Azure Backup recovery points
Recovery points are point-in-time backup snapshots of protected items (VMs, databases, file shares) stored within a Recovery Services vault.
Recovery points hold full copies of production organizational data; access to them is equivalent to access to the source data.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action
Returns an access token for cross-region restore, disclosing credential material that grants the holder access to the backed-up data copy in the secondary region.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog