services / Azure / Key Vault certificate

An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication.

Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.


Microsoft.KeyVault/Vaults/certificates/import/action

Imports an externally created certificate (PFX or PEM) whose private key the attacker already holds, letting them plant a certificate of their own choosing that an application or TLS endpoint will trust, enabling impersonation.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.KeyVault
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog