services / Azure / Cosmos DB database account
An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store.
Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.
Microsoft.DocumentDB/databaseAccounts/joinPerimeter/action
Joins the account to a Network Security Perimeter, changing which network trust boundary governs access to the resource. Joining it to a perimeter with looser member/inbound rules can widen the set of networks able to reach the account.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security