services / Azure / Key Vault
An Azure Key Vault is a managed secrets store holding cryptographic keys, secrets, and certificates and their access/network configuration.
Key Vaults are CRITICAL-tier assets: they centralize credentials and cryptographic material relied on across many organizational functions.
Microsoft.KeyVault/Vaults/write
Creating/updating a vault lets an attacker rewrite access policies (or switch to RBAC) to grant themselves data-plane access to keys and secrets (escalation), relax network ACLs/firewall and protection settings (defense destruction), and alter operational configuration (manipulation).
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security