services / Azure / Backup Instance
A backup instance in an Azure Backup vault (the Microsoft.DataProtection resource provider) is the protection configuration that ties one data source (e.g. a managed disk, a database, a blob storage account) to a backup policy; the policy governs which recovery points are created and how long they are retained.
Operations on backup instances are Azure Resource Manager control-plane (management) operations, so they are governed by Azure RBAC role assignments on the vault (or a parent scope) and recorded in the Azure Activity Log. A backup instance is the recoverability control for a single protected workload: its recovery points are what allow recovery after data destruction or ransomware, which is why the ability to read them out or tamper with them matters.
Microsoft.DataProtection/backupVaults/backupInstances/restore/action
Triggers a restore of a backup instance. The restore job writes the contents of a recovery point, which may include sensitive production data, to a target (resource group, disk, database or storage account) named in the restore request. A principal holding this action can therefore direct backed-up data into a location they control and read it from there, or restore over a live target to overwrite or manipulate it. For most workload types the restore itself is carried out by the vault's managed identity, which needs write access to the target; the scope of that identity's role assignments bounds how far the holder can reach. Restores appear in the Activity Log under this operation name, which is where to alert on restore jobs with unexpected callers, targets or timing.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
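Because this is a control-plane action, the practical check is "which role assignments let someone trigger a restore at all". Azure RBAC role definitions list Actions that may contain `*` wildcards, match case-insensitively, and have NotActions subtracted within the same role, so a role can appear to grant restore (via `Microsoft.DataProtection/backupVaults/*`) and not, or appear not to and still do (via `*`). The script below is an added example written for this entry, not code from the P0 Security page or from Microsoft; it reproduces those matching rules and runs them over constructed role definitions and role assignments shaped like the JSON `az role definition list` and `az role assignment list` emit. The role and principal names are made up for the example.

```python
"""Find which Azure RBAC roles and assignments grant the backup-instance restore action.

Added example for this entry; not P0 Security's or Microsoft's code. It applies
the Azure RBAC matching rules for control-plane actions: '*' in an Actions or
NotActions pattern matches any run of characters (including '/'), matching is
case-insensitive, and NotActions are subtracted from Actions inside the same
permission block. Role definitions and assignments below are CONSTRUCTED samples
in the shape of `az role definition list` / `az role assignment list` output;
they are not the real built-in roles.
"""
import json
import re

RESTORE_ACTION = "Microsoft.DataProtection/backupVaults/backupInstances/restore/action"
VAULT_SCOPE_MARKER = "/providers/Microsoft.DataProtection/backupVaults/"

# Constructed role definitions (not the real Azure built-in roles).
SAMPLE_ROLE_DEFINITIONS = json.loads(r"""
[
  {"roleName": "Contributor-like (constructed)",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]}]},
  {"roleName": "Backup Reader-like (constructed)",
   "permissions": [{"actions": ["Microsoft.DataProtection/*/read"],
                    "notActions": []}]},
  {"roleName": "Custom backup admin, restore denied (constructed)",
   "permissions": [{"actions": ["Microsoft.DataProtection/backupVaults/*"],
                    "notActions": ["Microsoft.DataProtection/backupVaults/backupInstances/restore/action"]}]},
  {"roleName": "Custom restore operator (constructed)",
   "permissions": [{"actions": ["Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
                                "Microsoft.DataProtection/backupVaults/backupInstances/read"],
                    "notActions": []}]}
]
""")

# Constructed role assignments; scopes are made-up subscription / vault resource IDs.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "ops-team", "roleDefinitionName": "Contributor-like (constructed)",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "restore-automation", "roleDefinitionName": "Custom restore operator (constructed)",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-backup"
              "/providers/Microsoft.DataProtection/backupVaults/bv-prod"},
    {"principalName": "auditor", "roleDefinitionName": "Backup Reader-like (constructed)",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' matches anything (including '/'), case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_grants(role_def: dict, action: str) -> bool:
    """True if any permission block allows the action and does not also list it under NotActions."""
    for perm in role_def["permissions"]:
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def roles_granting(role_defs: list, action: str = RESTORE_ACTION) -> list:
    """Names of role definitions whose effective Actions include the given action."""
    return [r["roleName"] for r in role_defs if role_grants(r, action)]


def restore_capable_assignments(assignments: list, role_defs: list) -> list:
    """(principal, role, scope, broader_than_one_vault) for every assignment that can trigger a restore.

    An assignment whose scope is not a single backup vault (e.g. a subscription or
    resource group) lets the holder restore from every vault under that scope.
    """
    by_name = {r["roleName"]: r for r in role_defs}
    found = []
    for a in assignments:
        role = by_name.get(a["roleDefinitionName"])
        if role is not None and role_grants(role, RESTORE_ACTION):
            broad = VAULT_SCOPE_MARKER not in a["scope"]
            found.append((a["principalName"], a["roleDefinitionName"], a["scope"], broad))
    return found


if __name__ == "__main__":
    print("Roles granting restore:", roles_granting(SAMPLE_ROLE_DEFINITIONS))
    for principal, role, scope, broad in restore_capable_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_DEFINITIONS):
        print(f"{principal}: {role} at {scope}{'  [broader than one vault]' if broad else ''}")
```

Against real data, replace the two constructed lists with the parsed output of `az role definition list` and `az role assignment list --all`; the `broad` flag is the review queue, since a restore-capable principal at subscription scope can pull recovery points from every vault in the subscription, whereas a vault-scoped assignment is limited to that vault's instances.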
Links
Contributed by P0 Security