services / Azure / Azure deployment stacks

Deployment Stacks are Azure resources that manage a collection of resources deployed from a template as a single governed unit, with denySettings that apply deny-assignment-like protections to the managed resources.

A stack can span an entire resource group, subscription, or management group, can deploy role assignments and managed identities, and can enforce locks on its managed resources, making it a high-leverage control-plane asset.


Microsoft.Resources/deploymentStacks/write

Creates or updates a deployment stack, deploying arbitrary ARM resources at stack scope: it can provision/run costly compute (hijack, spend), assign and run as managed identities (lateral movement), create role assignments (privilege escalation), broadly alter infrastructure config (manipulation), and apply denySettings that lock other principals out of managed resources (denial-of-access).

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
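Because Azure RBAC grants actions through wildcards (`*`, `Microsoft.Resources/*`, `*/write`) and then subtracts NotActions, it is not obvious from a role name alone who effectively holds `Microsoft.Resources/deploymentStacks/write`. The following audit helper is an added example, not code from P0 Security or the IAM Privilege Catalog: it applies Azure's Actions-minus-NotActions evaluation with glob matching to a set of role definitions and role assignments. The role definitions and assignments below are constructed, simplified samples (the real Contributor NotActions list is longer), and the `<sub-id>` scope value is a placeholder.

```python
"""Audit which RBAC roles and principals effectively hold deploymentStacks/write.

Added example (not the catalog's own code). Assumes Azure's documented evaluation
order: an action is granted if some Actions entry matches it and no NotActions entry
matches it. Azure '*' wildcards match any characters including '/', which is exactly
fnmatch's '*' behaviour, and action strings compare case-insensitively.
"""
import fnmatch

TARGET = "Microsoft.Resources/deploymentStacks/write"

# Constructed, simplified role definitions for the demonstration.
SAMPLE_ROLES = [
    {"roleName": "Owner", "actions": ["*"], "notActions": []},
    {"roleName": "Contributor", "actions": ["*"],
     "notActions": ["Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/elevateAccess/Action"]},
    {"roleName": "Reader", "actions": ["*/read"], "notActions": []},
    # Custom role that only covers classic deployments, not deployment stacks.
    {"roleName": "Deployment Operator",
     "actions": ["Microsoft.Resources/deployments/*"], "notActions": []},
    # Custom role that grants Microsoft.Resources broadly but explicitly carves out stacks.
    {"roleName": "Stack-Excluded Resources Admin",
     "actions": ["Microsoft.Resources/*"],
     "notActions": ["Microsoft.Resources/deploymentStacks/*"]},
    # Custom role whose broad '*/write' quietly includes deployment stacks.
    {"roleName": "Resource Writer", "actions": ["*/write"], "notActions": []},
]

# Constructed role assignments; '<sub-id>' is a placeholder, not a real subscription.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "svc-ci", "roleName": "Contributor",
     "scope": "/subscriptions/<sub-id>/resourceGroups/prod"},
    {"principalName": "alice", "roleName": "Reader",
     "scope": "/subscriptions/<sub-id>"},
    {"principalName": "deploy-bot", "roleName": "Resource Writer",
     "scope": "/subscriptions/<sub-id>"},
]


def action_matches(pattern, action):
    """Case-insensitive glob match of one Actions/NotActions entry against an action."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants(role, action=TARGET):
    """True if the role's Actions cover `action` and no NotActions entry revokes it."""
    allowed = any(action_matches(p, action) for p in role.get("actions", []))
    denied = any(action_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def find_granting_roles(roles, action=TARGET):
    """Sorted names of the roles that effectively grant `action`."""
    return sorted(r["roleName"] for r in roles if role_grants(r, action))


def principals_with_action(assignments, roles, action=TARGET):
    """(principal, role, scope) triples whose assignment effectively grants `action`.

    Assignments referencing an unknown role are skipped rather than guessed at.
    """
    by_name = {r["roleName"]: r for r in roles}
    hits = []
    for a in assignments:
        role = by_name.get(a["roleName"])
        if role is not None and role_grants(role, action):
            hits.append((a["principalName"], a["roleName"], a["scope"]))
    return hits


if __name__ == "__main__":
    print("Roles granting", TARGET, "->", find_granting_roles(SAMPLE_ROLES))
    for principal, role, scope in principals_with_action(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES):
        print(f"{principal} holds {TARGET} via {role} at {scope}")
```

In practice the role definitions and assignments would come from `az role definition list` and `az role assignment list` output rather than the inline samples; the matching logic is unchanged. The two custom roles illustrate the cases worth checking: a narrow `Microsoft.Resources/deployments/*` role does not reach deployment stacks, while a generic `*/write` role does.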

Links

  • https://azure.permissions.cloud/iam/Microsoft.Resources
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog