
A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data.

Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).


Microsoft.KeyVault/Vaults/keys/release/action

Secure Key Release exports key material marked exportable out of the vault/HSM boundary, wrapped with a key-encryption key (KEK) carried in an attestation token, and delivers the actual private key to the requesting environment.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.KeyVault
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog