April Recap: New AWS Sensitive Permissions

As April 2025 wraps up, we’re back with the latest roundup of AWS sensitive permission updates and key service developments shaping the cloud security landscape. Keeping pace with these changes is critical for protecting your environments—especially as newly introduced permissions can open pathways for risks like lateral movement, data exfiltration, and command execution. This month, we’ve flagged new sensitive permissions across services including CodeBuild, Mainframe Modernization, and S3 Tables, each with potential impacts on access control, data protection, and operational integrity. Read on for the full breakdown of what’s new and why it matters for securing your cloud environment.

Existing Services with New Sensitive Permissions

AWS CodeBuild

Service Type: Development and DevOps Tools

Permission: codebuild:StartSandboxConnection

  • Action: Grants permission to establish a connection to the sandbox
  • Mitre Tactic: Lateral Movement
  • Why it’s sensitive: Allows establishing a connection to a CodeBuild sandbox environment via SSM or direct SSH, enabling immediate access to the sandbox and potentially exposing build environments or sensitive artifacts without additional authentication barriers.

Permission: codebuild:StartCommandExecution

  • Action: Grants permission to start running a command execution
  • Mitre Tactic: Command and Control
  • Why it’s sensitive: Allows execution of arbitrary commands within a CodeBuild sandbox environment, potentially enabling data exfiltration, environment modification, or abuse of credentials and build artifacts.

AWS Mainframe Modernization

Service Type: Migration and Transfer

Permission: m2:CreateDataSetExportTask

  • Action: Grants permission to create a data set export task
  • Mitre Tactic: Exfiltration
  • Why it’s sensitive: Allows exporting mainframe datasets to an external S3 URI, potentially exposing sensitive application data or proprietary information to unauthorized access.

Amazon S3 Tables

Service Type: Storage Solutions

Permission: s3tables:PutTableBucketEncryption

  • Action: Grants permission to overwrite encryption configuration on a table bucket
  • Mitre Tactic: Impact
  • Why it’s sensitive: Allows changing the KMS key used to encrypt S3 Express One Zone table data, potentially altering who can access the data since kms:Decrypt permissions govern access to SSE-KMS encrypted tables. This could weaken data protection or expose sensitive information.
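The following Python is an added example, not code from the post or from Sonrai: it turns the four permissions listed above (with the MITRE tactic the post assigns each) into a deny-by-default service control policy with a break-glass exception, and flags CloudTrail records that invoke them. The break-glass role ARN and the CloudTrail records are constructed placeholders.

```python
import json

# The four permissions this recap flags, mapped to the MITRE tactic the post assigns each one.
SENSITIVE_ACTIONS = {
    "codebuild:StartSandboxConnection": "Lateral Movement",
    "codebuild:StartCommandExecution": "Command and Control",
    "m2:CreateDataSetExportTask": "Exfiltration",
    "s3tables:PutTableBucketEncryption": "Impact",
}

def build_deny_scp(break_glass_role_arns):
    """SCP that denies the sensitive actions for every principal except the
    listed break-glass roles (ARN wildcards allowed). Role ARNs are placeholders."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAprilSensitivePermissions",
                "Effect": "Deny",
                "Action": sorted(SENSITIVE_ACTIONS),
                "Resource": "*",
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(break_glass_role_arns)}},
            }
        ],
    }

def flag_sensitive_events(records):
    """Return (principal, action, tactic) for each CloudTrail record whose API call maps to a
    sensitive permission. The action is derived as '<service prefix>:<eventName>'."""
    findings = []
    for rec in records:
        service = rec["eventSource"].split(".")[0]          # e.g. "codebuild.amazonaws.com" -> "codebuild"
        action = f"{service}:{rec['eventName']}"
        if action in SENSITIVE_ACTIONS:
            findings.append((rec["userIdentity"]["arn"], action, SENSITIVE_ACTIONS[action]))
    return findings

# Constructed sample CloudTrail records (not real telemetry), trimmed to the fields used above.
SAMPLE_RECORDS = [
    {"eventSource": "codebuild.amazonaws.com", "eventName": "StartCommandExecution",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-role/build"}},
    {"eventSource": "codebuild.amazonaws.com", "eventName": "BatchGetBuilds",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-role/build"}},
    {"eventSource": "m2.amazonaws.com", "eventName": "CreateDataSetExportTask",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}},
]

if __name__ == "__main__":
    print(json.dumps(build_deny_scp(["arn:aws:iam::*:role/BreakGlass*"]), indent=2))
    for principal, action, tactic in flag_sensitive_events(SAMPLE_RECORDS):
        print(f"{tactic:20} {action:38} {principal}")
```

The benign BatchGetBuilds record is there to show the matcher only fires on the listed actions; extend SENSITIVE_ACTIONS as later recaps add permissions.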

Conclusion

As AWS continues to expand its capabilities, the challenge of maintaining strong cloud security grows in parallel. This month’s updates highlight how sensitive permissions—ranging from direct sandbox access in CodeBuild to encryption changes in S3 Tables—can introduce critical vulnerabilities if not carefully managed. Even specialized services like Mainframe Modernization are introducing permissions that, if overlooked, could lead to unintended data exposure or access escalation.

Sonrai Security helps teams stay ahead of these risks with our Cloud Permissions Firewall, designed to automatically detect, restrict, and monitor sensitive permissions across AWS environments. By enforcing least privilege and delivering continuous visibility into permission exposure, we empower security and governance teams to reduce risk, maintain compliance, and confidently adapt to AWS’s ever-evolving service ecosystem.

*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Adeel Nazar. Read the original post at: https://sonraisecurity.com/blog/april-recap-new-aws-sensitive-permissions-and-regions-2025/