When an admin is identified that can be assumed by an a service, such as EC2, this is now it's own finding (High severity).
Similarly, if a principal can list the S3 buckets in the account and exfil data from them, and this is an EC2, this is now it's own finding (High severity). This could create high severity alerts more often than I think it should.
It is checking for s3:ListAllMyBuckets
and s3:GetObject
. Please let me know if it does flag things you have legit reasons for and what the situation is where this is ok.
There is also now an ability to filter findings by severity, so if you only wanted to send High severity alerts to Slack, but still have your nightly auditor generate a report with any Medium, Low, or Info level alerts, you can do that now.