services / Azure / Backup Vault cross-region restore (Backup Jobs)

Location-scoped cross-region restore operations on a Backup Vault, used to enumerate recovery points and trigger/validate/track restores of protected backup data from the paired secondary region.

Backup data can include full copies of production databases, VMs, and files; the ability to enumerate and restore it from the secondary region is effectively access to the organization's recoverable data.


Microsoft.DataProtection/subscriptions/resourceGroups/providers/Locations/crossRegionRestore/action

Triggers an actual cross-region restore of a backup instance. This re-materializes backed-up (potentially production) data into a restore target the attacker can reach (exfiltration), can overwrite or alter live data when the restore targets an existing location (manipulation), and provisions costly restore resources (spend).

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.DataProtection
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog