services / Azure / Backup Vault cross-region restore (Backup Jobs)
Location-scoped cross-region restore operations on a Backup Vault, used to enumerate recovery points and trigger/validate/track restores of protected backup data from the paired secondary region.
Backup data can include full copies of production databases, VMs, and files; the ability to enumerate and restore it from the secondary region is effectively access to the organization's recoverable data.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/Locations/crossRegionRestore/action
Triggers an actual cross-region restore of a backup instance. A holder can re-materialize backed-up (potentially production) data into a restore target they can reach (exfiltration), overwrite or alter live data by restoring onto an existing location (manipulation), and provision costly restore resources (spend).
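The practical check for this privilege is not only "who has the action listed verbatim" but "which role definitions grant it at all", because Azure RBAC resolves wildcards: a custom role with `Microsoft.DataProtection/*` or a Contributor-style `*` grants crossRegionRestore without naming it. The script below is an added example, not P0 Security's or Microsoft's code. It applies the Azure RBAC matching rules (case-insensitive comparison, `*` matching any run of characters including `/`, NotActions subtracted from Actions) to role definitions in the JSON shape that `az role definition list` returns (`roleName`, `permissions[].actions`, `permissions[].notActions`). The role definitions it runs over are constructed sample data, and the role names in them are invented for illustration.

```python
"""Find Azure role definitions that effectively grant the crossRegionRestore action.

Added example (not from the page or its contributor). Input is a list of role
definitions shaped like `az role definition list` output; the SAMPLE_ROLES below
are constructed for illustration and are not real built-in roles.
"""
import re

# The control-plane action this page documents.
CROSS_REGION_RESTORE = (
    "Microsoft.DataProtection/subscriptions/resourceGroups/providers/"
    "Locations/crossRegionRestore/action"
)


def _pattern_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: '*' matches any characters (including '/'),
    the comparison is case-insensitive, and the whole string must match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def grants_action(role: dict, action: str) -> bool:
    """True if the role's effective Actions include `action`.

    Effective = (union of Actions) minus (union of NotActions). Role definitions
    normally carry a single permissions entry; entries are flattened here.
    DataActions are ignored because crossRegionRestore is a control-plane action.
    """
    actions = [a for p in role.get("permissions", []) for a in p.get("actions", [])]
    not_actions = [a for p in role.get("permissions", []) for a in p.get("notActions", [])]
    allowed = any(_pattern_matches(p, action) for p in actions)
    denied = any(_pattern_matches(p, action) for p in not_actions)
    return allowed and not denied


# Constructed sample role definitions (names are invented, not Azure built-ins).
SAMPLE_ROLES = [
    {   # explicit grant of the exact action
        "roleName": "CRR Operator (constructed)",
        "permissions": [{"actions": [CROSS_REGION_RESTORE], "notActions": []}],
    },
    {   # grants it implicitly through a provider-wide wildcard
        "roleName": "DataProtection Admin (constructed)",
        "permissions": [{"actions": ["Microsoft.DataProtection/*"],
                         "notActions": ["Microsoft.DataProtection/backupVaults/delete"]}],
    },
    {   # Contributor-style '*' grant; these NotActions do not carve this action out
        "roleName": "Broad Contributor (constructed)",
        "permissions": [{"actions": ["*"],
                         "notActions": ["Microsoft.Authorization/*/Delete",
                                        "Microsoft.Authorization/*/Write"]}],
    },
    {   # read-only role: the '/read' suffix never matches an '/action'
        "roleName": "Backup Reader (constructed)",
        "permissions": [{"actions": ["Microsoft.DataProtection/*/read"], "notActions": []}],
    },
    {   # wildcard grant explicitly carved out by a NotActions entry
        "roleName": "DataProtection Admin minus CRR (constructed)",
        "permissions": [{"actions": ["Microsoft.DataProtection/*"],
                         "notActions": ["*/crossRegionRestore/action"]}],
    },
]


def roles_granting(roles, action=CROSS_REGION_RESTORE):
    """Names of the roles whose effective permissions include `action`."""
    return [r["roleName"] for r in roles if grants_action(r, action)]


if __name__ == "__main__":
    for name in roles_granting(SAMPLE_ROLES):
        print("grants crossRegionRestore:", name)
```

To run this against a real tenant, pipe `az role definition list` output into `roles_granting` and then resolve which principals hold each flagged role with `az role assignment list`; the role definition tells you the capability, the assignments tell you the blast radius.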
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security