services / Azure / Kubernetes ServiceAccounts (AKS data plane)
Kubernetes ServiceAccount objects within an AKS managed cluster, representing the in-cluster identities that workloads authenticate as and that are bound to RBAC roles.
These objects are identities themselves: manipulating or impersonating them is high impact, but plain enumeration of the objects is low sensitivity.
Microsoft.ContainerService/managedClusters/serviceaccounts/write
Creating/updating ServiceAccounts lets an attacker mint new in-cluster identities (and configure their tokens/annotations, e.g. workload-identity bindings) for durable persistence and lateral movement, and to position identities for privileged access.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security