services / Azure / Bastion Host session recording SAS URL

Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs.

A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.


Microsoft.​Network/​BastionHosts/​getsessionrecordingsasurl/​read

Returns the SAS URL (a bearer credential token) that grants direct access to the storage holding recorded RDP/SSH privileged sessions, exposing both the credential token and the sensitive session audit recordings.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​Network
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog