services / Azure / ARM deployment (resource group)

A resource-group-scoped Azure Resource Manager (ARM) deployment is the control-plane record of a template-based provisioning operation within a resource group, capturing which resources were deployed and their configuration.

The deployment record itself is metadata/history (it does retain the submitted template, outputs, and every parameter value not declared as secureString/secureObject, so read access to it can expose secrets passed in the clear); the dangerous capability is the write path, which executes a template that can provision any resource type the caller is otherwise permitted to create, including role assignments, managed identities, and compute.


Microsoft.Resources/subscriptions/resourceGroups/deployments/write

Creating/updating a resource-group deployment executes the submitted template. A template can create role assignments (privilege escalation), attach or act as managed identities (lateral movement), rewrite existing resource configuration (manipulation), provision costly compute (hijack/spend), and call list* template functions such as listKeys() to move secrets into deployment outputs. ARM authorizes every resource in the template, and every list* call, against the caller's own RBAC permissions, so this permission is the execution path rather than a bypass; it rates critical because the roles that grant it (Contributor, Owner, and most built-in "<service> Contributor" roles) also grant the broad resource writes a template needs, and because one write turns those scattered permissions into a single, scriptable operation.
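As an added example (not part of this catalog entry and not P0 Security's or Microsoft's code), the Python below builds the kind of template that turns this permission into a role grant, prints the Azure CLI call that exercises the write path, and runs a static audit over templates of the sort you can pull from deployment history. The principal ID, resource-group name and storage-account name are constructed placeholders; the Owner role GUID is the documented built-in value.

```python
"""Added example (not P0 Security's or Microsoft's code): what an escalating
resource-group deployment looks like, and a static audit for templates pulled
from deployment history. IDs and names below are constructed placeholders."""
import json
import re

ATTACKER_PRINCIPAL_ID = "11111111-2222-3333-4444-555555555555"  # constructed
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Owner role definition ID


def escalation_template(principal_id: str, role_definition_id: str) -> dict:
    """Template granting a role on the target group. ARM authorizes each resource
    against the caller, so deploying it also needs roleAssignments/write."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2022-04-01",
            # Role assignment names must be GUIDs; guid() derives a stable one.
            "name": f"[guid(resourceGroup().id, '{principal_id}')]",
            "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/"
                                    f"roleDefinitions', '{role_definition_id}')]",
                "principalId": principal_id,
                "principalType": "ServicePrincipal",
            },
        }],
    }


def az_deploy_command(resource_group: str, template_file: str) -> str:
    """Azure CLI call that exercises deployments/write on a resource group."""
    return f"az deployment group create --resource-group {resource_group} --template-file {template_file}"


# Resource types whose presence in a deployment deserves review.
HIGH_RISK_TYPES = {
    "microsoft.authorization/roleassignments": "role assignment (privilege escalation)",
    "microsoft.authorization/roledefinitions": "custom role definition",
    "microsoft.managedidentity/userassignedidentities": "new managed identity",
    "microsoft.resources/deployments": "nested deployment",
}
# Template functions that return secrets: listKeys(), listSecrets(), listCredentials(), ...
LIST_SECRET_CALL = re.compile(r"\blist[A-Za-z]*\s*\(", re.IGNORECASE)


def audit_template(template: dict) -> list:
    """Return findings for an ARM template (live or saved in deployment history)."""
    findings = []

    def walk(resources, path):
        for i, res in enumerate(resources):
            here, rtype = f"{path}[{i}]", res.get("type", "")
            if rtype.lower() in HIGH_RISK_TYPES:
                findings.append(f"{here}: {rtype}: {HIGH_RISK_TYPES[rtype.lower()]}")
            identity = res.get("identity")
            if isinstance(identity, dict):  # the resource will act as this identity
                findings.append(f"{here}: {rtype} runs as {identity.get('type')} identity")
            nested = res.get("properties", {}).get("template")
            if isinstance(nested, dict):  # nested templates are authorized the same way
                walk(nested.get("resources", []), f"{here}.properties.template.resources")

    walk(template.get("resources", []), "resources")
    # list*() anywhere, outputs included, can move key material into deployment outputs.
    for m in LIST_SECRET_CALL.finditer(json.dumps(template)):
        findings.append(f"template calls {m.group(0).rstrip('( ')}(): secret may leave via outputs")
    return findings


# Constructed sample: an innocuous storage deployment whose outputs leak the account key.
LEAKY_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
        "name": "exampleacct", "location": "[resourceGroup().location]",
        "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
    }],
    "outputs": {"key": {
        "type": "string",
        "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'exampleacct'), "
                 "'2023-01-01').keys[0].value]",
    }},
}

if __name__ == "__main__":
    print(az_deploy_command("victim-rg", "escalate.json"))
    for finding in audit_template(escalation_template(ATTACKER_PRINCIPAL_ID, OWNER_ROLE_ID)):
        print("escalation template:", finding)
    for finding in audit_template(LEAKY_TEMPLATE):
        print("leaky template:", finding)
```

Run the audit against templates exported from deployment history (`az deployment group export`) or against whatever a pipeline is about to deploy: it flags role assignments, custom roles, identity-bearing resources, nested deployments and list*() calls, which between them cover the escalation, lateral-movement and secret-egress paths described above. The escalation template is deliberately minimal so the shape of the abuse is visible; a real one would usually hide the role assignment among ordinary resources.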

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Resources
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog