services / Azure / Kubernetes ServiceAccounts (AKS data plane)
Kubernetes ServiceAccount objects within an AKS managed cluster, representing the in-cluster identities that workloads authenticate as and that are bound to RBAC roles.
These objects are identities themselves: manipulating or impersonating them is high impact, but plain enumeration of the objects is low-sensitivity.
Microsoft.ContainerService/managedClusters/serviceaccounts/delete
Deleting ServiceAccounts removes the in-cluster identities that workloads authenticate with, destroying those accounts and breaking the controllers and workloads that depend on them.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog