Azure Key Vault keys
A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data.
Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material cannot be retrieved through ordinary read operations, so the headline risk varies sharply with the operation granted: reading key metadata, using the key as a cryptographic oracle (encrypt/decrypt/sign on demand), or exporting it.
Microsoft.KeyVault/Vaults/keys/backup/action
Produces a portable backup file of the key (including private material in encrypted, restorable form) that can be restored into another vault in the subscription, effectively moving the cryptographic asset out of its original vault boundary.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or be exploited for significant privilege escalation.
Contributed by P0 Security