Permission & Access
Azure PIM: How to Set Up Just-in-Time Privileged Access
BLUF: Azure PIM converts always-on privileged role assignments into time-bound activations. Users request access, complete the required checks, do the work, and lose the role when the window closes. That’s the foundation ...
Why IAM Access Analyzer Tells You About Unused Permissions But Won’t Remove Them
IAM Access Analyzer is a useful starting point for any team trying to enforce least privilege. It surfaces unused permissions, unused roles, unused access keys, and unused passwords across your AWS environment ...
Why 92% of Cloud Permissions Are Never Used, and What That Costs You
Let’s say the typical enterprise has a 5-to-10 person security team responsible for over 11,000 identities in a single AWS organization. The majority of those identities aren’t humans. Instead they’re machine identities ...
Why SCPs Beat Permission Boundaries for Org-Wide Least Privilege — And How to Enforce It Safely at Scale
The cloud moves fast. Accounts multiply, roles get spun up for every new service, and somewhere along the way, the permissions inventory balloons into the thousands. Most enterprise AWS environments are sitting ...
AWS Bedrock Agent Permissions: What You Need to Lock Down Before Go-Live
Most Bedrock agents in production are running on the same IAM role they were built with. That role is now a standing identity with access to whatever services got attached during testing, ...
How AI Agents Accumulate Permissions Over Time and the Associated Security Risks
Every AI agent deployed in AWS, GCP or Azure becomes a cloud identity the moment it goes live. It gets an IAM role. That role carries permissions, sometimes very privileged ones. And ...
Global S3: Another C2 Channel for AgentCore Code Interpreters
Introduction: Building on recent research identifying DNS-based exfiltration risks in Sandbox mode AgentCore Code Interpreters, I identified global S3 access as another Command & Control channel for sandboxed code interpreters. Unlike DNS-based ...
Dec Recap: New AWS Privileged Permissions and Services
As December 2025 comes to a close, Sonrai’s latest review of newly released AWS permissions highlights a continued expansion of cloud privilege. This month’s updates span identity, observability, AI, and managed service ...
Preventing This Week’s AWS Cryptomining Attacks: Why Detection Fails and Permissions Matter
The recent discovery of a cryptomining campaign targeting Amazon compute resources highlights a critical gap in traditional cloud defense. Attackers are bypassing perimeter defenses by leveraging compromised credentials to execute legitimate but ...
August Recap: New AWS Privileged Permissions
As August 2025 comes to a close, we’re back with the latest roundup of newly released AWS privileged permissions, and once again the scope of cloud security boundaries continues to expand. This ...