Azure Automation DSC agent registration information

DSC agent registration information for an Azure Automation account contains the registration endpoint URL and the primary/secondary registration keys that machines use to enroll as DSC pull-mode managed nodes.

The registration keys are credential material: holding them lets an attacker onboard arbitrary (rogue) nodes and pull or push desired-state configurations to managed machines, so this resource is treated as CRITICAL.

Microsoft.Automation/automationAccounts/agentRegistrationInformation/read

A GET on this resource returns the registration endpoint and the primary/secondary registration keys (credentials), exporting secret material that lets an attacker register nodes and pivot onto managed machines.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Automation
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog