
An Azure Automation account is the top-level container for runbooks, schedules, assets (variables, credentials, certificates), DSC/hybrid-worker registration, and an optional managed/Run As identity used to execute automation across the subscription.

The account's managed/Run As identity often holds broad subscription roles, and the account holds runbook code and secret assets, making it a high-value automation control point.


Microsoft.​Automation/​automationAccounts/​listKeys/​action

Returns the account's primary and secondary registration keys, the credential material used to enroll DSC nodes and hybrid runbook workers. With these keys an attacker can register a rogue hybrid worker and execute runbook jobs under the account's identity, so the permission amounts to exfiltration of credential material that enables lateral movement.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Automation
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog