Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs.
A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.
Microsoft.Network/BastionHosts/createShareableLinks/action
Creating shareable links mints durable URLs, not governed by Azure RBAC, that grant browser-based RDP/SSH access to internal VMs through the Bastion; this provides both a network-movement path and a persistent backdoor access path.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog