Deployment Stacks are Azure resources that manage a collection of resources deployed from a template as a single governed unit, with denySettings that apply deny-assignment-like protections to the managed resources.
A stack can span an entire resource group, subscription, or management group, can deploy role assignments and managed identities, and can enforce locks on its managed resources, making it a high-leverage control-plane asset.
Microsoft.Resources/deploymentStacks/delete
Deletes a deployment stack and, depending on delete mode, can cascade-delete all of its managed resources, destroying infrastructure and disrupting the services it hosts.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security