Azure ARM deployment (resource group)
A resource-group-scoped Azure Resource Manager (ARM) deployment is the control-plane record of a template-based provisioning operation within a resource group, capturing which resources were deployed and their configuration.
The deployment record itself is only metadata and history; the dangerous capability is the write path, which executes an arbitrary template that can provision any resource type, including role assignments, managed identities, and compute.
Microsoft.Resources/subscriptions/resourceGroups/deployments/write
Creating or updating a resource-group deployment executes an arbitrary template that can create role assignments (privilege escalation), assign or act as managed identities (lateral movement), rewrite resource configuration (manipulation), and provision costly compute (resource hijacking and spend).
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data across a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security