March Recap: New AWS Privileged Permissions and Services

As March 2026 comes to a close, the newest AWS permissions reflect expansion across three distinct domains: customer engagement, AI-driven DevOps automation, and core database infrastructure. The volume is modest, but the risk profile is not.

The central theme for March is “Silent Degradation.” Each of these permissions shares a common characteristic: the damage they enable is operational rather than immediately visible. Alerts stop firing. Pipelines run toward the wrong objectives. Data replicates continuously into attacker-controlled tables. None of these actions announce themselves. Security teams relying on reactive detection will miss them. The only effective control is restricting who holds these permissions in the first place.

Existing Services with New Privileged Permissions

Amazon Connect

Service Type: Customer Engagement

Permission: connect:DeleteNotification

  • Action: Grants permission to delete a notification in an Amazon Connect Instance
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Silently removes contact center alert configurations without triggering errors or log entries. Queue anomalies, off-hours activity, and threshold breaches stop firing. Detection is degraded with no visible indication of tampering.

AWS DevOps Agent Service

Service Type: Artificial Intelligence & Machine Learning

Permission: aidevops:UpdateGoal

  • Action: Grants permission to update a goal
  • Mitre Tactic: Defense Evasion
  • Why it’s privileged: Modifies the objectives governing automated DevOps agent behavior. This can disrupt preventative actions being taken by the agent to secure the cloud.

Amazon DynamoDB

Service Type: Database Service

Permission: dynamodb:AssociateTableReplica

  • Action: Grants permission to create a multi-account global table replica
  • Mitre Tactic: Exfiltration
  • Why it’s privileged: Converts an existing table into a replica, forcing continuous data sync from a source table. An attacker can redirect sensitive data flows into a table they control. Existing data is overwritten with no new infrastructure required.

New Services with Privileged Permissions

AWS Elemental Interference

Service Type: Content Delivery and Management

No privileged permissions

Conclusion

The March updates reinforce a pattern that security teams cannot afford to ignore. Privileged permissions are not concentrated in a handful of high-profile services. They are spreading into automation pipelines, contact center infrastructure, and database replication layers, each carrying the ability to degrade detection, redirect data, or quietly alter operational behavior.

Sonrai Security’s Cloud Permissions Firewall tracks these permissions as they are released, maps them to the MITRE ATT&CK framework, and flags them before they become a breach. When the most dangerous actions in your environment are the ones that leave no immediate trace, least privilege is not a best practice, it is the only viable control.
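Since the recap's control is restricting who holds these three permissions, here is an added example (not Sonrai's code or tooling) that audits an IAM policy document for Allow statements granting them, including through wildcards such as `dynamodb:*` or `connect:Delete*`, and builds a service control policy that denies them to everyone except a break-glass role. The sample policy and the role ARN are constructed for the example.

```python
import fnmatch
import json

# Watchlist constructed from the three permissions in this recap.
PRIVILEGED_ACTIONS = (
    "connect:DeleteNotification",
    "aidevops:UpdateGoal",
    "dynamodb:AssociateTableReplica",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_privileged_grants(policy):
    """Map each watched action to the Allow patterns in `policy` that grant it.

    Patterns match the way IAM matches them (`*`/`?` wildcards, case-insensitive),
    so `dynamodb:*`, `connect:Delete*` and a bare `*` all count as grants.
    Deny statements restrict rather than grant and NotAction statements need
    manual review, so both are skipped here.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in PRIVILEGED_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    hits.setdefault(action, set()).add(pattern)
    return {action: sorted(pats) for action, pats in sorted(hits.items())}

def build_deny_scp(break_glass_role_arns):
    """SCP denying the watched actions to every principal except the given
    role ARNs (hypothetical ARNs chosen by the caller)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySilentDegradationActions",
        "Effect": "Deny",
        "Action": list(PRIVILEGED_ACTIONS),
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:PrincipalArn": list(break_glass_role_arns)}},
    }]}

# Constructed sample: a broad "developer" policy that grants two of the three via wildcards.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "connect:Delete*", "Resource": "*"},
    {"Effect": "Deny", "Action": "aidevops:UpdateGoal", "Resource": "*"},
]}
```

Run `find_privileged_grants(SAMPLE_POLICY)` against each managed and inline policy pulled from IAM; the explicit Deny on `aidevops:UpdateGoal` is correctly not reported, while the two wildcard grants are.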


*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Karen Levy. Read the original post at: https://sonraisecurity.com/blog/march-recap-new-aws-privileged-permissions-and-services-2026/


Source: https://securityboulevard.com/2026/04/march-recap-new-aws-privileged-permissions-and-services/