services / Azure / Kubernetes user impersonation (AKS)

The Kubernetes user-impersonation capability on an AKS managed cluster, allowing the API caller to issue requests as an arbitrary cluster user identity.

Impersonation lets the holder act as any other identity (including cluster-admins), inheriting that identity's full RBAC privileges — equivalent to broad cluster takeover.


Microsoft.​ContainerService/​managedClusters/​users/​impersonate/​action

Impersonating a user lets the attacker act as any other cluster identity, acquiring that identity's privileges for both lateral movement and privilege escalation up to cluster-admin.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​ContainerService
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog