services / Azure / Key Vault access policy
A Key Vault access policy granting a principal data-plane permissions over the vault's keys, secrets, and certificates.
Controls who can read/use all cryptographic and credential material in the vault, so it is a CRITICAL access-control asset.
Microsoft.KeyVault/Vaults/accessPolicies/write
Adds, merges, or replaces the vault's access policies through the management plane (the ARM access-policy API's add, replace, and remove operation kinds), so a principal holding only control-plane rights on the vault can grant its own identity full key, secret, and certificate permissions (escalation to the data plane) and, by replacing the policy set, strip legitimate principals' access (denial-of-access). Vaults that have the Azure RBAC permission model enabled ignore access policies, so this privilege only escalates on vaults still using the access-policy model.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
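As an added example, not part of this catalog entry or of P0 Security's tooling: a triage script that scans Azure Activity Log records for this operation and flags the two abuse patterns described above, a caller writing an access policy for its own object ID (self-grant) and a replace write that drops principals who previously held access. It also treats the `remove` operation kind as an access-removal path, which the entry above does not spell out. The records, object IDs, vault name, and baseline of legitimately authorized principals are constructed for the example; field names follow the Activity Log event schema and the REST access-policy request body, but the records are a simplified subset, not real exports.

```python
"""Triage Microsoft.KeyVault/Vaults/accessPolicies/write events from an
Azure Activity Log export (constructed sample records; see SAMPLE_EVENTS)."""
import json
from dataclasses import dataclass

ACCESS_POLICY_WRITE = "microsoft.keyvault/vaults/accesspolicies/write"
OBJECT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"


@dataclass(frozen=True)
class Finding:
    kind: str      # "self-grant" or "access-removed"
    caller: str    # caller's object ID
    vault: str
    detail: str


def _vault_and_kind(resource_id):
    """Split .../vaults/<name>/accessPolicies/<add|replace|remove>."""
    parts = [p.lower() for p in resource_id.strip("/").split("/")]
    name = parts[parts.index("vaults") + 1]
    kind = parts[-1] if parts[-2] == "accesspolicies" else "unknown"
    return name, kind


def _policies(event):
    body = json.loads(event["properties"].get("requestbody") or "{}")
    return body.get("properties", {}).get("accessPolicies", [])


def _perm_summary(policy):
    perms = policy.get("permissions", {})
    return ",".join(f"{k}:{len(v)}" for k, v in sorted(perms.items()) if v)


def analyze(events, baseline):
    """events: Activity Log records; baseline: {vault: set(objectIds)} that
    legitimately hold access. Returns a list of Findings in event order."""
    findings = []
    for ev in events:
        if ev["operationName"]["value"].lower() != ACCESS_POLICY_WRITE:
            continue
        if ev["status"]["value"] != "Succeeded":
            continue  # a denied attempt changed nothing; alert on it separately
        vault, kind = _vault_and_kind(ev["resourceId"])
        caller = ev["claims"].get(OBJECT_ID_CLAIM, "")
        policies = _policies(ev)
        ids = {p["objectId"] for p in policies}

        # Escalation: the caller writes a policy naming their own object ID.
        if kind in ("add", "replace"):
            for p in policies:
                if p["objectId"] == caller:
                    findings.append(Finding("self-grant", caller, vault,
                                            f"{kind}: {_perm_summary(p)}"))
        # Denial-of-access: replace keeps only the listed principals,
        # remove deletes the listed ones; add/merge never drops anyone.
        known = baseline.get(vault, set())
        if kind == "replace":
            removed = known - ids
        elif kind == "remove":
            removed = known & ids
        else:
            removed = set()
        if removed:
            findings.append(Finding("access-removed", caller, vault,
                                    f"{kind}: " + ",".join(sorted(removed))))
    return findings


# ---- constructed sample data (hypothetical IDs, not real tenants) ----------
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
            "/providers/Microsoft.KeyVault/vaults/kv-prod/accessPolicies/")
ATTACKER = "11111111-1111-1111-1111-111111111111"
ADMIN = "22222222-2222-2222-2222-222222222222"
APP_A = "aaaaaaaa-0000-0000-0000-000000000001"
APP_B = "aaaaaaaa-0000-0000-0000-000000000002"
BASELINE = {"kv-prod": {APP_A, APP_B}}


def _policy(oid, keys=(), secrets=(), certs=()):
    return {"tenantId": "tenant", "objectId": oid,
            "permissions": {"keys": list(keys), "secrets": list(secrets),
                            "certificates": list(certs)}}


def _event(kind, caller_oid, policies, status="Succeeded"):
    return {"operationName": {"value": "Microsoft.KeyVault/Vaults/accessPolicies/write"},
            "status": {"value": status},
            "claims": {OBJECT_ID_CLAIM: caller_oid},
            "resourceId": VAULT_ID + kind,
            "properties": {"requestbody": json.dumps(
                {"properties": {"accessPolicies": policies}})}}


ALL = ("all",)
SAMPLE_EVENTS = [
    _event("add", ATTACKER, [_policy(ATTACKER, ALL, ALL, ALL)]),      # self-grant
    _event("replace", ATTACKER, [_policy(ATTACKER, ALL, ALL, ALL)]),  # self-grant + drops APP_A/APP_B
    _event("add", ADMIN, [_policy(APP_A, secrets=("get", "list"))]),  # legitimate
    _event("add", ATTACKER, [_policy(ATTACKER, ALL, ALL, ALL)], status="Failed"),  # skipped
]


def triage_sample():
    return analyze(SAMPLE_EVENTS, BASELINE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.kind:15} caller={f.caller} vault={f.vault} {f.detail}")
```

The baseline is what makes the replace case detectable: without a record of who held access before the write, a replace that leaves only the attacker looks like any other policy update. In practice that baseline comes from a periodic `vaults/read` snapshot of each vault's accessPolicies, and the check should be skipped for vaults whose `enableRbacAuthorization` is true, since access policies have no effect there.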
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog