services / Azure / ARM deployment

An Azure Resource Manager (ARM) deployment is a control-plane record of a template-based provisioning operation at resource-group, subscription, management-group, or tenant scope, capturing which resources were deployed, the template and parameters used, and the resulting outputs.

The deployment record itself is metadata/history; the dangerous capability is the write path, which submits an arbitrary template that can provision any resource type, including role assignments, managed identities, and compute, at whatever scope the deployment targets.


Microsoft.Resources/deployments/write

Creating or updating an ARM deployment executes an arbitrary template that can create role assignments (privilege escalation), attach and act as managed identities (lateral movement), rewrite the configuration of existing resources (manipulation), and provision costly compute (hijack/spend). ARM authorizes each resource in the template against the deploying principal's own permissions, so this permission is the entry point rather than a bypass: a template that creates a role assignment succeeds only if the caller also holds Microsoft.Authorization/roleAssignments/write on the target scope, and attaching a user-assigned identity requires Microsoft.ManagedIdentity/userAssignedIdentities/assign/action on that identity. In practice the principals that can run deployments (Contributor and above) usually hold most of those rights, which is why the write path is rated as it is.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
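Two checks a reviewer of this permission actually needs, as an added example that is not code from the IAM Privilege Catalog: which role definitions grant deployments/write (Azure RBAC wildcard and NotActions semantics), and which of the risky resource types named above a given template would provision, together with whether the deploying principal's role could actually carry each one out. The role definitions and the template are constructed samples; the Contributor-like and Owner-like entries mirror the shape of the built-in roles but are typed in here, not fetched from Azure.

```python
"""Offline checks for Microsoft.Resources/deployments/write (constructed samples)."""
import re

DEPLOY_WRITE = "Microsoft.Resources/deployments/write"

# Constructed role definitions in Actions / NotActions form.
ROLES = {
    "Contributor-like": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Owner-like": {"actions": ["*"], "notActions": []},
    "Reader-like": {"actions": ["*/read"], "notActions": []},
    "Deployer-custom": {"actions": ["Microsoft.Resources/deployments/*"], "notActions": []},
}

# Template resource types mapped to the capability this page names and to the
# control-plane operation the deploying principal must itself hold for it.
RISKY_TYPES = {
    "microsoft.authorization/roleassignments":
        ("Microsoft.Authorization/roleAssignments/write",
         "creates a role assignment (privilege escalation)"),
    "microsoft.resources/deployments":
        ("Microsoft.Resources/deployments/write",
         "nested deployment, possibly targeting another scope"),
    "microsoft.compute/virtualmachines":
        ("Microsoft.Compute/virtualMachines/write",
         "provisions compute (spend, code execution)"),
}
IDENTITY_ASSIGN = ("Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                   "attaches a user-assigned managed identity (lateral movement)")


def _matches(pattern, operation):
    # RBAC operation matching: case-insensitive, '*' spans any characters including '/'.
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, operation.lower()) is not None


def role_allows(role, operation):
    """True if an Actions entry matches and no NotActions entry subtracts the operation."""
    allowed = any(_matches(p, operation) for p in role["actions"])
    denied = any(_matches(p, operation) for p in role.get("notActions", []))
    return allowed and not denied


def _walk(resources):
    # Nested templates keep their own resources under properties.template.resources.
    for r in resources:
        yield r
        yield from _walk(r.get("properties", {}).get("template", {}).get("resources", []))


def scan_template(template):
    """Return (type, name, required operation, reason) for each risky resource."""
    findings = []
    for r in _walk(template.get("resources", [])):
        rtype, name = r.get("type", ""), r.get("name", "")
        if rtype.lower() in RISKY_TYPES:
            findings.append((rtype, name) + RISKY_TYPES[rtype.lower()])
        if "userassigned" in str((r.get("identity") or {}).get("type", "")).lower():
            findings.append((rtype, name) + IDENTITY_ASSIGN)
    return findings


def assess(role, template):
    """Can a principal holding `role` submit the deployment, and which findings could it execute?
    deployments/write alone is not enough: ARM evaluates every resource against the caller."""
    if not role_allows(role, DEPLOY_WRITE):
        return {"can_deploy": False, "findings": []}
    return {"can_deploy": True,
            "findings": [(f[0], f[3], role_allows(role, f[2])) for f in scan_template(template)]}


# Constructed template: a role assignment, a VM carrying a user-assigned identity,
# and a nested deployment that provisions a storage account.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01",
         "name": "[guid(resourceGroup().id, 'ra')]",
         "properties": {"roleDefinitionId": "[parameters('roleDefinitionId')]",
                        "principalId": "[parameters('principalId')]"}},
        {"type": "Microsoft.Compute/virtualMachines", "apiVersion": "2023-03-01",
         "name": "vm-miner", "location": "[resourceGroup().location]",
         "identity": {"type": "UserAssigned",
                      "userAssignedIdentities": {"[parameters('identityId')]": {}}},
         "properties": {}},
        {"type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01",
         "name": "nested", "properties": {"mode": "Incremental", "template": {"resources": [
             {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
              "name": "stexfil", "properties": {}}]}}},
    ],
}

if __name__ == "__main__":
    for role_name, role in ROLES.items():
        print(role_name, assess(role, SAMPLE_TEMPLATE))
```

Run against the sample, the Contributor-like role can submit the deployment and provision the VM, attach the identity and run the nested deployment, but its NotActions block the role assignment; the Owner-like role passes everything; the Reader-like role cannot deploy at all; the custom Deployer role can deploy but only the nested deployment itself would succeed. That difference is the check to run before deciding whether granting deployments/write to a principal is, for that principal, a privilege-escalation path or only a provisioning one.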

Links

  • https://azure.permissions.cloud/iam/Microsoft.Resources
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog