission: osis:DeleteResourcePolicy

  • Action: Grants permission to delete a resource policy for an OpenSearch Ingestion resource 
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows deletion of policies that enable cross-account logging, effectively disabling centralized monitoring.

AWS Parallel Computing Service

Service Type: Compute Services

Permission: pcs:UpdateCluster

  • Action: Grants permission to update cluster properties
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Changing accounting or retention settings can disable usage controls and delete audit trails, hiding malicious activity. Additionally, Slurm settings implementing fine-grained access controls to cluster resources can be modified, enabling privilege escalation. 

Amazon Aurora DSQL

Service Type: Database Services

Permission: dsql:PutClusterPolicy

  • Action: Grants permission to attach or update the inline resource-based policy attached to a cluster
  • Mitre Tactic: Privilege Escalation
  • Why it’s privileged: Lets an actor grant themselves or others cluster admin/connect rights or remove protections (e.g., public-access blocks), enabling escalation and lateral access.

Permission: dsql:DeleteClusterPolicy

  • Action: Grants permission to remove the inline resource-based policy attached to a cluster
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Removing a cluster’s resource policy can disable enforced security controls (like public-access blocks), exposing the cluster and allowing attackers to evade protections and detection.

Amazon QuickSight

Service Type: Data and Analytics

Permission: quicksight:DeleteActionConnector

  • Action: Grants permission to delete an action connector
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Removing connectors (e.g., PagerDuty alerts) can silence or disrupt alerting and reduce visibility into incidents, enabling attackers to evade detection.

Permission: quicksight:CreateActionConnector

  • Action: Grants permission to create an action connector
  • Mitre Tactic: Collection
  • Why it’s privileged: Lets an attacker add connectors that route actions or data to attacker-controlled endpoints, enabling data exfiltration or interception and misrouting automated workflows.

Permission: quicksight:UpdateActionConnector

  • Action: Grants permission to update an action connector
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Lets an actor corrupt or disable connectors (by altering auth or settings), breaking alerting or integrations to hide activity.

New Services with Privileged Permissions

Amazon ARC Region Switch

Service Type: Infrastructure Management

Permission: arc-region-switch:CreatePlan

  • Action: Grants permission to create a plan
  • Mitre Tactic: Execution
  • Why it’s privileged: Allows creation of executable plans that can trigger actions like Lambda invocations through assigned roles.

Permission: arc-region-switch:DeletePlan

  • Action: Grants permission to delete a plan
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows deletion of automated response plans, potentially disabling critical remediation actions.

Permission: arc-region-switch:UpdatePlan

  • Action: Grants permission to update a plan
  • Mitre Tactic: Execution
  • Why it’s privileged: Allows modification of executable plans to run attacker-controlled actions through assigned roles.

AWS RTB Fabric

Service Type: Networking and Content Delivery

Permission: rtbfabric:AcceptLink

  • Action: Grants permission to accept a link invitation from another Gateway
  • Mitre Tactic: Impact
  • Why it’s privileged: Accepting malicious or bot gateways can expose the system to spam or fraudulent bid traffic, degrading process integrity and performance.

Permission: rtbfabric:UpdateLink

  • Action: Grants permission to update configuration settings for an existing link
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Can change log sampling (e.g., set to 0%) to remove or reduce audit logs, enabling attackers to evade detection.

Permission: rtbfabric:UpdateLinkModuleFlow

  • Action: Grants permission to update a link module flow
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows altering bidding logic and flow parameters, which can disrupt service behavior, manipulate transactions, or degrade system performance.

Permission: rtbfabric:UpdateResponderGateway

  • Action: Grants permission to update a responder gateway
  • Mitre Tactic: Impact
  • Why it’s privileged: Allows changes to domains, ports, and load-balancing settings, which can disrupt bid traffic flow or degrade system availability.

AWS User Experience Customization

Service Type: Support and Service Management

No privileged permissions identified

AWS Billing and Cost Management Recommended Actions

Service Type: Subscription Management

No privileged permissions identified

AWS Action Recommendations

Service Type: Infrastructure Management

No privileged permissions identified
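Turning the catalogue above into a detection: an added example (not Sonrai's or AWS's code) that scans CloudTrail management events for the sixteen actions listed in this post and tags each hit with the tactic the post assigns. It assumes CloudTrail's `eventSource` follows the `<prefix>.amazonaws.com` convention for the newer services named here, and the sample records are constructed.

```python
# Added example: flag CloudTrail records that exercise the permissions
# catalogued in this post and map each hit to the post's MITRE tactic.

# MITRE tactic -> IAM actions, exactly as listed above, inverted into an
# action -> tactic lookup.
TACTIC_BY_ACTION = {a: t for t, acts in {
    "Collection": ["osis:CreatePipelineEndpoint", "quicksight:CreateActionConnector"],
    "Impact": ["osis:PutResourcePolicy", "osis:DeleteResourcePolicy",
               "arc-region-switch:DeletePlan", "rtbfabric:AcceptLink",
               "rtbfabric:UpdateLinkModuleFlow", "rtbfabric:UpdateResponderGateway"],
    "Privilege Escalation": ["pcs:UpdateCluster", "dsql:PutClusterPolicy"],
    "Defense Evasion": ["dsql:DeleteClusterPolicy", "quicksight:DeleteActionConnector",
                        "quicksight:UpdateActionConnector", "rtbfabric:UpdateLink"],
    "Execution": ["arc-region-switch:CreatePlan", "arc-region-switch:UpdatePlan"],
}.items() for a in acts}


def iam_action(record):
    """Rebuild '<prefix>:<Action>' from a CloudTrail record. Assumes the
    usual '<prefix>.amazonaws.com' eventSource convention; that is an
    assumption for the newest services named in the post."""
    prefix = record["eventSource"].split(".amazonaws.com", 1)[0]
    return f"{prefix}:{record['eventName']}"


def find_privileged_calls(records):
    """One finding per record whose action is in the catalogue. Denied
    attempts are kept and flagged succeeded=False: a principal probing
    these actions is itself worth a look."""
    findings = []
    for rec in records:
        action = iam_action(rec)
        tactic = TACTIC_BY_ACTION.get(action)
        if tactic is None:
            continue
        findings.append({
            "action": action, "tactic": tactic,
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "succeeded": "errorCode" not in rec,
        })
    return findings


# Constructed sample records, not real CloudTrail data.
SAMPLE_RECORDS = [
    {"eventSource": "osis.amazonaws.com", "eventName": "DeleteResourcePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}},
    {"eventSource": "rtbfabric.amazonaws.com", "eventName": "UpdateLink",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
]
```

Run `find_privileged_calls` over a CloudTrail `Records` array; the catalogue is the only part that needs updating when next month's recap lands.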

Conclusion

As AWS broadens functionality across data, compute, and networking services, the emergence of new privileged permissions continues to redefine security perimeters. From disabling centralized logging in OpenSearch to manipulating Aurora DSQL cluster policies or corrupting QuickSight integrations, these permissions underscore how operational changes can quickly translate into security exposure.

Sonrai Security’s Cloud Permissions Firewall helps organizations stay ahead of this constant evolution—identifying new privileged permissions as they appear, mapping them to MITRE ATT&CK tactics, and enforcing least privilege before attackers can exploit new paths. In the dynamic landscape of cloud privilege sprawl, continuous visibility isn’t optional, it’s essential.


*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Adeel Nazar. Read the original post at: https://sonraisecurity.com/blog/oct-25-recap-new-aws-privileged-permissions-and-services/


Source: https://securityboulevard.com/2025/11/oct-recap-new-aws-privileged-permissions-and-services/