services / Azure / API connection access-control lists (legacy connector connection ACLs)

Connection ACLs are access-control list entries on API connections under legacy API Management accounts (managed-connector API connections). They govern which principals and resources may use a connection. The connection itself typically holds the backing credentials (tokens or keys) for the connected backend.

Sensitivity is that of the authorization gate for a single integration: because the connection may broker credentialed access to a backend, whoever controls the ACL controls who can act against that backend through it.

Microsoft.Web/apimanagementaccounts/apis/connections/connectionacls/write

Creating or updating the connection ACL lets an attacker grant a principal they control the right to use the credentialed connection (an access-control grant) and to tamper with who may invoke it.

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploitation can incur operational cost.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Web
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog