{"risks":{"collection:data":{"id":"collection:data","name":"Automated data collection","description":"Allows an attacker to collect organizational data in a central location, or in an automatic fashion over time. Organizational data include application, customer, financial and operational data.","score":"BOOST","mitigations":[],"links":["https://attack.mitre.org/techniques/T1119/","https://attack.mitre.org/techniques/T1530/"]},"escalation:lateral":{"id":"escalation:lateral","name":"Lateral movement","description":"Allows an attacker to gain access to additional components within a service, or to additional services within the system. Often occurs when an attacker can gain access to an additional identity (e.g., a service account) that has broader access.","score":"BOOST","mitigations":["Use least-privileged access","Rotate service account credentials","Prevent unencrypted service-account credential storage","Monitor suspicious account access"],"links":["https://attack.mitre.org/techniques/T1550/"]},"escalation:network":{"id":"escalation:network","name":"Network movement","description":"Allows an attacker to gain access to additional resources on the same network.","score":"BOOST","mitigations":["Use network segmentation"],"links":["https://attack.mitre.org/techniques/T1021/"]},"persistence:account":{"id":"persistence:account","name":"Account persistence","description":"Allows an attacker to maintain access to the target system by manipulating existing accounts or creating new accounts. This can include modifying credentials and permission groups and other activity designed to subvert security policies.","score":"BOOST","mitigations":["Use least-privileged access","Use multi-factor authentication for user and privileged accounts","Use firewalls and other access control mechanisms to isolate critical systems"],"links":["https://attack.mitre.org/techniques/T1098/","https://attack.mitre.org/techniques/T1136/"]},"destruction:account":{"id":"destruction:account","name":"Account destruction","description":"Allows an attacker to delete accounts in the system.","score":"CRITICAL","mitigations":[],"links":[]},"destruction:crypto":{"id":"destruction:crypto","name":"Cryptographic destruction","description":"Allows an attacker to delete secret data, such as encryption keys, or private components of asymmetric keys.\n","score":"CRITICAL","mitigations":[],"links":[]},"destruction:data":{"id":"destruction:data","name":"Data destruction","description":"Allows an attacker to delete organizational data. May cause interruption of services (including critical operations of the organization) and significant legal liability. Data loss can be either permanent or temporary, and is mitigated by frequent data backup.","score":"CRITICAL","mitigations":["Data backup"],"links":["https://attack.mitre.org/techniques/T1485/"]},"destruction:policy":{"id":"destruction:policy","name":"Policy destruction","description":"Allows an attacker to delete IAM policies. When these policies would otherwise deny attacker access, can allow an attacker both vertical and lateral privilege escalation.","score":"CRITICAL","mitigations":["Favor restricted allow policies over deny policies"],"links":["https://attack.mitre.org/techniques/T1098/"]},"escalation:data":{"id":"escalation:data","name":"Data escalation","description":"Allows an attacker to access additional data within an already compromised component.","score":"CRITICAL","mitigations":[],"links":[]},"escalation:privilege":{"id":"escalation:privilege","name":"Privilege escalation","description":"Allows an attacker to either access an account with more sensitive privileges (e.g. an admin-specific account), or add these privileges to an account under the attacker's control.","score":"CRITICAL","mitigations":["Avoid use of admin or root accounts","Securely store admin and root account credentials","Scan for insecurely stored account credentials","Use ephemeral entitlement grants for sensitive operations","Apply permission boundaries to identity entitlements"],"links":["https://attack.mitre.org/techniques/T1078/","https://attack.mitre.org/techniques/T1098/","https://attack.mitre.org/techniques/T1552/"]},"exfiltration:crypto":{"id":"exfiltration:crypto","name":"Cryptographic exfiltration","description":"Allows an attacker to export cryptographic material from a system. Implies \"Account Takeover\" when the cryptographic material is an account credential.","score":"CRITICAL","mitigations":["Rotate credentials","Avoid secret re-use"],"links":["https://attack.mitre.org/techniques/T1552/"]},"exfiltration:data":{"id":"exfiltration:data","name":"Data exfiltration","description":"Allows an attacker to export sensitive data from a system. Often combined with data-collection exploits (see `collection:data`).","score":"CRITICAL","mitigations":["Filter network traffic"],"links":["https://attack.mitre.org/techniques/T1537/"]},"impact:encryption":{"id":"impact:encryption","name":"Data encryption","description":"Allows an attacker to encrypt data within a system. This can be used to either make data permanently inaccessible, or extort compensation for access to the encryption key, in the case of ransomware.","score":"CRITICAL","mitigations":["Backup data"],"links":["https://attack.mitre.org/techniques/T1486/"]},"takeover:account":{"id":"takeover:account","name":"Account takeover","description":"Allows an attacker to export account identification credentials from a system.","score":"CRITICAL","mitigations":["Rotate account credentials","Require multi-factor authentication","Use short-lived tokens"],"links":["https://attack.mitre.org/techniques/T1528/"]},"takeover:domain":{"id":"takeover:domain","name":"Domain takeover","description":"Allows an attacker to arbitrarily route traffic on a domain or subdomain.","score":"CRITICAL","mitigations":["Restrict edit access to DNS records","Use firewalls for internal networks"],"links":["https://attack.mitre.org/techniques/T1584/002/","https://attack.mitre.org/techniques/T1583/002/"]},"destruction:defense":{"id":"destruction:defense","name":"Defense destruction","description":"Allows an attacker to disable or remove defense mechanism, such as IDS, antivirus, and the like. Note that other mechanisms may serve as defense mechanisms but are explicitly separate (see `destruction:logs` and `destruction:policy`)","score":"EVASION","mitigations":["Monitor defense system metrics"],"links":["https://attack.mitre.org/techniques/T1562/"]},"destruction:logs":{"id":"destruction:logs","name":"Logs destruction","description":"Allows an attacker to delete logs data. The most critical effect is that this disrupts security incident response. Can also disrupt support and business-intelligence operations.","score":"EVASION","mitigations":["Backup logs"],"links":[]},"impact:access":{"id":"impact:access","name":"Denial-of-access","description":"Allows an attacker to prevent authorized operational access. This can allow an attacker to continue system abuse.","score":"EVASION","mitigations":[],"links":["https://attack.mitre.org/techniques/T1531/"]},"destruction:infra":{"id":"destruction:infra","name":"Infrastructure destruction","description":"Allows an attacker to delete infrastructure. May cause interruption of services (including central operations of the organization). Can be similar in effect to a denial of service.","score":"HIGH","mitigations":["Define infrastructure as code"],"links":[]},"destruction:network":{"id":"destruction:network","name":"Network destruction","description":"Allows an attacker to delete network components (such as endpoints, routes, VLANs, VPCs and the like). Implies denial-of-service when the network hosts a service. Removal of network firewall policies is covered by destruction:policy.","score":"HIGH","mitigations":["Network redundancy"],"links":[]},"exfiltration:code":{"id":"exfiltration:code","name":"Code exfiltration","description":"Allows an attacker to export system source code.","score":"HIGH","mitigations":[],"links":[]},"impact:defacement":{"id":"impact:defacement","name":"Defacement","description":"Allows an attacker to alter an organization's public-facing assets. Often used to vandalize these properties.","score":"HIGH","mitigations":["Data backup"],"links":["https://attack.mitre.org/techniques/T1491/"]},"impact:dos":{"id":"impact:dos","name":"Denial-of-service","description":"Allows an attacker to disrupt an organization's operations. When applied to critical systems, can disable an organization's core systems.","score":"HIGH","mitigations":["Redundant infrastructure","Rate limiting"],"links":["https://attack.mitre.org/techniques/T1499/"]},"impact:manipulation":{"id":"impact:manipulation","name":"Data manipulation","description":"Allows an attacker to insert, delete, or manipulate organizational data. This may be done to evade detection or impact business/operational processes.","score":"HIGH","mitigations":["Data encryption","Network segmentation","Data backup","Least privilege permissions"],"links":["https://attack.mitre.org/techniques/T1565/"]},"discovery:account":{"id":"discovery:account","name":"Account discovery","description":"Allows an attacker to inventory system accounts. These accounts may then be further targeted for compromise to escalate access.","score":"LOW","mitigations":["Use least-privileged access","Use multi-factor authentication for user accounts","Rotate service-account credentials","Prevent unencrypted service-account credential storage","Monitor suspicious account access","Remove or suspend inactive accounts"],"links":["https://attack.mitre.org/techniques/T1078/","https://attack.mitre.org/techniques/T1087/","https://attack.mitre.org/techniques/T1550/","https://attack.mitre.org/techniques/T1552/"]},"discovery:data":{"id":"discovery:data","name":"Data discovery","description":"Allows an attacker to inventory stored data objects. May allow an attacker to focus attacks on specific data repositories. When object identifiers contain sensitive information (e.g. tenant identifiers), gives attackers access to this information.","score":"LOW","mitigations":["Avoid using sensitive data identifiers"],"links":["https://attack.mitre.org/techniques/T1619/"]},"discovery:finance":{"id":"discovery:finance","name":"Financial discovery","description":"Allows an attacker gain information related to organizational finances and spending, such as invoices and spending history.","score":"LOW","mitigations":[],"links":[]},"discovery:infra":{"id":"discovery:infra","name":"Infrastructure discovery","description":"Allows an attacker to inventory infrastructure resources. May allow an attacker to focus attacks on specific resources. When component identifiers contain sensitive information (e.g. tenant identifiers), gives attackers access to this information.","score":"LOW","mitigations":["Avoid using sensitive component identifiers"],"links":["https://attack.mitre.org/techniques/T1580/"]},"discovery:logs":{"id":"discovery:logs","name":"Logs discovery","description":"Allows an attacker to inventory logs, such as viewing the types of logs collected, log fields, and aggregate statistics on logs.","score":"LOW","mitigations":[],"links":[]},"discovery:metadata":{"id":"discovery:metadata","name":"Metadata discovery","description":"Allows an attacker to inventory metadata schema. May allow an attacker to focus attacks on specific metadata objects.","score":"LOW","mitigations":[],"links":[]},"discovery:network":{"id":"discovery:network","name":"Network discovery","description":"Allows an attacker to inventory network resources. May allow an attacker to focus attacks on specific network locations.","score":"LOW","mitigations":["Use network filtering","Use network segmentation","Apply zero-trust networking principles"],"links":["https://attack.mitre.org/techniques/T1046/"]},"discovery:policy":{"id":"discovery:policy","name":"Policy discovery","description":"Allows an attacker to read access-control policies. May allow an attacker to focus attacks on policy weak points (e.g. overprovisioned accounts, or unsecured infrastructure).","score":"LOW","mitigations":["Avoid overprovisioned entitlements"],"links":["https://attack.mitre.org/techniques/T1069/"]},"impact:consumption":{"id":"impact:consumption","name":"Infrastructure consumption","description":"Allows an attacker to consume resources from a potentially limited pool. This may impact the time to assign resources.","score":"LOW","mitigations":[],"links":[]},"destruction:artifact":{"id":"destruction:artifact","name":"Artifact destruction","description":"Allows an attacker to delete artifacts like machine learning models.\n","score":"MEDIUM","mitigations":[],"links":[]},"destruction:metadata":{"id":"destruction:metadata","name":"Metadata destruction","description":"Allows an attacker to delete metadata. Can be impactful if those metadata are used operationally (e.g. timestamp filtering, customer identification, etc.).","score":"MEDIUM","mitigations":["Backup metadata","Define metadata using infrastructure-as-code"],"links":[]},"discovery:code":{"id":"discovery:code","name":"Code discovery","description":"Allows an attacker to inventory source code repositories or files.","score":"MEDIUM","mitigations":[],"links":[]},"exfiltration:logs":{"id":"exfiltration:logs","name":"Logs exfiltration","description":"Allows an attacker to export logs from a system. Logs may contain sensitive customer or organizational data.","score":"MEDIUM","mitigations":[],"links":[]},"exfiltration:metadata":{"id":"exfiltration:metadata","name":"Metadata exfiltration","description":"Allows an attacker to read object metadata. This may contain sensitive data (for example customer identifiers or the like).","score":"MEDIUM","mitigations":[],"links":[]},"impact:hijack":{"id":"impact:hijack","name":"Resource hijacking","description":"Allows an attacker to use system resources for their own purposes. Typically used for resource-intensive pursuits such as cryptomining, or to provide infrastructure for other illegal activities such as running a bot net.","score":"MEDIUM","mitigations":["Monitor resource usage and spend"],"links":["https://attack.mitre.org/techniques/T1496/"]},"impact:spend":{"id":"impact:spend","name":"Spend","description":"Allows an attacker to cause increased infrastructure spend, without benefit to the attacker.","score":"MEDIUM","mitigations":["Add billing plan limits"],"links":[]}},"privileges":{"aws":{"acm-pca:CreatePermission":{"id":"acm-pca:CreatePermission","name":"acm-pca","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/acm-pca"],"seeAlso":[]},"acm-pca:DeletePermission":{"id":"acm-pca:DeletePermission","name":"acm-pca","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/acm-pca"],"seeAlso":[]},"acm-pca:DeletePolicy":{"id":"acm-pca:DeletePolicy","name":"acm-pca","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/acm-pca"],"seeAlso":[]},"acm-pca:PutPolicy":{"id":"acm-pca:PutPolicy","name":"acm-pca","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/acm-pca"],"seeAlso":[]},"aoss:APIAccessAll":{"id":"aoss:APIAccessAll","name":"aoss","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/aoss"],"seeAlso":[]},"aoss:DashboardsAccessAll":{"id":"aoss:DashboardsAccessAll","name":"aoss","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/aoss"],"seeAlso":[]},"apigateway:UpdateRestApiPolicy":{"id":"apigateway:UpdateRestApiPolicy","name":"apigateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/apigateway"],"seeAlso":[]},"appsync:GetDataSource":{"id":"appsync:GetDataSource","name":"appsync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/appsync"],"seeAlso":[]},"appsync:GetFunction":{"id":"appsync:GetFunction","name":"appsync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/appsync"],"seeAlso":[]},"appsync:ListApiKeys":{"id":"appsync:ListApiKeys","name":"appsync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/appsync"],"seeAlso":[]},"athena:GetQueryExecution":{"id":"athena:GetQueryExecution","name":"athena","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/athena"],"seeAlso":[]},"athena:GetQueryResults":{"id":"athena:GetQueryResults","name":"athena","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/athena"],"seeAlso":[]},"athena:GetQueryResultsStream":{"id":"athena:GetQueryResultsStream","name":"athena","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/athena"],"seeAlso":[]},"athena:GetSession":{"id":"athena:GetSession","name":"athena","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/athena"],"seeAlso":[]},"backup:DeleteBackupVaultAccessPolicy":{"id":"backup:DeleteBackupVaultAccessPolicy","name":"backup","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/backup"],"seeAlso":[]},"backup:PutBackupVaultAccessPolicy":{"id":"backup:PutBackupVaultAccessPolicy","name":"backup","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/backup"],"seeAlso":[]},"cassandra:Select":{"id":"cassandra:Select","name":"cassandra","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cassandra"],"seeAlso":[]},"chatbot:DescribeSlackChannels":{"id":"chatbot:DescribeSlackChannels","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:DescribeSlackUserIdentities":{"id":"chatbot:DescribeSlackUserIdentities","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:GetMicrosoftTeamsOauthParameters":{"id":"chatbot:GetMicrosoftTeamsOauthParameters","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:GetSlackOauthParameters":{"id":"chatbot:GetSlackOauthParameters","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:ListMicrosoftTeamsConfiguredTeams":{"id":"chatbot:ListMicrosoftTeamsConfiguredTeams","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:ListMicrosoftTeamsUserIdentities":{"id":"chatbot:ListMicrosoftTeamsUserIdentities","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chime:CreateApiKey":{"id":"chime:CreateApiKey","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:DeleteVoiceConnectorTerminationCredentials":{"id":"chime:DeleteVoiceConnectorTerminationCredentials","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetAttendee":{"id":"chime:GetAttendee","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetChannelMessage":{"id":"chime:GetChannelMessage","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetMeeting":{"id":"chime:GetMeeting","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetMeetingDetail":{"id":"chime:GetMeetingDetail","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetRoom":{"id":"chime:GetRoom","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetUser":{"id":"chime:GetUser","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetUserActivityReportData":{"id":"chime:GetUserActivityReportData","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetUserByEmail":{"id":"chime:GetUserByEmail","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetUserSettings":{"id":"chime:GetUserSettings","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:ListAttendees":{"id":"chime:ListAttendees","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:ListMeetingEvents":{"id":"chime:ListMeetingEvents","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:ListMeetings":{"id":"chime:ListMeetings","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:ListUsers":{"id":"chime:ListUsers","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:PutVoiceConnectorTerminationCredentials":{"id":"chime:PutVoiceConnectorTerminationCredentials","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"cleanrooms:GetProtectedQuery":{"id":"cleanrooms:GetProtectedQuery","name":"cleanrooms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cleanrooms"],"seeAlso":[]},"cloud9:CreateEnvironmentSSH":{"id":"cloud9:CreateEnvironmentSSH","name":"cloud9","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloud9"],"seeAlso":[]},"cloud9:CreateEnvironmentToken":{"id":"cloud9:CreateEnvironmentToken","name":"cloud9","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloud9"],"seeAlso":[]},"cloudformation:GetTemplate":{"id":"cloudformation:GetTemplate","name":"cloudformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudformation"],"seeAlso":[]},"cloudformation:SetStackPolicy":{"id":"cloudformation:SetStackPolicy","name":"cloudformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudformation"],"seeAlso":[]},"cloudfront:GetFunction":{"id":"cloudfront:GetFunction","name":"cloudfront","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudfront"],"seeAlso":[]},"cloudsearch:UpdateServiceAccessPolicies":{"id":"cloudsearch:UpdateServiceAccessPolicies","name":"cloudsearch","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudsearch"],"seeAlso":[]},"cloudtrail:GetQueryResults":{"id":"cloudtrail:GetQueryResults","name":"cloudtrail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudtrail"],"seeAlso":[]},"cloudtrail:LookupEvents":{"id":"cloudtrail:LookupEvents","name":"cloudtrail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudtrail"],"seeAlso":[]},"codeartifact:DeleteDomainPermissionsPolicy":{"id":"codeartifact:DeleteDomainPermissionsPolicy","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:DeleteRepositoryPermissionsPolicy":{"id":"codeartifact:DeleteRepositoryPermissionsPolicy","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:GetAuthorizationToken":{"id":"codeartifact:GetAuthorizationToken","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:GetPackageVersionAsset":{"id":"codeartifact:GetPackageVersionAsset","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:GetPackageVersionReadme":{"id":"codeartifact:GetPackageVersionReadme","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:ReadFromRepository":{"id":"codeartifact:ReadFromRepository","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codebuild:BatchGetReportGroups":{"id":"codebuild:BatchGetReportGroups","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:BatchGetReports":{"id":"codebuild:BatchGetReports","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:DeleteResourcePolicy":{"id":"codebuild:DeleteResourcePolicy","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:DeleteSourceCredentials":{"id":"codebuild:DeleteSourceCredentials","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:ImportSourceCredentials":{"id":"codebuild:ImportSourceCredentials","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:PutResourcePolicy":{"id":"codebuild:PutResourcePolicy","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codecommit:BatchGetCommits":{"id":"codecommit:BatchGetCommits","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:BatchGetPullRequests":{"id":"codecommit:BatchGetPullRequests","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:BatchGetRepositories":{"id":"codecommit:BatchGetRepositories","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:DescribeMergeConflicts":{"id":"codecommit:DescribeMergeConflicts","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:DescribePullRequestEvents":{"id":"codecommit:DescribePullRequestEvents","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetApprovalRuleTemplate":{"id":"codecommit:GetApprovalRuleTemplate","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetBlob":{"id":"codecommit:GetBlob","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetBranch":{"id":"codecommit:GetBranch","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetComment":{"id":"codecommit:GetComment","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommentReactions":{"id":"codecommit:GetCommentReactions","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommentsForComparedCommit":{"id":"codecommit:GetCommentsForComparedCommit","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommentsForPullRequest":{"id":"codecommit:GetCommentsForPullRequest","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommit":{"id":"codecommit:GetCommit","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommitHistory":{"id":"codecommit:GetCommitHistory","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommitsFromMergeBase":{"id":"codecommit:GetCommitsFromMergeBase","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetDifferences":{"id":"codecommit:GetDifferences","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetFile":{"id":"codecommit:GetFile","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetFolder":{"id":"codecommit:GetFolder","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetMergeCommit":{"id":"codecommit:GetMergeCommit","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetMergeConflicts":{"id":"codecommit:GetMergeConflicts","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetMergeOptions":{"id":"codecommit:GetMergeOptions","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetObjectIdentifier":{"id":"codecommit:GetObjectIdentifier","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetPullRequest":{"id":"codecommit:GetPullRequest","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetPullRequestApprovalStates":{"id":"codecommit:GetPullRequestApprovalStates","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetPullRequestOverrideState":{"id":"codecommit:GetPullRequestOverrideState","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetReferences":{"id":"codecommit:GetReferences","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetTree":{"id":"codecommit:GetTree","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GitPull":{"id":"codecommit:GitPull","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codeguru-profiler:GetRecommendations":{"id":"codeguru-profiler:GetRecommendations","name":"codeguru-profiler","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-profiler"],"seeAlso":[]},"codeguru-profiler:PutPermission":{"id":"codeguru-profiler:PutPermission","name":"codeguru-profiler","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-profiler"],"seeAlso":[]},"codeguru-profiler:RemovePermission":{"id":"codeguru-profiler:RemovePermission","name":"codeguru-profiler","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-profiler"],"seeAlso":[]},"codeguru-reviewer:DescribeCodeReview":{"id":"codeguru-reviewer:DescribeCodeReview","name":"codeguru-reviewer","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-reviewer"],"seeAlso":[]},"codeguru-reviewer:DescribeRecommendationFeedback":{"id":"codeguru-reviewer:DescribeRecommendationFeedback","name":"codeguru-reviewer","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-reviewer"],"seeAlso":[]},"codepipeline:GetPipelineExecution":{"id":"codepipeline:GetPipelineExecution","name":"codepipeline","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codepipeline"],"seeAlso":[]},"codepipeline:PollForJobs":{"id":"codepipeline:PollForJobs","name":"codepipeline","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/codepipeline"],"seeAlso":[]},"codestar:AssociateTeamMember":{"id":"codestar:AssociateTeamMember","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"codestar:CreateProject":{"id":"codestar:CreateProject","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"codestar:DeleteProject":{"id":"codestar:DeleteProject","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"codestar:DisassociateTeamMember":{"id":"codestar:DisassociateTeamMember","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"codestar:UpdateTeamMember":{"id":"codestar:UpdateTeamMember","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"cognito-identity:CreateIdentityPool":{"id":"cognito-identity:CreateIdentityPool","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:DeleteIdentities":{"id":"cognito-identity:DeleteIdentities","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:DeleteIdentityPool":{"id":"cognito-identity:DeleteIdentityPool","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:GetCredentialsForIdentity":{"id":"cognito-identity:GetCredentialsForIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:GetId":{"id":"cognito-identity:GetId","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:GetOpenIdToken":{"id":"cognito-identity:GetOpenIdToken","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:GetOpenIdTokenForDeveloperIdentity":{"id":"cognito-identity:GetOpenIdTokenForDeveloperIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:LookupDeveloperIdentity":{"id":"cognito-identity:LookupDeveloperIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:MergeDeveloperIdentities":{"id":"cognito-identity:MergeDeveloperIdentities","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:SetIdentityPoolRoles":{"id":"cognito-identity:SetIdentityPoolRoles","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:UnlinkDeveloperIdentity":{"id":"cognito-identity:UnlinkDeveloperIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:UnlinkIdentity":{"id":"cognito-identity:UnlinkIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:UpdateIdentityPool":{"id":"cognito-identity:UpdateIdentityPool","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-idp:AdminGetDevice":{"id":"cognito-idp:AdminGetDevice","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:AdminGetUser":{"id":"cognito-idp:AdminGetUser","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:AdminListDevices":{"id":"cognito-idp:AdminListDevices","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:AdminListGroupsForUser":{"id":"cognito-idp:AdminListGroupsForUser","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:AdminListUserAuthEvents":{"id":"cognito-idp:AdminListUserAuthEvents","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:DescribeUserPoolClient":{"id":"cognito-idp:DescribeUserPoolClient","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:GetDevice":{"id":"cognito-idp:GetDevice","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:GetGroup":{"id":"cognito-idp:GetGroup","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:GetUser":{"id":"cognito-idp:GetUser","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:GetUserAttributeVerificationCode":{"id":"cognito-idp:GetUserAttributeVerificationCode","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:ListDevices":{"id":"cognito-idp:ListDevices","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:ListGroups":{"id":"cognito-idp:ListGroups","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:ListUsers":{"id":"cognito-idp:ListUsers","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-sync:ListRecords":{"id":"cognito-sync:ListRecords","name":"cognito-sync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-sync"],"seeAlso":[]},"cognito-sync:QueryRecords":{"id":"cognito-sync:QueryRecords","name":"cognito-sync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-sync"],"seeAlso":[]},"connect:GetFederationToken":{"id":"connect:GetFederationToken","name":"connect","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/connect"],"seeAlso":[]},"connect:ListSecurityKeys":{"id":"connect:ListSecurityKeys","name":"connect","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/connect"],"seeAlso":[]},"connect:ListUsers":{"id":"connect:ListUsers","name":"connect","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/connect"],"seeAlso":[]},"datapipeline:QueryObjects":{"id":"datapipeline:QueryObjects","name":"datapipeline","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/datapipeline"],"seeAlso":[]},"dax:BatchGetItem":{"id":"dax:BatchGetItem","name":"dax","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dax"],"seeAlso":[]},"dax:GetItem":{"id":"dax:GetItem","name":"dax","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dax"],"seeAlso":[]},"dax:Query":{"id":"dax:Query","name":"dax","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dax"],"seeAlso":[]},"dax:Scan":{"id":"dax:Scan","name":"dax","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dax"],"seeAlso":[]},"deeplens:AssociateServiceRoleToAccount":{"id":"deeplens:AssociateServiceRoleToAccount","name":"deeplens","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/deeplens"],"seeAlso":[]},"ds:CreateConditionalForwarder":{"id":"ds:CreateConditionalForwarder","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"ds:CreateDirectory":{"id":"ds:CreateDirectory","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"ds:CreateMicrosoftAD":{"id":"ds:CreateMicrosoftAD","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"ds:CreateTrust":{"id":"ds:CreateTrust","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"ds:ShareDirectory":{"id":"ds:ShareDirectory","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"dynamodb:BatchGetItem":{"id":"dynamodb:BatchGetItem","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"dynamodb:GetItem":{"id":"dynamodb:GetItem","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"dynamodb:GetRecords":{"id":"dynamodb:GetRecords","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"dynamodb:Query":{"id":"dynamodb:Query","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"dynamodb:Scan":{"id":"dynamodb:Scan","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"ec2-instance-connect:SendSSHPublicKey":{"id":"ec2-instance-connect:SendSSHPublicKey","name":"ec2-instance-connect","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["escalation:privilege","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2-instance-connect"],"seeAlso":[]},"ec2:CreateNetworkInterfacePermission":{"id":"ec2:CreateNetworkInterfacePermission","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:DeleteNetworkInterfacePermission":{"id":"ec2:DeleteNetworkInterfacePermission","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:DisableImageBlockPublicAccess":{"id":"ec2:DisableImageBlockPublicAccess","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:GetPasswordData":{"id":"ec2:GetPasswordData","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:ModifySnapshotAttribute":{"id":"ec2:ModifySnapshotAttribute","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:ModifyVpcEndpointServicePermissions":{"id":"ec2:ModifyVpcEndpointServicePermissions","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:ResetSnapshotAttribute":{"id":"ec2:ResetSnapshotAttribute","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ecr-public:GetAuthorizationToken":{"id":"ecr-public:GetAuthorizationToken","name":"ecr-public","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr-public"],"seeAlso":[]},"ecr:DeleteRepositoryPolicy":{"id":"ecr:DeleteRepositoryPolicy","name":"ecr","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr"],"seeAlso":[]},"ecr:GetAuthorizationToken":{"id":"ecr:GetAuthorizationToken","name":"ecr","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr"],"seeAlso":[]},"ecr:GetDownloadUrlForLayer":{"id":"ecr:GetDownloadUrlForLayer","name":"ecr","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr"],"seeAlso":[]},"ecr:SetRepositoryPolicy":{"id":"ecr:SetRepositoryPolicy","name":"ecr","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr"],"seeAlso":[]},"elasticfilesystem:DeleteFileSystemPolicy":{"id":"elasticfilesystem:DeleteFileSystemPolicy","name":"elasticfilesystem","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/elasticfilesystem"],"seeAlso":[]},"elasticfilesystem:PutFileSystemPolicy":{"id":"elasticfilesystem:PutFileSystemPolicy","name":"elasticfilesystem","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/elasticfilesystem"],"seeAlso":[]},"elasticmapreduce:PutBlockPublicAccessConfiguration":{"id":"elasticmapreduce:PutBlockPublicAccessConfiguration","name":"elasticmapreduce","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/elasticmapreduce"],"seeAlso":[]},"es:CreateElasticsearchDomain":{"id":"es:CreateElasticsearchDomain","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpDelete":{"id":"es:ESHttpDelete","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpGet":{"id":"es:ESHttpGet","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpHead":{"id":"es:ESHttpHead","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpPatch":{"id":"es:ESHttpPatch","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpPost":{"id":"es:ESHttpPost","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpPut":{"id":"es:ESHttpPut","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:UpdateElasticsearchDomainConfig":{"id":"es:UpdateElasticsearchDomainConfig","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"gamelift:GetComputeAuthToken":{"id":"gamelift:GetComputeAuthToken","name":"gamelift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/gamelift"],"seeAlso":[]},"gamelift:GetGameSessionLogUrl":{"id":"gamelift:GetGameSessionLogUrl","name":"gamelift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/gamelift"],"seeAlso":[]},"gamelift:GetInstanceAccess":{"id":"gamelift:GetInstanceAccess","name":"gamelift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/gamelift"],"seeAlso":[]},"gamelift:RequestUploadCredentials":{"id":"gamelift:RequestUploadCredentials","name":"gamelift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/gamelift"],"seeAlso":[]},"glacier:AbortVaultLock":{"id":"glacier:AbortVaultLock","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:CompleteVaultLock":{"id":"glacier:CompleteVaultLock","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:DeleteVaultAccessPolicy":{"id":"glacier:DeleteVaultAccessPolicy","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:InitiateVaultLock":{"id":"glacier:InitiateVaultLock","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:SetDataRetrievalPolicy":{"id":"glacier:SetDataRetrievalPolicy","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:SetVaultAccessPolicy":{"id":"glacier:SetVaultAccessPolicy","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glue:DeleteResourcePolicy":{"id":"glue:DeleteResourcePolicy","name":"glue","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glue"],"seeAlso":[]},"glue:PutResourcePolicy":{"id":"glue:PutResourcePolicy","name":"glue","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glue"],"seeAlso":[]},"glue:UpdateDevEndpoint":{"id":"glue:UpdateDevEndpoint","name":"glue","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/glue"],"seeAlso":[]},"greengrass:AssociateServiceRoleToAccount":{"id":"greengrass:AssociateServiceRoleToAccount","name":"greengrass","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/greengrass"],"seeAlso":[]},"health:DisableHealthServiceAccessForOrganization":{"id":"health:DisableHealthServiceAccessForOrganization","name":"health","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/health"],"seeAlso":[]},"health:EnableHealthServiceAccessForOrganization":{"id":"health:EnableHealthServiceAccessForOrganization","name":"health","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/health"],"seeAlso":[]},"healthlake:ReadResource":{"id":"healthlake:ReadResource","name":"healthlake","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/healthlake"],"seeAlso":[]},"healthlake:SearchWithGet":{"id":"healthlake:SearchWithGet","name":"healthlake","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/healthlake"],"seeAlso":[]},"healthlake:SearchWithPost":{"id":"healthlake:SearchWithPost","name":"healthlake","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/healthlake"],"seeAlso":[]},"iam:AddClientIDToOpenIDConnectProvider":{"id":"iam:AddClientIDToOpenIDConnectProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AddRoleToInstanceProfile":{"id":"iam:AddRoleToInstanceProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AddUserToGroup":{"id":"iam:AddUserToGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AttachGroupPolicy":{"id":"iam:AttachGroupPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AttachRolePolicy":{"id":"iam:AttachRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AttachUserPolicy":{"id":"iam:AttachUserPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:ChangePassword":{"id":"iam:ChangePassword","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateAccessKey":{"id":"iam:CreateAccessKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateAccountAlias":{"id":"iam:CreateAccountAlias","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateGroup":{"id":"iam:CreateGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateInstanceProfile":{"id":"iam:CreateInstanceProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateLoginProfile":{"id":"iam:CreateLoginProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateOpenIDConnectProvider":{"id":"iam:CreateOpenIDConnectProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreatePolicy":{"id":"iam:CreatePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreatePolicyVersion":{"id":"iam:CreatePolicyVersion","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateRole":{"id":"iam:CreateRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateSAMLProvider":{"id":"iam:CreateSAMLProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateServiceLinkedRole":{"id":"iam:CreateServiceLinkedRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateServiceSpecificCredential":{"id":"iam:CreateServiceSpecificCredential","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateUser":{"id":"iam:CreateUser","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateVirtualMFADevice":{"id":"iam:CreateVirtualMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeactivateMFADevice":{"id":"iam:DeactivateMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteAccessKey":{"id":"iam:DeleteAccessKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteAccountAlias":{"id":"iam:DeleteAccountAlias","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteAccountPasswordPolicy":{"id":"iam:DeleteAccountPasswordPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteGroup":{"id":"iam:DeleteGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteGroupPolicy":{"id":"iam:DeleteGroupPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteInstanceProfile":{"id":"iam:DeleteInstanceProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteLoginProfile":{"id":"iam:DeleteLoginProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteOpenIDConnectProvider":{"id":"iam:DeleteOpenIDConnectProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeletePolicy":{"id":"iam:DeletePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeletePolicyVersion":{"id":"iam:DeletePolicyVersion","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteRole":{"id":"iam:DeleteRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteRolePermissionsBoundary":{"id":"iam:DeleteRolePermissionsBoundary","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteRolePolicy":{"id":"iam:DeleteRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteSAMLProvider":{"id":"iam:DeleteSAMLProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteSSHPublicKey":{"id":"iam:DeleteSSHPublicKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteServerCertificate":{"id":"iam:DeleteServerCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteServiceLinkedRole":{"id":"iam:DeleteServiceLinkedRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteServiceSpecificCredential":{"id":"iam:DeleteServiceSpecificCredential","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteSigningCertificate":{"id":"iam:DeleteSigningCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteUser":{"id":"iam:DeleteUser","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteUserPermissionsBoundary":{"id":"iam:DeleteUserPermissionsBoundary","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteUserPolicy":{"id":"iam:DeleteUserPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteVirtualMFADevice":{"id":"iam:DeleteVirtualMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DetachGroupPolicy":{"id":"iam:DetachGroupPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DetachRolePolicy":{"id":"iam:DetachRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DetachUserPolicy":{"id":"iam:DetachUserPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:EnableMFADevice":{"id":"iam:EnableMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PassRole":{"id":"iam:PassRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutGroupPolicy":{"id":"iam:PutGroupPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutRolePermissionsBoundary":{"id":"iam:PutRolePermissionsBoundary","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutRolePolicy":{"id":"iam:PutRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutUserPermissionsBoundary":{"id":"iam:PutUserPermissionsBoundary","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutUserPolicy":{"id":"iam:PutUserPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:RemoveClientIDFromOpenIDConnectProvider":{"id":"iam:RemoveClientIDFromOpenIDConnectProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:RemoveRoleFromInstanceProfile":{"id":"iam:RemoveRoleFromInstanceProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:RemoveUserFromGroup":{"id":"iam:RemoveUserFromGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:ResetServiceSpecificCredential":{"id":"iam:ResetServiceSpecificCredential","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:ResyncMFADevice":{"id":"iam:ResyncMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:SetDefaultPolicyVersion":{"id":"iam:SetDefaultPolicyVersion","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:SetSecurityTokenServicePreferences":{"id":"iam:SetSecurityTokenServicePreferences","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateAccessKey":{"id":"iam:UpdateAccessKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateAccountPasswordPolicy":{"id":"iam:UpdateAccountPasswordPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateAssumeRolePolicy":{"id":"iam:UpdateAssumeRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateGroup":{"id":"iam:UpdateGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateLoginProfile":{"id":"iam:UpdateLoginProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateOpenIDConnectProviderThumbprint":{"id":"iam:UpdateOpenIDConnectProviderThumbprint","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateRole":{"id":"iam:UpdateRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateRoleDescription":{"id":"iam:UpdateRoleDescription","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateSAMLProvider":{"id":"iam:UpdateSAMLProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateSSHPublicKey":{"id":"iam:UpdateSSHPublicKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateServerCertificate":{"id":"iam:UpdateServerCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateServiceSpecificCredential":{"id":"iam:UpdateServiceSpecificCredential","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateSigningCertificate":{"id":"iam:UpdateSigningCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateUser":{"id":"iam:UpdateUser","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UploadSSHPublicKey":{"id":"iam:UploadSSHPublicKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UploadServerCertificate":{"id":"iam:UploadServerCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UploadSigningCertificate":{"id":"iam:UploadSigningCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"imagebuilder:PutComponentPolicy":{"id":"imagebuilder:PutComponentPolicy","name":"imagebuilder","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/imagebuilder"],"seeAlso":[]},"imagebuilder:PutImagePolicy":{"id":"imagebuilder:PutImagePolicy","name":"imagebuilder","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/imagebuilder"],"seeAlso":[]},"imagebuilder:PutImageRecipePolicy":{"id":"imagebuilder:PutImageRecipePolicy","name":"imagebuilder","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/imagebuilder"],"seeAlso":[]},"iot:AttachPolicy":{"id":"iot:AttachPolicy","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:AttachPrincipalPolicy":{"id":"iot:AttachPrincipalPolicy","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:DetachPolicy":{"id":"iot:DetachPolicy","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:DetachPrincipalPolicy":{"id":"iot:DetachPrincipalPolicy","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:SetDefaultAuthorizer":{"id":"iot:SetDefaultAuthorizer","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:SetDefaultPolicyVersion":{"id":"iot:SetDefaultPolicyVersion","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iotsitewise:CreateAccessPolicy":{"id":"iotsitewise:CreateAccessPolicy","name":"iotsitewise","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iotsitewise"],"seeAlso":[]},"iotsitewise:DeleteAccessPolicy":{"id":"iotsitewise:DeleteAccessPolicy","name":"iotsitewise","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iotsitewise"],"seeAlso":[]},"iotsitewise:UpdateAccessPolicy":{"id":"iotsitewise:UpdateAccessPolicy","name":"iotsitewise","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iotsitewise"],"seeAlso":[]},"kendra:Query":{"id":"kendra:Query","name":"kendra","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/kendra"],"seeAlso":[]},"kinesis:GetRecords":{"id":"kinesis:GetRecords","name":"kinesis","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/kinesis"],"seeAlso":[]},"kinesisvideo:GetImages":{"id":"kinesisvideo:GetImages","name":"kinesisvideo","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/kinesisvideo"],"seeAlso":[]},"kinesisvideo:GetMedia":{"id":"kinesisvideo:GetMedia","name":"kinesisvideo","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/kinesisvideo"],"seeAlso":[]},"kms:CreateGrant":{"id":"kms:CreateGrant","name":"kms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/kms"],"seeAlso":[]},"kms:PutKeyPolicy":{"id":"kms:PutKeyPolicy","name":"kms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/kms"],"seeAlso":[]},"kms:RetireGrant":{"id":"kms:RetireGrant","name":"kms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/kms"],"seeAlso":[]},"kms:RevokeGrant":{"id":"kms:RevokeGrant","name":"kms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/kms"],"seeAlso":[]},"lakeformation:BatchGrantPermissions":{"id":"lakeformation:BatchGrantPermissions","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lakeformation:BatchRevokePermissions":{"id":"lakeformation:BatchRevokePermissions","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lakeformation:GrantPermissions":{"id":"lakeformation:GrantPermissions","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lakeformation:PutDataLakeSettings":{"id":"lakeformation:PutDataLakeSettings","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lakeformation:RevokePermissions":{"id":"lakeformation:RevokePermissions","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lambda:AddLayerVersionPermission":{"id":"lambda:AddLayerVersionPermission","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:AddPermission":{"id":"lambda:AddPermission","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:DisableReplication":{"id":"lambda:DisableReplication","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:EnableReplication":{"id":"lambda:EnableReplication","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:GetFunction":{"id":"lambda:GetFunction","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:GetLayerVersion":{"id":"lambda:GetLayerVersion","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:RemoveLayerVersionPermission":{"id":"lambda:RemoveLayerVersionPermission","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:RemovePermission":{"id":"lambda:RemovePermission","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"license-manager:UpdateServiceSettings":{"id":"license-manager:UpdateServiceSettings","name":"license-manager","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/license-manager"],"seeAlso":[]},"lightsail:DownloadDefaultKeyPair":{"id":"lightsail:DownloadDefaultKeyPair","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetBucketAccessKeys":{"id":"lightsail:GetBucketAccessKeys","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetContainerImages":{"id":"lightsail:GetContainerImages","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetKeyPair":{"id":"lightsail:GetKeyPair","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetKeyPairs":{"id":"lightsail:GetKeyPairs","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetRelationalDatabaseMasterUserPassword":{"id":"lightsail:GetRelationalDatabaseMasterUserPassword","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"logs:DeleteResourcePolicy":{"id":"logs:DeleteResourcePolicy","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:GetLogEvents":{"id":"logs:GetLogEvents","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:GetLogRecord":{"id":"logs:GetLogRecord","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:GetQueryResults":{"id":"logs:GetQueryResults","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:PutResourcePolicy":{"id":"logs:PutResourcePolicy","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:Unmask":{"id":"logs:Unmask","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"macie2:GetFindings":{"id":"macie2:GetFindings","name":"macie2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/macie2"],"seeAlso":[]},"mediapackage:RotateChannelCredentials":{"id":"mediapackage:RotateChannelCredentials","name":"mediapackage","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediapackage"],"seeAlso":[]},"mediapackage:RotateIngestEndpointCredentials":{"id":"mediapackage:RotateIngestEndpointCredentials","name":"mediapackage","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediapackage"],"seeAlso":[]},"mediastore:DeleteContainerPolicy":{"id":"mediastore:DeleteContainerPolicy","name":"mediastore","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediastore"],"seeAlso":[]},"mediastore:GetObject":{"id":"mediastore:GetObject","name":"mediastore","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediastore"],"seeAlso":[]},"mediastore:PutContainerPolicy":{"id":"mediastore:PutContainerPolicy","name":"mediastore","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediastore"],"seeAlso":[]},"opsworks:SetPermission":{"id":"opsworks:SetPermission","name":"opsworks","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/opsworks"],"seeAlso":[]},"opsworks:UpdateUserProfile":{"id":"opsworks:UpdateUserProfile","name":"opsworks","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/opsworks"],"seeAlso":[]},"qldb:GetBlock":{"id":"qldb:GetBlock","name":"qldb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/qldb"],"seeAlso":[]},"quicksight:CreateAdmin":{"id":"quicksight:CreateAdmin","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:CreateGroup":{"id":"quicksight:CreateGroup","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:CreateGroupMembership":{"id":"quicksight:CreateGroupMembership","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:CreateIAMPolicyAssignment":{"id":"quicksight:CreateIAMPolicyAssignment","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:CreateUser":{"id":"quicksight:CreateUser","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteGroup":{"id":"quicksight:DeleteGroup","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteGroupMembership":{"id":"quicksight:DeleteGroupMembership","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteIAMPolicyAssignment":{"id":"quicksight:DeleteIAMPolicyAssignment","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteUser":{"id":"quicksight:DeleteUser","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteUserByPrincipalId":{"id":"quicksight:DeleteUserByPrincipalId","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:RegisterUser":{"id":"quicksight:RegisterUser","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateDashboardPermissions":{"id":"quicksight:UpdateDashboardPermissions","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateGroup":{"id":"quicksight:UpdateGroup","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateIAMPolicyAssignment":{"id":"quicksight:UpdateIAMPolicyAssignment","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateTemplatePermissions":{"id":"quicksight:UpdateTemplatePermissions","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateUser":{"id":"quicksight:UpdateUser","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"ram:AcceptResourceShareInvitation":{"id":"ram:AcceptResourceShareInvitation","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:AssociateResourceShare":{"id":"ram:AssociateResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:CreateResourceShare":{"id":"ram:CreateResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:DeleteResourceShare":{"id":"ram:DeleteResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:DisassociateResourceShare":{"id":"ram:DisassociateResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:EnableSharingWithAwsOrganization":{"id":"ram:EnableSharingWithAwsOrganization","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:RejectResourceShareInvitation":{"id":"ram:RejectResourceShareInvitation","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:UpdateResourceShare":{"id":"ram:UpdateResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"rds-db:connect":{"id":"rds-db:connect","name":"rds-db","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/rds-db"],"seeAlso":[]},"rds:AuthorizeDBSecurityGroupIngress":{"id":"rds:AuthorizeDBSecurityGroupIngress","name":"rds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/rds"],"seeAlso":[]},"rds:DownloadCompleteDBLogFile":{"id":"rds:DownloadCompleteDBLogFile","name":"rds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/rds"],"seeAlso":[]},"rds:DownloadDBLogFilePortion":{"id":"rds:DownloadDBLogFilePortion","name":"rds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/rds"],"seeAlso":[]},"redshift:AuthorizeSnapshotAccess":{"id":"redshift:AuthorizeSnapshotAccess","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:CreateClusterUser":{"id":"redshift:CreateClusterUser","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:CreateSnapshotCopyGrant":{"id":"redshift:CreateSnapshotCopyGrant","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:GetClusterCredentials":{"id":"redshift:GetClusterCredentials","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:JoinGroup":{"id":"redshift:JoinGroup","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:ModifyClusterIamRoles":{"id":"redshift:ModifyClusterIamRoles","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:RevokeSnapshotAccess":{"id":"redshift:RevokeSnapshotAccess","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"robomaker:GetWorldTemplateBody":{"id":"robomaker:GetWorldTemplateBody","name":"robomaker","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/robomaker"],"seeAlso":[]},"route53resolver:PutResolverRulePolicy":{"id":"route53resolver:PutResolverRulePolicy","name":"route53resolver","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/route53resolver"],"seeAlso":[]},"s3-object-lambda:GetObject":{"id":"s3-object-lambda:GetObject","name":"s3-object-lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3-object-lambda"],"seeAlso":[]},"s3-object-lambda:GetObjectVersion":{"id":"s3-object-lambda:GetObjectVersion","name":"s3-object-lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3-object-lambda"],"seeAlso":[]},"s3-object-lambda:ListBucket":{"id":"s3-object-lambda:ListBucket","name":"s3-object-lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3-object-lambda"],"seeAlso":[]},"s3:BypassGovernanceRetention":{"id":"s3:BypassGovernanceRetention","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:DeleteAccessPointPolicy":{"id":"s3:DeleteAccessPointPolicy","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:DeleteBucketPolicy":{"id":"s3:DeleteBucketPolicy","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:GetObject":{"id":"s3:GetObject","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:GetObjectVersion":{"id":"s3:GetObjectVersion","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:ObjectOwnerOverrideToBucketOwner":{"id":"s3:ObjectOwnerOverrideToBucketOwner","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutAccessPointPolicy":{"id":"s3:PutAccessPointPolicy","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutAccountPublicAccessBlock":{"id":"s3:PutAccountPublicAccessBlock","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutBucketAcl":{"id":"s3:PutBucketAcl","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutBucketPolicy":{"id":"s3:PutBucketPolicy","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutBucketPublicAccessBlock":{"id":"s3:PutBucketPublicAccessBlock","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutObjectAcl":{"id":"s3:PutObjectAcl","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutObjectVersionAcl":{"id":"s3:PutObjectVersionAcl","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"sagemaker:Search":{"id":"sagemaker:Search","name":"sagemaker","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sagemaker"],"seeAlso":[]},"sdb:Select":{"id":"sdb:Select","name":"sdb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sdb"],"seeAlso":[]},"secretsmanager:DeleteResourcePolicy":{"id":"secretsmanager:DeleteResourcePolicy","name":"secretsmanager","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/secretsmanager"],"seeAlso":[]},"secretsmanager:PutResourcePolicy":{"id":"secretsmanager:PutResourcePolicy","name":"secretsmanager","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/secretsmanager"],"seeAlso":[]},"secretsmanager:ValidateResourcePolicy":{"id":"secretsmanager:ValidateResourcePolicy","name":"secretsmanager","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/secretsmanager"],"seeAlso":[]},"serverlessrepo:GetApplication":{"id":"serverlessrepo:GetApplication","name":"serverlessrepo","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/serverlessrepo"],"seeAlso":[]},"serverlessrepo:GetCloudFormationTemplate":{"id":"serverlessrepo:GetCloudFormationTemplate","name":"serverlessrepo","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/serverlessrepo"],"seeAlso":[]},"servicecatalog:CreatePortfolioShare":{"id":"servicecatalog:CreatePortfolioShare","name":"servicecatalog","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/servicecatalog"],"seeAlso":[]},"servicecatalog:DeletePortfolioShare":{"id":"servicecatalog:DeletePortfolioShare","name":"servicecatalog","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/servicecatalog"],"seeAlso":[]},"snowball:GetJobUnlockCode":{"id":"snowball:GetJobUnlockCode","name":"snowball","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/snowball"],"seeAlso":[]},"sns:AddPermission":{"id":"sns:AddPermission","name":"sns","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sns"],"seeAlso":[]},"sns:CreateTopic":{"id":"sns:CreateTopic","name":"sns","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sns"],"seeAlso":[]},"sns:RemovePermission":{"id":"sns:RemovePermission","name":"sns","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sns"],"seeAlso":[]},"sns:SetTopicAttributes":{"id":"sns:SetTopicAttributes","name":"sns","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sns"],"seeAlso":[]},"sqs:AddPermission":{"id":"sqs:AddPermission","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"sqs:CreateQueue":{"id":"sqs:CreateQueue","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"sqs:ReceiveMessage":{"id":"sqs:ReceiveMessage","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"sqs:RemovePermission":{"id":"sqs:RemovePermission","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"sqs:SetQueueAttributes":{"id":"sqs:SetQueueAttributes","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"ssm:GetDocument":{"id":"ssm:GetDocument","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:GetParameter":{"id":"ssm:GetParameter","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:GetParameterHistory":{"id":"ssm:GetParameterHistory","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:GetParameters":{"id":"ssm:GetParameters","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:GetParametersByPath":{"id":"ssm:GetParametersByPath","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:ModifyDocumentPermission":{"id":"ssm:ModifyDocumentPermission","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"sso-directory:AddMemberToGroup":{"id":"sso-directory:AddMemberToGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:CreateAlias":{"id":"sso-directory:CreateAlias","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:CreateGroup":{"id":"sso-directory:CreateGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:CreateUser":{"id":"sso-directory:CreateUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DeleteGroup":{"id":"sso-directory:DeleteGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DeleteUser":{"id":"sso-directory:DeleteUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DescribeGroup":{"id":"sso-directory:DescribeGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DescribeUser":{"id":"sso-directory:DescribeUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DisableUser":{"id":"sso-directory:DisableUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:EnableUser":{"id":"sso-directory:EnableUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:ListBearerTokens":{"id":"sso-directory:ListBearerTokens","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:RemoveMemberFromGroup":{"id":"sso-directory:RemoveMemberFromGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:SearchGroups":{"id":"sso-directory:SearchGroups","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:SearchUsers":{"id":"sso-directory:SearchUsers","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:UpdateGroup":{"id":"sso-directory:UpdateGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:UpdatePassword":{"id":"sso-directory:UpdatePassword","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:UpdateUser":{"id":"sso-directory:UpdateUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:VerifyEmail":{"id":"sso-directory:VerifyEmail","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso:AssociateDirectory":{"id":"sso:AssociateDirectory","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:AssociateProfile":{"id":"sso:AssociateProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreateApplicationInstance":{"id":"sso:CreateApplicationInstance","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreateApplicationInstanceCertificate":{"id":"sso:CreateApplicationInstanceCertificate","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreatePermissionSet":{"id":"sso:CreatePermissionSet","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreateProfile":{"id":"sso:CreateProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreateTrust":{"id":"sso:CreateTrust","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeleteApplicationInstance":{"id":"sso:DeleteApplicationInstance","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeleteApplicationInstanceCertificate":{"id":"sso:DeleteApplicationInstanceCertificate","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeletePermissionSet":{"id":"sso:DeletePermissionSet","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeletePermissionsPolicy":{"id":"sso:DeletePermissionsPolicy","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeleteProfile":{"id":"sso:DeleteProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DisassociateDirectory":{"id":"sso:DisassociateDirectory","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DisassociateProfile":{"id":"sso:DisassociateProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:ImportApplicationInstanceServiceProviderMetadata":{"id":"sso:ImportApplicationInstanceServiceProviderMetadata","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:PutPermissionsPolicy":{"id":"sso:PutPermissionsPolicy","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:SearchGroups":{"id":"sso:SearchGroups","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:SearchUsers":{"id":"sso:SearchUsers","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:StartSSO":{"id":"sso:StartSSO","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceActiveCertificate":{"id":"sso:UpdateApplicationInstanceActiveCertificate","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceDisplayData":{"id":"sso:UpdateApplicationInstanceDisplayData","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceResponseConfiguration":{"id":"sso:UpdateApplicationInstanceResponseConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceResponseSchemaConfiguration":{"id":"sso:UpdateApplicationInstanceResponseSchemaConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceSecurityConfiguration":{"id":"sso:UpdateApplicationInstanceSecurityConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceServiceProviderConfiguration":{"id":"sso:UpdateApplicationInstanceServiceProviderConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceStatus":{"id":"sso:UpdateApplicationInstanceStatus","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateDirectoryAssociation":{"id":"sso:UpdateDirectoryAssociation","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdatePermissionSet":{"id":"sso:UpdatePermissionSet","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateProfile":{"id":"sso:UpdateProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateSSOConfiguration":{"id":"sso:UpdateSSOConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateTrust":{"id":"sso:UpdateTrust","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"storagegateway:DeleteChapCredentials":{"id":"storagegateway:DeleteChapCredentials","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"storagegateway:DescribeChapCredentials":{"id":"storagegateway:DescribeChapCredentials","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"storagegateway:SetLocalConsolePassword":{"id":"storagegateway:SetLocalConsolePassword","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"storagegateway:SetSMBGuestPassword":{"id":"storagegateway:SetSMBGuestPassword","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"storagegateway:UpdateChapCredentials":{"id":"storagegateway:UpdateChapCredentials","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"sts:AssumeRole":{"id":"sts:AssumeRole","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"sts:AssumeRoleWithSAML":{"id":"sts:AssumeRoleWithSAML","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"sts:AssumeRoleWithWebIdentity":{"id":"sts:AssumeRoleWithWebIdentity","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"sts:GetFederationToken":{"id":"sts:GetFederationToken","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"sts:GetSessionToken":{"id":"sts:GetSessionToken","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"support:DescribeAttachment":{"id":"support:DescribeAttachment","name":"support","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/support"],"seeAlso":[]},"support:DescribeCommunications":{"id":"support:DescribeCommunications","name":"support","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/support"],"seeAlso":[]},"waf-regional:DeletePermissionPolicy":{"id":"waf-regional:DeletePermissionPolicy","name":"waf-regional","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf-regional"],"seeAlso":[]},"waf-regional:GetChangeToken":{"id":"waf-regional:GetChangeToken","name":"waf-regional","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf-regional"],"seeAlso":[]},"waf-regional:PutPermissionPolicy":{"id":"waf-regional:PutPermissionPolicy","name":"waf-regional","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf-regional"],"seeAlso":[]},"waf:DeletePermissionPolicy":{"id":"waf:DeletePermissionPolicy","name":"waf","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf"],"seeAlso":[]},"waf:GetChangeToken":{"id":"waf:GetChangeToken","name":"waf","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf"],"seeAlso":[]},"waf:PutPermissionPolicy":{"id":"waf:PutPermissionPolicy","name":"waf","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf"],"seeAlso":[]},"wafv2:CreateWebACL":{"id":"wafv2:CreateWebACL","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"wafv2:DeletePermissionPolicy":{"id":"wafv2:DeletePermissionPolicy","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"wafv2:DeleteWebACL":{"id":"wafv2:DeleteWebACL","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"wafv2:PutPermissionPolicy":{"id":"wafv2:PutPermissionPolicy","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"wafv2:UpdateWebACL":{"id":"wafv2:UpdateWebACL","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"workdocs:GetDocument":{"id":"workdocs:GetDocument","name":"workdocs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workdocs"],"seeAlso":[]},"workdocs:GetDocumentPath":{"id":"workdocs:GetDocumentPath","name":"workdocs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workdocs"],"seeAlso":[]},"workdocs:GetDocumentVersion":{"id":"workdocs:GetDocumentVersion","name":"workdocs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workdocs"],"seeAlso":[]},"worklink:UpdateDevicePolicyConfiguration":{"id":"worklink:UpdateDevicePolicyConfiguration","name":"worklink","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/worklink"],"seeAlso":[]},"workmail:ListGroupMembers":{"id":"workmail:ListGroupMembers","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"workmail:ListGroups":{"id":"workmail:ListGroups","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"workmail:ListUsers":{"id":"workmail:ListUsers","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"workmail:ResetPassword":{"id":"workmail:ResetPassword","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"workmail:ResetUserPassword":{"id":"workmail:ResetUserPassword","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"xray:PutEncryptionConfig":{"id":"xray:PutEncryptionConfig","name":"xray","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/xray"],"seeAlso":[]}},"azure":{"Microsoft.ApiManagement/service/Tenants/keys/regeneratePrimaryKey/action":{"id":"Microsoft.ApiManagement/service/Tenants/keys/regeneratePrimaryKey/action","name":"API Management tenant access keys","scope":"CRITICAL","parent":{"notes":"These keys grant broad management-plane access to a single APIM service instance; possession is equivalent to administrative control of the gateway. The /read action exposes the listSecrets path, which returns the live key values.","description":"The API Management tenant access keys (primary/secondary) authenticate direct access to the service's legacy Management REST endpoint and the Git configuration repository, which control the entire APIM service configuration (APIs, policies, named values)."},"risks":["impact:access","persistence:account"],"notes":"Regenerating the primary key invalidates the existing credential, denying access to legitimate key holders and tooling, while replacing it with a fresh value the attacker controls for persistent management access. The REST operation returns 204 No Content, so it does not itself disclose the new key (separate listSecrets call required).","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/Tenants/keys/regenerateSecondaryKey/action":{"id":"Microsoft.ApiManagement/service/Tenants/keys/regenerateSecondaryKey/action","name":"API Management tenant access keys","scope":"CRITICAL","parent":{"notes":"These keys grant broad management-plane access to a single APIM service instance; possession is equivalent to administrative control of the gateway. The /read action exposes the listSecrets path, which returns the live key values.","description":"The API Management tenant access keys (primary/secondary) authenticate direct access to the service's legacy Management REST endpoint and the Git configuration repository, which control the entire APIM service configuration (APIs, policies, named values)."},"risks":["impact:access","persistence:account"],"notes":"Regenerating the secondary key invalidates the existing secondary credential (denying clients relying on it) and mints a new attacker-controllable value for persistent management access. The REST operation returns 204 No Content and does not disclose the new key.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/Tenants/keys/delete":{"id":"Microsoft.ApiManagement/service/Tenants/keys/delete","name":"API Management tenant access keys","scope":"CRITICAL","parent":{"notes":"These keys grant broad management-plane access to a single APIM service instance; possession is equivalent to administrative control of the gateway. The /read action exposes the listSecrets path, which returns the live key values.","description":"The API Management tenant access keys (primary/secondary) authenticate direct access to the service's legacy Management REST endpoint and the Git configuration repository, which control the entire APIM service configuration (APIs, policies, named values)."},"risks":["destruction:crypto","impact:access"],"notes":"Deleting the tenant access key destroys credential material and revokes the management/Git access path that legitimate operators and automation rely on.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/Tenants/keys/read":{"id":"Microsoft.ApiManagement/service/Tenants/keys/read","name":"API Management tenant access keys","scope":"CRITICAL","parent":{"notes":"These keys grant broad management-plane access to a single APIM service instance; possession is equivalent to administrative control of the gateway. The /read action exposes the listSecrets path, which returns the live key values.","description":"The API Management tenant access keys (primary/secondary) authenticate direct access to the service's legacy Management REST endpoint and the Git configuration repository, which control the entire APIM service configuration (APIs, policies, named values)."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"The control-plane read covers the listSecrets POST, which returns the live primaryKey/secondaryKey values (confirmed by the AccessInformationSecretsContract schema); these credentials let an attacker authenticate to the APIM Management/Git endpoint and move laterally into service administration.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/Tenants/keys/write":{"id":"Microsoft.ApiManagement/service/Tenants/keys/write","name":"API Management tenant access keys","scope":"CRITICAL","parent":{"notes":"These keys grant broad management-plane access to a single APIM service instance; possession is equivalent to administrative control of the gateway. The /read action exposes the listSecrets path, which returns the live key values.","description":"The API Management tenant access keys (primary/secondary) authenticate direct access to the service's legacy Management REST endpoint and the Git configuration repository, which control the entire APIM service configuration (APIs, policies, named values)."},"risks":["persistence:account","impact:manipulation"],"notes":"Create/update/renew lets an attacker set or rotate the tenant access key to a value they control, planting durable management-plane credentials and altering the service's authentication configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/apis/Operations/Policies/delete":{"id":"Microsoft.ApiManagement/service/apis/Operations/Policies/delete","name":"API Management API operation policies","scope":"HIGH","parent":{"notes":"APIM operation policy XML acts as the gateway's enforcement layer and frequently references or embeds secret material (named-value references, authorization headers, backend credentials, tokens).","description":"The policy configuration (XML) applied at the API operation level on an Azure API Management gateway, controlling inbound/outbound request processing such as authentication, authorization, rate limiting, IP filtering, and backend routing."},"risks":["destruction:defense","impact:manipulation"],"notes":"Deleting an operation policy removes the enforced controls (auth validation, rate limiting, IP restrictions) protecting that endpoint, disabling defenses and altering how requests are processed.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/apis/Operations/Policies/read":{"id":"Microsoft.ApiManagement/service/apis/Operations/Policies/read","name":"API Management API operation policies","scope":"HIGH","parent":{"notes":"APIM operation policy XML acts as the gateway's enforcement layer and frequently references or embeds secret material (named-value references, authorization headers, backend credentials, tokens).","description":"The policy configuration (XML) applied at the API operation level on an Azure API Management gateway, controlling inbound/outbound request processing such as authentication, authorization, rate limiting, IP filtering, and backend routing."},"risks":["discovery:policy","exfiltration:crypto"],"notes":"Reading operation-level policy XML reveals the gateway's enforcement controls (auth, rate limits, IP filters) for reconnaissance of weak points, and the policy XML can disclose embedded secrets/credentials (named values, authorization headers, tokens).","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/apis/Operations/Policies/write":{"id":"Microsoft.ApiManagement/service/apis/Operations/Policies/write","name":"API Management API operation policies","scope":"HIGH","parent":{"notes":"APIM operation policy XML acts as the gateway's enforcement layer and frequently references or embeds secret material (named-value references, authorization headers, backend credentials, tokens).","description":"The policy configuration (XML) applied at the API operation level on an Azure API Management gateway, controlling inbound/outbound request processing such as authentication, authorization, rate limiting, IP filtering, and backend routing."},"risks":["destruction:defense","impact:manipulation"],"notes":"Setting an operation policy lets an attacker strip authentication/IP-filtering/rate-limit enforcement and rewrite request/response handling to reroute backend traffic, both disabling defenses and manipulating gateway behavior.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/apis/Policies/delete":{"id":"Microsoft.ApiManagement/service/apis/Policies/delete","name":"API policies configuration","scope":"HIGH","parent":{"notes":"Policy XML is the gateway's security and routing enforcement layer; it may reference named-values/secrets but read access returns those as references rather than decrypted secret material.","description":"The API-level policy configuration (XML) in Azure API Management defines the gateway's request/response processing for an API: authentication (validate-jwt), authorization, IP filtering, rate limiting, caching, and backend routing/transformation."},"risks":["destruction:defense","impact:manipulation"],"notes":"Deleting the API policy strips whatever protections it enforced (authentication, authorization, IP filtering, rate limiting), weakening the gateway's defenses and reverting/altering how requests are processed.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/apis/Policies/write":{"id":"Microsoft.ApiManagement/service/apis/Policies/write","name":"API policies configuration","scope":"HIGH","parent":{"notes":"Policy XML is the gateway's security and routing enforcement layer; it may reference named-values/secrets but read access returns those as references rather than decrypted secret material.","description":"The API-level policy configuration (XML) in Azure API Management defines the gateway's request/response processing for an API: authentication (validate-jwt), authorization, IP filtering, rate limiting, caching, and backend routing/transformation."},"risks":["impact:manipulation","destruction:defense","exfiltration:data"],"notes":"Writing the API policy lets an attacker disable JWT/subscription-key/IP/rate-limit validation, reroute traffic to an attacker backend, and inject log-to-eventhub/send-request policies to capture or forward request/response bodies.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/authorizationProviders/authorizations/confirmConsentCode/action":{"id":"Microsoft.ApiManagement/service/authorizationProviders/authorizations/confirmConsentCode/action","name":"API Management credential-manager authorization (connection)","scope":"HIGH","parent":{"notes":"The stored tokens are encrypted and write-only: they are never returned by read/list APIs and are usable only at runtime through the get-authorization-context policy. Read operations expose only connection metadata/status.","description":"An Authorization (connection) is a stored credential-manager record holding the OAuth access/refresh tokens (or client-credential secret) that APIM uses to call an OAuth-protected backend identity on the caller's behalf."},"risks":["escalation:lateral","persistence:account"],"notes":"Confirming the consent code completes the OAuth flow and persists the access/refresh tokens into the connection, binding a backend identity's credentials that APIM can subsequently use, granting durable lateral access to that backend.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/authorizationProviders/authorizations/permission/delete":{"id":"Microsoft.ApiManagement/service/authorizationProviders/authorizations/permission/delete","name":"APIM Credential Manager authorization permission","scope":"HIGH","parent":{"notes":"Permissions govern who may leverage stored third-party OAuth credentials/connections through the gateway; manipulating them controls access to those backing credentials.","description":"An access-control grant on an API Management Credential Manager authorization, specifying which Azure AD principals or managed identities are permitted to use a stored OAuth credential/connection."},"risks":["destruction:policy","impact:access"],"notes":"Deleting an authorization permission removes an access-control grant on a stored credential, destroying policy data and revoking other principals' authorized use of the connection.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/authorizationProviders/authorizations/permission/write":{"id":"Microsoft.ApiManagement/service/authorizationProviders/authorizations/permission/write","name":"APIM Credential Manager authorization permission","scope":"HIGH","parent":{"notes":"Permissions govern who may leverage stored third-party OAuth credentials/connections through the gateway; manipulating them controls access to those backing credentials.","description":"An access-control grant on an API Management Credential Manager authorization, specifying which Azure AD principals or managed identities are permitted to use a stored OAuth credential/connection."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Creating a permission grants a chosen principal the right to use a stored OAuth credential/connection, adding privileges to a controlled identity and enabling lateral movement to the backend the credential authorizes.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/authorizationProviders/authorizations/delete":{"id":"Microsoft.ApiManagement/service/authorizationProviders/authorizations/delete","name":"API Management credential-manager authorization (connection)","scope":"HIGH","parent":{"notes":"The stored tokens are encrypted and write-only: they are never returned by read/list APIs and are usable only at runtime through the get-authorization-context policy. Read operations expose only connection metadata/status.","description":"An Authorization (connection) is a stored credential-manager record holding the OAuth access/refresh tokens (or client-credential secret) that APIM uses to call an OAuth-protected backend identity on the caller's behalf."},"risks":["destruction:crypto","impact:access"],"notes":"Deleting an authorization destroys the stored OAuth token/credential connection and breaks the backend access that dependent APIs rely on, denying authorized operation.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/authorizationProviders/authorizations/write":{"id":"Microsoft.ApiManagement/service/authorizationProviders/authorizations/write","name":"API Management credential-manager authorization (connection)","scope":"HIGH","parent":{"notes":"The stored tokens are encrypted and write-only: they are never returned by read/list APIs and are usable only at runtime through the get-authorization-context policy. Read operations expose only connection metadata/status.","description":"An Authorization (connection) is a stored credential-manager record holding the OAuth access/refresh tokens (or client-credential secret) that APIM uses to call an OAuth-protected backend identity on the caller's behalf."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"Creating an authorization establishes a stored OAuth credential/connection bound to a backend identity, giving the attacker a durable, attacker-provisioned credential connection that APIM policies can use to act as that identity (lateral movement to the backend).","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/authorizationProviders/delete":{"id":"Microsoft.ApiManagement/service/authorizationProviders/delete","name":"API Management credential-manager authorization provider","scope":"HIGH","parent":{"notes":"Provider configuration may reference a client secret, but read operations do not return secret material; the stored access/refresh tokens live in child Authorization records and are write-only (usable only at runtime via the get-authorization-context policy).","description":"An AuthorizationProvider (credential manager) defines an OAuth 2.0 credential-provider connection configuration (identity provider, client id, scopes, grant type) used by APIM to broker tokens to backend SaaS/OAuth APIs."},"risks":["destruction:infra"],"notes":"Deleting an authorization provider removes the credential-provider integration and cascades to delete all its child connections and access policies (confirmed by docs), breaking every API/policy that depends on it for backend authorization.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/authorizationProviders/write":{"id":"Microsoft.ApiManagement/service/authorizationProviders/write","name":"API Management credential-manager authorization provider","scope":"HIGH","parent":{"notes":"Provider configuration may reference a client secret, but read operations do not return secret material; the stored access/refresh tokens live in child Authorization records and are write-only (usable only at runtime via the get-authorization-context policy).","description":"An AuthorizationProvider (credential manager) defines an OAuth 2.0 credential-provider connection configuration (identity provider, client id, scopes, grant type) used by APIM to broker tokens to backend SaaS/OAuth APIs."},"risks":["impact:manipulation","persistence:account"],"notes":"Creating/updating an authorization provider lets an attacker wire up an attacker-controlled OAuth credential-provider configuration (client id/secret, identity provider) as a foothold for brokering token access to backends and altering integration config.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/authorizationServers/listSecrets/action":{"id":"Microsoft.ApiManagement/service/authorizationServers/listSecrets/action","name":"API Management OAuth authorization servers","scope":"CRITICAL","parent":{"notes":"This configuration governs API authentication for a single function; its stored client secret is a credential, but it is only returned by the dedicated listSecrets action, not by the standard read.","description":"An API Management OAuth authorization server is the control-plane configuration describing an OAuth 2.0 provider used to authorize APIs and the developer portal (token/authorization endpoints, grant types, scopes, client ID, and a stored client secret)."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the authorization server's secrets (client secret and resource-owner credentials), exporting reusable credential material an attacker can redeem to mint OAuth tokens and pivot into the OAuth-protected backends and identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/backends/listSecrets/action":{"id":"Microsoft.ApiManagement/service/backends/listSecrets/action","name":"API Management backends","scope":"CRITICAL","parent":{"notes":"Backends wire the gateway to internal/production services and can hold references to credential material; tampering redirects production API traffic.","description":"Backend entities in an Azure API Management service define the upstream services (URLs, protocols, connection and authorization configuration) that the API gateway proxies requests to."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the backend's stored secret material (authorization credentials/headers used to authenticate to the upstream), enabling credential export and reuse to access the backing services.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/backup/action":{"id":"Microsoft.ApiManagement/service/backup/action","name":"API Management service","scope":"HIGH","parent":{"notes":"The gateway sits on the public-facing path of an organizational function's APIs and can hold credential material (named values, certificates, subscription keys) and a managed identity; treat it as a single-function production service of HIGH sensitivity.","description":"An Azure API Management (APIM) service instance is a managed API gateway that fronts, secures, and routes traffic to a business function's backend APIs, holding gateway policies, named-value secrets, certificates, custom domains, and developer/subscription identities."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Backing up to an attacker-provided storage account exports the full service state including named-value secrets, certificates, and subscription keys (crypto) alongside policies and configuration data (data).","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/clientApplications/listSecrets/action":{"id":"Microsoft.ApiManagement/service/clientApplications/listSecrets/action","name":"API Management client applications","scope":"CRITICAL","parent":{"notes":"These registrations are credential-bearing application identities; their secrets grant authenticated API access.","description":"A client application is a registered OAuth application identity that consumes/authenticates to APIs published through API Management."},"risks":["exfiltration:crypto","takeover:account","escalation:lateral"],"notes":"This action returns the client application's secret credentials, allowing an attacker to export usable credential material and impersonate the application to authenticate to protected APIs.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/clientApplications/delete":{"id":"Microsoft.ApiManagement/service/clientApplications/delete","name":"API Management client applications","scope":"HIGH","parent":{"notes":"These registrations are credential-bearing application identities; their secrets grant authenticated API access.","description":"A client application is a registered OAuth application identity that consumes/authenticates to APIs published through API Management."},"risks":["destruction:account","impact:access"],"notes":"Deleting a client application removes a registered application identity (destruction:account) and revokes a legitimate consumer's authorized API access (impact:access).","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/clientApplications/write":{"id":"Microsoft.ApiManagement/service/clientApplications/write","name":"API Management client applications","scope":"HIGH","parent":{"notes":"These registrations are credential-bearing application identities; their secrets grant authenticated API access.","description":"A client application is a registered OAuth application identity that consumes/authenticates to APIs published through API Management."},"risks":["persistence:account","impact:manipulation"],"notes":"Registering or updating a client application creates/modifies a credential-bearing application identity, enabling attacker-controlled persistent API access and tampering with app trust/config.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/generateToken/action":{"id":"Microsoft.ApiManagement/service/gateways/generateToken/action","name":"API Management self-hosted gateways","scope":"CRITICAL","parent":{"notes":"Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.","description":"A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Issues a Shared Access Authorization Token for the gateway, returning a directly usable bearer credential that lets an attacker authenticate as the gateway and intercept or route its traffic.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/getConfiguration/action":{"id":"Microsoft.ApiManagement/service/gateways/getConfiguration/action","name":"API Management self-hosted gateways","scope":"CRITICAL","parent":{"notes":"Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.","description":"A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Data action that fetches the full self-hosted gateway configuration, exporting API definitions and policies (sensitive operational data) along with embedded named-value secrets, backend credentials, and certificates.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/hostnameConfigurations/delete":{"id":"Microsoft.ApiManagement/service/gateways/hostnameConfigurations/delete","name":"Gateway hostname configurations","scope":"HIGH","parent":{"notes":"Controls public-facing domain routing for a single API gateway; writes can hijack traffic on a domain.","description":"Custom hostname (domain) bindings attached to an API Management self-hosted/gateway resource, defining the network-facing endpoints and associated certificates through which the gateway serves APIs."},"risks":["destruction:network","impact:dos"],"notes":"Removes the gateway's hostname/endpoint binding, breaking client connectivity to APIs served on that domain (denial of service).","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/hostnameConfigurations/write":{"id":"Microsoft.ApiManagement/service/gateways/hostnameConfigurations/write","name":"Gateway hostname configurations","scope":"HIGH","parent":{"notes":"Controls public-facing domain routing for a single API gateway; writes can hijack traffic on a domain.","description":"Custom hostname (domain) bindings attached to an API Management self-hosted/gateway resource, defining the network-facing endpoints and associated certificates through which the gateway serves APIs."},"risks":["takeover:domain","impact:manipulation"],"notes":"Binds a custom domain/hostname (and certificate) to the gateway, letting an attacker route traffic for that domain through the gateway and alter the public-facing endpoint configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/keys/action":{"id":"Microsoft.ApiManagement/service/gateways/keys/action","name":"API Management self-hosted gateways","scope":"CRITICAL","parent":{"notes":"Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.","description":"A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Alias of listKeys that retrieves the gateway keys (credential material), enabling token generation and authentication as the gateway for impersonation and lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/listDebugCredentials/action":{"id":"Microsoft.ApiManagement/service/gateways/listDebugCredentials/action","name":"API Management self-hosted gateways","scope":"HIGH","parent":{"notes":"Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.","description":"A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Despite the 'list' name, this issues new debug credentials, returning credential material that grants privileged access to trace and inspect live request/response traffic through the gateway.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/listKeys/action":{"id":"Microsoft.ApiManagement/service/gateways/listKeys/action","name":"API Management self-hosted gateways","scope":"CRITICAL","parent":{"notes":"Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.","description":"A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Retrieves the gateway's primary/secondary keys, returning credential material usable to mint SAS tokens and authenticate as the gateway, enabling impersonation and lateral access to its traffic.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/listTrace/action":{"id":"Microsoft.ApiManagement/service/gateways/listTrace/action","name":"API Management self-hosted gateways","scope":"HIGH","parent":{"notes":"Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.","description":"A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure."},"risks":["exfiltration:data"],"notes":"Lists trace data collected by the gateway, exposing captured request/response payloads, headers, and tokens flowing through the API surface.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/gateways/token/action":{"id":"Microsoft.ApiManagement/service/gateways/token/action","name":"API Management self-hosted gateways","scope":"CRITICAL","parent":{"notes":"Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.","description":"A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Alias of generateToken that returns the gateway's Shared Access Authorization Token, a usable bearer credential enabling impersonation and lateral movement as the gateway.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/getssotoken/action":{"id":"Microsoft.ApiManagement/service/getssotoken/action","name":"API Management service","scope":"CRITICAL","parent":{"notes":"The gateway sits on the public-facing path of an organizational function's APIs and can hold credential material (named values, certificates, subscription keys) and a managed identity; treat it as a single-function production service of HIGH sensitivity.","description":"An Azure API Management (APIM) service instance is a managed API gateway that fronts, secures, and routes traffic to a business function's backend APIs, holding gateway policies, named-value secrets, certificates, custom domains, and developer/subscription identities."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns an SSO token that logs into the APIM legacy portal as an administrator, exporting reusable credential material (crypto) that yields administrative session access to the gateway (lateral).","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/groups/users/delete":{"id":"Microsoft.ApiManagement/service/groups/users/delete","name":"APIM group users","scope":"MEDIUM","parent":{"notes":"Group membership governs which products/APIs a developer-portal account can see and subscribe to, so it functions as an access-control grouping within the APIM instance.","description":"The membership association between API Management developer-portal groups and user accounts; groups gate visibility of and access to API products."},"risks":["impact:access"],"notes":"Removing a user from a group revokes that account's group-derived product/API access, denying authorized operational access.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/groups/users/write":{"id":"Microsoft.ApiManagement/service/groups/users/write","name":"APIM group users","scope":"MEDIUM","parent":{"notes":"Group membership governs which products/APIs a developer-portal account can see and subscribe to, so it functions as an access-control grouping within the APIM instance.","description":"The membership association between API Management developer-portal groups and user accounts; groups gate visibility of and access to API products."},"risks":["escalation:privilege"],"notes":"Adding a controlled user to a group grants that account the product/API access tied to the group, escalating its effective privileges in the developer portal.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/groups/delete":{"id":"Microsoft.ApiManagement/service/groups/delete","name":"API Management groups","scope":"MEDIUM","parent":{"notes":"Groups are the access-control grouping layer of the developer-facing surface; manipulating them changes who can access which APIs/products.","description":"API Management groups are authorization constructs that bind users/developers to product and API access; group membership governs which products and APIs a developer can subscribe to and use."},"risks":["destruction:policy","impact:access"],"notes":"Deletes a group used for product/API authorization, destroying the access-control grouping and revoking legitimate members' access to the products/APIs they relied on.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/groups/write":{"id":"Microsoft.ApiManagement/service/groups/write","name":"API Management groups","scope":"MEDIUM","parent":{"notes":"Groups are the access-control grouping layer of the developer-facing surface; manipulating them changes who can access which APIs/products.","description":"API Management groups are authorization constructs that bind users/developers to product and API access; group membership governs which products and APIs a developer can subscribe to and use."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Creates or updates groups that gate user access to products/APIs, letting an attacker grant broader API access by altering the authorization grouping (escalation) and manipulate the access-control configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/identityProviders/listSecrets/action":{"id":"Microsoft.ApiManagement/service/identityProviders/listSecrets/action","name":"APIM identity providers","scope":"CRITICAL","parent":{"notes":"These configurations govern who can authenticate to the API Management portal and management surface; their secrets are usable IdP credentials.","description":"Identity provider configurations for an Azure API Management service, defining the external/federated authentication sources (AAD, OAuth, social logins) used to authenticate to the developer portal."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the IdP client secrets (OAuth/AAD app credentials), letting an attacker export usable credential material and impersonate the federated identity integration to pivot.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/identityProviders/delete":{"id":"Microsoft.ApiManagement/service/identityProviders/delete","name":"APIM identity providers","scope":"HIGH","parent":{"notes":"These configurations govern who can authenticate to the API Management portal and management surface; their secrets are usable IdP credentials.","description":"Identity provider configurations for an Azure API Management service, defining the external/federated authentication sources (AAD, OAuth, social logins) used to authenticate to the developer portal."},"risks":["destruction:defense","impact:access"],"notes":"Deleting an IdP configuration removes an authentication mechanism, disabling a defense and denying legitimate users their configured sign-in path.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/identityProviders/write":{"id":"Microsoft.ApiManagement/service/identityProviders/write","name":"APIM identity providers","scope":"HIGH","parent":{"notes":"These configurations govern who can authenticate to the API Management portal and management surface; their secrets are usable IdP credentials.","description":"Identity provider configurations for an Azure API Management service, defining the external/federated authentication sources (AAD, OAuth, social logins) used to authenticate to the developer portal."},"risks":["impact:manipulation","destruction:defense","escalation:privilege"],"notes":"Creating/updating an IdP lets an attacker redirect authentication to an attacker-controlled IdP or add a trusted source, manipulating and weakening the auth mechanism and admitting attacker-controlled identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/namedValues/listValue/action":{"id":"Microsoft.ApiManagement/service/namedValues/listValue/action","name":"API Management named values","scope":"CRITICAL","parent":{"notes":"May hold or reference credentials and backend URLs; secret-flagged values are masked on GET and require the listValue action to reveal.","description":"Named values are key/value constants (some flagged secret or backed by Key Vault) referenced across all API configurations and policies in an API Management instance."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the plaintext secret of a named value, which commonly stores backend credentials, keys, or connection strings used in policies, enabling credential exfiltration and lateral access to backends.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/openidConnectProviders/listSecrets/action":{"id":"Microsoft.ApiManagement/service/openidConnectProviders/listSecrets/action","name":"API Management OpenID Connect providers","scope":"CRITICAL","parent":{"notes":"Authentication/authorization configuration that gates API access; the associated client secret is a credential.","description":"OpenID Connect identity provider registrations used by API Management to authenticate API consumers and the developer portal. They define the auth trust (issuer, client ID) and hold a client secret."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the OIDC provider client secret, exporting credential material that can be reused to impersonate the API Management relying party against the configured identity provider and move laterally into that trust relationship.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/portalConfigs/listDelegationSecrets/action":{"id":"Microsoft.ApiManagement/service/portalConfigs/listDelegationSecrets/action","name":"APIM developer portal config","scope":"CRITICAL","parent":{"notes":"The developer portal is an externally visible asset; its config controls public access and delegated-authentication behavior.","description":"Configuration of the API Management developer portal (a public-facing site), including sign-in/sign-up, delegation, CORS, and CSP settings."},"risks":["exfiltration:crypto"],"notes":"Returns the portal delegation validation (signing) key, cryptographic credential material an attacker can use to forge valid delegation sign-in/subscription requests and impersonate portal users.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/portalConfigs/listMediaContentSecrets/action":{"id":"Microsoft.ApiManagement/service/portalConfigs/listMediaContentSecrets/action","name":"APIM developer portal config","scope":"CRITICAL","parent":{"notes":"The developer portal is an externally visible asset; its config controls public access and delegated-authentication behavior.","description":"Configuration of the API Management developer portal (a public-facing site), including sign-in/sign-up, delegation, CORS, and CSP settings."},"risks":["exfiltration:crypto"],"notes":"Returns the media content blob container URI including its SAS token, credential material granting direct out-of-band read/write access to the portal's backing storage container.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/portalSettings/listSecrets/action":{"id":"Microsoft.ApiManagement/service/portalSettings/listSecrets/action","name":"APIM portal settings","scope":"CRITICAL","parent":{"notes":"These settings shape portal authentication and user-onboarding flows; the delegation validation key is a signing secret.","description":"Developer portal settings for an Azure API Management service, controlling sign-in, sign-up, and delegation behavior of the portal."},"risks":["exfiltration:crypto"],"notes":"Returns the portal delegation validation key (a signing secret), enabling an attacker to forge trusted delegated sign-in/sign-up requests.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/products/groups/delete":{"id":"Microsoft.ApiManagement/service/products/groups/delete","name":"APIM product developer-group associations","scope":"MEDIUM","parent":{"notes":"This is developer-portal visibility/subscription gating, not Azure RBAC; it governs which API consumers can reach a product through the gateway.","description":"The set of APIM developer groups associated with a product, controlling which groups of developer-portal users can view and subscribe to the product's APIs."},"risks":["impact:access"],"notes":"Removing a group's association revokes that group's developers' authorized visibility/subscription access to the product's APIs, denying legitimate consumers.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/products/groups/write":{"id":"Microsoft.ApiManagement/service/products/groups/write","name":"APIM product developer-group associations","scope":"MEDIUM","parent":{"notes":"This is developer-portal visibility/subscription gating, not Azure RBAC; it governs which API consumers can reach a product through the gateway.","description":"The set of APIM developer groups associated with a product, controlling which groups of developer-portal users can view and subscribe to the product's APIs."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Associating a group with a product broadens which developers can see and subscribe to the product's APIs, expanding access entitlements and altering the access-control configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/properties/listSecrets/action":{"id":"Microsoft.ApiManagement/service/properties/listSecrets/action","name":"API Management named values (properties)","scope":"CRITICAL","parent":{"notes":"Secret-typed named values commonly store API keys, connection strings, and backend credentials; control-plane reads mask secret values (a separate listSecrets action returns them).","description":"Named values (properties) in an Azure API Management service are constant string values referenced across all API configurations and policies; they may be plain or secret-typed."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the cleartext secret value of a named value, which commonly holds API keys, connection strings, or backend credentials, enabling credential exfiltration and reuse against the systems those secrets authenticate to.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/subscriptions/listSecrets/action":{"id":"Microsoft.ApiManagement/service/subscriptions/listSecrets/action","name":"APIM product subscriptions","scope":"CRITICAL","parent":{"notes":"Subscription keys are bearer credentials granting authorized access to backend APIs; the subscription entity itself (without keys) is access-grant configuration.","description":"APIM product subscriptions, which bind a user/principal to a product and carry the primary/secondary subscription keys used to authenticate calls to the product's APIs through the gateway."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the subscription's primary and secondary keys — bearer credentials an attacker can replay to authenticate to and invoke the product's protected backend APIs as the subscriber.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/subscriptions/delete":{"id":"Microsoft.ApiManagement/service/subscriptions/delete","name":"APIM product subscriptions","scope":"HIGH","parent":{"notes":"Subscription keys are bearer credentials granting authorized access to backend APIs; the subscription entity itself (without keys) is access-grant configuration.","description":"APIM product subscriptions, which bind a user/principal to a product and carry the primary/secondary subscription keys used to authenticate calls to the product's APIs through the gateway."},"risks":["impact:access","impact:dos"],"notes":"Deleting a subscription immediately revokes the associated keys, cutting off legitimate consumers' authorized access to the product's APIs and disrupting dependent integrations.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/subscriptions/write":{"id":"Microsoft.ApiManagement/service/subscriptions/write","name":"APIM product subscriptions","scope":"HIGH","parent":{"notes":"Subscription keys are bearer credentials granting authorized access to backend APIs; the subscription entity itself (without keys) is access-grant configuration.","description":"APIM product subscriptions, which bind a user/principal to a product and carry the primary/secondary subscription keys used to authenticate calls to the product's APIs through the gateway."},"risks":["escalation:privilege","persistence:account","impact:manipulation"],"notes":"Creating/updating a subscription provisions a keyed access credential for a chosen user to a product, granting (and persisting) authorized access to the product's protected APIs and altering subscription state.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/tenant/listSecrets/action":{"id":"Microsoft.ApiManagement/service/tenant/listSecrets/action","name":"API Management tenant settings","scope":"CRITICAL","parent":{"notes":"Controls that govern every API in the service instance; the tenant access keys themselves are credential material that grant administrative access to the configuration repository.","description":"The tenant resource of an Azure API Management service represents service-wide configuration: the global (tenant) policy applied to all API traffic, tenant access (git/management) settings, and the configuration git repository used to manage the whole service."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns tenant access information including the primary/secondary access keys used to authenticate to the management/git configuration endpoint, exporting credential material that grants administrative access to the entire service configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/toolServers/listSecrets/action":{"id":"Microsoft.ApiManagement/service/toolServers/listSecrets/action","name":"API Management tool servers","scope":"CRITICAL","parent":{"notes":"The configuration holds backend credential material (header values, OAuth2 client secrets, OpenAPI spec), but secret values are exposed only via the separate listSecrets action.","description":"Tool server registrations on an Azure API Management AI gateway that define backend MCP/tool integrations (endpoints, namespaces, header/OAuth2 configuration) the gateway brokers for agent tool calls."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Per its description this action explicitly returns the secret subtrees (header values, oauth2.clientSecret, OpenAPI spec content) for every endpoint, exporting reusable credential material an attacker can replay to authenticate to the backend tool servers as the gateway.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/updatehostname/action":{"id":"Microsoft.ApiManagement/service/updatehostname/action","name":"API Management service","scope":"HIGH","parent":{"notes":"The gateway sits on the public-facing path of an organizational function's APIs and can hold credential material (named values, certificates, subscription keys) and a managed identity; treat it as a single-function production service of HIGH sensitivity.","description":"An Azure API Management (APIM) service instance is a managed API gateway that fronts, secures, and routes traffic to a business function's backend APIs, holding gateway policies, named-value secrets, certificates, custom domains, and developer/subscription identities."},"risks":["takeover:domain","impact:defacement"],"notes":"Setting/updating/removing custom domain names rebinds which domain routes to the gateway, enabling domain takeover and alteration of the public-facing API endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/users/generateSsoUrl/action":{"id":"Microsoft.ApiManagement/service/users/generateSsoUrl/action","name":"APIM user accounts","scope":"HIGH","parent":{"notes":"User records include identifying attributes (name, email, state) and gate developer-portal access; they are identities but scoped to the APIM developer portal, not Azure RBAC.","description":"Registered developer-portal user accounts within an API Management service instance, identifying developers who consume the published APIs."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns a redirection URL embedding an authentication token that signs the caller into the developer portal AS the target user, yielding usable credential material and account takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/users/keys/read":{"id":"Microsoft.ApiManagement/service/users/keys/read","name":"API Management user subscription keys","scope":"CRITICAL","parent":{"notes":"These are live, reusable credentials; possession grants the user's authenticated access to the published APIs.","description":"The subscription/API access keys (primary and secondary) associated with an API Management developer/user identity. These keys authenticate API calls made as that user."},"risks":["exfiltration:crypto","takeover:account","escalation:lateral"],"notes":"Returns the user's subscription keys (credential material), enabling credential exfiltration and impersonation of that user's authenticated API access.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/users/token/action":{"id":"Microsoft.ApiManagement/service/users/token/action","name":"APIM user accounts","scope":"HIGH","parent":{"notes":"User records include identifying attributes (name, email, state) and gate developer-portal access; they are identities but scoped to the APIM developer portal, not Azure RBAC.","description":"Registered developer-portal user accounts within an API Management service instance, identifying developers who consume the published APIs."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns a Shared Access Authorization Token for the user, exporting credential material that authenticates as that identity, enabling impersonation/account takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/users/action":{"id":"Microsoft.ApiManagement/service/users/action","name":"API Management user accounts","scope":"MEDIUM","parent":{"notes":"User accounts can be used to obtain/manage subscriptions and subscription keys for APIs published through the APIM instance.","description":"A developer-portal user account record in an Azure API Management (APIM) service instance."},"risks":["persistence:account"],"notes":"Registering a new developer-portal user creates an attacker-controlled account that can maintain access to the API surface and obtain subscription keys for protected APIs.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/users/delete":{"id":"Microsoft.ApiManagement/service/users/delete","name":"API Management user accounts","scope":"MEDIUM","parent":{"notes":"User accounts can be used to obtain/manage subscriptions and subscription keys for APIs published through the APIM instance.","description":"A developer-portal user account record in an Azure API Management (APIM) service instance."},"risks":["destruction:account"],"notes":"Deletes a developer-portal user account, removing the identity from the API Management instance.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/users/write":{"id":"Microsoft.ApiManagement/service/users/write","name":"API Management user accounts","scope":"MEDIUM","parent":{"notes":"User accounts can be used to obtain/manage subscriptions and subscription keys for APIs published through the APIM instance.","description":"A developer-portal user account record in an Azure API Management (APIM) service instance."},"risks":["persistence:account","impact:manipulation"],"notes":"Creates or updates a developer-portal user, letting an attacker register a controlled account for persistent access and alter existing user records/state.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/apis/Operations/Policies/delete":{"id":"Microsoft.ApiManagement/service/workspaces/apis/Operations/Policies/delete","name":"API operation policies configuration","scope":"HIGH","parent":{"notes":"APIM policies are the gateway's security and traffic-control enforcement layer for an endpoint; they are processing policies, not Azure IAM/RBAC.","description":"The policy configuration (XML pipeline of inbound/backend/outbound rules) applied at a single API operation, controlling authentication, authorization, IP filtering, rate limiting, request/response transformation, and backend routing."},"risks":["destruction:defense","impact:manipulation"],"notes":"Deleting the operation policy strips its enforced security controls (auth, IP filtering, rate limiting, validation) and reverts request handling to default, weakening defenses and altering operational behavior at that endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/apis/Operations/Policies/write":{"id":"Microsoft.ApiManagement/service/workspaces/apis/Operations/Policies/write","name":"API operation policies configuration","scope":"HIGH","parent":{"notes":"APIM policies are the gateway's security and traffic-control enforcement layer for an endpoint; they are processing policies, not Azure IAM/RBAC.","description":"The policy configuration (XML pipeline of inbound/backend/outbound rules) applied at a single API operation, controlling authentication, authorization, IP filtering, rate limiting, request/response transformation, and backend routing."},"risks":["destruction:defense","impact:manipulation","exfiltration:data"],"notes":"Setting the operation policy lets an attacker disable auth/JWT-validation/IP-filter/rate-limit defenses, rewrite request/response handling and backend routing, and inject log-to/send-request directives that mirror request and response data through the gateway to an attacker-controlled sink.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/apis/Policies/delete":{"id":"Microsoft.ApiManagement/service/workspaces/apis/Policies/delete","name":"API policies configuration","scope":"HIGH","parent":{"notes":"APIM policies are the gateway's security and traffic-control enforcement layer for an API; they are processing policies, not Azure IAM/RBAC.","description":"The policy configuration (XML pipeline of inbound/backend/outbound rules) applied at the whole API level, controlling authentication, authorization, IP filtering, rate limiting, request/response transformation, and backend routing for all of the API's operations."},"risks":["destruction:defense","impact:manipulation"],"notes":"Deleting the API-level policy strips the enforced security controls (auth, IP filtering, rate limiting, validation) protecting every operation of the API and reverts request handling to default, weakening defenses and altering operational behavior.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/apis/Policies/write":{"id":"Microsoft.ApiManagement/service/workspaces/apis/Policies/write","name":"API policies configuration","scope":"HIGH","parent":{"notes":"APIM policies are the gateway's security and traffic-control enforcement layer for an API; they are processing policies, not Azure IAM/RBAC.","description":"The policy configuration (XML pipeline of inbound/backend/outbound rules) applied at the whole API level, controlling authentication, authorization, IP filtering, rate limiting, request/response transformation, and backend routing for all of the API's operations."},"risks":["destruction:defense","impact:manipulation","exfiltration:data"],"notes":"Setting the API-level policy lets an attacker disable security controls (auth, JWT validation, IP filtering, rate limiting) across every operation, rewrite request handling and backend routing, and inject logging/forwarding that mirrors all traffic flowing through the API to an attacker sink.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/backends/listSecrets/action":{"id":"Microsoft.ApiManagement/service/workspaces/backends/listSecrets/action","name":"APIM workspace backend","scope":"CRITICAL","parent":{"notes":"Backends sit behind the gateway and often reference internal services and the credentials used to authenticate to them; controlling a backend lets an attacker influence proxied production traffic.","description":"An API Management workspace backend defines an upstream/target service (URL, protocol, credentials, TLS settings) that the API gateway proxies requests to."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the backend's stored secret material (credentials/authorization headers/connection secrets used to authenticate to the upstream service), enabling credential exfiltration and reuse to pivot laterally into the backing service.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/groups/users/delete":{"id":"Microsoft.ApiManagement/service/workspaces/groups/users/delete","name":"APIM workspace group users","scope":"MEDIUM","parent":{"notes":"These are API Management developer-portal authorization constructs, not Azure RBAC identities; their blast radius is scoped to API/product consumption within the APIM service.","description":"The membership linking developer-portal user accounts to an APIM workspace group; membership confers the group's product/API access on the user."},"risks":["impact:access"],"notes":"Removes a user from a group, revoking the product/API access that membership conferred and denying that developer their authorized access.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/groups/users/write":{"id":"Microsoft.ApiManagement/service/workspaces/groups/users/write","name":"APIM workspace group users","scope":"MEDIUM","parent":{"notes":"These are API Management developer-portal authorization constructs, not Azure RBAC identities; their blast radius is scoped to API/product consumption within the APIM service.","description":"The membership linking developer-portal user accounts to an APIM workspace group; membership confers the group's product/API access on the user."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Adds an existing user to a group, granting that (possibly attacker-controlled) developer account all the product/API access the group confers, escalating its effective privileges.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/namedValues/listValue/action":{"id":"Microsoft.ApiManagement/service/workspaces/namedValues/listValue/action","name":"API Management workspace named values","scope":"CRITICAL","parent":{"notes":"Secret-typed named values store credential material used by API policies; the actual secret is only returned by the dedicated listValue action, while read/list returns masked metadata.","description":"API Management named values are reusable key/value pairs (plain, secret, or Key Vault-referenced) consumed at runtime by gateway policies, commonly holding backend credentials, API keys, and connection strings."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the plaintext secret of a named value (backend credentials, API keys, connection strings), enabling credential exfiltration and lateral movement to the backends those credentials access.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/products/groupLinks/delete":{"id":"Microsoft.ApiManagement/service/workspaces/products/groupLinks/delete","name":"APIM Product-group links","scope":"MEDIUM","parent":{"notes":"These control developer-portal product visibility/subscription eligibility (an access-control-adjacent surface for a single API gateway function); they are not Azure RBAC/IAM role assignments.","description":"Product-group links are association records in an Azure API Management workspace that connect a product to developer-portal groups, governing which groups can see and subscribe to a product's APIs."},"risks":["impact:access"],"notes":"Deleting a product-group link revokes a developer group's authorized access to a product, denying legitimate consumers access to its APIs.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/products/groupLinks/write":{"id":"Microsoft.ApiManagement/service/workspaces/products/groupLinks/write","name":"APIM Product-group links","scope":"MEDIUM","parent":{"notes":"These control developer-portal product visibility/subscription eligibility (an access-control-adjacent surface for a single API gateway function); they are not Azure RBAC/IAM role assignments.","description":"Product-group links are association records in an Azure API Management workspace that connect a product to developer-portal groups, governing which groups can see and subscribe to a product's APIs."},"risks":["impact:manipulation","escalation:privilege"],"notes":"Creating a product-group link grants a developer group visibility and subscription access to a product's APIs, expanding which principals can consume the product and altering the access mapping.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/products/groups/delete":{"id":"Microsoft.ApiManagement/service/workspaces/products/groups/delete","name":"APIM workspace product-group associations","scope":"MEDIUM","parent":{"notes":"These are API Management developer-portal authorization constructs, not Azure RBAC identities; their blast radius is scoped to API/product consumption within the APIM service.","description":"The association binding APIM developer groups to a product within a workspace; membership in an associated group grants developers access to consume the product's APIs through the developer portal."},"risks":["impact:access","destruction:policy"],"notes":"Deleting the group-product association revokes API access for all members of that group and tears down an access-control binding, denying authorized developers their access.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/products/groups/write":{"id":"Microsoft.ApiManagement/service/workspaces/products/groups/write","name":"APIM workspace product-group associations","scope":"MEDIUM","parent":{"notes":"These are API Management developer-portal authorization constructs, not Azure RBAC identities; their blast radius is scoped to API/product consumption within the APIM service.","description":"The association binding APIM developer groups to a product within a workspace; membership in an associated group grants developers access to consume the product's APIs through the developer portal."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Associating a group with a product grants all of that group's members access to the product's APIs, broadening entitlements and altering the gateway access-control configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/subscriptions/listSecrets/action":{"id":"Microsoft.ApiManagement/service/workspaces/subscriptions/listSecrets/action","name":"APIM product subscriptions","scope":"CRITICAL","parent":{"notes":"Subscriptions are the access-grant + credential construct of the APIM gateway; the keys themselves are credentials, but the subscription entity (without keys) is access-mapping metadata.","description":"An API Management product subscription binds a user/principal to an API product and holds the gateway API keys that authorize calls to the product's published APIs."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the subscription's primary/secondary API keys, which are usable credentials that let an attacker invoke the product's protected backend APIs as the authorized subscriber.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/subscriptions/delete":{"id":"Microsoft.ApiManagement/service/workspaces/subscriptions/delete","name":"APIM product subscriptions","scope":"MEDIUM","parent":{"notes":"Subscriptions are the access-grant + credential construct of the APIM gateway; the keys themselves are credentials, but the subscription entity (without keys) is access-mapping metadata.","description":"An API Management product subscription binds a user/principal to an API product and holds the gateway API keys that authorize calls to the product's published APIs."},"risks":["impact:access"],"notes":"Deleting a subscription revokes a legitimate consumer's authorized access to the product's APIs, denying authorized operational access.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/subscriptions/write":{"id":"Microsoft.ApiManagement/service/workspaces/subscriptions/write","name":"APIM product subscriptions","scope":"HIGH","parent":{"notes":"Subscriptions are the access-grant + credential construct of the APIM gateway; the keys themselves are credentials, but the subscription entity (without keys) is access-mapping metadata.","description":"An API Management product subscription binds a user/principal to an API product and holds the gateway API keys that authorize calls to the product's published APIs."},"risks":["impact:manipulation","escalation:privilege"],"notes":"Creating a subscription grants a controlled user authorized access to a product's APIs (a fresh credential binding) and updates subscription state, expanding access without legitimate approval.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ApiManagement/service/workspaces/toolServers/listSecrets/action":{"id":"Microsoft.ApiManagement/service/workspaces/toolServers/listSecrets/action","name":"API Management AI gateway tool servers","scope":"CRITICAL","parent":{"notes":"Supporting AI-integration configuration scoped to a single gateway/workspace; sensitivity is MEDIUM at the control plane, but the resource backs the CRITICAL-tier listSecrets action that returns endpoint credentials.","description":"An API Management workspace tool server is a control-plane configuration object defining a backend tool integration (endpoints, headers, OAuth2/OpenAPI spec settings) that the AI gateway can invoke on behalf of agents."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the secret subtrees (endpoint header values, oauth2.clientSecret, and spec contentBase64) for each endpoint, exporting usable credential material that an attacker can reuse to authenticate to the connected tool/IdP backends and pivot to those identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ApiManagement","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/denyAssignments/delete":{"id":"Microsoft.Authorization/denyAssignments/delete","name":"Azure deny assignments","scope":"CRITICAL","parent":{"notes":"Deny assignments override role grants and are a tenant access-control control; creating/removing them reshapes who can do what across a scope.","description":"A deny assignment is an RBAC primitive that explicitly blocks specified principals from performing specified actions at a scope, overriding any Allow role assignments. Deny assignments are created by Azure (e.g. Blueprints/managed apps) and govern the access-control fabric."},"risks":["destruction:policy","escalation:privilege"],"notes":"Deleting a deny assignment removes an explicit-deny rule that was overriding Allow grants and blocking actions; lifting it unblocks the attacker's otherwise-denied actions, effectively escalating their access.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/denyAssignments/write":{"id":"Microsoft.Authorization/denyAssignments/write","name":"Azure deny assignments","scope":"CRITICAL","parent":{"notes":"Deny assignments override role grants and are a tenant access-control control; creating/removing them reshapes who can do what across a scope.","description":"A deny assignment is an RBAC primitive that explicitly blocks specified principals from performing specified actions at a scope, overriding any Allow role assignments. Deny assignments are created by Azure (e.g. Blueprints/managed apps) and govern the access-control fabric."},"risks":["impact:access","destruction:defense"],"notes":"Creating a deny assignment blocks other principals' authorized actions even if they hold Owner, letting an attacker lock out legitimate administrators/defenders while exempting themselves to entrench access.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/elevateAccess/action":{"id":"Microsoft.Authorization/elevateAccess/action","name":"Tenant access elevation","scope":"CRITICAL","parent":{"notes":"This is the canonical Azure privilege-escalation primitive; once elevated, the caller can assign any role (including Owner) anywhere in the tenant.","description":"A tenant-scope administrative action that self-assigns the caller the User Access Administrator role at the root (tenant) scope, granting authority to manage role assignments across every subscription in the tenant."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Self-elevates to User Access Administrator at tenant root scope, directly escalating privilege and enabling the attacker to subsequently assign roles to themselves or any controlled identity tenant-wide.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleAssignmentScheduleRequests/write":{"id":"Microsoft.Authorization/roleAssignmentScheduleRequests/write","name":"PIM role assignment schedule request","scope":"CRITICAL","parent":{"notes":"This is the actual grant mechanism for PIM-managed RBAC roles and therefore controls privileged access to the subscription/tenant.","description":"A role assignment schedule request is the PIM (Privileged Identity Management) object used to create or query a time-bound or permanent active RBAC role assignment for a principal at a scope. Writing it grants real RBAC privileges."},"risks":["escalation:privilege","persistence:account"],"notes":"Creating this request grants/activates an RBAC role assignment to a chosen principal via PIM, directly escalating privilege and establishing durable elevated access.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleAssignments/delete":{"id":"Microsoft.Authorization/roleAssignments/delete","name":"Role assignment","scope":"CRITICAL","parent":{"notes":"Role assignments are the core access-control bindings of Azure; the asset is tenant/subscription-wide identity and access-control data.","description":"An RBAC role assignment binds a principal (user, group, service principal, or managed identity) to a role definition at a given scope, granting that principal the role's permissions."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a role assignment destroys an access-control binding, which can strip legitimate principals of access (denial-of-access) and tear down deny/constraining grants that would otherwise limit the attacker.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleAssignments/write":{"id":"Microsoft.Authorization/roleAssignments/write","name":"Role assignment","scope":"CRITICAL","parent":{"notes":"Role assignments are the core access-control bindings of Azure; the asset is tenant/subscription-wide identity and access-control data.","description":"An RBAC role assignment binds a principal (user, group, service principal, or managed identity) to a role definition at a given scope, granting that principal the role's permissions."},"risks":["escalation:privilege","escalation:lateral","persistence:account"],"notes":"Creating a role assignment lets an attacker grant any role (including Owner) to themselves or a controlled principal/managed identity, the headline RBAC privilege-escalation and lateral-movement primitive, and establishes durable access.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleDefinitions/delete":{"id":"Microsoft.Authorization/roleDefinitions/delete","name":"Role definition","scope":"CRITICAL","parent":{"notes":"Role definitions describe the permission sets behind every role; the asset is tenant/subscription-wide access-control policy.","description":"An RBAC role definition specifies a named set of allowed/denied actions (permissions) and assignable scopes that can be bound to principals via role assignments."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a custom role definition destroys an access-control policy object and breaks every assignment referencing it, revoking the access of all principals assigned that role.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleDefinitions/write":{"id":"Microsoft.Authorization/roleDefinitions/write","name":"Role definition","scope":"CRITICAL","parent":{"notes":"Role definitions describe the permission sets behind every role; the asset is tenant/subscription-wide access-control policy.","description":"An RBAC role definition specifies a named set of allowed/denied actions (permissions) and assignable scopes that can be bound to principals via role assignments."},"risks":["escalation:privilege"],"notes":"Creating or updating a custom role definition lets an attacker inject arbitrary permissions and assignable scopes, escalating the privileges of every principal bound to that role.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleEligibilityScheduleRequests/whenApprovalRequired/write":{"id":"Microsoft.Authorization/roleEligibilityScheduleRequests/whenApprovalRequired/write","name":"PIM role eligibility schedule request","scope":"CRITICAL","parent":{"notes":"Operates on RBAC/identity controls; eligibility for a privileged role is a tenant/subscription-wide privilege-escalation primitive.","description":"A Privileged Identity Management (PIM) role eligibility schedule request makes a principal eligible for an Azure RBAC role at a scope, creating a standing eligibility the principal can later activate (here, subject to approval)."},"risks":["escalation:privilege","persistence:account"],"notes":"Creating a role eligibility schedule request places a principal on the path to a (potentially privileged) RBAC role and establishes durable standing eligibility, even though final activation is approval-gated.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleEligibilityScheduleRequests/write":{"id":"Microsoft.Authorization/roleEligibilityScheduleRequests/write","name":"PIM role eligibility schedule request","scope":"CRITICAL","parent":{"notes":"Eligibility is one activation step away from active privileged access, so these objects govern privilege-escalation pathways into the subscription/tenant.","description":"A role eligibility schedule request is the PIM object used to create or query eligibility for a principal to activate a privileged RBAC role at a scope. Writing it makes a principal eligible to elevate into a role."},"risks":["escalation:privilege","persistence:account"],"notes":"Creating this request makes a controlled principal eligible to activate a privileged role via PIM, establishing a durable privilege-escalation and persistence pathway.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleManagementPolicies/approvalRule/action":{"id":"Microsoft.Authorization/roleManagementPolicies/approvalRule/action","name":"PIM role management policy","scope":"CRITICAL","parent":{"notes":"Directly governs how privileged-role activation is controlled; weakening it enables tenant/subscription-wide privilege escalation, hence a CRITICAL-tier asset.","description":"A PIM role management policy defines the activation rules and guardrails (MFA, approval, justification, maximum activation duration, notifications) governing how eligible principals activate privileged Azure roles."},"risks":["escalation:privilege","destruction:defense"],"notes":"Modifying the approval rule can remove the approver gate on privileged-role activation, enabling self-approved escalation and dismantling a key access-control defense.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Authorization/roleManagementPolicies/write":{"id":"Microsoft.Authorization/roleManagementPolicies/write","name":"PIM role management policy","scope":"CRITICAL","parent":{"notes":"Directly governs how privileged-role activation is controlled; weakening it enables tenant/subscription-wide privilege escalation, hence a CRITICAL-tier asset.","description":"A PIM role management policy defines the activation rules and guardrails (MFA, approval, justification, maximum activation duration, notifications) governing how eligible principals activate privileged Azure roles."},"risks":["escalation:privilege","destruction:defense"],"notes":"Updating the policy lets an attacker remove MFA/approval/justification requirements or extend activation durations on privileged roles, easing privilege escalation and disabling the defensive controls guarding PIM activation.","links":["https://azure.permissions.cloud/iam/Microsoft.Authorization","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/SourceControls/listKeys/action":{"id":"Microsoft.Automation/automationAccounts/SourceControls/listKeys/action","name":"Azure Automation Source Control keys","scope":"CRITICAL","parent":{"notes":"The displayName is mislabeled as 'Create or Update'; this is a listKeys credential-retrieval action that returns reusable secret material.","description":"The listKeys action for an Azure Automation source control returns the stored access token (Git PAT/OAuth credential) used to authenticate to the linked repository."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Despite the misleading displayName, this listKeys action returns the source control's stored Git access token, exporting reusable credential material that lets an attacker authenticate to and pivot into the linked source repository.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/agentRegistrationInformation/regenerateKey/action":{"id":"Microsoft.Automation/automationAccounts/agentRegistrationInformation/regenerateKey/action","name":"Automation DSC agent registration information","scope":"CRITICAL","parent":{"notes":"The registration keys are credential material: holding them lets an attacker onboard arbitrary/rogue nodes and pull or push desired-state configurations to managed machines, so this resource is treated as CRITICAL.","description":"DSC agent registration information for an Azure Automation account contains the registration endpoint URL and the primary/secondary registration keys that machines use to enroll as DSC pull-mode managed nodes."},"risks":["exfiltration:crypto","escalation:lateral","impact:access"],"notes":"Regenerating the registration key returns fresh usable key material to the caller (credential exfiltration enabling rogue node onboarding/lateral access) while invalidating the prior key, denying legitimately enrolled nodes the ability to register.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/agentRegistrationInformation/read":{"id":"Microsoft.Automation/automationAccounts/agentRegistrationInformation/read","name":"Automation DSC agent registration information","scope":"CRITICAL","parent":{"notes":"The registration keys are credential material: holding them lets an attacker onboard arbitrary/rogue nodes and pull or push desired-state configurations to managed machines, so this resource is treated as CRITICAL.","description":"DSC agent registration information for an Azure Automation account contains the registration endpoint URL and the primary/secondary registration keys that machines use to enroll as DSC pull-mode managed nodes."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"The GET returns the registration endpoint and primary/secondary registration keys (credentials), exporting secret material that lets an attacker register nodes and pivot onto managed machines.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/certificates/delete":{"id":"Microsoft.Automation/automationAccounts/certificates/delete","name":"Azure Automation certificate asset","scope":"HIGH","parent":{"notes":"Certificate assets are credential material used by runbooks for authentication, so write/delete on them are credential-planting and cryptographic-destruction primitives; the underlying asset is sensitive (HIGH for write/delete).","description":"An Azure Automation certificate asset stores a certificate (and optionally its private key) within an Automation account for runbooks to use when authenticating to external systems. Control-plane reads return metadata, not the private key material."},"risks":["destruction:crypto"],"notes":"Deleting a certificate asset destroys stored cryptographic credential material used by runbooks for authentication, constituting cryptographic destruction and breaking dependent automations.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/certificates/write":{"id":"Microsoft.Automation/automationAccounts/certificates/write","name":"Azure Automation certificate asset","scope":"HIGH","parent":{"notes":"Certificate assets are credential material used by runbooks for authentication, so write/delete on them are credential-planting and cryptographic-destruction primitives; the underlying asset is sensitive (HIGH for write/delete).","description":"An Azure Automation certificate asset stores a certificate (and optionally its private key) within an Automation account for runbooks to use when authenticating to external systems. Control-plane reads return metadata, not the private key material."},"risks":["persistence:account","impact:manipulation"],"notes":"Creating or updating a certificate asset uploads attacker-controlled certificate/private-key material that runbooks use to authenticate, planting a credential the attacker controls (persistence) and overwriting trusted authentication material (manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/connections/delete":{"id":"Microsoft.Automation/automationAccounts/connections/delete","name":"Azure Automation connection asset","scope":"HIGH","parent":{"notes":"Connection assets reference credential material, but the control plane does not return the encrypted secret field values in plaintext; they are resolved only at runbook runtime via Get-AutomationConnection.","description":"An Azure Automation Connection asset stores the authentication configuration runbooks use to connect to external services (e.g. service principal app/tenant IDs, certificate thumbprints, subscription bindings). Secret field values are stored encrypted and write-only."},"risks":["impact:dos","destruction:crypto"],"notes":"Deleting a connection asset removes the stored credential/connection configuration that runbooks depend on, destroying the credential material and breaking dependent automation jobs (denial of service to those workflows).","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/connections/write":{"id":"Microsoft.Automation/automationAccounts/connections/write","name":"Azure Automation connection asset","scope":"HIGH","parent":{"notes":"Connection assets reference credential material, but the control plane does not return the encrypted secret field values in plaintext; they are resolved only at runbook runtime via Get-AutomationConnection.","description":"An Azure Automation Connection asset stores the authentication configuration runbooks use to connect to external services (e.g. service principal app/tenant IDs, certificate thumbprints, subscription bindings). Secret field values are stored encrypted and write-only."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"Create/update lets an attacker plant or alter the credential/service-principal material that runbooks authenticate with, staging persistent attacker-controlled credentials and redirecting automated jobs to authenticate as a modified identity (lateral movement).","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/credentials/delete":{"id":"Microsoft.Automation/automationAccounts/credentials/delete","name":"Azure Automation credential asset","scope":"HIGH","parent":{"notes":"The password value is write-only via ARM and is only retrievable from inside a runbook (Get-AutomationPSCredential); the control plane never returns the secret. The asset still represents a stored service-account identity.","description":"An Azure Automation credential asset stores a username/password pair within an Automation account that runbooks and DSC configurations use to authenticate to external systems and resources."},"risks":["destruction:crypto","impact:dos"],"notes":"Deleting a credential asset destroys stored secret credential material and breaks any runbooks/automation that depend on it, disrupting automated operations.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/credentials/write":{"id":"Microsoft.Automation/automationAccounts/credentials/write","name":"Azure Automation credential asset","scope":"HIGH","parent":{"notes":"The password value is write-only via ARM and is only retrievable from inside a runbook (Get-AutomationPSCredential); the control plane never returns the secret. The asset still represents a stored service-account identity.","description":"An Azure Automation credential asset stores a username/password pair within an Automation account that runbooks and DSC configurations use to authenticate to external systems and resources."},"risks":["persistence:account","impact:manipulation"],"notes":"Creating or updating a credential asset lets an attacker plant attacker-controlled username/password material that runbooks authenticate with (persistence) or overwrite existing credentials to poison downstream automation (manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/jobs/output/read":{"id":"Microsoft.Automation/automationAccounts/jobs/output/read","name":"Azure Automation job","scope":"HIGH","parent":{"notes":"Automation Account identities are frequently granted broad privileges (e.g. Contributor) to manage subscription resources, making job control a strong lateral-movement and code-execution surface. Runbook scripts and their output commonly contain hardcoded secrets.","description":"An Azure Automation job is an execution instance of a runbook (automation script) within an Automation Account. Runbooks typically run under the Automation Account's managed identity or Run As credentials with privileges across managed resources."},"risks":["exfiltration:data"],"notes":"Reads the output produced by a job's runbook execution, which routinely contains query results, configuration, and occasionally secrets/tokens emitted during the run.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/jobs/runbookContent/action":{"id":"Microsoft.Automation/automationAccounts/jobs/runbookContent/action","name":"Azure Automation job","scope":"HIGH","parent":{"notes":"Automation Account identities are frequently granted broad privileges (e.g. Contributor) to manage subscription resources, making job control a strong lateral-movement and code-execution surface. Runbook scripts and their output commonly contain hardcoded secrets.","description":"An Azure Automation job is an execution instance of a runbook (automation script) within an Automation Account. Runbooks typically run under the Automation Account's managed identity or Run As credentials with privileges across managed resources."},"risks":["exfiltration:code","exfiltration:crypto"],"notes":"Returns the full runbook source as executed by the job, exfiltrating proprietary automation code along with hardcoded credentials, connection strings, and secrets commonly embedded in runbook scripts.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/jobs/streams/read":{"id":"Microsoft.Automation/automationAccounts/jobs/streams/read","name":"Azure Automation job stream","scope":"HIGH","parent":{"notes":"Streams frequently capture intermediate data and values surfaced during runbook execution and are a common place where sensitive data and secrets are inadvertently logged.","description":"An Azure Automation job stream holds the detailed per-record output of a runbook job execution (output, verbose, error, warning, debug, and progress streams)."},"risks":["exfiltration:data"],"notes":"Reads job stream records (output/verbose/error/debug), which frequently expose intermediate sensitive data and occasionally credentials logged during runbook execution.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/listKeys/action":{"id":"Microsoft.Automation/automationAccounts/listKeys/action","name":"Azure Automation Account","scope":"CRITICAL","parent":{"notes":"The account's managed/Run As identity often holds broad subscription roles, and the account holds runbook code and secret assets, making it a high-value automation control point.","description":"An Azure Automation account is the top-level container for runbooks, schedules, assets (variables, credentials, certificates), DSC/hybrid-worker registration, and an optional managed/Run As identity used to execute automation across the subscription."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the account's primary/secondary registration keys (credential material used to enroll DSC nodes and hybrid runbook workers); an attacker can register a rogue worker and execute code under the account, so this is cryptographic exfiltration enabling lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/nodeConfigurations/rawContent/action":{"id":"Microsoft.Automation/automationAccounts/nodeConfigurations/rawContent/action","name":"Azure Automation DSC node configuration","scope":"HIGH","parent":{"notes":"MOF content can embed sensitive settings, file paths, and (in poorly-secured configs) credentials, and reveals exactly how the managed fleet is configured.","description":"An Azure Automation DSC Node Configuration is a compiled Desired State Configuration (MOF) document that defines and is enforced on managed nodes (VMs/servers) registered to the Automation account."},"risks":["exfiltration:data","discovery:infra"],"notes":"Returns the raw compiled MOF content of a node configuration, exposing the exact configuration applied to managed nodes and any embedded sensitive settings or credentials.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/sourceControls/delete":{"id":"Microsoft.Automation/automationAccounts/sourceControls/delete","name":"Azure Automation Source Control","scope":"MEDIUM","parent":{"notes":"The stored access token (PAT/OAuth) is never returned on a normal read; the read exposes only the linkage configuration.","description":"An Azure Automation source control links the account to a Git repository (GitHub/Azure DevOps) whose code is synced into runbooks that execute under the account's identity, authenticated by a stored access token."},"risks":["destruction:infra"],"notes":"Deleting a source control removes the Git-to-runbook integration, destroying automation configuration and disrupting the runbook code-sync pipeline (the source repo and runbooks themselves are not deleted).","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/sourceControls/write":{"id":"Microsoft.Automation/automationAccounts/sourceControls/write","name":"Azure Automation Source Control","scope":"HIGH","parent":{"notes":"The stored access token (PAT/OAuth) is never returned on a normal read; the read exposes only the linkage configuration.","description":"An Azure Automation source control links the account to a Git repository (GitHub/Azure DevOps) whose code is synced into runbooks that execute under the account's identity, authenticated by a stored access token."},"risks":["impact:manipulation","escalation:lateral","persistence:account"],"notes":"Creating/updating a source control can repoint runbook sync at an attacker-controlled repo, injecting code (manipulation) that executes under the account identity (lateral movement) and delivers attacker-controlled code persistently.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/variables/delete":{"id":"Microsoft.Automation/automationAccounts/variables/delete","name":"Azure Automation Variable Asset","scope":"HIGH","parent":{"notes":"Variables commonly hold operational config and, when not marked encrypted, are frequently misused to store connection strings, endpoints, and other sensitive values that the management-plane read returns in cleartext; encrypted variable values are NOT returned by the management API.","description":"An Azure Automation variable asset is a named value stored in an Automation account and consumed by runbooks/DSC; variables can be plaintext or marked encrypted (secure)."},"risks":["destruction:data"],"notes":"Deletes a variable asset, destroying stored automation config/state that runbooks depend on and potentially breaking the workflows that consume it.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/variables/read":{"id":"Microsoft.Automation/automationAccounts/variables/read","name":"Azure Automation Variable Asset","scope":"HIGH","parent":{"notes":"Variables commonly hold operational config and, when not marked encrypted, are frequently misused to store connection strings, endpoints, and other sensitive values that the management-plane read returns in cleartext; encrypted variable values are NOT returned by the management API.","description":"An Azure Automation variable asset is a named value stored in an Automation account and consumed by runbooks/DSC; variables can be plaintext or marked encrypted (secure)."},"risks":["exfiltration:data"],"notes":"The control-plane read returns the value of non-encrypted variables (encrypted values are withheld), exposing operational config and any sensitive values stored unencrypted.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/variables/write":{"id":"Microsoft.Automation/automationAccounts/variables/write","name":"Azure Automation Variable Asset","scope":"HIGH","parent":{"notes":"Variables commonly hold operational config and, when not marked encrypted, are frequently misused to store connection strings, endpoints, and other sensitive values that the management-plane read returns in cleartext; encrypted variable values are NOT returned by the management API.","description":"An Azure Automation variable asset is a named value stored in an Automation account and consumed by runbooks/DSC; variables can be plaintext or marked encrypted (secure)."},"risks":["impact:manipulation"],"notes":"Creating/updating a variable alters operational values consumed by runbooks, letting an attacker poison config (e.g. redirect endpoints or change parameters) and manipulate automation behavior.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/webhooks/delete":{"id":"Microsoft.Automation/automationAccounts/webhooks/delete","name":"Azure Automation Webhook","scope":"MEDIUM","parent":{"notes":"The secret token-bearing invocation URI is returned only at creation, never on read.","description":"An Azure Automation webhook is a token-bearing HTTP trigger that invokes a runbook, which then executes under the Automation account's managed/Run As identity."},"risks":["destruction:infra"],"notes":"Deleting a webhook removes the runbook trigger integration, destroying automation configuration and disrupting any workflow that depends on it.","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Automation/automationAccounts/webhooks/write":{"id":"Microsoft.Automation/automationAccounts/webhooks/write","name":"Azure Automation Webhook","scope":"HIGH","parent":{"notes":"The secret token-bearing invocation URI is returned only at creation, never on read.","description":"An Azure Automation webhook is a token-bearing HTTP trigger that invokes a runbook, which then executes under the Automation account's managed/Run As identity."},"risks":["escalation:lateral","persistence:account","impact:hijack"],"notes":"Creating/updating a webhook yields an unauthenticated token-bearing trigger URL that runs a runbook as the account identity, enabling code execution as that identity (lateral movement), a durable backdoor trigger (persistence), and arbitrary workload abuse (hijack).","links":["https://azure.permissions.cloud/iam/Microsoft.Automation","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/Snapshots/beginGetAccess/action":{"id":"Microsoft.Compute/Snapshots/beginGetAccess/action","name":"Disk snapshots","scope":"HIGH","parent":{"notes":"A snapshot is a full copy of a single workload's disk data, often used for backup/recovery. SAS-based access to its raw bytes bypasses VM-level access controls.","description":"An Azure snapshot is a read-only point-in-time copy of a managed disk; it captures the complete filesystem contents of the source disk including any OS credentials, application data, and secrets present at capture time."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Mints a SAS URI (a SAS token, cryptographic credential material) granting direct blob-level read of the entire raw snapshot image, enabling bulk exfiltration of a full copy of the source disk's data outside Azure RBAC.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/Snapshots/download/action":{"id":"Microsoft.Compute/Snapshots/download/action","name":"Disk snapshots","scope":"HIGH","parent":{"notes":"A snapshot is a full copy of a single workload's disk data, often used for backup/recovery. SAS-based access to its raw bytes bypasses VM-level access controls.","description":"An Azure snapshot is a read-only point-in-time copy of a managed disk; it captures the complete filesystem contents of the source disk including any OS credentials, application data, and secrets present at capture time."},"risks":["exfiltration:data"],"notes":"Data-plane read over the snapshot SAS URI streams the full raw snapshot contents, a complete point-in-time copy of the source disk's data, directly exfiltrating it.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/disks/beginGetAccess/action":{"id":"Microsoft.Compute/disks/beginGetAccess/action","name":"Managed disks","scope":"HIGH","parent":{"notes":"A managed disk holds the persistent data of a single compute workload. SAS-based access to its raw bytes bypasses VM-level access controls and OS authentication.","description":"An Azure managed disk is the block-storage volume backing a virtual machine's OS or data partition; it holds the full filesystem contents of the VM including any OS credentials, application data, and secrets stored on disk."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Mints a SAS URI (a SAS token, cryptographic credential material) granting direct out-of-band blob-level read of the entire raw disk image, enabling bulk exfiltration of all data on the volume outside Azure RBAC.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/disks/download/action":{"id":"Microsoft.Compute/disks/download/action","name":"Managed disks","scope":"HIGH","parent":{"notes":"A managed disk holds the persistent data of a single compute workload. SAS-based access to its raw bytes bypasses VM-level access controls and OS authentication.","description":"An Azure managed disk is the block-storage volume backing a virtual machine's OS or data partition; it holds the full filesystem contents of the VM including any OS credentials, application data, and secrets stored on disk."},"risks":["exfiltration:data"],"notes":"Data-plane read over the disk SAS URI streams the full raw disk contents (OS/data volume), directly exfiltrating all organizational data it holds.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/galleries/remoteContainerImages/beginGetAccess/action":{"id":"Microsoft.Compute/galleries/remoteContainerImages/beginGetAccess/action","name":"Gallery remote container image","scope":"HIGH","parent":{"notes":"Image artifact reference whose contents may be consumed by downstream deployments; supply-chain relevant.","description":"A reference/definition in an Azure Compute Gallery pointing to a remote container image artifact distributable to consumers."},"risks":["exfiltration:data","exfiltration:crypto"],"notes":"Returns a SAS URI for direct blob access to the remote container image, enabling export of the image contents (and any secrets baked into it); the returned SAS token is itself credential material.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/galleries/share/action":{"id":"Microsoft.Compute/galleries/share/action","name":"Azure Compute Galleries","scope":"MEDIUM","parent":{"notes":"The gallery resource holds artifact-container configuration; the read does not access image data itself.","description":"An Azure Compute Gallery (Shared Image Gallery) is a container resource that organizes, versions, and distributes custom VM image and application artifact definitions."},"risks":["exfiltration:data","impact:manipulation"],"notes":"Shares the gallery to other scopes/tenants/community, both exposing proprietary VM image artifacts (which may embed code/secrets) to external principals and altering the gallery's access boundary.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/beginGetAccess/action":{"id":"Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/beginGetAccess/action","name":"DiskRestorePoint","scope":"HIGH","parent":{"notes":"The underlying snapshot is a complete copy of disk data (which may contain credentials and sensitive data).","description":"A disk restore point is a point-in-time incremental snapshot of a VM managed disk captured under a restore point collection, representing a recoverable copy of the full disk (OS/data) contents."},"risks":["exfiltration:data","exfiltration:crypto"],"notes":"Returns a SAS URI granting direct download access to the full disk restore point image (OS/application data, possibly embedded credentials); the SAS token is itself reusable credential material.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/restorePointCollections/restorePoints/retrieveSasUris/action":{"id":"Microsoft.Compute/restorePointCollections/restorePoints/retrieveSasUris/action","name":"VM restore points","scope":"HIGH","parent":{"notes":"Each restore point is a full copy of VM disk data; the snapshot data itself is reachable only via separate SAS-URI retrieval.","description":"Restore points: individual point-in-time crash-consistent snapshots of a VM's OS and data disks, stored within a restore point collection."},"risks":["exfiltration:data","exfiltration:crypto"],"notes":"Returns blob SAS URIs for the restore point's disk snapshots: pre-authenticated, credential-bearing tokens granting direct out-of-control-plane download of full VM OS/data disk contents (including any secrets on disk).","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/sshPublicKeys/generateKeyPair/action":{"id":"Microsoft.Compute/sshPublicKeys/generateKeyPair/action","name":"Azure SSH public key resource","scope":"HIGH","parent":{"notes":"The resource holds only the non-secret public key component; it is not bound to a running VM and contains no private credential material.","description":"An sshPublicKeys resource is a stored, reusable SSH public key object in Azure Compute that can be referenced when provisioning VMs."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This action generates and RETURNS a new SSH private/public key pair, handing the caller usable private credential material that can authenticate to any VM provisioned with the corresponding public key.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachineScaleSets/disks/beginGetAccess/action":{"id":"Microsoft.Compute/virtualMachineScaleSets/disks/beginGetAccess/action","name":"Virtual machine scale set disk","scope":"HIGH","parent":{"notes":"Production compute disks can contain application data, configuration, and secrets/credentials stored on disk.","description":"A managed OS/data disk attached to a Virtual Machine Scale Set instance, holding the VM's filesystem contents."},"risks":["exfiltration:data","exfiltration:crypto"],"notes":"Returns a SAS URI granting direct blob-level read access to the full scale-set disk, enabling export of all disk contents; the returned SAS token is itself credential material (exfiltration:crypto) and grants any on-disk secrets.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/diagnosticRunCommand/action":{"id":"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/diagnosticRunCommand/action","name":"Virtual Machine in Scale Set","scope":"HIGH","parent":{"notes":"Production compute supporting a single organizational function; instances can hold managed identities and host application data on attached disks.","description":"An individual virtual machine instance within an Azure Virtual Machine Scale Set, a production compute resource that runs application workloads and may carry an attached managed identity."},"risks":["escalation:lateral","impact:hijack","impact:manipulation","exfiltration:data"],"notes":"Executes a diagnostic script inside the instance in its identity context, providing in-guest code execution enabling lateral movement via the managed identity, on-host data exfiltration, tampering, and compute hijacking.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action":{"id":"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action","name":"Virtual Machine in Scale Set","scope":"HIGH","parent":{"notes":"Production compute supporting a single organizational function; instances can hold managed identities and host application data on attached disks.","description":"An individual virtual machine instance within an Azure Virtual Machine Scale Set, a production compute resource that runs application workloads and may carry an attached managed identity."},"risks":["escalation:lateral","impact:hijack","impact:manipulation","exfiltration:data"],"notes":"Executes attacker-controlled scripts inside the instance (typically root/SYSTEM) in its identity context, enabling lateral movement via the VM's managed identity, on-host data exfiltration, system/data tampering, and compute hijacking.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/WACloginAsAdmin/action":{"id":"Microsoft.Compute/virtualMachines/WACloginAsAdmin/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["escalation:lateral","exfiltration:data","impact:manipulation","impact:hijack"],"notes":"This data action grants administrator OS management via Windows Admin Center, equivalent to full in-guest admin access to harvest credentials, read data, manipulate the system, and hijack the host.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/attachDetachDataDisks/action":{"id":"Microsoft.Compute/virtualMachines/attachDetachDataDisks/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["exfiltration:data","destruction:data","impact:dos"],"notes":"Attaching a data disk to an attacker-controlled VM exposes its data for exfiltration, while detaching disks removes storage from the source VM, causing data loss and service disruption.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/capture/action":{"id":"Microsoft.Compute/virtualMachines/capture/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["exfiltration:data"],"notes":"Capturing copies the VM's virtual hard disks into a reusable image/template, exposing the full contents of OS and data disks including any secrets on them.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/deallocate/action":{"id":"Microsoft.Compute/virtualMachines/deallocate/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["impact:dos"],"notes":"Powers off the VM and releases its compute resources, interrupting whatever organizational function it served. Ephemeral OS/temp disk contents and dynamic public IPs are lost on deallocation.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/deletePreservedOSDisk/action":{"id":"Microsoft.Compute/virtualMachines/deletePreservedOSDisk/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["destruction:data"],"notes":"Deletes an OS disk preserved from a prior delete/reimage operation, destroying a recovery artifact that could otherwise be used to restore the VM's prior state.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/diagnosticRunCommand/action":{"id":"Microsoft.Compute/virtualMachines/diagnosticRunCommand/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["escalation:lateral","exfiltration:data","impact:manipulation"],"notes":"Executes a diagnostic script on the VM, providing in-guest code execution that can harvest the managed-identity token, read on-disk data, and modify host state.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/login/action":{"id":"Microsoft.Compute/virtualMachines/login/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["escalation:lateral","exfiltration:data"],"notes":"This data action grants interactive AAD login to the VM as a regular user, providing a foothold on the host for lateral movement and access to data readable by that user.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/loginAsAdmin/action":{"id":"Microsoft.Compute/virtualMachines/loginAsAdmin/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["escalation:lateral","exfiltration:data","impact:manipulation","impact:hijack"],"notes":"This data action grants Windows administrator/Linux root login to the VM, giving full in-guest control to harvest the managed-identity token, read all local data, tamper with the system, and hijack the host for workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/powerOff/action":{"id":"Microsoft.Compute/virtualMachines/powerOff/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["impact:dos"],"notes":"Powers off the running workload, interrupting whatever organizational function the VM served (the VM continues to be billed while stopped-but-allocated).","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/redeploy/action":{"id":"Microsoft.Compute/virtualMachines/redeploy/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["impact:dos"],"notes":"Moves the VM to a new host, dropping ephemeral OS/temp disk contents and interrupting the running workload for the duration of the move.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/reimage/action":{"id":"Microsoft.Compute/virtualMachines/reimage/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["destruction:data","impact:dos"],"notes":"Resets the VM's differencing OS disk back to its original image state, wiping any OS-level changes and application data written since deployment and interrupting the running workload.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/restart/action":{"id":"Microsoft.Compute/virtualMachines/restart/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["impact:dos"],"notes":"Forces a reboot of the running workload, interrupting whatever organizational function the VM served and dropping any in-memory state or in-flight work.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action":{"id":"Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["exfiltration:crypto","exfiltration:logs"],"notes":"Returns SAS URIs to the VM's boot/serial console logs, which frequently capture cloud-init output, provisioning scripts, or early-boot error dumps that can contain credentials or configuration secrets.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/runCommand/action":{"id":"Microsoft.Compute/virtualMachines/runCommand/action","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["escalation:lateral","exfiltration:data","impact:manipulation","impact:hijack"],"notes":"Run Command executes arbitrary scripts on the VM as SYSTEM/root, yielding code execution as the VM's managed identity (lateral movement), theft of on-disk data, in-guest tampering, and use of the host for attacker workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/write":{"id":"Microsoft.Compute/virtualMachines/write","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Creating or updating a VM's model can attach a managed identity or admin credentials, change the OS disk/image, or alter extensions, letting an attacker grant themselves the identity's privileges or plant a backdoored configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Compute/virtualMachines/delete":{"id":"Microsoft.Compute/virtualMachines/delete","name":"Virtual Machines","scope":"HIGH","parent":{"notes":"A VM typically supports a single organizational function; control-plane and data-plane access to it can expose on-disk data, attached managed-identity credentials, and the hosted service's availability.","description":"An Azure virtual machine: a production compute resource running an OS, applications, attached disks, network interfaces, and optionally a managed identity."},"risks":["destruction:infra","impact:dos"],"notes":"Permanently deletes the virtual machine, destroying the compute workload and interrupting whatever organizational function it served.","links":["https://azure.permissions.cloud/iam/Microsoft.Compute","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/credentialSets/delete":{"id":"Microsoft.ContainerRegistry/registries/credentialSets/delete","name":"Container registry credential sets","scope":"MEDIUM","parent":{"notes":"Reading exposes auth wiring and the identity binding but not the raw secret values, which are held in Key Vault; writing can repoint authentication and bind an attacker-influenced identity.","description":"A credential set on an Azure Container Registry stores the configuration used to authenticate to an upstream registry for pull-through cache rules, referencing Key Vault secret URIs for the upstream credentials and binding a (typically user-assigned) managed identity."},"risks":["destruction:infra"],"notes":"Deleting a credential set removes the authentication configuration that cache rules depend on, breaking upstream pull-through caching as a DoS-like disruption of supporting infrastructure.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/credentialSets/write":{"id":"Microsoft.ContainerRegistry/registries/credentialSets/write","name":"Container registry credential sets","scope":"MEDIUM","parent":{"notes":"Reading exposes auth wiring and the identity binding but not the raw secret values, which are held in Key Vault; writing can repoint authentication and bind an attacker-influenced identity.","description":"A credential set on an Azure Container Registry stores the configuration used to authenticate to an upstream registry for pull-through cache rules, referencing Key Vault secret URIs for the upstream credentials and binding a (typically user-assigned) managed identity."},"risks":["escalation:lateral","persistence:account","impact:manipulation"],"notes":"Creating/updating a credential set binds a managed identity and points upstream authentication at attacker-chosen Key Vault secrets, enabling identity-backed lateral access, persistent control over the credential configuration, and manipulation of the registry's pull pipeline.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/exportPipelines/delete":{"id":"Microsoft.ContainerRegistry/registries/exportPipelines/delete","name":"Container registry export pipelines","scope":"MEDIUM","parent":{"notes":"Control-plane configuration of the registry's content-export workflow; the pipeline binds a managed identity and points at an external storage target.","description":"Export pipeline resources that configure automated copy of container registry artifacts out to a target storage account (with an associated managed identity and key-vault SAS reference)."},"risks":["destruction:infra"],"notes":"Deletes an export pipeline, removing the configured artifact-export infrastructure and disrupting legitimate replication/export workflows.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/exportPipelines/write":{"id":"Microsoft.ContainerRegistry/registries/exportPipelines/write","name":"Container registry export pipelines","scope":"HIGH","parent":{"notes":"Control-plane configuration of the registry's content-export workflow; the pipeline binds a managed identity and points at an external storage target.","description":"Export pipeline resources that configure automated copy of container registry artifacts out to a target storage account (with an associated managed identity and key-vault SAS reference)."},"risks":["exfiltration:data","exfiltration:code","escalation:lateral","impact:manipulation"],"notes":"Creates or updates an export pipeline, configuring automated export of registry artifacts (container images containing application code/binaries) to attacker-chosen storage and binding a managed identity to operate the transfer.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/generateCredentials/action":{"id":"Microsoft.ContainerRegistry/registries/generateCredentials/action","name":"Container registry","scope":"CRITICAL","parent":{"notes":"The registry backs the image supply chain for one or more applications; its credentials and stored images are sensitive, but control-plane property reads are low-sensitivity.","description":"An Azure Container Registry (ACR) resource that stores and serves container images and OCI artifacts (Helm charts, etc.) consumed by clusters and CI/CD pipelines."},"risks":["exfiltration:crypto","escalation:lateral","persistence:account"],"notes":"Generates and returns scoped token keys/passwords for a registry token, yielding usable credential material that grants repository access and durable, attacker-held authentication to the registry.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/listCredentials/action":{"id":"Microsoft.ContainerRegistry/registries/listCredentials/action","name":"Container registry","scope":"CRITICAL","parent":{"notes":"The registry backs the image supply chain for one or more applications; its credentials and stored images are sensitive, but control-plane property reads are low-sensitivity.","description":"An Azure Container Registry (ACR) resource that stores and serves container images and OCI artifacts (Helm charts, etc.) consumed by clusters and CI/CD pipelines."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the registry admin username and passwords, a reusable standalone credential granting full push/pull access; an attacker can exfiltrate it, authenticate as the registry account, and move laterally into the image supply chain.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/pull/read":{"id":"Microsoft.ContainerRegistry/registries/pull/read","name":"Container registry image content (pull)","scope":"HIGH","parent":{"notes":"Container images frequently bundle proprietary application code, binaries, configuration, and baked-in secrets, making the registry a sensitive production artifact store.","description":"The data-plane image-pull capability of an Azure Container Registry, allowing download of full container image layers and manifests."},"risks":["exfiltration:data","exfiltration:code"],"notes":"Pulling images exports full container artifacts, exfiltrating application code as well as embedded secrets, configuration, and sensitive data in image layers.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/quarantine/read":{"id":"Microsoft.ContainerRegistry/registries/quarantine/read","name":"Container registry quarantined images","scope":"HIGH","parent":{"notes":"The quarantine gate is a defense control; reading/modifying it bypasses image vetting and can expose unvetted artifact content.","description":"Quarantined images are container images held in a gated, not-yet-validated state in an Azure Container Registry pending security scanning/content-trust approval before they may be pulled normally."},"risks":["exfiltration:data"],"notes":"Pulls quarantined images, exporting the image content/layers (which may contain sensitive code and data) before they have passed the security gate.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/quarantine/write":{"id":"Microsoft.ContainerRegistry/registries/quarantine/write","name":"Container registry quarantined images","scope":"HIGH","parent":{"notes":"The quarantine gate is a defense control; reading/modifying it bypasses image vetting and can expose unvetted artifact content.","description":"Quarantined images are container images held in a gated, not-yet-validated state in an Azure Container Registry pending security scanning/content-trust approval before they may be pulled normally."},"risks":["destruction:defense","impact:manipulation"],"notes":"Modifies quarantine state, letting an attacker mark a malicious/unscanned image as passed, bypassing the quarantine security gate so a poisoned image becomes pullable into production.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read":{"id":"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read","name":"Container registry quarantined artifacts","scope":"HIGH","parent":{"notes":"Data-plane access to registry image content, which may include proprietary application code, binaries, and embedded secrets.","description":"Container artifacts (image layers/manifests) held in quarantine pending vulnerability/compliance scanning before being released for general pull; the data action accesses their actual content."},"risks":["exfiltration:data"],"notes":"Pulls/reads quarantined artifact content, exporting unvetted container image data (potentially including code and embedded secrets) out of the registry.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write":{"id":"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write","name":"Container registry quarantined artifacts","scope":"HIGH","parent":{"notes":"Data-plane access to registry image content, which may include proprietary application code, binaries, and embedded secrets.","description":"Container artifacts (image layers/manifests) held in quarantine pending vulnerability/compliance scanning before being released for general pull; the data action accesses their actual content."},"risks":["impact:manipulation","destruction:defense"],"notes":"Updates the quarantine state of artifacts, letting an attacker release an unscanned or failed-scan (potentially malicious) image into general availability, bypassing the quarantine security gate.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/regenerateCredential/action":{"id":"Microsoft.ContainerRegistry/registries/regenerateCredential/action","name":"Container registry","scope":"CRITICAL","parent":{"notes":"The registry backs the image supply chain for one or more applications; its credentials and stored images are sensitive, but control-plane property reads are low-sensitivity.","description":"An Azure Container Registry (ACR) resource that stores and serves container images and OCI artifacts (Helm charts, etc.) consumed by clusters and CI/CD pipelines."},"risks":["exfiltration:crypto","escalation:lateral","impact:access"],"notes":"Regenerates an admin login password, returning the new usable credential to the caller while invalidating the prior one, denying access to legitimate clients that relied on it.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/repositories/content/delete":{"id":"Microsoft.ContainerRegistry/registries/repositories/content/delete","name":"Container registry repository image content","scope":"HIGH","parent":{"notes":"Image layers routinely embed proprietary application source/binaries, configuration, and baked-in secrets; controlling content is a supply-chain position over everything that consumes the registry.","description":"The data-plane image/artifact content of repositories in an Azure Container Registry: the actual container image layers, manifests, and OCI artifacts that downstream Kubernetes clusters and workloads pull and run."},"risks":["destruction:artifact"],"notes":"Deleting artifacts removes container images from the registry, destroying deployable build outputs and potentially breaking dependent deployments.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/repositories/content/read":{"id":"Microsoft.ContainerRegistry/registries/repositories/content/read","name":"Container registry repository image content","scope":"HIGH","parent":{"notes":"Image layers routinely embed proprietary application source/binaries, configuration, and baked-in secrets; controlling content is a supply-chain position over everything that consumes the registry.","description":"The data-plane image/artifact content of repositories in an Azure Container Registry: the actual container image layers, manifests, and OCI artifacts that downstream Kubernetes clusters and workloads pull and run."},"risks":["exfiltration:data","exfiltration:code"],"notes":"Pulling images is a data-plane read that exports the full container artifacts, which commonly bundle application code, binaries, configuration, and embedded secrets, constituting data and code exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/repositories/content/write":{"id":"Microsoft.ContainerRegistry/registries/repositories/content/write","name":"Container registry repository image content","scope":"HIGH","parent":{"notes":"Image layers routinely embed proprietary application source/binaries, configuration, and baked-in secrets; controlling content is a supply-chain position over everything that consumes the registry.","description":"The data-plane image/artifact content of repositories in an Azure Container Registry: the actual container image layers, manifests, and OCI artifacts that downstream Kubernetes clusters and workloads pull and run."},"risks":["impact:manipulation","impact:hijack"],"notes":"Pushing images lets an attacker overwrite trusted tags with malicious/backdoored content that downstream clusters will pull and execute, enabling supply-chain manipulation and hijacking of compute via the deployed workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action":{"id":"Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action","name":"Container registry task runs","scope":"MEDIUM","parent":{"notes":"Run records are build-pipeline operational metadata; some run-scoped actions (log SAS URLs) expose credential and log material.","description":"The ACR Tasks run records of an Azure Container Registry, representing build/task execution jobs and their properties, status, and logs."},"risks":["exfiltration:crypto","exfiltration:logs"],"notes":"Returns a pre-authenticated SAS URL granting out-of-band access to a run's build logs, yielding both credential-bearing token material and log contents that can leak secrets.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/scopeMaps/delete":{"id":"Microsoft.ContainerRegistry/registries/scopeMaps/delete","name":"Container registry scope maps","scope":"CRITICAL","parent":{"notes":"Scope maps are ACR's RBAC mechanism for token-based access; creating/altering them grants or revokes registry access.","description":"Scope maps define the repository-level permissions (content/pull/push/delete actions per repository) that are bound to Azure Container Registry tokens, forming the registry's repository-scoped access-control model."},"risks":["destruction:policy","impact:access"],"notes":"Deletes a scope map, removing the access-control policy bound to registry tokens; this destroys RBAC configuration and can revoke legitimate principals' access to repositories.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/scopeMaps/write":{"id":"Microsoft.ContainerRegistry/registries/scopeMaps/write","name":"Container registry scope maps","scope":"CRITICAL","parent":{"notes":"Scope maps are ACR's RBAC mechanism for token-based access; creating/altering them grants or revokes registry access.","description":"Scope maps define the repository-level permissions (content/pull/push/delete actions per repository) that are bound to Azure Container Registry tokens, forming the registry's repository-scoped access-control model."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Create/update grants or broadens repository-level permissions bound to registry tokens, directly escalating registry access (ACR's RBAC grant mechanism) and altering the access-control policy.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/taskruns/listDetails/action":{"id":"Microsoft.ContainerRegistry/registries/taskruns/listDetails/action","name":"ACR task runs","scope":"HIGH","parent":{"notes":"Taskruns execute attacker-definable workloads and their full details can embed source and custom-registry login credentials.","description":"ACR taskruns are quick-task / task execution records that run containerized build and run steps on ACR-managed compute, frequently under the registry's or task's assigned managed identity."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"listDetails returns the full run request including embedded source and custom-registry login credentials, allowing an attacker to export reusable secret material and pivot into those registries/sources.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/tasks/listDetails/action":{"id":"Microsoft.ContainerRegistry/registries/tasks/listDetails/action","name":"Container registry tasks","scope":"CRITICAL","parent":{"notes":"Tasks frequently run under an assigned managed identity and embed source-control and registry credentials, making them a supply-chain and lateral-movement vector.","description":"ACR tasks are build/run automation definitions (triggers, steps, base images, identity references) that execute container build and command workloads for an Azure Container Registry, forming the registry's CI/build pipeline."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"listDetails returns the full task definition including embedded source-control tokens, custom registry credentials, and secret build arguments, exposing reusable credential material that enables pivoting to connected systems.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/tokens/delete":{"id":"Microsoft.ContainerRegistry/registries/tokens/delete","name":"ACR registry tokens","scope":"HIGH","parent":{"notes":"Tokens are credential-backed access identities for the registry's image supply chain; their passwords are generated separately via the credentials action and are not returned by read.","description":"ACR tokens are named, repository-scoped access principals bound to scope maps that authorize pull/push/delete operations against a container registry."},"risks":["destruction:policy","impact:access"],"notes":"Delete token removes a registry access-control credential and its scope-map binding, revoking legitimate principals' authorized registry access and destroying access-control state.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/tokens/write":{"id":"Microsoft.ContainerRegistry/registries/tokens/write","name":"ACR registry tokens","scope":"HIGH","parent":{"notes":"Tokens are credential-backed access identities for the registry's image supply chain; their passwords are generated separately via the credentials action and are not returned by read.","description":"ACR tokens are named, repository-scoped access principals bound to scope maps that authorize pull/push/delete operations against a container registry."},"risks":["persistence:account","escalation:privilege"],"notes":"Create/Update token provisions a durable attacker-controlled scoped credential identity and can broaden its scope-map permissions (push/pull/delete), establishing persistent privileged access to registry content.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action":{"id":"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action","name":"Container registry webhooks","scope":"MEDIUM","parent":{"notes":"Supporting integration/notification plumbing for a registry; the callback configuration can embed authentication secrets in custom headers, but the webhook itself does not hold image artifacts.","description":"A webhook on an Azure Container Registry that fires HTTP callbacks to a configured service URI when registry events occur (image push, delete, quarantine, chart push/delete)."},"risks":["exfiltration:crypto"],"notes":"Unlike the plain webhook read, this action returns the service URI plus the custom headers, which typically embed an Authorization/bearer token for the destination, disclosing credential-equivalent secret material.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/initializerconfigurations/delete":{"id":"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/initializerconfigurations/delete","name":"Kubernetes initializer configurations (admission control)","scope":"CRITICAL","parent":{"notes":"Admission-control objects are cluster-wide security enforcement points; controlling them is effectively cluster-admin over policy enforcement, hence CRITICAL asset sensitivity.","description":"Cluster-wide Kubernetes initializerConfiguration objects (admissionregistration.k8s.io) that register admission-control initializers intercepting and gating object creation across the entire AKS-managed cluster."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting initializer configurations removes cluster-wide admission enforcement, disabling a security defense and the policy it imposes so previously-constrained malicious object creation proceeds unchecked.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/initializerconfigurations/write":{"id":"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/initializerconfigurations/write","name":"Kubernetes initializer configurations (admission control)","scope":"CRITICAL","parent":{"notes":"Admission-control objects are cluster-wide security enforcement points; controlling them is effectively cluster-admin over policy enforcement, hence CRITICAL asset sensitivity.","description":"Cluster-wide Kubernetes initializerConfiguration objects (admissionregistration.k8s.io) that register admission-control initializers intercepting and gating object creation across the entire AKS-managed cluster."},"risks":["destruction:defense","impact:manipulation","escalation:privilege"],"notes":"Creating/updating cluster-wide initializer configurations lets an attacker intercept and mutate every object creation, injecting privileged config into incoming resources while disabling existing admission-based security enforcement.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete":{"id":"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete","name":"Kubernetes mutating webhook configurations (admission control)","scope":"CRITICAL","parent":{"notes":"Mutating admission webhooks are a primary cluster-wide security/enforcement mechanism; the ability to control them approaches cluster-admin, hence CRITICAL asset sensitivity.","description":"Cluster-wide Kubernetes mutatingWebhookConfiguration objects (admissionregistration.k8s.io) that register webhooks which intercept and rewrite API objects during admission across the entire AKS-managed cluster."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting mutating webhook configurations strips cluster-wide admission mutation/enforcement (e.g. security sidecar injection, policy mutation), disabling defenses so malicious objects that would be mutated or rejected are admitted unchanged.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/mutatingwebhookconfigurations/write":{"id":"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/mutatingwebhookconfigurations/write","name":"Kubernetes mutating webhook configurations (admission control)","scope":"CRITICAL","parent":{"notes":"Mutating admission webhooks are a primary cluster-wide security/enforcement mechanism; the ability to control them approaches cluster-admin, hence CRITICAL asset sensitivity.","description":"Cluster-wide Kubernetes mutatingWebhookConfiguration objects (admissionregistration.k8s.io) that register webhooks which intercept and rewrite API objects during admission across the entire AKS-managed cluster."},"risks":["destruction:defense","impact:manipulation","escalation:privilege","escalation:lateral","exfiltration:data"],"notes":"Registering a mutating webhook is a classic full-cluster takeover primitive: it intercepts and rewrites every admitted object cluster-wide (inject privileged sidecars, attach service accounts/managed identities, mount secrets), can read secret-bearing admission payloads, and disables mutating security defenses.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/validatingwebhookconfigurations/delete":{"id":"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/validatingwebhookconfigurations/delete","name":"Kubernetes validating webhook configurations (admission control)","scope":"CRITICAL","parent":{"notes":"Validating admission webhooks are the cluster's primary policy guardrails; controlling them governs what workloads can be admitted, hence CRITICAL asset sensitivity.","description":"Cluster-wide Kubernetes validatingWebhookConfiguration objects (admissionregistration.k8s.io) that register webhooks validating/admitting API requests (e.g. OPA Gatekeeper, Kyverno, Pod Security) across the entire AKS-managed cluster."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting validating webhook configurations removes cluster-wide admission policy validation (Gatekeeper/Pod Security), disabling a key defense so previously-denied privileged or non-compliant resources are admitted unchecked.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/validatingwebhookconfigurations/write":{"id":"Microsoft.ContainerService/aiManagers/admissionregistration.k8s.io/validatingwebhookconfigurations/write","name":"Kubernetes validating webhook configurations (admission control)","scope":"CRITICAL","parent":{"notes":"Validating admission webhooks are the cluster's primary policy guardrails; controlling them governs what workloads can be admitted, hence CRITICAL asset sensitivity.","description":"Cluster-wide Kubernetes validatingWebhookConfiguration objects (admissionregistration.k8s.io) that register webhooks validating/admitting API requests (e.g. OPA Gatekeeper, Kyverno, Pod Security) across the entire AKS-managed cluster."},"risks":["destruction:defense","impact:manipulation","escalation:privilege"],"notes":"Writing validating webhook configurations lets an attacker neuter or repoint cluster-wide policy enforcement (Gatekeeper/Kyverno/Pod Security) to admit previously-blocked privileged or malicious workloads, or set failurePolicy/scope to deny legitimate operations.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/authentication.k8s.io/userextras/impersonate/action":{"id":"Microsoft.ContainerService/aiManagers/authentication.k8s.io/userextras/impersonate/action","name":"Kubernetes userextras impersonation","scope":"CRITICAL","parent":{"notes":"Extra authentication attributes feed authorization decisions (e.g. authorizing webhooks); spoofing them completes privileged impersonation.","description":"The Kubernetes userextras-impersonation capability on an AKS-managed aiManagers cluster, which lets a caller set arbitrary extra authentication attributes on impersonated requests."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating userextras lets an attacker forge extra authentication attributes used in authorization, completing identity assumption and enabling privilege escalation and lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/certificates.k8s.io/certificatesigningrequests/delete":{"id":"Microsoft.ContainerService/aiManagers/certificates.k8s.io/certificatesigningrequests/delete","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"An approved CSR's status.certificate field contains a signed client certificate that is a usable cluster credential; CSRs are a well-known Kubernetes privilege-escalation and credential-minting vector, making this a CRITICAL identity/credential asset.","description":"Kubernetes CertificateSigningRequest objects (certificates.k8s.io) used to request and issue X.509 client/serving certificates that authenticate identities to the cluster API server."},"risks":["destruction:crypto"],"notes":"Deleting CSRs removes pending/issued certificate-signing requests and their associated signed-certificate material, destroying cryptographic identity artifacts and disrupting certificate provisioning.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/certificates.k8s.io/certificatesigningrequests/read":{"id":"Microsoft.ContainerService/aiManagers/certificates.k8s.io/certificatesigningrequests/read","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"An approved CSR's status.certificate field contains a signed client certificate that is a usable cluster credential; CSRs are a well-known Kubernetes privilege-escalation and credential-minting vector, making this a CRITICAL identity/credential asset.","description":"Kubernetes CertificateSigningRequest objects (certificates.k8s.io) used to request and issue X.509 client/serving certificates that authenticate identities to the cluster API server."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Reading/listing CSRs can return the signed client certificate in status.certificate (usable authentication credential) and enumerates the identities/groups requesting cluster access; the exported cert authenticates as the requested identity.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/certificates.k8s.io/certificatesigningrequests/write":{"id":"Microsoft.ContainerService/aiManagers/certificates.k8s.io/certificatesigningrequests/write","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"An approved CSR's status.certificate field contains a signed client certificate that is a usable cluster credential; CSRs are a well-known Kubernetes privilege-escalation and credential-minting vector, making this a CRITICAL identity/credential asset.","description":"Kubernetes CertificateSigningRequest objects (certificates.k8s.io) used to request and issue X.509 client/serving certificates that authenticate identities to the cluster API server."},"risks":["escalation:privilege","persistence:account","escalation:lateral"],"notes":"Creating CSRs lets an attacker request a client certificate bound to an arbitrary username/group (e.g. system:masters / cluster-admin); once signed it mints a durable credential for a higher-privileged identity.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/configmaps/delete":{"id":"Microsoft.ContainerService/aiManagers/configmaps/delete","name":"Kubernetes ConfigMaps (AKS aiManagers)","scope":"HIGH","parent":{"notes":"Although not a designated secret store, ConfigMaps routinely contain sensitive operational values (endpoints, connection strings, tokens) and, as a common anti-pattern, inadvertently stored credentials.","description":"The Kubernetes ConfigMaps resource within an AKS aiManagers cluster, holding key-value application and workload configuration consumed by pods as env vars, files, or mounted volumes."},"risks":["destruction:data","impact:dos"],"notes":"Deleting ConfigMaps destroys configuration data that workloads depend on, breaking or crashing dependent pods and disrupting the hosted service.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/configmaps/read":{"id":"Microsoft.ContainerService/aiManagers/configmaps/read","name":"Kubernetes ConfigMaps (AKS aiManagers)","scope":"HIGH","parent":{"notes":"Although not a designated secret store, ConfigMaps routinely contain sensitive operational values (endpoints, connection strings, tokens) and, as a common anti-pattern, inadvertently stored credentials.","description":"The Kubernetes ConfigMaps resource within an AKS aiManagers cluster, holding key-value application and workload configuration consumed by pods as env vars, files, or mounted volumes."},"risks":["exfiltration:data","discovery:infra"],"notes":"Reading ConfigMaps exports workload configuration that frequently includes sensitive settings and misplaced credentials, exfiltrating data while inventorying cluster/workload config.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/configmaps/write":{"id":"Microsoft.ContainerService/aiManagers/configmaps/write","name":"Kubernetes ConfigMaps (AKS aiManagers)","scope":"HIGH","parent":{"notes":"Although not a designated secret store, ConfigMaps routinely contain sensitive operational values (endpoints, connection strings, tokens) and, as a common anti-pattern, inadvertently stored credentials.","description":"The Kubernetes ConfigMaps resource within an AKS aiManagers cluster, holding key-value application and workload configuration consumed by pods as env vars, files, or mounted volumes."},"risks":["impact:manipulation"],"notes":"Creating/overwriting ConfigMaps lets an attacker poison configuration consumed by pods, altering workload behavior or redirecting applications.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/extensions/podsecuritypolicies/delete":{"id":"Microsoft.ContainerService/aiManagers/extensions/podsecuritypolicies/delete","name":"Kubernetes PodSecurityPolicies (AKS aiManagers)","scope":"HIGH","parent":{"notes":"As an admission/security-enforcement control, this resource type governs the cluster's defensive posture against privileged-workload escalation; modifying or removing it weakens cluster security.","description":"PodSecurityPolicies are Kubernetes cluster-scoped admission-control resources (in the aiManagers AKS data plane) that constrain the security context of pods, such as whether privileged, hostPath, or host-network pods are permitted."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting a PodSecurityPolicy removes the pod-admission security enforcement, eliminating a defense mechanism and dropping the access-control policy that would otherwise restrict privileged pod creation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/extensions/podsecuritypolicies/write":{"id":"Microsoft.ContainerService/aiManagers/extensions/podsecuritypolicies/write","name":"Kubernetes PodSecurityPolicies (AKS aiManagers)","scope":"HIGH","parent":{"notes":"As an admission/security-enforcement control, this resource type governs the cluster's defensive posture against privileged-workload escalation; modifying or removing it weakens cluster security.","description":"PodSecurityPolicies are Kubernetes cluster-scoped admission-control resources (in the aiManagers AKS data plane) that constrain the security context of pods, such as whether privileged, hostPath, or host-network pods are permitted."},"risks":["destruction:defense","escalation:privilege"],"notes":"Creating/updating a PodSecurityPolicy lets an attacker relax pod-admission constraints (allow privileged/hostPath/host-network pods), disabling the security defense and enabling privileged workloads that escalate to node/cluster compromise.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/groups/impersonate/action":{"id":"Microsoft.ContainerService/aiManagers/groups/impersonate/action","name":"Kubernetes group impersonation","scope":"CRITICAL","parent":{"notes":"Group impersonation grants the aggregated RBAC permissions of any group, including privileged built-in groups; equivalent to cluster-admin.","description":"The Kubernetes group-impersonation capability on an AKS-managed aiManagers cluster, which lets a caller assert arbitrary group memberships (e.g. system:masters) on impersonated requests."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating groups lets an attacker assume membership in privileged groups like system:masters, inheriting their RBAC grants to escalate and move laterally.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/listCredential/action":{"id":"Microsoft.ContainerService/aiManagers/listCredential/action","name":"AKS AI Manager","scope":"CRITICAL","parent":{"notes":"A managed compute/AI resource that runs workloads and exposes credential material via listCredential, making the resource type sensitive.","description":"An AKS AI Manager control-plane resource that provisions and manages AI/ML workload infrastructure on a managed Kubernetes cluster and carries access credentials for the managed resource."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"This listCredential action returns the AI Manager's credential material (kubeconfig/access keys), exporting usable secret credentials that authenticate as the resource identity for lateral movement and effective account/cluster takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/namespaces/listCredential/action":{"id":"Microsoft.ContainerService/aiManagers/namespaces/listCredential/action","name":"AI Manager namespaces","scope":"CRITICAL","parent":{"notes":"Namespaces are tenancy boundaries; the credential action on this resource type exposes usable cluster access, raising its sensitivity.","description":"Kubernetes-style namespaces for an AKS AI Manager, the logical workload-isolation/tenancy boundaries within which AI workloads, configuration, and access objects are organized."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This action returns usable namespace credential material (e.g. a kubeconfig/access token), directly exfiltrating secret material and granting identity-bearing lateral access into the namespace and its workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/pods/exec/action":{"id":"Microsoft.ContainerService/aiManagers/pods/exec/action","name":"AKS AI Managers Kubernetes pods","scope":"CRITICAL","parent":{"notes":"Data-plane access to pods is equivalent to control over the workloads of a single cluster/application function; pod specs frequently embed sensitive configuration and credential references.","description":"Kubernetes Pod objects within an AKS AI Managers cluster, representing running containerized workloads. Pod specs include container images, environment variables, mounted volumes, and references to secrets and service-account tokens."},"risks":["escalation:lateral","exfiltration:data","impact:hijack","impact:manipulation"],"notes":"Exec grants interactive command execution (RCE) inside a running container, giving the pod's mounted service-account identity and secrets, access to in-container data, the ability to run attacker code, and tampering with the workload.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/pods/delete":{"id":"Microsoft.ContainerService/aiManagers/pods/delete","name":"AKS AI Managers Kubernetes pods","scope":"HIGH","parent":{"notes":"Data-plane access to pods is equivalent to control over the workloads of a single cluster/application function; pod specs frequently embed sensitive configuration and credential references.","description":"Kubernetes Pod objects within an AKS AI Managers cluster, representing running containerized workloads. Pod specs include container images, environment variables, mounted volumes, and references to secrets and service-account tokens."},"risks":["impact:dos","destruction:infra"],"notes":"Deleting pods (including DeleteCollection) terminates running workloads, destroying compute instances and disrupting the services they back.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/pods/read":{"id":"Microsoft.ContainerService/aiManagers/pods/read","name":"AKS AI Managers Kubernetes pods","scope":"HIGH","parent":{"notes":"Data-plane access to pods is equivalent to control over the workloads of a single cluster/application function; pod specs frequently embed sensitive configuration and credential references.","description":"Kubernetes Pod objects within an AKS AI Managers cluster, representing running containerized workloads. Pod specs include container images, environment variables, mounted volumes, and references to secrets and service-account tokens."},"risks":["discovery:infra","exfiltration:data"],"notes":"Reading pod specs/status inventories running workloads and exposes embedded sensitive data such as environment variables and mounted secret references.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/pods/write":{"id":"Microsoft.ContainerService/aiManagers/pods/write","name":"AKS AI Managers Kubernetes pods","scope":"HIGH","parent":{"notes":"Data-plane access to pods is equivalent to control over the workloads of a single cluster/application function; pod specs frequently embed sensitive configuration and credential references.","description":"Kubernetes Pod objects within an AKS AI Managers cluster, representing running containerized workloads. Pod specs include container images, environment variables, mounted volumes, and references to secrets and service-account tokens."},"risks":["impact:hijack","escalation:lateral","impact:manipulation"],"notes":"Creating/updating pods lets an attacker run arbitrary containers (cryptomining/workloads), mount secrets or service-account tokens to assume in-cluster identities, and alter existing workload configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/policy/podsecuritypolicies/use/action":{"id":"Microsoft.ContainerService/aiManagers/policy/podsecuritypolicies/use/action","name":"Kubernetes PodSecurityPolicies","scope":"CRITICAL","parent":{"notes":"These are cluster-wide security-enforcement guardrails; weakening or bypassing them enables container breakout to node and cluster-admin level compromise.","description":"PodSecurityPolicies are cluster-scoped Kubernetes admission-control objects that constrain which pod security attributes (privileged mode, host namespaces, hostPath volumes, capabilities, runAsRoot) are permitted when workloads are admitted to the cluster."},"risks":["escalation:privilege"],"notes":"The 'use' verb authorizes a subject to run pods governed by that PodSecurityPolicy; on a permissive policy this lets an attacker schedule privileged/host-access pods, enabling node breakout and privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/policy/podsecuritypolicies/delete":{"id":"Microsoft.ContainerService/aiManagers/policy/podsecuritypolicies/delete","name":"Kubernetes PodSecurityPolicies","scope":"CRITICAL","parent":{"notes":"These are cluster-wide security-enforcement guardrails; weakening or bypassing them enables container breakout to node and cluster-admin level compromise.","description":"PodSecurityPolicies are cluster-scoped Kubernetes admission-control objects that constrain which pod security attributes (privileged mode, host namespaces, hostPath volumes, capabilities, runAsRoot) are permitted when workloads are admitted to the cluster."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting a PodSecurityPolicy removes a cluster-wide admission-control defense and its access-control policy object, stripping the constraints that would otherwise block privileged, escape-capable workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/policy/podsecuritypolicies/write":{"id":"Microsoft.ContainerService/aiManagers/policy/podsecuritypolicies/write","name":"Kubernetes PodSecurityPolicies","scope":"CRITICAL","parent":{"notes":"These are cluster-wide security-enforcement guardrails; weakening or bypassing them enables container breakout to node and cluster-admin level compromise.","description":"PodSecurityPolicies are cluster-scoped Kubernetes admission-control objects that constrain which pod security attributes (privileged mode, host namespaces, hostPath volumes, capabilities, runAsRoot) are permitted when workloads are admitted to the cluster."},"risks":["destruction:defense","escalation:privilege"],"notes":"Creating or updating a PodSecurityPolicy lets an attacker weaken or replace the admission-control defense to permit privileged/hostPath/host-namespace pods, disabling a security control and enabling pod-breakout privilege escalation to node/cluster-admin.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterrolebindings/delete":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterrolebindings/delete","name":"Kubernetes ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoleBindings are the core cluster-wide access-control bindings of Kubernetes (the analog of Azure roleAssignments); they can confer cluster-admin, so the asset is cluster-wide identity and access-control data.","description":"A ClusterRoleBinding is a cluster-scoped Kubernetes RBAC object that binds a subject (user, group, or service account) to a ClusterRole, granting that subject the role's permissions across the entire cluster."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a ClusterRoleBinding destroys a cluster-wide access-control binding, stripping legitimate principals (including defenders) of their access while tearing down grants that would otherwise constrain the attacker.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterrolebindings/write":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterrolebindings/write","name":"Kubernetes ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoleBindings are the core cluster-wide access-control bindings of Kubernetes (the analog of Azure roleAssignments); they can confer cluster-admin, so the asset is cluster-wide identity and access-control data.","description":"A ClusterRoleBinding is a cluster-scoped Kubernetes RBAC object that binds a subject (user, group, or service account) to a ClusterRole, granting that subject the role's permissions across the entire cluster."},"risks":["escalation:privilege","escalation:lateral","persistence:account"],"notes":"Creating or updating a ClusterRoleBinding lets an attacker bind cluster-admin (or any ClusterRole) to their own identity or a controlled service account, the headline cluster-wide privilege-escalation and lateral-movement primitive that also establishes durable persistence.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterroles/bind/action":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterroles/bind/action","name":"Kubernetes ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles define the permission sets behind every cluster-wide grant (the analog of Azure roleDefinitions); they can encode cluster-admin, so the asset is cluster-wide access-control policy.","description":"A ClusterRole is a cluster-scoped Kubernetes RBAC object that defines a named set of permissions (verbs over API resources) that can be bound to subjects cluster-wide via ClusterRoleBindings."},"risks":["escalation:privilege"],"notes":"The Kubernetes 'bind' verb authorizes a subject to create bindings referencing a ClusterRole, letting an attacker grant that role's (potentially cluster-admin) permissions to a controlled identity for cluster-wide privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterroles/escalate/action":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterroles/escalate/action","name":"Kubernetes ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles define the permission sets behind every cluster-wide grant (the analog of Azure roleDefinitions); they can encode cluster-admin, so the asset is cluster-wide access-control policy.","description":"A ClusterRole is a cluster-scoped Kubernetes RBAC object that defines a named set of permissions (verbs over API resources) that can be bound to subjects cluster-wide via ClusterRoleBindings."},"risks":["escalation:privilege"],"notes":"The Kubernetes 'escalate' verb explicitly bypasses the RBAC escalation-prevention guard, letting a subject grant a ClusterRole permissions exceeding its own and achieve cluster-admin-level privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterroles/delete":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterroles/delete","name":"Kubernetes ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles define the permission sets behind every cluster-wide grant (the analog of Azure roleDefinitions); they can encode cluster-admin, so the asset is cluster-wide access-control policy.","description":"A ClusterRole is a cluster-scoped Kubernetes RBAC object that defines a named set of permissions (verbs over API resources) that can be bound to subjects cluster-wide via ClusterRoleBindings."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a ClusterRole destroys a cluster-wide access-control policy object and breaks every binding referencing it, revoking the access of all subjects assigned that role.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterroles/write":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterroles/write","name":"Kubernetes ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles define the permission sets behind every cluster-wide grant (the analog of Azure roleDefinitions); they can encode cluster-admin, so the asset is cluster-wide access-control policy.","description":"A ClusterRole is a cluster-scoped Kubernetes RBAC object that defines a named set of permissions (verbs over API resources) that can be bound to subjects cluster-wide via ClusterRoleBindings."},"risks":["escalation:privilege"],"notes":"Creating or updating a ClusterRole lets an attacker inject arbitrary cluster-wide permissions into a role definition, escalating the privileges of every subject already bound to that role.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/rolebindings/delete":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/rolebindings/delete","name":"Kubernetes RoleBindings","scope":"CRITICAL","parent":{"notes":"RBAC bindings are the cluster's access-control policy; controlling them is equivalent to controlling who can do what, up to cluster-admin.","description":"Kubernetes RoleBindings in an AKS-managed aiManagers cluster, which bind RBAC Roles/ClusterRoles to subjects (users, groups, service accounts) and thereby determine who holds which in-cluster permissions."},"risks":["destruction:policy","impact:access"],"notes":"Deleting RoleBindings tears down RBAC grants, destroying access-control policy and stripping legitimate operators of their cluster access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/rolebindings/write":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/rolebindings/write","name":"Kubernetes RoleBindings","scope":"CRITICAL","parent":{"notes":"RBAC bindings are the cluster's access-control policy; controlling them is equivalent to controlling who can do what, up to cluster-admin.","description":"Kubernetes RoleBindings in an AKS-managed aiManagers cluster, which bind RBAC Roles/ClusterRoles to subjects (users, groups, service accounts) and thereby determine who holds which in-cluster permissions."},"risks":["escalation:privilege"],"notes":"Creating/updating a RoleBinding binds an attacker-controlled subject to any role, directly granting elevated cluster permissions (the canonical privilege-escalation primitive).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/bind/action":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/bind/action","name":"Kubernetes Roles","scope":"CRITICAL","parent":{"notes":"Role definitions are core cluster access-control policy; manipulating them governs the permission surface up to cluster-admin.","description":"Kubernetes Roles in an AKS-managed aiManagers cluster, which define sets of RBAC permission rules (verbs over resources) that are granted to subjects via bindings."},"risks":["escalation:privilege"],"notes":"The Kubernetes 'bind' verb authorizes referencing a role in a new binding even without holding its permissions, letting an attacker grant the role's privileges to a controlled subject.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/escalate/action":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/escalate/action","name":"Kubernetes Roles","scope":"CRITICAL","parent":{"notes":"Role definitions are core cluster access-control policy; manipulating them governs the permission surface up to cluster-admin.","description":"Kubernetes Roles in an AKS-managed aiManagers cluster, which define sets of RBAC permission rules (verbs over resources) that are granted to subjects via bindings."},"risks":["escalation:privilege"],"notes":"The Kubernetes 'escalate' verb explicitly bypasses the privilege-escalation prevention guard, allowing the holder to grant permissions exceeding their own, up to cluster-admin.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/delete":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/delete","name":"Kubernetes Roles","scope":"CRITICAL","parent":{"notes":"Role definitions are core cluster access-control policy; manipulating them governs the permission surface up to cluster-admin.","description":"Kubernetes Roles in an AKS-managed aiManagers cluster, which define sets of RBAC permission rules (verbs over resources) that are granted to subjects via bindings."},"risks":["destruction:policy","impact:access"],"notes":"Deleting Roles destroys RBAC policy definitions and revokes the permissions legitimate workloads/operators depend on.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/write":{"id":"Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/write","name":"Kubernetes Roles","scope":"CRITICAL","parent":{"notes":"Role definitions are core cluster access-control policy; manipulating them governs the permission surface up to cluster-admin.","description":"Kubernetes Roles in an AKS-managed aiManagers cluster, which define sets of RBAC permission rules (verbs over resources) that are granted to subjects via bindings."},"risks":["escalation:privilege"],"notes":"Creating/updating a Role lets an attacker define or expand a permission set that bound subjects inherit, escalating privilege within the cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/secrets/delete":{"id":"Microsoft.ContainerService/aiManagers/secrets/delete","name":"AKS AI Manager secrets","scope":"CRITICAL","parent":{"notes":"Reading a Secret returns the raw secret material in plaintext, so this is a credential store of the highest sensitivity.","description":"Kubernetes Secret objects within an AKS AI Manager namespace holding credential material such as tokens, passwords, TLS keys, connection strings, and service-account tokens."},"risks":["destruction:crypto","impact:dos"],"notes":"Deleting secrets destroys credential/key material and breaks the workloads that mount it, causing service disruption.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/secrets/read":{"id":"Microsoft.ContainerService/aiManagers/secrets/read","name":"AKS AI Manager secrets","scope":"CRITICAL","parent":{"notes":"Reading a Secret returns the raw secret material in plaintext, so this is a credential store of the highest sensitivity.","description":"Kubernetes Secret objects within an AKS AI Manager namespace holding credential material such as tokens, passwords, TLS keys, connection strings, and service-account tokens."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Reading secrets returns raw credential/key material that can be exfiltrated and reused to impersonate the identities those secrets authenticate.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/secrets/write":{"id":"Microsoft.ContainerService/aiManagers/secrets/write","name":"AKS AI Manager secrets","scope":"CRITICAL","parent":{"notes":"Reading a Secret returns the raw secret material in plaintext, so this is a credential store of the highest sensitivity.","description":"Kubernetes Secret objects within an AKS AI Manager namespace holding credential material such as tokens, passwords, TLS keys, connection strings, and service-account tokens."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"Writing secrets lets an attacker plant or overwrite credential material consumed by workloads, establishing persistence and supplying attacker-controlled identities for lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/serviceaccounts/impersonate/action":{"id":"Microsoft.ContainerService/aiManagers/serviceaccounts/impersonate/action","name":"AKS AI Manager service accounts","scope":"CRITICAL","parent":{"notes":"ServiceAccounts are workload identities; impersonating one lets a caller act as that identity with its bound RBAC permissions and can enable lateral movement and privilege escalation up to cluster-admin.","description":"Kubernetes ServiceAccount objects within an AKS AI Manager namespace that represent workload identities used by pods to authenticate to the cluster API."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating a service account lets an attacker act as that workload identity with its (potentially broader) RBAC permissions, the canonical lateral-movement and privilege-escalation primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/serviceaccounts/delete":{"id":"Microsoft.ContainerService/aiManagers/serviceaccounts/delete","name":"AKS AI Manager service accounts","scope":"CRITICAL","parent":{"notes":"Reading the account object enumerates identities but does not by itself return their token secrets.","description":"Kubernetes ServiceAccount objects within an AKS AI Manager namespace that represent workload identities used by pods to authenticate to the cluster API."},"risks":["destruction:account","impact:dos"],"notes":"Deleting service accounts removes workload identities, breaking authentication for dependent pods and disrupting the services they run.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/serviceaccounts/write":{"id":"Microsoft.ContainerService/aiManagers/serviceaccounts/write","name":"AKS AI Manager service accounts","scope":"CRITICAL","parent":{"notes":"Reading the account object enumerates identities but does not by itself return their token secrets.","description":"Kubernetes ServiceAccount objects within an AKS AI Manager namespace that represent workload identities used by pods to authenticate to the cluster API."},"risks":["persistence:account","escalation:privilege","escalation:lateral"],"notes":"Creating/updating service accounts lets an attacker provision or modify cluster identities (and their bound credentials) for persistent, escalatable, laterally-usable access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/aiManagers/users/impersonate/action":{"id":"Microsoft.ContainerService/aiManagers/users/impersonate/action","name":"Kubernetes user impersonation","scope":"CRITICAL","parent":{"notes":"Impersonation lets the holder assume any identity's RBAC permissions, equivalent to a master skeleton key over cluster access control.","description":"The Kubernetes user-impersonation capability on an AKS-managed aiManagers cluster, which lets a caller issue API requests as an arbitrary user identity via the impersonate verb."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating users lets an attacker act as any cluster user, assuming that identity's (potentially cluster-admin) privileges and moving laterally.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/initializerconfigurations/delete":{"id":"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/initializerconfigurations/delete","name":"Fleet hub Kubernetes initializer configurations","scope":"CRITICAL","parent":{"notes":"Admission-control configuration is a cluster-admin-tier security primitive; controlling it can influence every object created cluster-wide.","description":"Initializer configurations are cluster-scoped Kubernetes admission-control objects on the Fleet Manager hub cluster that register interceptors which can gate or mutate objects during admission to the API server."},"risks":["destruction:defense"],"notes":"Deleting initializer configurations removes admission-control enforcement that may act as a security guardrail, disabling an admission-time defense for the cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/initializerconfigurations/write":{"id":"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/initializerconfigurations/write","name":"Fleet hub Kubernetes initializer configurations","scope":"CRITICAL","parent":{"notes":"Admission-control configuration is a cluster-admin-tier security primitive; controlling it can influence every object created cluster-wide.","description":"Initializer configurations are cluster-scoped Kubernetes admission-control objects on the Fleet Manager hub cluster that register interceptors which can gate or mutate objects during admission to the API server."},"risks":["escalation:privilege","impact:manipulation","destruction:defense"],"notes":"Writing an initializer configuration registers an admission interceptor that can mutate objects admitted cluster-wide (inject privileged/mutated resources), enabling privilege escalation, tampering with admitted workloads, and bypass of other admission-based defenses.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete":{"id":"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete","name":"Fleet hub Kubernetes mutating webhook configurations","scope":"CRITICAL","parent":{"notes":"Mutating admission webhooks are a cluster-admin-tier security primitive able to alter every matching object created cluster-wide.","description":"Mutating webhook configurations are cluster-scoped Kubernetes admission-control objects on the Fleet Manager hub cluster that register webhooks which intercept and can rewrite objects submitted to the API server."},"risks":["destruction:defense"],"notes":"Deleting mutating webhook configurations removes admission controllers that frequently enforce security/policy (e.g. Gatekeeper, Kyverno, image/identity verification), disabling those defenses across the cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/mutatingwebhookconfigurations/write":{"id":"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/mutatingwebhookconfigurations/write","name":"Fleet hub Kubernetes mutating webhook configurations","scope":"CRITICAL","parent":{"notes":"Mutating admission webhooks are a cluster-admin-tier security primitive able to alter every matching object created cluster-wide.","description":"Mutating webhook configurations are cluster-scoped Kubernetes admission-control objects on the Fleet Manager hub cluster that register webhooks which intercept and can rewrite objects submitted to the API server."},"risks":["escalation:privilege","impact:manipulation","destruction:defense"],"notes":"Writing a mutating webhook configuration registers a webhook that intercepts and rewrites every matching admission request (inject privileged sidecars/credentials, alter pod specs), a classic cluster-wide privilege-escalation, tampering, and admission-defense bypass primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/validatingwebhookconfigurations/delete":{"id":"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/validatingwebhookconfigurations/delete","name":"Kubernetes validating webhook configurations (Fleet)","scope":"CRITICAL","parent":{"notes":"These objects are the cluster's policy-enforcement defense layer (e.g. Pod Security, OPA/Gatekeeper, Kyverno). Controlling them is effectively controlling whether security policy is enforced.","description":"ValidatingWebhookConfigurations are cluster-scoped Kubernetes admission-control objects that register external/in-cluster webhooks invoked to validate (admit or reject) API requests. In a Fleet they govern admission enforcement across member clusters."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting webhook configurations removes admission-control enforcement cluster/fleet-wide, disabling the security defense so otherwise-blocked malicious or privileged workloads can be admitted.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/validatingwebhookconfigurations/write":{"id":"Microsoft.ContainerService/fleets/admissionregistration.k8s.io/validatingwebhookconfigurations/write","name":"Kubernetes validating webhook configurations (Fleet)","scope":"CRITICAL","parent":{"notes":"These objects are the cluster's policy-enforcement defense layer (e.g. Pod Security, OPA/Gatekeeper, Kyverno). Controlling them is effectively controlling whether security policy is enforced.","description":"ValidatingWebhookConfigurations are cluster-scoped Kubernetes admission-control objects that register external/in-cluster webhooks invoked to validate (admit or reject) API requests. In a Fleet they govern admission enforcement across member clusters."},"risks":["destruction:defense","impact:manipulation","exfiltration:data"],"notes":"Creating/updating webhook configs lets an attacker fail-open or narrow admission policy to bypass enforcement (defense destruction), and can register an attacker-controlled webhook endpoint that intercepts every matching API object (including secrets) for exfiltration and tampers with admission decisions.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/authentication.k8s.io/userextras/impersonate/action":{"id":"Microsoft.ContainerService/fleets/authentication.k8s.io/userextras/impersonate/action","name":"Kubernetes userextras impersonation (Fleet)","scope":"CRITICAL","parent":{"notes":"Userextras impersonation completes the impersonation primitive by spoofing authorization-relevant identity claims, enabling assumption of higher-privileged identities.","description":"The Kubernetes userextras-impersonation privilege on an AKS Fleet, which allows a caller to forge extra identity attributes (userextras) attached to an impersonated request and used in authorization decisions."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Impersonating userextras lets an attacker forge extra authentication claims used in authorization, enabling privilege escalation and assumption of another identity's access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/delete":{"id":"Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/delete","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"CSRs are PKI/credential material: an approved CSR's status field contains a signed client certificate usable to authenticate as an arbitrary subject, including cluster-admin groups.","description":"Kubernetes CertificateSigningRequest objects in an AKS fleet, which request and (once approved/signed) carry issued client certificates used to authenticate identities to the cluster API."},"risks":["destruction:crypto","impact:access"],"notes":"Deleting CSRs destroys pending/issued certificate-signing material and can block legitimate principals from obtaining the certificates they are awaiting, denying authorized access provisioning.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/read":{"id":"Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/read","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"CSRs are PKI/credential material: an approved CSR's status field contains a signed client certificate usable to authenticate as an arbitrary subject, including cluster-admin groups.","description":"Kubernetes CertificateSigningRequest objects in an AKS fleet, which request and (once approved/signed) carry issued client certificates used to authenticate identities to the cluster API."},"risks":["exfiltration:crypto","discovery:policy"],"notes":"Reading CSRs returns the issued client certificate in status.certificate (usable authentication credential) and reveals the requested subjects/groups, exposing both crypto material and identity-provisioning detail.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/write":{"id":"Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/write","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"CSRs are PKI/credential material: an approved CSR's status field contains a signed client certificate usable to authenticate as an arbitrary subject, including cluster-admin groups.","description":"Kubernetes CertificateSigningRequest objects in an AKS fleet, which request and (once approved/signed) carry issued client certificates used to authenticate identities to the cluster API."},"risks":["escalation:privilege","persistence:account","escalation:lateral"],"notes":"Creating/updating CSRs (including the approval/status subresources implied by write) lets an attacker request and mint client certificates for arbitrary usernames/groups such as system:masters, forging cluster-admin identities for privilege escalation and durable credential-based persistence.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/configmaps/delete":{"id":"Microsoft.ContainerService/fleets/configmaps/delete","name":"Fleet Kubernetes configmaps","scope":"HIGH","parent":{"notes":"ConfigMaps routinely contain endpoints, connection settings, and inadvertently-stored credentials or tokens, making them sensitive to read and impactful to alter or delete.","description":"Kubernetes ConfigMap objects inside an Azure Fleet hub cluster, holding application and cluster configuration consumed by workloads and controllers."},"risks":["destruction:data","impact:dos"],"notes":"Deleting configmaps destroys configuration data workloads depend on, breaking dependent pods/controllers and disrupting service.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/configmaps/read":{"id":"Microsoft.ContainerService/fleets/configmaps/read","name":"Fleet Kubernetes configmaps","scope":"HIGH","parent":{"notes":"ConfigMaps routinely contain endpoints, connection settings, and inadvertently-stored credentials or tokens, making them sensitive to read and impactful to alter or delete.","description":"Kubernetes ConfigMap objects inside an Azure Fleet hub cluster, holding application and cluster configuration consumed by workloads and controllers."},"risks":["exfiltration:data"],"notes":"Reading configmaps discloses configuration data that frequently contains sensitive values (endpoints, connection strings, occasionally credentials), enabling data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/configmaps/write":{"id":"Microsoft.ContainerService/fleets/configmaps/write","name":"Fleet Kubernetes configmaps","scope":"HIGH","parent":{"notes":"ConfigMaps routinely contain endpoints, connection settings, and inadvertently-stored credentials or tokens, making them sensitive to read and impactful to alter or delete.","description":"Kubernetes ConfigMap objects inside an Azure Fleet hub cluster, holding application and cluster configuration consumed by workloads and controllers."},"risks":["impact:manipulation"],"notes":"Writing configmaps lets an attacker poison configuration consumed by workloads/controllers (e.g. CoreDNS, CA bundles, mounted scripts), altering operational behavior.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/customresources/delete":{"id":"Microsoft.ContainerService/fleets/customresources/delete","name":"Kubernetes custom resources (fleet)","scope":"HIGH","parent":{"notes":"A wildcard over custom resources spans whatever CRDs are installed; CR specs/status routinely embed connection details, configuration, and sensitive operational data, making the asset broadly sensitive across the fleet.","description":"This data-plane permission covers reading arbitrary Kubernetes custom resources (CRD-backed objects) across the fleet's member clusters, which can hold operator/controller configuration, application state, policy, and frequently secret-adjacent or credential-bearing data."},"risks":["destruction:data","impact:dos"],"notes":"Deleting arbitrary custom resources destroys operator/CRD-managed state across the fleet and disrupts the controllers and workloads that depend on those resources; deleting security-enforcing CRDs can also weaken defenses.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/customresources/read":{"id":"Microsoft.ContainerService/fleets/customresources/read","name":"Kubernetes custom resources (fleet)","scope":"HIGH","parent":{"notes":"A wildcard over custom resources spans whatever CRDs are installed; CR specs/status routinely embed connection details, configuration, and sensitive operational data, making the asset broadly sensitive across the fleet.","description":"This data-plane permission covers reading arbitrary Kubernetes custom resources (CRD-backed objects) across the fleet's member clusters, which can hold operator/controller configuration, application state, policy, and frequently secret-adjacent or credential-bearing data."},"risks":["exfiltration:data","discovery:infra"],"notes":"A data-plane read of arbitrary custom resources can return the full contents of operator/CRD objects, which frequently hold sensitive operational configuration and credential-adjacent data, constituting data exfiltration beyond mere enumeration.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/customresources/write":{"id":"Microsoft.ContainerService/fleets/customresources/write","name":"Kubernetes custom resources (fleet)","scope":"HIGH","parent":{"notes":"A wildcard over custom resources spans whatever CRDs are installed; CR specs/status routinely embed connection details, configuration, and sensitive operational data, making the asset broadly sensitive across the fleet.","description":"This data-plane permission covers reading arbitrary Kubernetes custom resources (CRD-backed objects) across the fleet's member clusters, which can hold operator/controller configuration, application state, policy, and frequently secret-adjacent or credential-bearing data."},"risks":["impact:manipulation","escalation:privilege"],"notes":"Writing arbitrary custom resources lets an attacker mutate operator/controller-driven state across the fleet; since CRDs back RBAC/policy/operator objects, crafted CRs can be reconciled into privilege grants or attacker-controlled workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/extensions/podsecuritypolicies/delete":{"id":"Microsoft.ContainerService/fleets/extensions/podsecuritypolicies/delete","name":"Kubernetes PodSecurityPolicies (Fleet)","scope":"HIGH","parent":{"notes":"PSPs are a security/admission defense whose relaxation enables container breakout and node/cluster privilege escalation.","description":"Kubernetes PodSecurityPolicy objects governed by Azure Kubernetes Fleet Manager. These are admission-control rules that constrain pod privileges (privileged containers, host mounts, host networking/namespaces), acting as a security-enforcement defense against privileged workload deployment."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting a PodSecurityPolicy removes pod admission-control security enforcement, eliminating a defense that would otherwise block privileged/host-access workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/extensions/podsecuritypolicies/write":{"id":"Microsoft.ContainerService/fleets/extensions/podsecuritypolicies/write","name":"Kubernetes PodSecurityPolicies (Fleet)","scope":"HIGH","parent":{"notes":"PSPs are a security/admission defense whose relaxation enables container breakout and node/cluster privilege escalation.","description":"Kubernetes PodSecurityPolicy objects governed by Azure Kubernetes Fleet Manager. These are admission-control rules that constrain pod privileges (privileged containers, host mounts, host networking/namespaces), acting as a security-enforcement defense against privileged workload deployment."},"risks":["destruction:defense","escalation:privilege","impact:manipulation"],"notes":"Creating/updating a PodSecurityPolicy can relax admission controls to permit privileged/host-mounted pods, disabling a security defense and opening a workload-to-node privilege-escalation path while altering policy state.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/groups/impersonate/action":{"id":"Microsoft.ContainerService/fleets/groups/impersonate/action","name":"Kubernetes group impersonation (Fleet)","scope":"CRITICAL","parent":{"notes":"Impersonating groups such as system:masters yields the aggregated RBAC of any privileged group, equivalent to full cluster-admin escalation.","description":"The Kubernetes group-impersonation privilege on an AKS Fleet, which allows a caller to issue API requests as a member of any group (the RBAC impersonate verb on groups)."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Group impersonation lets an attacker assume membership in any group (e.g. system:masters), inheriting that group's RBAC for full privilege escalation and lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/listCredentials/action":{"id":"Microsoft.ContainerService/fleets/listCredentials/action","name":"AKS Fleet Manager fleet","scope":"CRITICAL","parent":{"notes":"Governs centralized orchestration across multiple member AKS clusters.","description":"An AKS Fleet (Fleet Manager) is a multi-cluster management/orchestration hub that groups and coordinates updates and configuration across member AKS clusters, optionally hosting a managed hub cluster."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the fleet hub kubeconfig credential, exporting reusable secret material that grants administrative Kubernetes API access to the fleet and pivots into orchestration across its member clusters.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete":{"id":"Microsoft.ContainerService/fleets/members/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete","name":"Kubernetes mutating webhook configurations (fleet member)","scope":"CRITICAL","parent":{"notes":"Mutating admission webhooks can rewrite every object admitted cluster-wide (inject containers, mount secrets, attach privileged identities); controlling them is the canonical Kubernetes cluster-takeover primitive, making the asset cluster-admin-equivalent.","description":"MutatingWebhookConfigurations are cluster-wide Kubernetes admission-control objects that register webhooks intercepting and rewriting objects as they are admitted to the API server, accessed here as a data action against a fleet member cluster."},"risks":["destruction:defense","impact:dos"],"notes":"Deleting mutating webhook configurations removes admission-time controls that frequently enforce security defaults (sidecar/policy/identity injection), disabling a defense; deleting a failurePolicy=Fail webhook can also block all matching admissions, disrupting cluster operations.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/admissionregistration.k8s.io/mutatingwebhookconfigurations/write":{"id":"Microsoft.ContainerService/fleets/members/admissionregistration.k8s.io/mutatingwebhookconfigurations/write","name":"Kubernetes mutating webhook configurations (fleet member)","scope":"CRITICAL","parent":{"notes":"Mutating admission webhooks can rewrite every object admitted cluster-wide (inject containers, mount secrets, attach privileged identities); controlling them is the canonical Kubernetes cluster-takeover primitive, making the asset cluster-admin-equivalent.","description":"MutatingWebhookConfigurations are cluster-wide Kubernetes admission-control objects that register webhooks intercepting and rewriting objects as they are admitted to the API server, accessed here as a data action against a fleet member cluster."},"risks":["escalation:lateral","impact:manipulation","escalation:privilege","destruction:defense"],"notes":"Creating or updating a mutating webhook lets an attacker intercept and rewrite every object admitted cluster-wide, injecting privileged sidecars/containers, mounting Secrets and service-account tokens, and attaching privileged identities, a cluster-admin-equivalent primitive enabling lateral movement, privilege escalation, workload manipulation, and bypass of admission defenses.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/authentication.k8s.io/userextras/impersonate/action":{"id":"Microsoft.ContainerService/fleets/members/authentication.k8s.io/userextras/impersonate/action","name":"Kubernetes userextras impersonation (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"Forged extra attributes feed authorization webhooks/policies, completing identity-spoofing chains to escalate privilege, hence CRITICAL.","description":"The Kubernetes impersonation capability for user-extra attributes on a member cluster of an AKS fleet. The impersonate verb on userextras lets a caller attach arbitrary extra authentication attributes (claims/scopes) when impersonating an identity."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating userextras lets an attacker forge additional authentication attributes used in authorization decisions, augmenting an impersonated identity to escalate privilege and move laterally.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/certificates.k8s.io/certificatesigningrequests/delete":{"id":"Microsoft.ContainerService/fleets/members/certificates.k8s.io/certificatesigningrequests/delete","name":"Kubernetes CertificateSigningRequests (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"CSRs are the classic Kubernetes credential-minting primitive: approved requests expose usable client certificates, and creating them lets a principal request credentials for arbitrary identities including cluster-admin groups (system:masters).","description":"CertificateSigningRequest objects on a Kubernetes cluster that is a member of an AKS fleet. They request that the cluster CA sign a client certificate for a named username/group, and approved requests carry the issued signed certificate in their status."},"risks":["destruction:crypto","impact:access"],"notes":"Deleting CSRs removes pending/issued certificate-signing requests and their embedded signed certificate material, disrupting legitimate credential issuance and blocking authorized principals from obtaining certificates.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/certificates.k8s.io/certificatesigningrequests/read":{"id":"Microsoft.ContainerService/fleets/members/certificates.k8s.io/certificatesigningrequests/read","name":"Kubernetes CertificateSigningRequests (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"CSRs are the classic Kubernetes credential-minting primitive: approved requests expose usable client certificates, and creating them lets a principal request credentials for arbitrary identities including cluster-admin groups (system:masters).","description":"CertificateSigningRequest objects on a Kubernetes cluster that is a member of an AKS fleet. They request that the cluster CA sign a client certificate for a named username/group, and approved requests carry the issued signed certificate in their status."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Reading CSRs returns the issued signed client certificate embedded in status.certificate of approved requests, which is reusable identity credential material that authenticates as the requested cluster identity.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/certificates.k8s.io/certificatesigningrequests/write":{"id":"Microsoft.ContainerService/fleets/members/certificates.k8s.io/certificatesigningrequests/write","name":"Kubernetes CertificateSigningRequests (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"CSRs are the classic Kubernetes credential-minting primitive: approved requests expose usable client certificates, and creating them lets a principal request credentials for arbitrary identities including cluster-admin groups (system:masters).","description":"CertificateSigningRequest objects on a Kubernetes cluster that is a member of an AKS fleet. They request that the cluster CA sign a client certificate for a named username/group, and approved requests carry the issued signed certificate in their status."},"risks":["escalation:privilege","persistence:account","escalation:lateral"],"notes":"Creating/updating a CSR lets an attacker request a client certificate for an arbitrary username/group (e.g. system:masters); once signed it mints durable cluster-admin credentials, enabling privilege escalation, persistent credential-based access, and movement to other identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/configmaps/delete":{"id":"Microsoft.ContainerService/fleets/members/configmaps/delete","name":"Kubernetes ConfigMaps","scope":"HIGH","parent":{"notes":"Although intended for non-secret config, ConfigMaps very frequently contain sensitive values (connection strings, endpoints, tokens, and misplaced credentials), so they are treated as sensitive configuration data.","description":"Kubernetes ConfigMap objects within a Fleet member cluster. ConfigMaps store non-confidential application and cluster configuration as key-value data consumed by workloads."},"risks":["destruction:data","impact:dos"],"notes":"Deleting ConfigMaps destroys configuration data that workloads depend on, erasing operational config and breaking dependent pods (crash-loops / failed starts).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/configmaps/read":{"id":"Microsoft.ContainerService/fleets/members/configmaps/read","name":"Kubernetes ConfigMaps","scope":"HIGH","parent":{"notes":"Although intended for non-secret config, ConfigMaps very frequently contain sensitive values (connection strings, endpoints, tokens, and misplaced credentials), so they are treated as sensitive configuration data.","description":"Kubernetes ConfigMap objects within a Fleet member cluster. ConfigMaps store non-confidential application and cluster configuration as key-value data consumed by workloads."},"risks":["exfiltration:data"],"notes":"Reading ConfigMaps exports application/cluster configuration that frequently contains connection strings, endpoints, and embedded credentials — direct data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/configmaps/write":{"id":"Microsoft.ContainerService/fleets/members/configmaps/write","name":"Kubernetes ConfigMaps","scope":"HIGH","parent":{"notes":"Although intended for non-secret config, ConfigMaps very frequently contain sensitive values (connection strings, endpoints, tokens, and misplaced credentials), so they are treated as sensitive configuration data.","description":"Kubernetes ConfigMap objects within a Fleet member cluster. ConfigMaps store non-confidential application and cluster configuration as key-value data consumed by workloads."},"risks":["impact:manipulation"],"notes":"Writing ConfigMaps lets an attacker alter configuration consumed by workloads — injecting malicious settings, redirecting endpoints, or poisoning application behavior.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/customresources/delete":{"id":"Microsoft.ContainerService/fleets/members/customresources/delete","name":"AKS Fleet member Kubernetes custom resources","scope":"HIGH","parent":{"notes":"This permission spans ALL custom resource types in the cluster, so its blast radius depends on which operators are installed; many CRDs hold or reference sensitive material.","description":"Arbitrary Kubernetes custom resources (CRD instances) on a member cluster of an AKS Fleet, accessed through the Azure RBAC data plane. Custom resources back operators and controllers (e.g. cert-manager, external-secrets, ingress, service mesh) and often store credentials, certificates, and operational configuration."},"risks":["destruction:data","impact:dos"],"notes":"Deleting custom resources removes operator/controller-managed objects, destroying configuration state and disrupting the controllers and services that depend on them.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/customresources/read":{"id":"Microsoft.ContainerService/fleets/members/customresources/read","name":"AKS Fleet member Kubernetes custom resources","scope":"HIGH","parent":{"notes":"This permission spans ALL custom resource types in the cluster, so its blast radius depends on which operators are installed; many CRDs hold or reference sensitive material.","description":"Arbitrary Kubernetes custom resources (CRD instances) on a member cluster of an AKS Fleet, accessed through the Azure RBAC data plane. Custom resources back operators and controllers (e.g. cert-manager, external-secrets, ingress, service mesh) and often store credentials, certificates, and operational configuration."},"risks":["discovery:infra","exfiltration:data"],"notes":"Reading arbitrary custom resources inventories operator/controller configuration and can return sensitive data, since CRDs commonly store credentials, certificates, and secret references.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/customresources/write":{"id":"Microsoft.ContainerService/fleets/members/customresources/write","name":"AKS Fleet member Kubernetes custom resources","scope":"HIGH","parent":{"notes":"This permission spans ALL custom resource types in the cluster, so its blast radius depends on which operators are installed; many CRDs hold or reference sensitive material.","description":"Arbitrary Kubernetes custom resources (CRD instances) on a member cluster of an AKS Fleet, accessed through the Azure RBAC data plane. Custom resources back operators and controllers (e.g. cert-manager, external-secrets, ingress, service mesh) and often store credentials, certificates, and operational configuration."},"risks":["impact:manipulation","escalation:lateral"],"notes":"Writing arbitrary custom resources alters operator/controller-managed state and can drive controllers to provision workloads or grant identities/access, enabling tampering and lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/groups/impersonate/action":{"id":"Microsoft.ContainerService/fleets/members/groups/impersonate/action","name":"Kubernetes group impersonation (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"Impersonating a privileged group such as system:masters yields full cluster-admin access, hence CRITICAL.","description":"The Kubernetes impersonation capability for group identities on a member cluster of an AKS fleet. The impersonate verb on groups lets a caller issue API requests claiming membership in arbitrary groups."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating groups lets an attacker assume the aggregate RBAC permissions of any group (e.g. system:masters), enabling lateral movement and privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/pods/exec/action":{"id":"Microsoft.ContainerService/fleets/members/pods/exec/action","name":"AKS Fleet member Kubernetes pods","scope":"CRITICAL","parent":{"notes":"Pods are the production workload of a single cluster (one organizational function). Pod specs frequently embed sensitive configuration and reference credentials, and the cluster's service-account tokens grant in-cluster identity.","description":"Kubernetes Pods on a member cluster of an AKS Fleet, accessed through the Azure RBAC data plane. A Pod is the running unit of workload; its spec includes container images, command args, environment variables, and references to mounted secrets/configmaps and service-account tokens."},"risks":["escalation:lateral","exfiltration:data","impact:hijack","impact:manipulation"],"notes":"Exec yields an interactive shell inside a running container as the pod's identity, enabling arbitrary code execution, reading in-container data and the mounted service-account token for lateral movement, and tampering with the workload.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/pods/delete":{"id":"Microsoft.ContainerService/fleets/members/pods/delete","name":"AKS Fleet member Kubernetes pods","scope":"HIGH","parent":{"notes":"Pods are the production workload of a single cluster (one organizational function). Pod specs frequently embed sensitive configuration and reference credentials, and the cluster's service-account tokens grant in-cluster identity.","description":"Kubernetes Pods on a member cluster of an AKS Fleet, accessed through the Azure RBAC data plane. A Pod is the running unit of workload; its spec includes container images, command args, environment variables, and references to mounted secrets/configmaps and service-account tokens."},"risks":["impact:dos","destruction:data"],"notes":"Deleting pods (including DeleteCollection) terminates running workloads, disrupting the services they back and destroying any in-pod ephemeral/stateful workload state.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/pods/read":{"id":"Microsoft.ContainerService/fleets/members/pods/read","name":"AKS Fleet member Kubernetes pods","scope":"HIGH","parent":{"notes":"Pods are the production workload of a single cluster (one organizational function). Pod specs frequently embed sensitive configuration and reference credentials, and the cluster's service-account tokens grant in-cluster identity.","description":"Kubernetes Pods on a member cluster of an AKS Fleet, accessed through the Azure RBAC data plane. A Pod is the running unit of workload; its spec includes container images, command args, environment variables, and references to mounted secrets/configmaps and service-account tokens."},"risks":["discovery:infra","exfiltration:data"],"notes":"Reading/listing pods inventories running workloads and exposes pod specs including environment variables and mounted secret/configmap references that commonly leak sensitive data.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/pods/write":{"id":"Microsoft.ContainerService/fleets/members/pods/write","name":"AKS Fleet member Kubernetes pods","scope":"HIGH","parent":{"notes":"Pods are the production workload of a single cluster (one organizational function). Pod specs frequently embed sensitive configuration and reference credentials, and the cluster's service-account tokens grant in-cluster identity.","description":"Kubernetes Pods on a member cluster of an AKS Fleet, accessed through the Azure RBAC data plane. A Pod is the running unit of workload; its spec includes container images, command args, environment variables, and references to mounted secrets/configmaps and service-account tokens."},"risks":["impact:hijack","escalation:lateral","impact:manipulation"],"notes":"Creating/updating pods lets an attacker run arbitrary (potentially privileged/hostPath) containers for cryptomining or botnets, mount service-account tokens or host resources to pivot to other identities, and alter running workload configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/policy/podsecuritypolicies/use/action":{"id":"Microsoft.ContainerService/fleets/members/policy/podsecuritypolicies/use/action","name":"Kubernetes PodSecurityPolicies (AKS Fleet member)","scope":"CRITICAL","parent":{"notes":"PSPs are a cluster security-enforcement defense gating container-to-node escape; loosening or removing them enables privileged workloads.","description":"Kubernetes PodSecurityPolicy objects on a member cluster of an AKS Fleet. PSPs are admission-control rules that constrain which pod security capabilities (privileged, hostPath/hostNetwork mounts, runAsRoot, capabilities) workloads may request."},"risks":["escalation:privilege"],"notes":"The PSP 'use' verb authorizes a workload to be admitted under a given (potentially permissive) policy, letting an attacker launch privileged/host-mounting pods that would otherwise be restricted, enabling node escape and host-level escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterrolebindings/delete":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterrolebindings/delete","name":"Kubernetes ClusterRoleBindings (AKS Fleet member)","scope":"CRITICAL","parent":{"notes":"Cluster-wide RBAC grant objects; writing them is the canonical Kubernetes cluster-admin privilege-escalation primitive, hence CRITICAL asset sensitivity.","description":"Kubernetes ClusterRoleBinding objects on a member cluster of an AKS Fleet. ClusterRoleBindings grant a ClusterRole's cluster-wide permissions to subjects (users, groups, service accounts)."},"risks":["destruction:policy","impact:access"],"notes":"Deleting ClusterRoleBindings removes cluster-wide RBAC grants, tearing down access-control policy and revoking legitimate admins'/operators' access (denial-of-access).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterrolebindings/write":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterrolebindings/write","name":"Kubernetes ClusterRoleBindings (AKS Fleet member)","scope":"CRITICAL","parent":{"notes":"Cluster-wide RBAC grant objects; writing them is the canonical Kubernetes cluster-admin privilege-escalation primitive, hence CRITICAL asset sensitivity.","description":"Kubernetes ClusterRoleBinding objects on a member cluster of an AKS Fleet. ClusterRoleBindings grant a ClusterRole's cluster-wide permissions to subjects (users, groups, service accounts)."},"risks":["escalation:privilege","persistence:account"],"notes":"Creating/updating a ClusterRoleBinding lets an attacker bind cluster-admin (or any ClusterRole) to their own identity or service account, the canonical cluster-wide privilege escalation and a durable persistence foothold.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterroles/bind/action":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterroles/bind/action","name":"Kubernetes ClusterRoles (AKS Fleet member)","scope":"CRITICAL","parent":{"notes":"Cluster-wide RBAC permission definitions; creating/expanding or binding them enables cluster-admin escalation, hence CRITICAL asset sensitivity.","description":"Kubernetes ClusterRole objects on a member cluster of an AKS Fleet. ClusterRoles define cluster-wide permission sets (verbs over resources) that bindings can grant to subjects."},"risks":["escalation:privilege"],"notes":"The Kubernetes 'bind' verb is the authorization check that permits referencing a ClusterRole in a binding, letting an attacker grant that role's (possibly cluster-admin) permissions to a controlled subject.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterroles/escalate/action":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterroles/escalate/action","name":"Kubernetes ClusterRoles (AKS Fleet member)","scope":"CRITICAL","parent":{"notes":"Cluster-wide RBAC permission definitions; creating/expanding or binding them enables cluster-admin escalation, hence CRITICAL asset sensitivity.","description":"Kubernetes ClusterRole objects on a member cluster of an AKS Fleet. ClusterRoles define cluster-wide permission sets (verbs over resources) that bindings can grant to subjects."},"risks":["escalation:privilege"],"notes":"The Kubernetes 'escalate' verb explicitly bypasses the privilege-escalation prevention check, letting an attacker add permissions to a ClusterRole that exceed those they currently hold, enabling unbounded cluster-wide privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterroles/delete":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterroles/delete","name":"Kubernetes ClusterRoles (AKS Fleet member)","scope":"CRITICAL","parent":{"notes":"Cluster-wide RBAC permission definitions; creating/expanding or binding them enables cluster-admin escalation, hence CRITICAL asset sensitivity.","description":"Kubernetes ClusterRole objects on a member cluster of an AKS Fleet. ClusterRoles define cluster-wide permission sets (verbs over resources) that bindings can grant to subjects."},"risks":["destruction:policy","impact:access"],"notes":"Deleting ClusterRoles destroys cluster-wide RBAC permission definitions, breaking access-control policy and denying access to all principals whose bindings reference those roles.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterroles/write":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterroles/write","name":"Kubernetes ClusterRoles (AKS Fleet member)","scope":"CRITICAL","parent":{"notes":"Cluster-wide RBAC permission definitions; creating/expanding or binding them enables cluster-admin escalation, hence CRITICAL asset sensitivity.","description":"Kubernetes ClusterRole objects on a member cluster of an AKS Fleet. ClusterRoles define cluster-wide permission sets (verbs over resources) that bindings can grant to subjects."},"risks":["escalation:privilege"],"notes":"Creating/updating a ClusterRole lets an attacker define or expand cluster-wide permissions; any subject already bound to the role (or one the attacker controls) thereby gains the added privileges.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/rolebindings/delete":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/rolebindings/delete","name":"Kubernetes RoleBindings (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"RBAC bindings govern who can do what in the cluster; controlling them enables cluster-admin-level privilege escalation, hence CRITICAL.","description":"Kubernetes namespaced RoleBindings on a member cluster of an AKS fleet. A RoleBinding grants the permissions of a referenced Role/ClusterRole to a set of subjects (users, groups, service accounts), and is the core of Kubernetes RBAC access control."},"risks":["destruction:policy","impact:access"],"notes":"Deleting RoleBindings removes RBAC grants, destroying access-control policy and revoking legitimate principals' authorized access to the cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/rolebindings/write":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/rolebindings/write","name":"Kubernetes RoleBindings (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"RBAC bindings govern who can do what in the cluster; controlling them enables cluster-admin-level privilege escalation, hence CRITICAL.","description":"Kubernetes namespaced RoleBindings on a member cluster of an AKS fleet. A RoleBinding grants the permissions of a referenced Role/ClusterRole to a set of subjects (users, groups, service accounts), and is the core of Kubernetes RBAC access control."},"risks":["escalation:privilege"],"notes":"Creating/updating a RoleBinding binds any role (including admin) to an attacker-controlled subject, directly granting elevated cluster privileges.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/bind/action":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/bind/action","name":"Kubernetes Roles (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"Roles define the permission sets that drive cluster authorization; controlling them enables privilege escalation, hence CRITICAL.","description":"Kubernetes namespaced Roles on a member cluster of an AKS fleet. A Role defines a set of permission rules (verbs over resources) that can be granted to subjects via RoleBindings, forming the cluster's RBAC policy definitions."},"risks":["escalation:privilege"],"notes":"The Kubernetes 'bind' verb authorizes creating bindings that reference a role, letting an attacker grant that role's privileges to a controlled subject.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/escalate/action":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/escalate/action","name":"Kubernetes Roles (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"Roles define the permission sets that drive cluster authorization; controlling them enables privilege escalation, hence CRITICAL.","description":"Kubernetes namespaced Roles on a member cluster of an AKS fleet. A Role defines a set of permission rules (verbs over resources) that can be granted to subjects via RoleBindings, forming the cluster's RBAC policy definitions."},"risks":["escalation:privilege"],"notes":"The 'escalate' verb removes the guard preventing creation of roles with more permissions than the actor holds, the canonical Kubernetes privilege-escalation primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/delete":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/delete","name":"Kubernetes Roles (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"Roles define the permission sets that drive cluster authorization; controlling them enables privilege escalation, hence CRITICAL.","description":"Kubernetes namespaced Roles on a member cluster of an AKS fleet. A Role defines a set of permission rules (verbs over resources) that can be granted to subjects via RoleBindings, forming the cluster's RBAC policy definitions."},"risks":["destruction:policy","impact:access"],"notes":"Deleting Roles removes RBAC permission definitions, destroying access-control policy and denying authorized principals (who depend on those roles) their operational access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/write":{"id":"Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/write","name":"Kubernetes Roles (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"Roles define the permission sets that drive cluster authorization; controlling them enables privilege escalation, hence CRITICAL.","description":"Kubernetes namespaced Roles on a member cluster of an AKS fleet. A Role defines a set of permission rules (verbs over resources) that can be granted to subjects via RoleBindings, forming the cluster's RBAC policy definitions."},"risks":["escalation:privilege"],"notes":"Creating/updating a Role defines or expands the permission rules that all bound subjects inherit, enabling privilege escalation (subject to RBAC escalate guardrails).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/secrets/delete":{"id":"Microsoft.ContainerService/fleets/members/secrets/delete","name":"Kubernetes secrets (Fleet member)","scope":"CRITICAL","parent":{"notes":"Secrets are first-class credential stores; reading them yields directly usable identity material enabling lateral movement and takeover across the cluster and connected systems.","description":"Kubernetes Secret objects in a namespace of an AKS Fleet member cluster. They hold credential material such as service-account tokens, TLS private keys, image-pull credentials, passwords, and connection strings consumed by workloads."},"risks":["destruction:crypto","impact:dos"],"notes":"Deleting Secrets destroys cryptographic/credential material (keys, tokens, certs) that workloads depend on, irreversibly removing secret data and disrupting pods that fail to mount or authenticate.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/secrets/read":{"id":"Microsoft.ContainerService/fleets/members/secrets/read","name":"Kubernetes secrets (Fleet member)","scope":"CRITICAL","parent":{"notes":"Secrets are first-class credential stores; reading them yields directly usable identity material enabling lateral movement and takeover across the cluster and connected systems.","description":"Kubernetes Secret objects in a namespace of an AKS Fleet member cluster. They hold credential material such as service-account tokens, TLS private keys, image-pull credentials, passwords, and connection strings consumed by workloads."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Reading/listing Secrets returns raw credential material (tokens, keys, passwords, connection strings), enabling direct cryptographic exfiltration, lateral movement to the identities they authenticate, and account takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/secrets/write":{"id":"Microsoft.ContainerService/fleets/members/secrets/write","name":"Kubernetes secrets (Fleet member)","scope":"CRITICAL","parent":{"notes":"Secrets are first-class credential stores; reading them yields directly usable identity material enabling lateral movement and takeover across the cluster and connected systems.","description":"Kubernetes Secret objects in a namespace of an AKS Fleet member cluster. They hold credential material such as service-account tokens, TLS private keys, image-pull credentials, passwords, and connection strings consumed by workloads."},"risks":["impact:manipulation","persistence:account","escalation:lateral"],"notes":"Writing Secrets lets an attacker plant or overwrite credential material consumed by workloads, manipulating authentication data, establishing persistent attacker-controlled credentials, and enabling lateral movement via injected identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/serviceaccounts/impersonate/action":{"id":"Microsoft.ContainerService/fleets/members/serviceaccounts/impersonate/action","name":"Kubernetes service account impersonation (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"Impersonating a ServiceAccount yields that identity's RBAC permissions, enabling lateral movement and privilege escalation up to cluster-admin.","description":"The Kubernetes impersonate verb on ServiceAccount identities for a member cluster of an AKS fleet, allowing a caller to issue API requests as an arbitrary ServiceAccount."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating a ServiceAccount lets an attacker act as that in-cluster identity and inherit its (potentially broader) RBAC, the canonical lateral-movement and privilege-escalation primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/serviceaccounts/delete":{"id":"Microsoft.ContainerService/fleets/members/serviceaccounts/delete","name":"Kubernetes service accounts (Fleet member)","scope":"CRITICAL","parent":{"notes":"ServiceAccounts are identity objects; creating, deleting, or impersonating them directly affects who can act in the cluster.","description":"Kubernetes ServiceAccount objects in a namespace of an AKS Fleet member cluster. They represent in-cluster workload identities that pods authenticate as and that can be bound to RBAC roles and cloud (workload-identity) credentials."},"risks":["destruction:account","impact:dos"],"notes":"Deleting ServiceAccounts removes the in-cluster identities workloads authenticate as, destroying accounts and denying service to pods that can no longer obtain valid tokens.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/serviceaccounts/write":{"id":"Microsoft.ContainerService/fleets/members/serviceaccounts/write","name":"Kubernetes service accounts (Fleet member)","scope":"CRITICAL","parent":{"notes":"ServiceAccounts are identity objects; creating, deleting, or impersonating them directly affects who can act in the cluster.","description":"Kubernetes ServiceAccount objects in a namespace of an AKS Fleet member cluster. They represent in-cluster workload identities that pods authenticate as and that can be bound to RBAC roles and cloud (workload-identity) credentials."},"risks":["persistence:account","escalation:privilege","escalation:lateral"],"notes":"Creating/updating ServiceAccounts lets an attacker mint new in-cluster identities or rebind them (including workload-identity annotations), establishing persistent accounts and enabling privilege escalation and lateral movement via the new identity.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/members/users/impersonate/action":{"id":"Microsoft.ContainerService/fleets/members/users/impersonate/action","name":"Kubernetes user impersonation (AKS fleet member)","scope":"CRITICAL","parent":{"notes":"Impersonation lets an attacker act as any identity (including cluster-admins), so it is a direct path to full cluster compromise, hence CRITICAL.","description":"The Kubernetes impersonation capability for user identities on a member cluster of an AKS fleet. The impersonate verb on users lets a caller issue API requests as an arbitrary other user identity."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating a user lets an attacker act as any other identity, assuming its (potentially cluster-admin) privileges for both lateral movement and privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/networking.fleet.azure.com/trafficManagerProfiles/delete":{"id":"Microsoft.ContainerService/fleets/networking.fleet.azure.com/trafficManagerProfiles/delete","name":"Fleet TrafficManagerProfile (public DNS routing profile)","scope":"HIGH","parent":{"notes":"Data-plane object controlling public DNS-based traffic routing for the fleet's externally exposed services; governs the routing method and endpoint set for a domain.","description":"An AKS Fleet Manager TrafficManagerProfile resource representing an Azure Traffic Manager profile that performs DNS-based traffic routing for fleet services over a domain name."},"risks":["destruction:network","impact:dos"],"notes":"Deleting removes the DNS routing profile so the domain can no longer route to any backend, destroying the routing layer and denying public access to fronted services.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/networking.fleet.azure.com/trafficManagerProfiles/write":{"id":"Microsoft.ContainerService/fleets/networking.fleet.azure.com/trafficManagerProfiles/write","name":"Fleet TrafficManagerProfile (public DNS routing profile)","scope":"HIGH","parent":{"notes":"Data-plane object controlling public DNS-based traffic routing for the fleet's externally exposed services; governs the routing method and endpoint set for a domain.","description":"An AKS Fleet Manager TrafficManagerProfile resource representing an Azure Traffic Manager profile that performs DNS-based traffic routing for fleet services over a domain name."},"risks":["takeover:domain","impact:manipulation","escalation:network"],"notes":"Creating/updating controls the profile's DNS-based routing, letting an attacker arbitrarily redirect traffic on the Traffic Manager domain to chosen endpoints and reshape cross-cluster exposure.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/delete":{"id":"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/delete","name":"Fleet Work","scope":"HIGH","parent":{"notes":"Because Work objects embed the full manifest payload deployed to member clusters, they can contain inline configuration and secret-bearing objects, and writing them directly controls what runs on member clusters.","description":"A Kubernetes Fleet Manager Work resource is the envelope that carries the concrete, rendered set of Kubernetes manifests the fleet agent reconciles onto a specific member cluster; it is the unit of actual manifest application."},"risks":["impact:dos","impact:manipulation"],"notes":"Deleting a Work object removes the manifest bundle being reconciled onto a member cluster, tearing down the deployed workloads (denial of service) and disrupting the fleet deployment state on that cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read":{"id":"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read","name":"Fleet Work","scope":"HIGH","parent":{"notes":"Because Work objects embed the full manifest payload deployed to member clusters, they can contain inline configuration and secret-bearing objects, and writing them directly controls what runs on member clusters.","description":"A Kubernetes Fleet Manager Work resource is the envelope that carries the concrete, rendered set of Kubernetes manifests the fleet agent reconciles onto a specific member cluster; it is the unit of actual manifest application."},"risks":["discovery:infra","exfiltration:data"],"notes":"Reading a Work object enumerates the deployed workload topology and exposes the full content of the propagated manifests, which can include inline Secret/ConfigMap objects and other sensitive workload configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/write":{"id":"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/write","name":"Fleet Work","scope":"HIGH","parent":{"notes":"Because Work objects embed the full manifest payload deployed to member clusters, they can contain inline configuration and secret-bearing objects, and writing them directly controls what runs on member clusters.","description":"A Kubernetes Fleet Manager Work resource is the envelope that carries the concrete, rendered set of Kubernetes manifests the fleet agent reconciles onto a specific member cluster; it is the unit of actual manifest application."},"risks":["impact:manipulation","impact:hijack","escalation:lateral"],"notes":"Writing a Work object injects or replaces the actual Kubernetes manifests applied to a member cluster, letting an attacker deploy arbitrary attacker-controlled workloads, tamper with deployed objects, and run code as in-cluster service-account identities for lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/policy/podsecuritypolicies/use/action":{"id":"Microsoft.ContainerService/fleets/policy/podsecuritypolicies/use/action","name":"Kubernetes PodSecurityPolicies (Fleet)","scope":"CRITICAL","parent":{"notes":"A security defense mechanism; weakening or removing it permits privileged pods that can escalate to node/cluster control.","description":"PodSecurityPolicies are cluster-level admission-control objects that constrain what pods may do (privileged mode, hostPath/hostNetwork/hostPID, capabilities, volume types), enforcing a pod-security defense across an AKS Fleet's member clusters."},"risks":["escalation:privilege"],"notes":"The 'use' verb authorizes a subject to create pods bound to a (potentially permissive) PSP; using a privileged policy lets a controlled workload run with elevated capabilities, escalating to the node.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/policy/podsecuritypolicies/delete":{"id":"Microsoft.ContainerService/fleets/policy/podsecuritypolicies/delete","name":"Kubernetes PodSecurityPolicies (Fleet)","scope":"HIGH","parent":{"notes":"A security defense mechanism; weakening or removing it permits privileged pods that can escalate to node/cluster control.","description":"PodSecurityPolicies are cluster-level admission-control objects that constrain what pods may do (privileged mode, hostPath/hostNetwork/hostPID, capabilities, volume types), enforcing a pod-security defense across an AKS Fleet's member clusters."},"risks":["destruction:defense"],"notes":"Deleting a PSP removes the admission-control enforcement that restricts pod privileges, disabling a defense so otherwise-restricted privileged pods can run.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/policy/podsecuritypolicies/write":{"id":"Microsoft.ContainerService/fleets/policy/podsecuritypolicies/write","name":"Kubernetes PodSecurityPolicies (Fleet)","scope":"HIGH","parent":{"notes":"A security defense mechanism; weakening or removing it permits privileged pods that can escalate to node/cluster control.","description":"PodSecurityPolicies are cluster-level admission-control objects that constrain what pods may do (privileged mode, hostPath/hostNetwork/hostPID, capabilities, volume types), enforcing a pod-security defense across an AKS Fleet's member clusters."},"risks":["destruction:defense","escalation:privilege"],"notes":"Writing a PSP can relax admission controls (allow privileged/hostPath/hostPID pods), disabling a defense and enabling deployment of privileged pods that escalate to the node/cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterrolebindings/delete":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterrolebindings/delete","name":"Kubernetes ClusterRoleBindings (Fleet)","scope":"CRITICAL","parent":{"notes":"Cluster-wide access-control; writing grants cluster-admin (privilege escalation), making this the most security-sensitive RBAC primitive.","description":"ClusterRoleBindings are cluster-wide Kubernetes RBAC objects that bind subjects (users, groups, service accounts) to ClusterRoles, granting cluster-scoped permissions across an AKS Fleet's member clusters."},"risks":["destruction:policy","impact:access"],"notes":"Deleting ClusterRoleBindings removes cluster-wide RBAC grants, destroying access-control policy and revoking legitimate operators' access (denial-of-access).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterrolebindings/write":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterrolebindings/write","name":"Kubernetes ClusterRoleBindings (Fleet)","scope":"CRITICAL","parent":{"notes":"Cluster-wide access-control; writing grants cluster-admin (privilege escalation), making this the most security-sensitive RBAC primitive.","description":"ClusterRoleBindings are cluster-wide Kubernetes RBAC objects that bind subjects (users, groups, service accounts) to ClusterRoles, granting cluster-scoped permissions across an AKS Fleet's member clusters."},"risks":["escalation:privilege","persistence:account"],"notes":"Creating/updating a ClusterRoleBinding can bind any subject (including attacker-controlled identities) to cluster-admin, the canonical Kubernetes privilege escalation and a durable persistence mechanism.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/bind/action":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/bind/action","name":"Kubernetes cluster roles (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"ClusterRoles are cluster-wide access-control definitions; control over them (and the ability to bind/escalate them) can lead to full cluster-admin, the canonical CRITICAL RBAC asset.","description":"Kubernetes ClusterRole objects in an AKS Fleet cluster, defining cluster-wide RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via (Cluster)RoleBindings."},"risks":["escalation:privilege"],"notes":"The Kubernetes bind verb permits referencing this ClusterRole in a binding, letting an attacker grant its (potentially cluster-admin) permissions to a controlled subject.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/escalate/action":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/escalate/action","name":"Kubernetes cluster roles (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"ClusterRoles are cluster-wide access-control definitions; control over them (and the ability to bind/escalate them) can lead to full cluster-admin, the canonical CRITICAL RBAC asset.","description":"Kubernetes ClusterRole objects in an AKS Fleet cluster, defining cluster-wide RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via (Cluster)RoleBindings."},"risks":["escalation:privilege"],"notes":"The escalate verb explicitly bypasses Kubernetes privilege-escalation prevention, letting the holder grant a ClusterRole permissions exceeding their own up to cluster-admin.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/delete":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/delete","name":"Kubernetes cluster roles (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"ClusterRoles are cluster-wide access-control definitions; control over them (and the ability to bind/escalate them) can lead to full cluster-admin, the canonical CRITICAL RBAC asset.","description":"Kubernetes ClusterRole objects in an AKS Fleet cluster, defining cluster-wide RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via (Cluster)RoleBindings."},"risks":["destruction:policy","impact:access"],"notes":"Deleting ClusterRoles removes cluster-wide access-control policy, which both tears down RBAC controls and can revoke legitimate operators' authorized access (denial-of-access).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/write":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/write","name":"Kubernetes cluster roles (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"ClusterRoles are cluster-wide access-control definitions; control over them (and the ability to bind/escalate them) can lead to full cluster-admin, the canonical CRITICAL RBAC asset.","description":"Kubernetes ClusterRole objects in an AKS Fleet cluster, defining cluster-wide RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via (Cluster)RoleBindings."},"risks":["escalation:privilege"],"notes":"Creating/updating a ClusterRole lets an attacker define arbitrary cluster-wide permissions (e.g. all verbs on all resources) that escalate any subject bound to that role.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/delete":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/delete","name":"Kubernetes role bindings (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"RoleBindings are the access-control grants that map identities to RBAC roles; creating them can bind a controlled identity to cluster-admin, an access-control asset treated as CRITICAL.","description":"Kubernetes RoleBinding objects in an AKS Fleet cluster, which grant the permissions of a Role or ClusterRole to subjects (users, groups, service accounts) within a namespace."},"risks":["destruction:policy","impact:access"],"notes":"Deleting RoleBindings removes RBAC grants, destroying access-control policy and revoking legitimate principals' authorized access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/write":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/write","name":"Kubernetes role bindings (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"RoleBindings are the access-control grants that map identities to RBAC roles; creating them can bind a controlled identity to cluster-admin, an access-control asset treated as CRITICAL.","description":"Kubernetes RoleBinding objects in an AKS Fleet cluster, which grant the permissions of a Role or ClusterRole to subjects (users, groups, service accounts) within a namespace."},"risks":["escalation:privilege"],"notes":"Creating/updating a RoleBinding binds a (possibly admin) role to an attacker-controlled subject, the canonical RBAC privilege-escalation primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/bind/action":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/bind/action","name":"Kubernetes roles (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"Roles are namespaced access-control definitions; combined with bind/escalate they enable privilege escalation, so the RBAC asset class is treated as CRITICAL.","description":"Kubernetes Role objects in an AKS Fleet cluster, defining namespaced RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via RoleBindings."},"risks":["escalation:privilege"],"notes":"The bind verb permits referencing this Role in a binding, letting an attacker grant its permissions to a controlled subject.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/escalate/action":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/escalate/action","name":"Kubernetes roles (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"Roles are namespaced access-control definitions; combined with bind/escalate they enable privilege escalation, so the RBAC asset class is treated as CRITICAL.","description":"Kubernetes Role objects in an AKS Fleet cluster, defining namespaced RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via RoleBindings."},"risks":["escalation:privilege"],"notes":"The escalate verb explicitly bypasses Kubernetes privilege-escalation prevention, letting the holder grant a Role permissions beyond their own within the namespace.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/delete":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/delete","name":"Kubernetes roles (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"Roles are namespaced access-control definitions; combined with bind/escalate they enable privilege escalation, so the RBAC asset class is treated as CRITICAL.","description":"Kubernetes Role objects in an AKS Fleet cluster, defining namespaced RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via RoleBindings."},"risks":["destruction:policy","impact:access"],"notes":"Deleting namespaced Roles removes access-control policy, tearing down RBAC controls and potentially revoking legitimate principals' access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/write":{"id":"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/write","name":"Kubernetes roles (AKS Fleet)","scope":"CRITICAL","parent":{"notes":"Roles are namespaced access-control definitions; combined with bind/escalate they enable privilege escalation, so the RBAC asset class is treated as CRITICAL.","description":"Kubernetes Role objects in an AKS Fleet cluster, defining namespaced RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via RoleBindings."},"risks":["escalation:privilege"],"notes":"Creating/updating a Role lets an attacker define arbitrary namespaced permissions that escalate any subject bound to that role.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/secrets/delete":{"id":"Microsoft.ContainerService/fleets/secrets/delete","name":"Kubernetes secrets (fleet)","scope":"CRITICAL","parent":{"notes":"Holds live credential/cryptographic material; compromise yields identity takeover and lateral movement across the cluster and connected systems.","description":"Kubernetes Secret objects within an AKS fleet namespace, which store credential material such as service-account tokens, TLS keys, passwords, connection strings, and registry credentials consumed by workloads."},"risks":["destruction:crypto","impact:dos"],"notes":"Deleting Secrets destroys stored cryptographic/credential material, breaking authentication for dependent workloads and disrupting the services that consume those secrets.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/secrets/read":{"id":"Microsoft.ContainerService/fleets/secrets/read","name":"Kubernetes secrets (fleet)","scope":"CRITICAL","parent":{"notes":"Holds live credential/cryptographic material; compromise yields identity takeover and lateral movement across the cluster and connected systems.","description":"Kubernetes Secret objects within an AKS fleet namespace, which store credential material such as service-account tokens, TLS keys, passwords, connection strings, and registry credentials consumed by workloads."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Reading Kubernetes Secrets returns the actual credential material (tokens, keys, connection strings, service-account tokens), enabling direct exfiltration of secrets and reuse of those identities for lateral movement and account takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/secrets/write":{"id":"Microsoft.ContainerService/fleets/secrets/write","name":"Kubernetes secrets (fleet)","scope":"CRITICAL","parent":{"notes":"Holds live credential/cryptographic material; compromise yields identity takeover and lateral movement across the cluster and connected systems.","description":"Kubernetes Secret objects within an AKS fleet namespace, which store credential material such as service-account tokens, TLS keys, passwords, connection strings, and registry credentials consumed by workloads."},"risks":["persistence:account","impact:manipulation","escalation:lateral"],"notes":"Writing Secrets lets an attacker plant or overwrite credential material consumed by workloads, establishing persistence, manipulating trusted configuration, and injecting attacker-controlled credentials to pivot to other identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/serviceaccounts/impersonate/action":{"id":"Microsoft.ContainerService/fleets/serviceaccounts/impersonate/action","name":"Kubernetes service account impersonation (Fleet)","scope":"CRITICAL","parent":{"notes":"ServiceAccount impersonation inherits the RBAC bound to the impersonated workload identity, enabling lateral movement and privilege escalation up to cluster-admin.","description":"The Kubernetes impersonate verb on ServiceAccount identities for an AKS Fleet, allowing the API caller to issue requests as an arbitrary ServiceAccount."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating a ServiceAccount lets an attacker act as another in-cluster identity, inheriting its (potentially broader) RBAC permissions, directly enabling lateral movement and privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/serviceaccounts/delete":{"id":"Microsoft.ContainerService/fleets/serviceaccounts/delete","name":"Kubernetes service accounts (fleet)","scope":"CRITICAL","parent":{"notes":"Workload identities are targets for impersonation and credential theft; controlling them enables persistence and privilege escalation across the cluster.","description":"Kubernetes ServiceAccount objects within an AKS fleet namespace, which represent in-cluster workload identities that pods authenticate as and that are bound to RBAC roles."},"risks":["destruction:account","impact:dos"],"notes":"Deleting ServiceAccounts removes cluster workload identities, destroying accounts and breaking authentication for the pods that depend on them, disrupting those services.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/serviceaccounts/write":{"id":"Microsoft.ContainerService/fleets/serviceaccounts/write","name":"Kubernetes service accounts (fleet)","scope":"CRITICAL","parent":{"notes":"Workload identities are targets for impersonation and credential theft; controlling them enables persistence and privilege escalation across the cluster.","description":"Kubernetes ServiceAccount objects within an AKS fleet namespace, which represent in-cluster workload identities that pods authenticate as and that are bound to RBAC roles."},"risks":["persistence:account","escalation:privilege","escalation:lateral"],"notes":"Creating/updating ServiceAccounts lets an attacker provision new cluster identities or modify existing ones (including bound credentials/annotations), establishing persistence and attaching more capable identities to controlled workloads for privilege escalation and lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/fleets/users/impersonate/action":{"id":"Microsoft.ContainerService/fleets/users/impersonate/action","name":"Kubernetes user impersonation (Fleet)","scope":"CRITICAL","parent":{"notes":"Impersonation is a top-tier privilege-escalation primitive: the holder can assume any identity, including cluster-admin, and execute requests with that identity's full RBAC.","description":"The Kubernetes user-impersonation privilege on an AKS Fleet, which allows a caller to issue API requests as any other user identity (the RBAC impersonate verb on users)."},"risks":["escalation:privilege","escalation:lateral"],"notes":"User impersonation lets an attacker act as any user, including cluster-admins, directly escalating privilege and moving laterally to higher-privileged identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action":{"id":"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action","name":"AKS managed cluster access profile (kubeconfig credentials)","scope":"CRITICAL","parent":{"notes":"Returns reusable cluster credentials; clusterAdmin yields full cluster-admin control of the Kubernetes control plane, workloads, and in-cluster secrets/identities.","description":"An AKS managed cluster access profile for a named role (e.g. clusterAdmin/clusterUser), which embeds the kubeconfig containing client certificate/token credential material for authenticating to the Kubernetes API."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This listCredential action returns the cluster access profile's kubeconfig credential for a named role, directly exfiltrating secret material that an attacker redeems for full authenticated control of the Kubernetes cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/accessProfiles/read":{"id":"Microsoft.ContainerService/managedClusters/accessProfiles/read","name":"AKS managed cluster access profile (kubeconfig credentials)","scope":"CRITICAL","parent":{"notes":"Returns reusable cluster credentials; clusterAdmin yields full cluster-admin control of the Kubernetes control plane, workloads, and in-cluster secrets/identities.","description":"An AKS managed cluster access profile for a named role (e.g. clusterAdmin/clusterUser), which embeds the kubeconfig containing client certificate/token credential material for authenticating to the Kubernetes API."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Getting the access profile by role name returns the embedded kubeconfig credential, exporting reusable certificate/token material that grants direct authenticated Kubernetes API access (often cluster-admin) and pivot into the cluster's workloads and identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/initializerconfigurations/delete":{"id":"Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/initializerconfigurations/delete","name":"Kubernetes admission initializer configurations (AKS)","scope":"CRITICAL","parent":{"notes":"Admission registration objects are the cluster's enforcement points for security policy; controlling them affects every workload cluster-wide. initializerconfigurations is a deprecated/removed alpha admission mechanism.","description":"Cluster-wide Kubernetes admission control objects (initializerconfigurations) on an AKS managed cluster that intercept API server requests and can gate or initialize objects before they are persisted."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting initializer configurations removes admission-time enforcement, disabling a cluster-wide defense and the access-control/policy gating applied at admission.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/initializerconfigurations/write":{"id":"Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/initializerconfigurations/write","name":"Kubernetes admission initializer configurations (AKS)","scope":"CRITICAL","parent":{"notes":"Admission registration objects are the cluster's enforcement points for security policy; controlling them affects every workload cluster-wide. initializerconfigurations is a deprecated/removed alpha admission mechanism.","description":"Cluster-wide Kubernetes admission control objects (initializerconfigurations) on an AKS managed cluster that intercept API server requests and can gate or initialize objects before they are persisted."},"risks":["destruction:defense","impact:manipulation","escalation:privilege"],"notes":"Creating/updating an initializer configuration lets an attacker intercept and mutate every matching object on admission cluster-wide, injecting privileged changes and disabling/bypassing admission-based security enforcement.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete":{"id":"Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete","name":"Kubernetes mutating webhook configurations (AKS)","scope":"CRITICAL","parent":{"notes":"Mutating webhooks are a primary admission enforcement and injection mechanism; controlling them is effectively cluster-admin over every workload.","description":"Cluster-wide Kubernetes mutating admission webhook configurations on an AKS managed cluster that intercept and can rewrite API objects before they are persisted."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting mutating webhook configurations removes cluster-wide admission enforcement (policy/security mutation controllers such as Pod Security or sidecar injection), disabling a defense and the access-control policy it enforced.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/write":{"id":"Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/write","name":"Kubernetes mutating webhook configurations (AKS)","scope":"CRITICAL","parent":{"notes":"Mutating webhooks are a primary admission enforcement and injection mechanism; controlling them is effectively cluster-admin over every workload.","description":"Cluster-wide Kubernetes mutating admission webhook configurations on an AKS managed cluster that intercept and can rewrite API objects before they are persisted."},"risks":["escalation:privilege","escalation:lateral","destruction:defense","impact:manipulation"],"notes":"Creating/updating a mutating webhook lets an attacker silently rewrite every admitted object cluster-wide (inject privileged sidecars/credentials, mount secrets, change service accounts) and point it at an attacker endpoint, yielding cluster-admin-level privilege escalation, lateral movement, and bypass of admission defenses.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/agentPools/deleteMachines/action":{"id":"Microsoft.ContainerService/managedClusters/agentPools/deleteMachines/action","name":"AKS agent pool machine deletion","scope":"CRITICAL","parent":{"notes":"Node pools are the compute substrate a cluster's workloads and kubelets run on. An attacker with only this ARM-layer permission (no Kubernetes RBAC) can provision or reconfigure nodes that join the cluster network and host workloads, or remove the compute backing running workloads, so this is rated in line with the parent managed cluster.","description":"An Azure Kubernetes Service (AKS) node pool, the set of VM-based nodes (VMSS or availability-set backed) that join a managed cluster and run its Kubernetes workloads."},"risks":["destruction:infra","impact:dos"],"notes":"Deletes specific VM instances within an agent pool without deleting the whole pool, letting an attacker selectively evict nodes and the workloads/pods scheduled on them, causing targeted service disruption that is harder to notice than deleting the entire pool.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/agentPools/write":{"id":"Microsoft.ContainerService/managedClusters/agentPools/write","name":"AKS agent pool","scope":"CRITICAL","parent":{"notes":"Node pools are the compute substrate a cluster's workloads and kubelets run on. An attacker with only this ARM-layer permission (no Kubernetes RBAC) can provision or reconfigure nodes that join the cluster network and host workloads, or remove the compute backing running workloads, so this is rated in line with the parent managed cluster.","description":"An Azure Kubernetes Service (AKS) node pool, the set of VM-based nodes (VMSS or availability-set backed) that join a managed cluster and run its Kubernetes workloads."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Creating or updating an agent pool lets an attacker provision new VM nodes (with custom node configuration, extensions, or a custom node image) that join the cluster network, or alter an existing pool's configuration — a path to running attacker-controlled code on a node with network access to other pods, the node's kubelet credentials, and any secrets/volumes mounted on it.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/agentPools/delete":{"id":"Microsoft.ContainerService/managedClusters/agentPools/delete","name":"AKS agent pool","scope":"CRITICAL","parent":{"notes":"Node pools are the compute substrate a cluster's workloads and kubelets run on. An attacker with only this ARM-layer permission (no Kubernetes RBAC) can provision or reconfigure nodes that join the cluster network and host workloads, or remove the compute backing running workloads, so this is rated in line with the parent managed cluster.","description":"An Azure Kubernetes Service (AKS) node pool, the set of VM-based nodes (VMSS or availability-set backed) that join a managed cluster and run its Kubernetes workloads."},"risks":["destruction:infra","impact:dos"],"notes":"Deletes an entire node pool, destroying its VMs and any workloads scheduled on them; if the pool is the cluster's only pool or hosts unreplicated workloads this can disrupt or fully take down the cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/authentication.k8s.io/userextras/impersonate/action":{"id":"Microsoft.ContainerService/managedClusters/authentication.k8s.io/userextras/impersonate/action","name":"Kubernetes userextra impersonation (AKS)","scope":"CRITICAL","parent":{"notes":"Extra attributes used in authorization decisions augment user/group impersonation, helping satisfy authorization rules to assume more-privileged identities.","description":"The Kubernetes userextra-impersonation capability on an AKS managed cluster, allowing the API caller to attach arbitrary extra authentication attributes to impersonated requests."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating userextras fields lets the attacker forge additional identity attributes used in authorization, augmenting impersonated identities to satisfy authz rules and escalate access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/delete":{"id":"Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/delete","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"CSRs are a credential-issuance primitive; the certificate-issuance path is a well-known Kubernetes privilege-escalation vector that can mint cluster-admin (system:masters) credentials.","description":"Kubernetes CertificateSigningRequest (CSR) objects in an AKS managed cluster: requests to the cluster CA to sign an X.509 client/serving certificate. Approved CSRs carry the issued certificate in their status.certificate field, and the requested subject (username/groups) determines the identity the certificate authenticates as."},"risks":["destruction:crypto"],"notes":"Deleting CSRs (including DeleteCollection) removes pending/issued certificate-signing objects and their embedded certificate material, destroying credential-issuance artifacts and disrupting legitimate certificate provisioning.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/read":{"id":"Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/read","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"CSRs are a credential-issuance primitive; the certificate-issuance path is a well-known Kubernetes privilege-escalation vector that can mint cluster-admin (system:masters) credentials.","description":"Kubernetes CertificateSigningRequest (CSR) objects in an AKS managed cluster: requests to the cluster CA to sign an X.509 client/serving certificate. Approved CSRs carry the issued certificate in their status.certificate field, and the requested subject (username/groups) determines the identity the certificate authenticates as."},"risks":["exfiltration:crypto","discovery:account"],"notes":"Reading/listing CSRs returns the signed client certificate from status.certificate of approved requests (usable Kubernetes authentication credential) and enumerates the identities/groups requesting certificates.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/write":{"id":"Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/write","name":"Kubernetes CertificateSigningRequests","scope":"CRITICAL","parent":{"notes":"CSRs are a credential-issuance primitive; the certificate-issuance path is a well-known Kubernetes privilege-escalation vector that can mint cluster-admin (system:masters) credentials.","description":"Kubernetes CertificateSigningRequest (CSR) objects in an AKS managed cluster: requests to the cluster CA to sign an X.509 client/serving certificate. Approved CSRs carry the issued certificate in their status.certificate field, and the requested subject (username/groups) determines the identity the certificate authenticates as."},"risks":["escalation:privilege","persistence:account","escalation:lateral"],"notes":"Creating/updating a CSR (and the status/approval subresource) lets an attacker request a client certificate for an arbitrary username/group (e.g. system:masters) which, once signed, yields durable cluster-admin credentials — the canonical Kubernetes escalation path.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/commandResults/read":{"id":"Microsoft.ContainerService/managedClusters/commandResults/read","name":"AKS cluster command results","scope":"HIGH","parent":{"notes":"Run-command output routinely contains dumped Kubernetes secrets, kubeconfig material, environment variables, and other sensitive cluster data.","description":"Command results hold the captured stdout/stderr output of a previously issued AKS Run Command (command invoke), which executes kubectl/shell commands inside the cluster under a privileged in-cluster context."},"risks":["exfiltration:data"],"notes":"Retrieving a prior command's stored result returns the output of arbitrary in-cluster commands, enabling exfiltration of secrets, config, and cluster-internal data.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/configmaps/delete":{"id":"Microsoft.ContainerService/managedClusters/configmaps/delete","name":"Kubernetes ConfigMaps (AKS)","scope":"HIGH","parent":{"notes":"Although not formal Secrets, ConfigMaps frequently contain sensitive operational data and misplaced credentials/connection strings, and config like CoreDNS or app settings is consumed/executed by pods.","description":"Kubernetes ConfigMaps store non-secret application and cluster configuration (settings, endpoints, scripts) consumed by workloads in an AKS managed cluster."},"risks":["destruction:data","impact:dos"],"notes":"Destroys configuration data that workloads depend on, removing operational data and disrupting dependent services.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/configmaps/read":{"id":"Microsoft.ContainerService/managedClusters/configmaps/read","name":"Kubernetes ConfigMaps (AKS)","scope":"HIGH","parent":{"notes":"Although not formal Secrets, ConfigMaps frequently contain sensitive operational data and misplaced credentials/connection strings, and config like CoreDNS or app settings is consumed/executed by pods.","description":"Kubernetes ConfigMaps store non-secret application and cluster configuration (settings, endpoints, scripts) consumed by workloads in an AKS managed cluster."},"risks":["exfiltration:data"],"notes":"Returns ConfigMap contents, which commonly include sensitive configuration and occasionally misplaced credentials, directly enabling data exfiltration across cluster workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/configmaps/write":{"id":"Microsoft.ContainerService/managedClusters/configmaps/write","name":"Kubernetes ConfigMaps (AKS)","scope":"HIGH","parent":{"notes":"Although not formal Secrets, ConfigMaps frequently contain sensitive operational data and misplaced credentials/connection strings, and config like CoreDNS or app settings is consumed/executed by pods.","description":"Kubernetes ConfigMaps store non-secret application and cluster configuration (settings, endpoints, scripts) consumed by workloads in an AKS managed cluster."},"risks":["impact:manipulation","escalation:lateral"],"notes":"Alters configuration consumed by workloads; tampering with config (CoreDNS, app settings, mounted scripts) can redirect or poison pods and pivot into running workload identities.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/customresources/delete":{"id":"Microsoft.ContainerService/managedClusters/customresources/delete","name":"AKS cluster custom resources","scope":"HIGH","parent":{"notes":"Data-plane access to in-cluster objects for a single cluster function; sensitivity depends on what CRDs the cluster hosts.","description":"Arbitrary Kubernetes custom resources (CRD-backed objects) inside an AKS managed cluster, accessed via the AKS data plane. These objects hold operator state, application configuration, and CRDs that can wrap secret-like or sensitive operational data."},"risks":["destruction:data"],"notes":"Deleting custom resources destroys in-cluster data/configuration objects and the controller state managed via CRDs.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/customresources/read":{"id":"Microsoft.ContainerService/managedClusters/customresources/read","name":"AKS cluster custom resources","scope":"HIGH","parent":{"notes":"Data-plane access to in-cluster objects for a single cluster function; sensitivity depends on what CRDs the cluster hosts.","description":"Arbitrary Kubernetes custom resources (CRD-backed objects) inside an AKS managed cluster, accessed via the AKS data plane. These objects hold operator state, application configuration, and CRDs that can wrap secret-like or sensitive operational data."},"risks":["exfiltration:data","discovery:data"],"notes":"A data-plane read of arbitrary custom resources can both enumerate and return the contents of sensitive CRD-stored objects, enabling exfiltration of in-cluster data.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/customresources/write":{"id":"Microsoft.ContainerService/managedClusters/customresources/write","name":"AKS cluster custom resources","scope":"HIGH","parent":{"notes":"Data-plane access to in-cluster objects for a single cluster function; sensitivity depends on what CRDs the cluster hosts.","description":"Arbitrary Kubernetes custom resources (CRD-backed objects) inside an AKS managed cluster, accessed via the AKS data plane. These objects hold operator state, application configuration, and CRDs that can wrap secret-like or sensitive operational data."},"risks":["impact:manipulation"],"notes":"Creating/updating arbitrary custom resources lets an attacker alter operational cluster state and drive controllers/operators that act on those objects.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/extensions/podsecuritypolicies/delete":{"id":"Microsoft.ContainerService/managedClusters/extensions/podsecuritypolicies/delete","name":"AKS Kubernetes PodSecurityPolicies","scope":"HIGH","parent":{"notes":"PSPs are an admission-time security/access-control defense gating workload privileges; weakening them enables container-escape and node/cluster compromise for a single cluster (organizational function).","description":"In-cluster Kubernetes PodSecurityPolicy admission-control objects that constrain what pods may do (privileged mode, hostPath/hostNetwork, capabilities) in an AKS managed cluster's data plane."},"risks":["destruction:defense","destruction:policy","escalation:privilege"],"notes":"Deleting PodSecurityPolicies removes the admission-control security policy that restricts privileged workloads, disabling a defense, destroying access-control policy, and permitting privileged pods that escalate to the node/host.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/extensions/podsecuritypolicies/write":{"id":"Microsoft.ContainerService/managedClusters/extensions/podsecuritypolicies/write","name":"AKS Kubernetes PodSecurityPolicies","scope":"HIGH","parent":{"notes":"PSPs are an admission-time security/access-control defense gating workload privileges; weakening them enables container-escape and node/cluster compromise for a single cluster (organizational function).","description":"In-cluster Kubernetes PodSecurityPolicy admission-control objects that constrain what pods may do (privileged mode, hostPath/hostNetwork, capabilities) in an AKS managed cluster's data plane."},"risks":["destruction:defense","escalation:privilege"],"notes":"Creating/updating PodSecurityPolicies lets an attacker relax admission constraints to permit privileged/hostPath/hostNetwork pods, disabling a defense and enabling node/cluster privilege escalation via container escape.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/groups/impersonate/action":{"id":"Microsoft.ContainerService/managedClusters/groups/impersonate/action","name":"Kubernetes group impersonation (AKS)","scope":"CRITICAL","parent":{"notes":"Asserting membership in privileged groups (e.g. system:masters) inherits all RBAC bound to those groups — equivalent to broad cluster takeover.","description":"The Kubernetes group-impersonation capability on an AKS managed cluster, allowing the API caller to assert membership in arbitrary groups when issuing requests."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating groups lets the attacker assume membership in any group (e.g. system:masters), inheriting the aggregated RBAC privileges of that group for lateral movement and privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/jwtAuthenticators/delete":{"id":"Microsoft.ContainerService/managedClusters/jwtAuthenticators/delete","name":"AKS managed cluster JWT authenticators","scope":"CRITICAL","parent":{"notes":"This is the cluster's authentication trust configuration; control over it is effectively cluster-admin-equivalent because it governs which identities can authenticate (and as whom) to the entire cluster.","description":"An AKS managed cluster's JWT authenticator defines how the Kubernetes API server validates external JWT/OIDC tokens, specifying trusted issuers, audiences, and claim-to-user/group mappings that bind external identities to in-cluster Kubernetes principals."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a JWT authenticator tears down the cluster's authentication/identity-mapping configuration, destroying access-control policy and severing legitimate token-based users from their authorized access to the cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/jwtAuthenticators/write":{"id":"Microsoft.ContainerService/managedClusters/jwtAuthenticators/write","name":"AKS managed cluster JWT authenticators","scope":"CRITICAL","parent":{"notes":"This is the cluster's authentication trust configuration; control over it is effectively cluster-admin-equivalent because it governs which identities can authenticate (and as whom) to the entire cluster.","description":"An AKS managed cluster's JWT authenticator defines how the Kubernetes API server validates external JWT/OIDC tokens, specifying trusted issuers, audiences, and claim-to-user/group mappings that bind external identities to in-cluster Kubernetes principals."},"risks":["escalation:privilege","persistence:account"],"notes":"Creating or updating a JWT authenticator lets an attacker register an attacker-controlled trusted token issuer or remap claims so self-minted tokens authenticate as arbitrary high-privilege cluster identities (e.g. system:masters), granting cluster-wide privilege escalation and a durable authentication backdoor.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action":{"id":"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action","name":"AKS managed cluster","scope":"CRITICAL","parent":{"notes":"AKS clusters are production compute assets that run workloads, hold in-cluster secrets, and act through a cluster identity; credential-listing and command-execution operations on them are effectively cluster-admin grade and warrant CRITICAL scope.","description":"An Azure Kubernetes Service (AKS) managed cluster: the control-plane resource that hosts a Kubernetes cluster, its node pools, networking, RBAC/Azure AD integration, and a managed/service-principal identity used to act on Azure resources."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the clusterAdmin kubeconfig with certificate credentials granting full cluster-admin control of the Kubernetes API, bypassing Azure AD/RBAC — full cluster takeover including all in-cluster secrets and data.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action":{"id":"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action","name":"AKS managed cluster","scope":"HIGH","parent":{"notes":"AKS clusters are production compute assets that run workloads, hold in-cluster secrets, and act through a cluster identity; credential-listing and command-execution operations on them are effectively cluster-admin grade and warrant CRITICAL scope.","description":"An Azure Kubernetes Service (AKS) managed cluster: the control-plane resource that hosts a Kubernetes cluster, its node pools, networking, RBAC/Azure AD integration, and a managed/service-principal identity used to act on Azure resources."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the clusterMonitoringUser kubeconfig credential granting authenticated, monitoring-scoped access to the cluster API — usable credential material with limited lateral access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action":{"id":"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action","name":"AKS managed cluster","scope":"CRITICAL","parent":{"notes":"AKS clusters are production compute assets that run workloads, hold in-cluster secrets, and act through a cluster identity; credential-listing and command-execution operations on them are effectively cluster-admin grade and warrant CRITICAL scope.","description":"An Azure Kubernetes Service (AKS) managed cluster: the control-plane resource that hosts a Kubernetes cluster, its node pools, networking, RBAC/Azure AD integration, and a managed/service-principal identity used to act on Azure resources."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the clusterUser kubeconfig credential for authenticating to the Kubernetes API; privilege depends on AAD/in-cluster RBAC, but for AAD-disabled clusters it is admin-equivalent.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/managedNamespaces/listCredential/action":{"id":"Microsoft.ContainerService/managedClusters/managedNamespaces/listCredential/action","name":"AKS managed namespaces","scope":"CRITICAL","parent":{"notes":"Control-plane configuration of cluster tenancy boundaries; the read returns configuration metadata only, while write/delete and credential listing escalate sharply.","description":"A managed namespace of an AKS managed cluster - an Azure-managed Kubernetes namespace with its quotas, network policy, isolation, and default settings governing how workloads run within that namespace."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns a usable namespace-scoped kubeconfig, exporting credential material that grants the attacker authenticated in-cluster access and lateral movement as that identity.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/networking.fleet.azure.com/trafficManagerProfiles/delete":{"id":"Microsoft.ContainerService/managedClusters/networking.fleet.azure.com/trafficManagerProfiles/delete","name":"Fleet TrafficManagerProfile resource","scope":"HIGH","parent":{"notes":"Data-plane (isDataAction) resource controlling public DNS-based traffic routing of a domain to fleet service endpoints.","description":"A Kubernetes Fleet networking CRD (TrafficManagerProfile) that defines the Azure Traffic Manager DNS-based global routing configuration (routing method, domain, endpoint list) for fleet services."},"risks":["destruction:network","impact:dos"],"notes":"Deleting removes the DNS routing component entirely so the domain can no longer route traffic to any fleet backend, destroying network routing and denying service.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/networking.fleet.azure.com/trafficManagerProfiles/write":{"id":"Microsoft.ContainerService/managedClusters/networking.fleet.azure.com/trafficManagerProfiles/write","name":"Fleet TrafficManagerProfile resource","scope":"HIGH","parent":{"notes":"Data-plane (isDataAction) resource controlling public DNS-based traffic routing of a domain to fleet service endpoints.","description":"A Kubernetes Fleet networking CRD (TrafficManagerProfile) that defines the Azure Traffic Manager DNS-based global routing configuration (routing method, domain, endpoint list) for fleet services."},"risks":["impact:manipulation","takeover:domain","escalation:network"],"notes":"Creating/updating rewrites DNS-based routing and endpoints for the profile's domain, letting an attacker redirect public domain traffic to attacker-controlled targets, alter routing, and extend network reach.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/pods/exec/action":{"id":"Microsoft.ContainerService/managedClusters/pods/exec/action","name":"Kubernetes Pods","scope":"CRITICAL","parent":{"notes":"Pod specs frequently embed or reference credentials and sensitive configuration, and pods carry service-account tokens granting in-cluster and cloud identity.","description":"Kubernetes Pod objects on an AKS managed cluster, the running unit of workload execution; their specs include container images, command/args, environment variables, and references to mounted secrets, configmaps, volumes, and service accounts."},"risks":["escalation:lateral","exfiltration:data","impact:hijack","impact:manipulation"],"notes":"Exec grants an interactive shell inside a running container, executing code as that pod's service-account/managed identity to read mounted secrets and data, move laterally to whatever the workload can reach, hijack the compute, and tamper with the workload.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/pods/delete":{"id":"Microsoft.ContainerService/managedClusters/pods/delete","name":"Kubernetes Pods","scope":"HIGH","parent":{"notes":"Pod specs frequently embed or reference credentials and sensitive configuration, and pods carry service-account tokens granting in-cluster and cloud identity.","description":"Kubernetes Pod objects on an AKS managed cluster, the running unit of workload execution; their specs include container images, command/args, environment variables, and references to mounted secrets, configmaps, volumes, and service accounts."},"risks":["impact:dos","destruction:infra"],"notes":"Deleting pods terminates running workloads, disrupting the services they host and tearing down the compute units backing applications.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/pods/read":{"id":"Microsoft.ContainerService/managedClusters/pods/read","name":"Kubernetes Pods","scope":"HIGH","parent":{"notes":"Pod specs frequently embed or reference credentials and sensitive configuration, and pods carry service-account tokens granting in-cluster and cloud identity.","description":"Kubernetes Pod objects on an AKS managed cluster, the running unit of workload execution; their specs include container images, command/args, environment variables, and references to mounted secrets, configmaps, volumes, and service accounts."},"risks":["discovery:infra","exfiltration:data"],"notes":"Reading/listing pods inventories running workloads and exposes pod specs whose environment variables and mounted secret/configmap references frequently leak credentials and sensitive operational data.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/pods/write":{"id":"Microsoft.ContainerService/managedClusters/pods/write","name":"Kubernetes Pods","scope":"CRITICAL","parent":{"notes":"Pod specs frequently embed or reference credentials and sensitive configuration, and pods carry service-account tokens granting in-cluster and cloud identity.","description":"Kubernetes Pod objects on an AKS managed cluster, the running unit of workload execution; their specs include container images, command/args, environment variables, and references to mounted secrets, configmaps, volumes, and service accounts."},"risks":["impact:hijack","escalation:lateral","impact:manipulation"],"notes":"Creating/updating pods lets an attacker run arbitrary containers (cryptomining/workloads), mount any secret, service-account token, host path, or the node managed identity to assume cluster/cloud identities and move laterally, and alter the cluster's running workload state.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/podtemplates/delete":{"id":"Microsoft.ContainerService/managedClusters/podtemplates/delete","name":"Kubernetes PodTemplates","scope":"HIGH","parent":{"notes":"PodTemplate specs embed the same sensitive configuration and secret/identity references as pod specs and define how workloads are constructed.","description":"Kubernetes PodTemplate objects on an AKS managed cluster, reusable pod specifications (images, env vars, command, mounted secret/volume/service-account references) that controllers can instantiate into running pods."},"risks":["destruction:infra"],"notes":"Deleting pod templates removes reusable workload definitions, disrupting controllers/operators that rely on them to provision pods.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/podtemplates/read":{"id":"Microsoft.ContainerService/managedClusters/podtemplates/read","name":"Kubernetes PodTemplates","scope":"HIGH","parent":{"notes":"PodTemplate specs embed the same sensitive configuration and secret/identity references as pod specs and define how workloads are constructed.","description":"Kubernetes PodTemplate objects on an AKS managed cluster, reusable pod specifications (images, env vars, command, mounted secret/volume/service-account references) that controllers can instantiate into running pods."},"risks":["discovery:infra","exfiltration:data"],"notes":"Reading/listing pod templates inventories reusable workload definitions and exposes embedded environment variables and secret/identity references that can disclose credentials and sensitive configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/podtemplates/write":{"id":"Microsoft.ContainerService/managedClusters/podtemplates/write","name":"Kubernetes PodTemplates","scope":"HIGH","parent":{"notes":"PodTemplate specs embed the same sensitive configuration and secret/identity references as pod specs and define how workloads are constructed.","description":"Kubernetes PodTemplate objects on an AKS managed cluster, reusable pod specifications (images, env vars, command, mounted secret/volume/service-account references) that controllers can instantiate into running pods."},"risks":["impact:manipulation","escalation:lateral"],"notes":"Creating/updating pod templates injects malicious pod specifications (attacker images, privileged settings, mounted tokens/identities) that controllers later instantiate, manipulating workload definitions and seeding lateral movement when those pods run.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/use/action":{"id":"Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/use/action","name":"AKS pod security policies","scope":"CRITICAL","parent":{"notes":"PSPs are a security-enforcement defense mechanism: weakening or removing them lets privileged/host-mounting pods run, which is the standard path to container breakout and node/cluster compromise.","description":"A PodSecurityPolicy is a cluster-wide Kubernetes admission-control object that constrains what pods may run (privileged mode, host namespaces, hostPath/hostNetwork, capabilities). On AKS this is a data-plane resource governing the cluster's pod-security defense posture."},"risks":["escalation:privilege"],"notes":"The PSP 'use' verb authorizes a subject to schedule pods governed by a given (often permissive) policy, letting an attacker launch privileged/host-access containers that break out to the node and escalate toward cluster control.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/delete":{"id":"Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/delete","name":"AKS pod security policies","scope":"CRITICAL","parent":{"notes":"PSPs are a security-enforcement defense mechanism: weakening or removing them lets privileged/host-mounting pods run, which is the standard path to container breakout and node/cluster compromise.","description":"A PodSecurityPolicy is a cluster-wide Kubernetes admission-control object that constrains what pods may run (privileged mode, host namespaces, hostPath/hostNetwork, capabilities). On AKS this is a data-plane resource governing the cluster's pod-security defense posture."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting a PodSecurityPolicy removes the admission-control defense and the security-policy object that restricts pod privileges, lifting constraints that would otherwise block privileged/host-access pods.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/write":{"id":"Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/write","name":"AKS pod security policies","scope":"CRITICAL","parent":{"notes":"PSPs are a security-enforcement defense mechanism: weakening or removing them lets privileged/host-mounting pods run, which is the standard path to container breakout and node/cluster compromise.","description":"A PodSecurityPolicy is a cluster-wide Kubernetes admission-control object that constrains what pods may run (privileged mode, host namespaces, hostPath/hostNetwork, capabilities). On AKS this is a data-plane resource governing the cluster's pod-security defense posture."},"risks":["destruction:defense","escalation:privilege","impact:manipulation"],"notes":"Creating/updating a PodSecurityPolicy lets an attacker weaken or replace the admission-control defense (permit privileged/hostPath/hostNetwork pods), disabling a security control and enabling privileged-workload deployment that escalates to node/cluster-admin.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete","name":"AKS Kubernetes cluster role bindings","scope":"CRITICAL","parent":{"notes":"Cluster role bindings are the core cluster-wide access-control bindings; the asset is cluster-admin-grade identity and access-control data.","description":"A Kubernetes ClusterRoleBinding grants a ClusterRole's permissions to a subject (user, group, or service account) across the entire cluster. On AKS this is a data-plane RBAC binding controlling cluster-wide authorization."},"risks":["destruction:policy","impact:access"],"notes":"Deleting ClusterRoleBindings removes cluster-wide RBAC grants, destroying access-control policy and revoking legitimate operators' (including responders') cluster access while attacker access can persist.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/write":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/write","name":"AKS Kubernetes cluster role bindings","scope":"CRITICAL","parent":{"notes":"Cluster role bindings are the core cluster-wide access-control bindings; the asset is cluster-admin-grade identity and access-control data.","description":"A Kubernetes ClusterRoleBinding grants a ClusterRole's permissions to a subject (user, group, or service account) across the entire cluster. On AKS this is a data-plane RBAC binding controlling cluster-wide authorization."},"risks":["escalation:privilege","escalation:lateral","persistence:account"],"notes":"Creating/updating a ClusterRoleBinding lets an attacker bind cluster-admin (or any ClusterRole) to themselves or a controlled subject, the canonical Kubernetes cluster-wide privilege-escalation, lateral-movement, and persistence primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/bind/action":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/bind/action","name":"AKS Kubernetes cluster roles","scope":"CRITICAL","parent":{"notes":"Cluster roles define cluster-wide permission sets (up to cluster-admin); they are core cluster access-control policy objects.","description":"A Kubernetes ClusterRole defines a set of permissions over cluster-scoped and namespaced resources across the entire cluster. On AKS this is a data-plane RBAC permission definition."},"risks":["escalation:privilege","escalation:lateral"],"notes":"The Kubernetes 'bind' verb authorizes creating bindings that reference a ClusterRole, letting an attacker grant that role's (up to cluster-admin) permissions to a controlled subject and escalate cluster-wide.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action","name":"AKS Kubernetes cluster roles","scope":"CRITICAL","parent":{"notes":"Cluster roles define cluster-wide permission sets (up to cluster-admin); they are core cluster access-control policy objects.","description":"A Kubernetes ClusterRole defines a set of permissions over cluster-scoped and namespaced resources across the entire cluster. On AKS this is a data-plane RBAC permission definition."},"risks":["escalation:privilege"],"notes":"The Kubernetes 'escalate' verb explicitly bypasses RBAC's privilege-escalation guard, letting an attacker author/modify a ClusterRole to grant permissions exceeding their own and reach cluster-admin.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/delete":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/delete","name":"AKS Kubernetes cluster roles","scope":"CRITICAL","parent":{"notes":"Cluster roles define cluster-wide permission sets (up to cluster-admin); they are core cluster access-control policy objects.","description":"A Kubernetes ClusterRole defines a set of permissions over cluster-scoped and namespaced resources across the entire cluster. On AKS this is a data-plane RBAC permission definition."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a ClusterRole destroys a cluster-wide access-control policy definition and breaks every binding referencing it, revoking the permissions of all bound subjects and denying authorized operational access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/write":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/write","name":"AKS Kubernetes cluster roles","scope":"CRITICAL","parent":{"notes":"Cluster roles define cluster-wide permission sets (up to cluster-admin); they are core cluster access-control policy objects.","description":"A Kubernetes ClusterRole defines a set of permissions over cluster-scoped and namespaced resources across the entire cluster. On AKS this is a data-plane RBAC permission definition."},"risks":["escalation:privilege"],"notes":"Creating/updating a ClusterRole lets an attacker craft or expand a role's permission set, escalating the cluster-wide privileges of every subject already bound to that role (including controlled identities).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/delete":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/delete","name":"Kubernetes RoleBindings (AKS)","scope":"CRITICAL","parent":{"notes":"Cluster RBAC is the primary access-control mechanism for the cluster; binding a subject to a privileged role (e.g. cluster-admin) yields full control of the cluster and its workloads/data.","description":"In-cluster Kubernetes RBAC RoleBinding objects that bind subjects (users, groups, service accounts) to Roles/ClusterRoles within an AKS managed cluster, governing who can perform which actions in the cluster."},"risks":["destruction:policy","impact:access"],"notes":"Deleting RoleBindings tears down RBAC access-control assignments, destroying policy and revoking legitimate principals' authorized access to the cluster.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/write":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/write","name":"Kubernetes RoleBindings (AKS)","scope":"CRITICAL","parent":{"notes":"Cluster RBAC is the primary access-control mechanism for the cluster; binding a subject to a privileged role (e.g. cluster-admin) yields full control of the cluster and its workloads/data.","description":"In-cluster Kubernetes RBAC RoleBinding objects that bind subjects (users, groups, service accounts) to Roles/ClusterRoles within an AKS managed cluster, governing who can perform which actions in the cluster."},"risks":["escalation:privilege"],"notes":"Creating/updating a RoleBinding lets an attacker bind any subject (including their own identity) to any role up to cluster-admin, the canonical Kubernetes privilege-escalation primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/bind/action":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/bind/action","name":"Kubernetes Roles (AKS)","scope":"CRITICAL","parent":{"notes":"Roles define the permission surface of the cluster's RBAC; crafting/expanding a role and binding it grants control over cluster resources, workloads, and data.","description":"In-cluster Kubernetes RBAC Role (and ClusterRole) objects that define permission rule sets within an AKS managed cluster; subjects gain these permissions when bound via RoleBindings."},"risks":["escalation:privilege"],"notes":"The Kubernetes bind verb authorizes referencing a role in a RoleBinding even without holding that role's permissions, letting an attacker grant a role's privileges to a controlled subject for direct privilege escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/escalate/action":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/escalate/action","name":"Kubernetes Roles (AKS)","scope":"CRITICAL","parent":{"notes":"Roles define the permission surface of the cluster's RBAC; crafting/expanding a role and binding it grants control over cluster resources, workloads, and data.","description":"In-cluster Kubernetes RBAC Role (and ClusterRole) objects that define permission rule sets within an AKS managed cluster; subjects gain these permissions when bound via RoleBindings."},"risks":["escalation:privilege"],"notes":"The Kubernetes escalate verb explicitly bypasses RBAC privilege-escalation prevention, allowing creation/update of roles with permissions exceeding the caller's own — a deliberate privilege-escalation primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/delete":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/delete","name":"Kubernetes Roles (AKS)","scope":"CRITICAL","parent":{"notes":"Roles define the permission surface of the cluster's RBAC; crafting/expanding a role and binding it grants control over cluster resources, workloads, and data.","description":"In-cluster Kubernetes RBAC Role objects that define permission rule sets within an AKS managed cluster; subjects gain these permissions when bound via RoleBindings."},"risks":["destruction:policy","impact:access"],"notes":"Deleting Roles destroys RBAC permission definitions, removing access-control policy and revoking the access that any bound subjects relied upon.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/write":{"id":"Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/write","name":"Kubernetes Roles (AKS)","scope":"CRITICAL","parent":{"notes":"Roles define the permission surface of the cluster's RBAC; crafting/expanding a role and binding it grants control over cluster resources, workloads, and data.","description":"In-cluster Kubernetes RBAC Role objects that define permission rule sets within an AKS managed cluster; subjects gain these permissions when bound via RoleBindings."},"risks":["escalation:privilege"],"notes":"Creating/updating a Role lets an attacker define or broaden a permission set that all bound subjects inherit, enabling privilege escalation (subject to Kubernetes escalate-verb checks but still alters RBAC policy).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/resetAADProfile/action":{"id":"Microsoft.ContainerService/managedClusters/resetAADProfile/action","name":"AKS managed cluster","scope":"CRITICAL","parent":{"notes":"AKS clusters are production compute assets that run workloads, hold in-cluster secrets, and act through a cluster identity; credential-listing and command-execution operations on them are effectively cluster-admin grade and warrant CRITICAL scope.","description":"An Azure Kubernetes Service (AKS) managed cluster: the control-plane resource that hosts a Kubernetes cluster, its node pools, networking, RBAC/Azure AD integration, and a managed/service-principal identity used to act on Azure resources."},"risks":["escalation:privilege","impact:access","destruction:defense"],"notes":"Resets the cluster's Azure AD integration/admin-group bindings, letting an attacker designate AAD groups they control as cluster admins, lock out legitimate operators, and weaken the authentication defense.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/resetServicePrincipalProfile/action":{"id":"Microsoft.ContainerService/managedClusters/resetServicePrincipalProfile/action","name":"AKS managed cluster","scope":"CRITICAL","parent":{"notes":"AKS clusters are production compute assets that run workloads, hold in-cluster secrets, and act through a cluster identity; credential-listing and command-execution operations on them are effectively cluster-admin grade and warrant CRITICAL scope.","description":"An Azure Kubernetes Service (AKS) managed cluster: the control-plane resource that hosts a Kubernetes cluster, its node pools, networking, RBAC/Azure AD integration, and a managed/service-principal identity used to act on Azure resources."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"Resets the cluster's service principal credentials, letting an attacker bind an identity they control as the cluster's control-plane identity, establishing persistence and pivoting through that identity's Azure access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/runCommand/action":{"id":"Microsoft.ContainerService/managedClusters/runCommand/action","name":"AKS managed cluster","scope":"CRITICAL","parent":{"notes":"AKS clusters are production compute assets that run workloads, hold in-cluster secrets, and act through a cluster identity; credential-listing and command-execution operations on them are effectively cluster-admin grade and warrant CRITICAL scope.","description":"An Azure Kubernetes Service (AKS) managed cluster: the control-plane resource that hosts a Kubernetes cluster, its node pools, networking, RBAC/Azure AD integration, and a managed/service-principal identity used to act on Azure resources."},"risks":["escalation:lateral","impact:hijack","impact:manipulation","exfiltration:data"],"notes":"RunCommand executes arbitrary commands against the Kubernetes API server from an in-cluster command pod with cluster-admin-equivalent context, enabling code execution to read in-cluster secrets/data, alter workloads, run attacker payloads, and pivot via pod/cluster identities — bypassing network restrictions.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/secrets/delete":{"id":"Microsoft.ContainerService/managedClusters/secrets/delete","name":"Kubernetes Secrets (AKS data plane)","scope":"CRITICAL","parent":{"notes":"Highest-sensitivity in-cluster asset; secrets directly grant identity access and are usable across cluster functions.","description":"Kubernetes Secret objects within an AKS managed cluster holding credential material: service-account tokens, passwords, TLS private keys, connection strings, and registry/pull credentials."},"risks":["destruction:crypto","impact:dos"],"notes":"Deleting Secrets destroys cryptographic/credential material that pods depend on for authentication, causing irrecoverable key loss and outages for dependent workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/secrets/read":{"id":"Microsoft.ContainerService/managedClusters/secrets/read","name":"Kubernetes Secrets (AKS data plane)","scope":"CRITICAL","parent":{"notes":"Highest-sensitivity in-cluster asset; secrets directly grant identity access and are usable across cluster functions.","description":"Kubernetes Secret objects within an AKS managed cluster holding credential material: service-account tokens, passwords, TLS private keys, connection strings, and registry/pull credentials."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Reading Secrets returns the actual credential material, enabling direct exfiltration of cryptographic/credential data and reuse of those credentials to assume other identities and take over accounts.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/secrets/write":{"id":"Microsoft.ContainerService/managedClusters/secrets/write","name":"Kubernetes Secrets (AKS data plane)","scope":"CRITICAL","parent":{"notes":"Highest-sensitivity in-cluster asset; secrets directly grant identity access and are usable across cluster functions.","description":"Kubernetes Secret objects within an AKS managed cluster holding credential material: service-account tokens, passwords, TLS private keys, connection strings, and registry/pull credentials."},"risks":["impact:manipulation","persistence:account","escalation:lateral"],"notes":"Creating/updating Secrets lets an attacker plant or overwrite credentials/tokens that workloads mount and consume, establishing persistence and enabling lateral movement as the identities those secrets authenticate.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/serviceaccounts/impersonate/action":{"id":"Microsoft.ContainerService/managedClusters/serviceaccounts/impersonate/action","name":"Kubernetes ServiceAccounts (AKS data plane)","scope":"CRITICAL","parent":{"notes":"ServiceAccounts are workload identities; the ability to impersonate them lets a caller act as that identity with its bound RBAC permissions, which can lead to full cluster compromise.","description":"Kubernetes ServiceAccount objects within an AKS managed cluster representing in-cluster identities that workloads authenticate as and that are bound to RBAC roles."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating a ServiceAccount lets an attacker act directly as that identity with its bound RBAC permissions, a direct lateral-movement and privilege-escalation primitive (potentially to cluster-admin-bound accounts).","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/serviceaccounts/delete":{"id":"Microsoft.ContainerService/managedClusters/serviceaccounts/delete","name":"Kubernetes ServiceAccounts (AKS data plane)","scope":"CRITICAL","parent":{"notes":"Identities themselves; manipulating or impersonating them is high impact, but plain enumeration of the objects is low-sensitivity.","description":"Kubernetes ServiceAccount objects within an AKS managed cluster representing in-cluster identities that workloads authenticate as and that are bound to RBAC roles."},"risks":["destruction:account","impact:dos"],"notes":"Deleting ServiceAccounts removes the in-cluster identities workloads authenticate with, destroying accounts and breaking dependent controllers/workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/serviceaccounts/write":{"id":"Microsoft.ContainerService/managedClusters/serviceaccounts/write","name":"Kubernetes ServiceAccounts (AKS data plane)","scope":"CRITICAL","parent":{"notes":"Identities themselves; manipulating or impersonating them is high impact, but plain enumeration of the objects is low-sensitivity.","description":"Kubernetes ServiceAccount objects within an AKS managed cluster representing in-cluster identities that workloads authenticate as and that are bound to RBAC roles."},"risks":["persistence:account","escalation:lateral","escalation:privilege"],"notes":"Creating/updating ServiceAccounts lets an attacker mint new in-cluster identities (and configure their tokens/annotations, e.g. workload-identity bindings) for durable persistence and lateral movement, and to position identities for privileged access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete":{"id":"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete","name":"AKS trusted access role bindings","scope":"CRITICAL","parent":{"notes":"These bindings control privileged, potentially cluster-admin access into AKS, making the asset highly sensitive.","description":"AKS trusted access role bindings grant an Azure source resource's managed identity a chosen Kubernetes RBAC role inside a managed cluster, establishing cross-resource access into the cluster."},"risks":["destruction:policy","impact:access"],"notes":"Deleting trusted access role bindings removes the RBAC grants tying Azure identities to the cluster, destroying access-control policy and revoking legitimate services' and operators' authorized cluster access.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write":{"id":"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write","name":"AKS trusted access role bindings","scope":"CRITICAL","parent":{"notes":"These bindings control privileged, potentially cluster-admin access into AKS, making the asset highly sensitive.","description":"AKS trusted access role bindings grant an Azure source resource's managed identity a chosen Kubernetes RBAC role inside a managed cluster, establishing cross-resource access into the cluster."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Creating/updating a trusted access role binding grants an Azure resource's managed identity a chosen RBAC role inside the cluster, directly escalating privilege and enabling lateral movement into the AKS control plane via a controlled identity.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ContainerService/managedClusters/users/impersonate/action":{"id":"Microsoft.ContainerService/managedClusters/users/impersonate/action","name":"Kubernetes user impersonation (AKS)","scope":"CRITICAL","parent":{"notes":"Impersonation lets the holder act as any other identity (including cluster-admins), inheriting that identity's full RBAC privileges — equivalent to broad cluster takeover.","description":"The Kubernetes user-impersonation capability on an AKS managed cluster, allowing the API caller to issue requests as an arbitrary cluster user identity."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Impersonating a user lets the attacker act as any other cluster identity, acquiring that identity's privileges for both lateral movement and privilege escalation up to cluster-admin.","links":["https://azure.permissions.cloud/iam/Microsoft.ContainerService","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DataProtection/backupVaults/backupInstances/restore/action":{"id":"Microsoft.DataProtection/backupVaults/backupInstances/restore/action","name":"Backup Instance","scope":"HIGH","parent":{"notes":"These are control-plane (management) operations. Backup instances are the recoverability defense and the store of recovery points that mitigate data destruction and ransomware for a single protected workload.","description":"A backup instance in an Azure Data Protection backup vault represents the protection configuration that ties a data source (e.g. a disk, database, blob storage account) to a backup policy, governing which recovery points are created and retained."},"risks":["exfiltration:data","impact:manipulation"],"notes":"Triggers a restore that writes backup contents (which may include sensitive production data) to a target the attacker can influence, enabling exfiltration of backed-up data and overwriting/manipulation of the restore target.","links":["https://azure.permissions.cloud/iam/Microsoft.DataProtection","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DataProtection/subscriptions/resourceGroups/providers/Locations/crossRegionRestore/action":{"id":"Microsoft.DataProtection/subscriptions/resourceGroups/providers/Locations/crossRegionRestore/action","name":"Backup Vault cross-region restore (Backup Jobs)","scope":"HIGH","parent":{"notes":"Backup data can include full copies of production databases, VMs, and files; the ability to enumerate and restore it from the secondary region is effectively access to the organization's recoverable data.","description":"Location-scoped cross-region restore operations on a Backup Vault, used to enumerate recovery points and trigger/validate/track restores of protected backup data from the paired secondary region."},"risks":["exfiltration:data","impact:manipulation","impact:spend"],"notes":"Triggers an actual cross-region restore of a backup instance, re-materializing backed-up (potentially production) data into a restore target the attacker can reach (exfiltration), can overwrite/alter live data when restoring to an existing location (manipulation), and provisions costly restore resources (spend).","links":["https://azure.permissions.cloud/iam/Microsoft.DataProtection","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/Locations/restorableDatabaseAccounts/restore/action":{"id":"Microsoft.DocumentDB/Locations/restorableDatabaseAccounts/restore/action","name":"Cosmos DB restorable database account","scope":"HIGH","parent":{"notes":"Exposes recovery-estate metadata (account IDs, regions, creation/deletion timestamps, restore windows) but not the underlying database contents; the restore action that consumes it is the high-impact capability.","description":"A restorable (backup) record of an Azure Cosmos DB database account, capturing point-in-time-restore metadata for existing and previously-deleted accounts in a region."},"risks":["exfiltration:data","impact:spend"],"notes":"Submitting a point-in-time restore rehydrates the backed-up Cosmos DB account's full contents into a new, attacker-controllable account, materializing organizational data for exfiltration while provisioning a costly new database account.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/cassandraClusters/commands/read":{"id":"Microsoft.DocumentDB/cassandraClusters/commands/read","name":"Managed Cassandra cluster command output","scope":"HIGH","parent":{"notes":"Command output can contain query results, configuration, and operational data from a production database supporting a single organizational function.","description":"Azure Managed Instance for Apache Cassandra is a managed NoSQL database; this resource type exposes the data-plane read of output from commands previously run on the cluster."},"risks":["exfiltration:data"],"notes":"Reading the output of previously-run commands can return query results and operational/database data, enabling exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/PrivateEndpointConnectionsApproval/action":{"id":"Microsoft.DocumentDB/databaseAccounts/PrivateEndpointConnectionsApproval/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["escalation:network","exfiltration:data"],"notes":"Approves (or manages) a private endpoint connection request against the account. An attacker who controls or requests a malicious private endpoint can approve their own connection, granting it a private network path directly to the data plane that bypasses firewall and public-network-access restrictions.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/backup/action":{"id":"Microsoft.DocumentDB/databaseAccounts/backup/action","name":"Cosmos DB database account","scope":"HIGH","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["collection:data","exfiltration:data"],"notes":"Triggers an external backup that copies the account's contents to a backup target, enabling automated collection and potential exfiltration of organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/changeResourceGroup/action":{"id":"Microsoft.DocumentDB/databaseAccounts/changeResourceGroup/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["escalation:privilege","destruction:policy"],"notes":"Moves the account to a different resource group, potentially shifting it out from under resource-group-scoped RBAC role assignments and Azure Policy controls into a less-restrictive resource group, weakening access governance over the account.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/chaosFault/action":{"id":"Microsoft.DocumentDB/databaseAccounts/chaosFault/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["impact:dos"],"notes":"Enables, disables, or checks the status of chaos-engineering fault injection against the live account. An attacker can enable faults to deliberately degrade or crash the database as a denial-of-service or as a distraction during a broader attack.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/copyJobs/write":{"id":"Microsoft.DocumentDB/databaseAccounts/copyJobs/write","name":"Cosmos DB container copy jobs","scope":"HIGH","parent":{"notes":"Although the job resource is control-plane configuration, the write operation moves the actual production database data, so this resource type sits close to a production data store.","description":"Container copy jobs are Cosmos DB data-movement operations that copy or migrate the contents of a container between containers or database accounts."},"risks":["exfiltration:data","collection:data","impact:manipulation","impact:spend"],"notes":"Creating a copy job can replicate production container data to an attacker-influenced destination account (bulk exfiltration / automated collection), writes into the target container (manipulation), and consumes throughput/RU cost.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/write":{"id":"Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/write","name":"Container copy jobs","scope":"HIGH","parent":{"notes":"Job definitions reference source and destination containers and govern bulk movement of production database data.","description":"Container copy (data transfer) jobs that move/replicate data between Azure Cosmos DB containers, accounts, or external stores within a database account."},"risks":["exfiltration:data","impact:manipulation"],"notes":"Creating a container copy job can duplicate a production container's contents to an attacker-chosen destination (another account/container/store), enabling bulk data exfiltration, and writes/overwrites data at the destination.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/disableLongTermProtection/action":{"id":"Microsoft.DocumentDB/databaseAccounts/disableLongTermProtection/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["destruction:defense"],"notes":"Disables long-term/immutable backup retention protection, removing a ransomware-recovery safety net. An attacker can disable this before destroying or encrypting data to eliminate the immutable-backup recovery path.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action":{"id":"Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["impact:dos"],"notes":"Changes the failover priority ordering of the account's regions, triggering a manual failover. Forcing failover to an unintended or lagging region can disrupt availability and durability guarantees for the account's applications.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/getBackupPolicy/action":{"id":"Microsoft.DocumentDB/databaseAccounts/getBackupPolicy/action","name":"Cosmos DB database account","scope":"LOW","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["discovery:metadata"],"notes":"Reads the account's backup policy configuration (type, interval, retention). Reveals backup posture useful for reconnaissance but discloses no data or credentials on its own.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/joinPerimeter/action":{"id":"Microsoft.DocumentDB/databaseAccounts/joinPerimeter/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["escalation:network"],"notes":"Joins the account to a Network Security Perimeter, changing which network trust boundary governs access to the resource. Joining it to a perimeter with looser member/inbound rules can widen the set of networks able to reach the account.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action":{"id":"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["exfiltration:crypto","exfiltration:data","takeover:account"],"notes":"Returns connection strings that embed the master keys, providing ready-to-use full-access credentials for the entire data plane and effective account takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/listKeys/action":{"id":"Microsoft.DocumentDB/databaseAccounts/listKeys/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["exfiltration:crypto","exfiltration:data","takeover:account"],"notes":"Returns the read-write master keys, exfiltrating credential material that grants complete data-plane access to (and effective takeover of) the entire account.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete":{"id":"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete","name":"Cosmos DB MongoDB role definition","scope":"HIGH","parent":{"notes":"Defines the data-plane access-control model for a single database account's data store.","description":"A MongoDB Role Definition is a data-plane RBAC role for the Cosmos DB for MongoDB API, specifying the set of database privileges (actions/resources) that can be granted to user definitions."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a MongoDB role definition removes a data-plane access-control policy object and breaks every user assignment referencing it, revoking authorized database access and disrupting the RBAC model.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write":{"id":"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write","name":"Cosmos DB MongoDB role definition","scope":"CRITICAL","parent":{"notes":"Defines the data-plane access-control model for a single database account's data store.","description":"A MongoDB Role Definition is a data-plane RBAC role for the Cosmos DB for MongoDB API, specifying the set of database privileges (actions/resources) that can be granted to user definitions."},"risks":["escalation:privilege"],"notes":"Creating or updating a MongoDB role definition lets an attacker craft or broaden a role's privileges (e.g. readWriteAnyDatabase), escalating the access of any user bound to that role within the database account.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete":{"id":"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete","name":"Cosmos DB MongoDB user definition","scope":"HIGH","parent":{"notes":"Represents a credentialed data-plane identity for a single database account's data store.","description":"A MongoDB User Definition is a data-plane database user account for the Cosmos DB for MongoDB API, holding the username, credential (password set on write, not returned on read), and the role definitions assigned to it."},"risks":["destruction:account","impact:access"],"notes":"Deleting a MongoDB user definition removes a database account, destroying the identity and denying that user authorized access to the data plane.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write":{"id":"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write","name":"Cosmos DB MongoDB user definition","scope":"CRITICAL","parent":{"notes":"Represents a credentialed data-plane identity for a single database account's data store.","description":"A MongoDB User Definition is a data-plane database user account for the Cosmos DB for MongoDB API, holding the username, credential (password set on write, not returned on read), and the role definitions assigned to it."},"risks":["persistence:account","escalation:privilege"],"notes":"Creating or updating a MongoDB user definition lets an attacker provision a database user with a chosen password and attach privileged roles, establishing persistent credentialed data-plane access and escalating privilege.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces/listConnectionInfo/action":{"id":"Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces/listConnectionInfo/action","name":"Notebook workspace","scope":"MEDIUM","parent":{"notes":"Supporting compute asset; can run arbitrary code/workloads and incur metered spend.","description":"A managed Jupyter notebook workspace (hosted compute environment) attached to a Cosmos DB account, used to run notebooks against the account's data."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the notebook workspace connection endpoint and authentication token, exporting reusable credential material that lets an attacker connect to and execute code in the notebook compute environment.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/offlineRegion/action":{"id":"Microsoft.DocumentDB/databaseAccounts/offlineRegion/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["impact:dos"],"notes":"Takes a region of the account offline, a real regional outage that can disrupt read/write availability for applications routed to or reliant on that region.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/onlineRegion/action":{"id":"Microsoft.DocumentDB/databaseAccounts/onlineRegion/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["impact:dos"],"notes":"Brings a region of the account back online. Misuse (e.g. prematurely onlining a region mid-maintenance or mid-failover) can disrupt consistency and availability guarantees during region topology changes.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/preBackup/action":{"id":"Microsoft.DocumentDB/databaseAccounts/preBackup/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["exfiltration:data"],"notes":"Prepares an on-demand external backup operation, the precursor step to producing a fresh exportable copy of the account's data outside normal data-plane access controls.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/preRestore/action":{"id":"Microsoft.DocumentDB/databaseAccounts/preRestore/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["exfiltration:data"],"notes":"Prepares an on-demand external restore operation, the precursor step to resurrecting an old backup, potentially containing since-deleted sensitive records or data predating a security fix, into an accessible location.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action":{"id":"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Returns the read-only master keys, reusable bearer credentials that grant full read access to all data in the account; can be exfiltrated and replayed to read all data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/readonlykeys/read":{"id":"Microsoft.DocumentDB/databaseAccounts/readonlykeys/read","name":"Cosmos DB account read-only keys","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Despite the /read verb, this returns the actual read-only account keys (secret credential material) usable to connect and bulk-read every document in the account, so it is credential exfiltration that directly enables data exfiltration, not mere discovery.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/regenerateKey/action":{"id":"Microsoft.DocumentDB/databaseAccounts/regenerateKey/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["impact:dos"],"notes":"Regenerates one of the account's master keys, invalidating the copy held by legitimate applications and administrators and cutting off their access (denial of service). Note that regeneration invalidates the rotated key rather than granting the attacker any durable new credential.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/restore/action":{"id":"Microsoft.DocumentDB/databaseAccounts/restore/action","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["exfiltration:data"],"notes":"Restores an old backup into a new or existing account, resurrecting stale data that may contain since-deleted sensitive records or predate a security fix, making it newly accessible and exportable outside the original access controls.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete":{"id":"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete","name":"Cosmos DB SQL role assignment","scope":"CRITICAL","parent":{"notes":"Access-control binding governing which identities can read and write the production database's data plane; creating/deleting these directly controls data access.","description":"A Cosmos DB native (SQL API) data-plane RBAC role assignment binding a principal to a SQL role definition at a scope within a database account."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a SQL role assignment destroys a data-plane access binding, stripping legitimate principals of access (denial-of-access) and tearing down grants that would otherwise constrain the attacker.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write":{"id":"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write","name":"Cosmos DB SQL role assignment","scope":"CRITICAL","parent":{"notes":"Access-control binding governing which identities can read and write the production database's data plane; creating/deleting these directly controls data access.","description":"A Cosmos DB native (SQL API) data-plane RBAC role assignment binding a principal to a SQL role definition at a scope within a database account."},"risks":["escalation:privilege","escalation:lateral","persistence:account"],"notes":"Creating/updating a SQL role assignment binds a controlled principal or managed identity to a data-plane role, the headline primitive that grants the attacker (or another identity) read/write access to the database, enables lateral movement, and establishes durable access.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete":{"id":"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete","name":"Cosmos DB SQL role definition","scope":"CRITICAL","parent":{"notes":"Access-control policy governing data-plane access to a production database; reading/altering these definitions affects who can read and write the account's data.","description":"A Cosmos DB native (SQL API) data-plane RBAC role definition specifying a set of data actions and assignable scopes within a database account."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a SQL role definition destroys an access-control policy object and breaks every assignment referencing it, revoking legitimate principals' data-plane access to the account.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write":{"id":"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write","name":"Cosmos DB SQL role definition","scope":"CRITICAL","parent":{"notes":"Access-control policy governing data-plane access to a production database; reading/altering these definitions affects who can read and write the account's data.","description":"A Cosmos DB native (SQL API) data-plane RBAC role definition specifying a set of data actions and assignable scopes within a database account."},"risks":["escalation:privilege"],"notes":"Creating or updating a SQL role definition lets an attacker inject arbitrary data-plane permissions, escalating the access of every principal bound to that role within the database account.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/write":{"id":"Microsoft.DocumentDB/databaseAccounts/write","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["escalation:privilege","destruction:policy"],"notes":"Updates the account's ARM-level configuration, including public network access, IP firewall rules, whether Azure AD/local-auth is enforced, and CORS rules. An attacker can weaken or disable these controls to open a network or authentication path to the data plane.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/databaseAccounts/delete":{"id":"Microsoft.DocumentDB/databaseAccounts/delete","name":"Cosmos DB database account","scope":"CRITICAL","parent":{"notes":"Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.","description":"An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store."},"risks":["destruction:data"],"notes":"Destroys the entire Cosmos account and all databases and containers within it, permanently destroying every dataset the account holds. Cosmos accounts are frequently shared across an entire application or multiple tenants, so impact is typically organization-wide.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/bzmpop/delete":{"id":"Microsoft.DocumentDB/garnetClusters/acl/bzmpop/delete","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["destruction:data","exfiltration:data"],"notes":"BZMPOP blocks, removes, and returns the highest/lowest-score element(s) from sorted set(s), both destroying the data and disclosing the popped member value to the caller.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/bzpopmax/delete":{"id":"Microsoft.DocumentDB/garnetClusters/acl/bzpopmax/delete","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["destruction:data","exfiltration:data"],"notes":"BZPOPMAX blocks, removes, and returns the highest-score element from sorted set(s), both destroying the data and disclosing the popped member to the caller.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/bzpopmin/delete":{"id":"Microsoft.DocumentDB/garnetClusters/acl/bzpopmin/delete","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["destruction:data","exfiltration:data"],"notes":"BZPOPMIN blocks, removes, and returns the lowest-score element from sorted set(s), both destroying the data and disclosing the popped member to the caller.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/get/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/get/read","name":"Garnet cluster cached data","scope":"HIGH","parent":{"notes":"A production cache cluster typically holds operational data for a single organizational function (sessions, counters, cached query results), which can include sensitive content; it is a single-function production data store (HIGH).","description":"Microsoft Garnet is a high-performance, Redis-compatible cache/in-memory data store offered under Microsoft.DocumentDB. These data-plane operations execute Redis-style commands directly against the keyspace, reading, writing, or deleting the values stored in the cluster."},"risks":["exfiltration:data"],"notes":"GET returns the actual stored value for a key, allowing an attacker to read and exfiltrate cached organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/getdel/delete":{"id":"Microsoft.DocumentDB/garnetClusters/acl/getdel/delete","name":"Garnet cluster cached data","scope":"HIGH","parent":{"notes":"A production cache cluster typically holds operational data for a single organizational function (sessions, counters, cached query results), which can include sensitive content; it is a single-function production data store (HIGH).","description":"Microsoft Garnet is a high-performance, Redis-compatible cache/in-memory data store offered under Microsoft.DocumentDB. These data-plane operations execute Redis-style commands directly against the keyspace, reading, writing, or deleting the values stored in the cluster."},"risks":["exfiltration:data","destruction:data"],"notes":"GETDEL atomically returns the stored value (exfiltration) and deletes the key (destruction) in one operation.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/getex/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/getex/read","name":"Garnet cluster cached data","scope":"HIGH","parent":{"notes":"A production cache cluster typically holds operational data for a single organizational function (sessions, counters, cached query results), which can include sensitive content; it is a single-function production data store (HIGH).","description":"Microsoft Garnet is a high-performance, Redis-compatible cache/in-memory data store offered under Microsoft.DocumentDB. These data-plane operations execute Redis-style commands directly against the keyspace, reading, writing, or deleting the values stored in the cluster."},"risks":["exfiltration:data","impact:manipulation"],"notes":"GETEX returns the stored value (exfiltration) and also sets/alters the key's expiration TTL, manipulating the data's lifecycle (which can force data loss on expiry).","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/getrange/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/getrange/read","name":"Garnet cluster cached data","scope":"HIGH","parent":{"notes":"A production cache cluster typically holds operational data for a single organizational function (sessions, counters, cached query results), which can include sensitive content; it is a single-function production data store (HIGH).","description":"Microsoft Garnet is a high-performance, Redis-compatible cache/in-memory data store offered under Microsoft.DocumentDB. These data-plane operations execute Redis-style commands directly against the keyspace, reading, writing, or deleting the values stored in the cluster."},"risks":["exfiltration:data"],"notes":"GETRANGE returns a substring of a stored value, allowing an attacker to read and exfiltrate cached data content.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/getset/write":{"id":"Microsoft.DocumentDB/garnetClusters/acl/getset/write","name":"Garnet cluster cached data","scope":"HIGH","parent":{"notes":"A production cache cluster typically holds operational data for a single organizational function (sessions, counters, cached query results), which can include sensitive content; it is a single-function production data store (HIGH).","description":"Microsoft Garnet is a high-performance, Redis-compatible cache/in-memory data store offered under Microsoft.DocumentDB. These data-plane operations execute Redis-style commands directly against the keyspace, reading, writing, or deleting the values stored in the cluster."},"risks":["impact:manipulation","exfiltration:data"],"notes":"GETSET atomically overwrites a key's value (manipulation) and returns its prior value (exfiltration).","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/hget/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/hget/read","name":"Garnet cluster cache data","scope":"HIGH","parent":{"notes":"Production cache data stores typically hold session state, application data, and sometimes sensitive values; access is scoped to a single organizational function.","description":"Garnet is a Redis-compatible in-memory cache/data store offered under Azure Cosmos DB (Microsoft.DocumentDB). These ACL-scoped data-plane operations read, write, and delete keys/values held in the cluster."},"risks":["exfiltration:data"],"notes":"HGET returns the value of a hash field, allowing an attacker to read out cached data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/hgetall/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/hgetall/read","name":"Garnet cluster cache data","scope":"HIGH","parent":{"notes":"Production cache data stores typically hold session state, application data, and sometimes sensitive values; access is scoped to a single organizational function.","description":"Garnet is a Redis-compatible in-memory cache/data store offered under Azure Cosmos DB (Microsoft.DocumentDB). These ACL-scoped data-plane operations read, write, and delete keys/values held in the cluster."},"risks":["exfiltration:data"],"notes":"HGETALL returns all fields and values of a hash, enabling bulk read-out of stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/hmget/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/hmget/read","name":"Garnet cluster hash data","scope":"HIGH","parent":{"notes":"Garnet clusters are production in-memory data stores holding operational/application data for a single organizational function; data-plane access touches the records themselves.","description":"A hash data structure within a Microsoft DocumentDB Garnet cluster, a Redis-compatible in-memory data store. This is a data-plane (isDataAction) operation on the actual cached records."},"risks":["exfiltration:data"],"notes":"HMGET returns the values of multiple specified hash fields, directly reading and exfiltrating stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/hrandfield/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/hrandfield/read","name":"Garnet cluster data (hash)","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single application function; its contents can include session, application, and potentially sensitive cached data.","description":"A Garnet cluster is a Microsoft Redis-compatible in-memory data store; this is a data-plane operation governed by an ACL on the cached data it holds."},"risks":["exfiltration:data"],"notes":"HRANDFIELD returns actual field names (and optionally values) from a hash, exporting stored cached data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/hscan/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/hscan/read","name":"Garnet cluster hash data","scope":"HIGH","parent":{"notes":"Garnet clusters are production in-memory data stores holding operational/application data for a single organizational function; data-plane access touches the records themselves.","description":"A hash data structure within a Microsoft DocumentDB Garnet cluster, a Redis-compatible in-memory data store. This is a data-plane (isDataAction) operation on the actual cached records."},"risks":["exfiltration:data"],"notes":"HSCAN iterates and returns hash field-value pairs, exposing actual stored values and enabling bulk data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/hvals/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/hvals/read","name":"Garnet cluster hash data","scope":"HIGH","parent":{"notes":"Garnet clusters are production in-memory data stores holding operational/application data for a single organizational function; data-plane access touches the records themselves.","description":"A hash data structure within a Microsoft DocumentDB Garnet cluster, a Redis-compatible in-memory data store. This is a data-plane (isDataAction) operation on the actual cached records."},"risks":["exfiltration:data"],"notes":"HVALS returns all values stored in a hash, directly enabling exfiltration of the underlying data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/lcs/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/lcs/read","name":"Garnet cluster cached data","scope":"HIGH","parent":{"notes":"A production cache cluster typically holds operational data for a single organizational function (sessions, counters, cached query results), which can include sensitive content; it is a single-function production data store (HIGH).","description":"Microsoft Garnet is a high-performance, Redis-compatible cache/in-memory data store offered under Microsoft.DocumentDB. These data-plane operations execute Redis-style commands directly against the keyspace, reading, writing, or deleting the values stored in the cluster."},"risks":["exfiltration:data"],"notes":"LCS reads the content of stored string keys to compute their longest common substring, leaking stored data values to the caller.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/mget/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/mget/read","name":"Garnet Cluster cache data","scope":"HIGH","parent":{"notes":"A production in-memory data store backing a single application function; it commonly holds session tokens, cached PII, and other sensitive application state.","description":"Microsoft Azure Cosmos DB for Garnet (a Redis-compatible in-memory cache/data store). These data-plane ACL command permissions govern individual key/value operations against the cluster's stored data."},"risks":["exfiltration:data"],"notes":"MGET returns the actual string values stored under multiple keys, directly exporting cached organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/psubscribe/action":{"id":"Microsoft.DocumentDB/garnetClusters/acl/psubscribe/action","name":"Garnet cluster (Redis-compatible cache)","scope":"HIGH","parent":{"notes":"Holds cached organizational data and carries application pub/sub message streams; treated as a production data store supporting a single function.","description":"Microsoft DocumentDB Garnet clusters are a Redis-compatible in-memory cache/data store. The acl child resource scopes data-plane commands executed against the cluster keyspace and pub/sub system."},"risks":["exfiltration:data"],"notes":"PSUBSCRIBE attaches a pattern-matched listener to pub/sub channels, letting an attacker passively intercept all messages flowing across matching channels.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/scripteval/action":{"id":"Microsoft.DocumentDB/garnetClusters/acl/scripteval/action","name":"Garnet cluster (Redis-compatible cache)","scope":"HIGH","parent":{"notes":"Holds cached organizational data and carries application pub/sub message streams; treated as a production data store supporting a single function.","description":"Microsoft DocumentDB Garnet clusters are a Redis-compatible in-memory cache/data store. The acl child resource scopes data-plane commands executed against the cluster keyspace and pub/sub system."},"risks":["exfiltration:data","impact:manipulation","destruction:data"],"notes":"EVAL runs an arbitrary server-side Lua script with full keyspace access, letting an attacker read, modify, and delete any cached data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/scriptevalsha/action":{"id":"Microsoft.DocumentDB/garnetClusters/acl/scriptevalsha/action","name":"Garnet cluster (Redis-compatible cache)","scope":"HIGH","parent":{"notes":"Holds cached organizational data and carries application pub/sub message streams; treated as a production data store supporting a single function.","description":"Microsoft DocumentDB Garnet clusters are a Redis-compatible in-memory cache/data store. The acl child resource scopes data-plane commands executed against the cluster keyspace and pub/sub system."},"risks":["exfiltration:data","impact:manipulation","destruction:data"],"notes":"EVALSHA executes a previously loaded script by its SHA with the same full read/modify/delete reach over the keyspace as EVAL.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/sdiff/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/sdiff/read","name":"Garnet cluster data (set)","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single application function; its contents can include session, application, and potentially sensitive cached data.","description":"A Garnet cluster is a Microsoft Redis-compatible in-memory data store; this is a data-plane operation governed by an ACL on the cached data it holds."},"risks":["exfiltration:data"],"notes":"SDIFF returns the actual differing member values of sets, exporting stored cached data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/sinter/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/sinter/read","name":"Garnet cluster data (set)","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single application function; its contents can include session, application, and potentially sensitive cached data.","description":"A Garnet cluster is a Microsoft Redis-compatible in-memory data store; this is a data-plane operation governed by an ACL on the cached data it holds."},"risks":["exfiltration:data"],"notes":"SINTER returns the actual intersecting member values across sets, exporting stored cached data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/smembers/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/smembers/read","name":"Garnet cluster data (set)","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single application function; its contents can include session, application, and potentially sensitive cached data.","description":"A Garnet cluster is a Microsoft Redis-compatible in-memory data store; this is a data-plane operation governed by an ACL on the cached data it holds."},"risks":["exfiltration:data"],"notes":"SMEMBERS returns all members of a set, fully exporting the stored set contents from the cache.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/spop/delete":{"id":"Microsoft.DocumentDB/garnetClusters/acl/spop/delete","name":"Garnet cluster data (set)","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single application function; its contents can include session, application, and potentially sensitive cached data.","description":"A Garnet cluster is a Microsoft Redis-compatible in-memory data store; this is a data-plane operation governed by an ACL on the cached data it holds."},"risks":["destruction:data","exfiltration:data"],"notes":"SPOP both removes random members from a set (destroying cached data) and returns those member values to the caller (exfiltrating them) in a single operation.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/srandmember/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/srandmember/read","name":"Garnet cluster set data","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single organizational function; data-plane operations read or mutate the cached organizational data directly.","description":"Garnet is a Redis-compatible in-memory cache/data store offered under Azure Cosmos DB (Microsoft.DocumentDB). This operation acts on set data structures held within a Garnet cluster's data plane."},"risks":["exfiltration:data"],"notes":"SRANDMEMBER returns actual member values from a set, exposing stored organizational data to an attacker (data-plane read of values, not mere enumeration).","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/sscan/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/sscan/read","name":"Garnet cluster set data","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single organizational function; data-plane operations read or mutate the cached organizational data directly.","description":"Garnet is a Redis-compatible in-memory cache/data store offered under Azure Cosmos DB (Microsoft.DocumentDB). This operation acts on set data structures held within a Garnet cluster's data plane."},"risks":["exfiltration:data"],"notes":"SSCAN iterates and returns the actual member values of a set, enabling bulk exfiltration of stored set data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/subscribe/action":{"id":"Microsoft.DocumentDB/garnetClusters/acl/subscribe/action","name":"Garnet cluster (Redis-compatible cache)","scope":"HIGH","parent":{"notes":"Holds cached organizational data and carries application pub/sub message streams; treated as a production data store supporting a single function.","description":"Microsoft DocumentDB Garnet clusters are a Redis-compatible in-memory cache/data store. The acl child resource scopes data-plane commands executed against the cluster keyspace and pub/sub system."},"risks":["exfiltration:data"],"notes":"SUBSCRIBE attaches a listener to named channels, letting an attacker passively intercept all messages published to those pub/sub channels.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/substr/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/substr/read","name":"Garnet cluster cache data","scope":"HIGH","parent":{"notes":"Production cache data stores typically hold session state, application data, and sometimes sensitive values; access is scoped to a single organizational function.","description":"Garnet is a Redis-compatible in-memory cache/data store offered under Azure Cosmos DB (Microsoft.DocumentDB). These ACL-scoped data-plane operations read, write, and delete keys/values held in the cluster."},"risks":["exfiltration:data"],"notes":"SUBSTR returns actual stored string content (a substring), allowing an attacker to read out cached data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/sunion/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/sunion/read","name":"Garnet cluster set data","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single organizational function; data-plane operations read or mutate the cached organizational data directly.","description":"Garnet is a Redis-compatible in-memory cache/data store offered under Azure Cosmos DB (Microsoft.DocumentDB). This operation acts on set data structures held within a Garnet cluster's data plane."},"risks":["exfiltration:data"],"notes":"SUNION returns the combined member values across multiple sets, exposing stored data to an attacker.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/vemb/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/vemb/read","name":"Garnet cluster vector set","scope":"HIGH","parent":{"notes":"Production database resource holding organizational data (embeddings and their payloads); these are data-plane (isDataAction) operations on the stored vectors.","description":"A vector set inside an Azure Cosmos DB for Garnet cluster, a Redis-compatible in-memory data store used to hold vector embeddings and associated attributes for similarity search / retrieval workloads."},"risks":["exfiltration:data"],"notes":"Returns the actual stored embedding values for a vector, directly exfiltrating sensitive organizational data (embeddings can reconstruct underlying content).","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/vgetattr/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/vgetattr/read","name":"Garnet cluster vector set","scope":"HIGH","parent":{"notes":"Production database resource holding organizational data (embeddings and their payloads); these are data-plane (isDataAction) operations on the stored vectors.","description":"A vector set inside an Azure Cosmos DB for Garnet cluster, a Redis-compatible in-memory data store used to hold vector embeddings and associated attributes for similarity search / retrieval workloads."},"risks":["exfiltration:data"],"notes":"Returns the attribute payload (often source text/metadata) attached to a stored vector, directly exfiltrating organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/vlinks/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/vlinks/read","name":"Garnet cluster vector set","scope":"HIGH","parent":{"notes":"Production database resource holding organizational data (embeddings and their payloads); these are data-plane (isDataAction) operations on the stored vectors.","description":"A vector set inside an Azure Cosmos DB for Garnet cluster, a Redis-compatible in-memory data store used to hold vector embeddings and associated attributes for similarity search / retrieval workloads."},"risks":["exfiltration:data"],"notes":"Returns the HNSW graph neighbor links of a vector, exposing the stored relationship structure and identifiers of related stored elements (relationship data of the set).","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/vrandmember/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/vrandmember/read","name":"Garnet cluster vector set","scope":"HIGH","parent":{"notes":"Production database resource holding organizational data (embeddings and their payloads); these are data-plane (isDataAction) operations on the stored vectors.","description":"A vector set inside an Azure Cosmos DB for Garnet cluster, a Redis-compatible in-memory data store used to hold vector embeddings and associated attributes for similarity search / retrieval workloads."},"risks":["exfiltration:data"],"notes":"Returns actual member element(s) from the vector set, enabling repeated sampling to extract stored organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/vsim/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/vsim/read","name":"Garnet cluster vector set","scope":"HIGH","parent":{"notes":"Production database resource holding organizational data (embeddings and their payloads); these are data-plane (isDataAction) operations on the stored vectors.","description":"A vector set inside an Azure Cosmos DB for Garnet cluster, a Redis-compatible in-memory data store used to hold vector embeddings and associated attributes for similarity search / retrieval workloads."},"risks":["exfiltration:data"],"notes":"Performs a similarity search returning matching stored vector members (and optionally scores/attributes), enabling an attacker to query out and extract the stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zdiff/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zdiff/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single organizational function; data-plane operations read or mutate the cached organizational data directly.","description":"Garnet is a Redis-compatible in-memory cache/data store offered under Azure Cosmos DB (Microsoft.DocumentDB). This operation acts on sorted-set data structures held within a Garnet cluster's data plane."},"risks":["exfiltration:data"],"notes":"ZDIFF returns the actual member values differing between sorted sets, exposing stored data contents.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zinter/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zinter/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production cache data store supporting a single organizational function; data-plane operations read or mutate the cached organizational data directly.","description":"Garnet is a Redis-compatible in-memory cache/data store offered under Azure Cosmos DB (Microsoft.DocumentDB). This operation acts on sorted-set data structures held within a Garnet cluster's data plane."},"risks":["exfiltration:data"],"notes":"ZINTER returns the actual member values in the intersection of sorted sets, exposing stored data contents.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zmpop/delete":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zmpop/delete","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production in-memory data store supporting a single organizational function; sorted-set entries may contain sensitive application data such as session, ranking, or queue state.","description":"A data-plane sorted-set command surface on an Azure Managed Garnet (Redis-compatible) cache cluster, holding cached/operational key-value data for an application."},"risks":["destruction:data","exfiltration:data"],"notes":"ZMPOP atomically removes members from multiple sorted sets and returns the popped members, both destroying and exfiltrating stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zmscore/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zmscore/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production in-memory data store supporting a single organizational function; sorted-set entries may contain sensitive application data such as session, ranking, or queue state.","description":"A data-plane sorted-set command surface on an Azure Managed Garnet (Redis-compatible) cache cluster, holding cached/operational key-value data for an application."},"risks":["exfiltration:data"],"notes":"Returns the actual stored scores for specified members, disclosing organizational data values.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zpopmax/delete":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zpopmax/delete","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production in-memory data store supporting a single organizational function; sorted-set entries may contain sensitive application data such as session, ranking, or queue state.","description":"A data-plane sorted-set command surface on an Azure Managed Garnet (Redis-compatible) cache cluster, holding cached/operational key-value data for an application."},"risks":["destruction:data","exfiltration:data"],"notes":"Removes the highest-scored members and returns their values, both destroying and exfiltrating stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zpopmin/delete":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zpopmin/delete","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production in-memory data store supporting a single organizational function; sorted-set entries may contain sensitive application data such as session, ranking, or queue state.","description":"A data-plane sorted-set command surface on an Azure Managed Garnet (Redis-compatible) cache cluster, holding cached/operational key-value data for an application."},"risks":["destruction:data","exfiltration:data"],"notes":"Removes the lowest-scored members and returns their values, both destroying and exfiltrating stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zrandmember/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zrandmember/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production in-memory data store supporting a single organizational function; sorted-set entries may contain sensitive application data such as session, ranking, or queue state.","description":"A data-plane sorted-set command surface on an Azure Managed Garnet (Redis-compatible) cache cluster, holding cached/operational key-value data for an application."},"risks":["exfiltration:data"],"notes":"Returns actual member values from a sorted set, disclosing stored organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zrange/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zrange/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production in-memory data store supporting a single organizational function; sorted-set entries may contain sensitive application data such as session, ranking, or queue state.","description":"A data-plane sorted-set command surface on an Azure Managed Garnet (Redis-compatible) cache cluster, holding cached/operational key-value data for an application."},"risks":["exfiltration:data"],"notes":"Returns a range of members (optionally with scores) and can iterate the full set to dump its contents.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zrangebylex/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zrangebylex/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production in-memory data store supporting a single organizational function; sorted-set entries may contain sensitive application data such as session, ranking, or queue state.","description":"A data-plane sorted-set command surface on an Azure Managed Garnet (Redis-compatible) cache cluster, holding cached/operational key-value data for an application."},"risks":["exfiltration:data"],"notes":"Returns member values within a lexicographical range, disclosing stored organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zrangebyscore/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zrangebyscore/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Production in-memory data store supporting a single organizational function; sorted-set entries may contain sensitive application data such as session, ranking, or queue state.","description":"A data-plane sorted-set command surface on an Azure Managed Garnet (Redis-compatible) cache cluster, holding cached/operational key-value data for an application."},"risks":["exfiltration:data"],"notes":"Returns member values within a score range, disclosing stored organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zrevrange/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zrevrange/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["exfiltration:data"],"notes":"ZREVRANGE returns the actual stored member values from a sorted set in reverse order, enabling exfiltration of stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zrevrangebylex/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zrevrangebylex/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["exfiltration:data"],"notes":"ZREVRANGEBYLEX returns stored sorted-set member values within a lexicographical range, enabling data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zrevrangebyscore/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zrevrangebyscore/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["exfiltration:data"],"notes":"ZREVRANGEBYSCORE returns stored sorted-set member values within a score range, enabling data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zscan/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zscan/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["exfiltration:data"],"notes":"ZSCAN iterates over and returns the members and scores of a sorted set, enabling bulk enumeration and exfiltration of stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zscore/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zscore/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["exfiltration:data"],"notes":"ZSCORE returns the stored numeric score value associated with a member, disclosing actual stored data from the sorted set.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/garnetClusters/acl/zunion/read":{"id":"Microsoft.DocumentDB/garnetClusters/acl/zunion/read","name":"Garnet cluster sorted-set data","scope":"HIGH","parent":{"notes":"Holds production application data (caches, sessions, queues, sorted sets) for a single organizational function; data-plane access reads/writes/deletes the stored records directly.","description":"Azure Managed Garnet is a Redis-compatible in-memory data store; this resource type is the data-plane (ACL-scoped) command surface over sorted sets and other structures held in the cluster."},"risks":["exfiltration:data"],"notes":"ZUNION computes and returns the combined members across multiple sorted sets, exposing stored data for exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/mongoClusters/listConnectionStrings/action":{"id":"Microsoft.DocumentDB/mongoClusters/listConnectionStrings/action","name":"Mongo Cluster","scope":"CRITICAL","parent":{"notes":"A production data store supporting a single organizational function; its data plane holds organizational data and its connection strings are credentials.","description":"An Azure Cosmos DB for MongoDB (vCore) Mongo Cluster — a managed, production MongoDB-compatible database cluster resource and its control-plane configuration (SKU, node topology, networking, settings)."},"risks":["exfiltration:crypto","escalation:lateral","exfiltration:data"],"notes":"Returns connection strings embedding cluster credentials; an attacker redeems them for direct authenticated access to read and exfiltrate all database contents, mirroring the listKeys precedent.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/mongoClusters/users/delete":{"id":"Microsoft.DocumentDB/mongoClusters/users/delete","name":"Mongo Cluster users","scope":"HIGH","parent":{"notes":"These are the database identities that authenticate to and authorize access against the production data store.","description":"Database users (data-plane accounts) defined on an Azure Cosmos DB for MongoDB (vCore) Mongo Cluster, including their roles/privileges on the cluster's databases."},"risks":["destruction:account","impact:access"],"notes":"Deleting a database user destroys that cluster account and denies the legitimate principal its authorized access to the production database.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.DocumentDB/mongoClusters/users/write":{"id":"Microsoft.DocumentDB/mongoClusters/users/write","name":"Mongo Cluster users","scope":"HIGH","parent":{"notes":"These are the database identities that authenticate to and authorize access against the production data store.","description":"Database users (data-plane accounts) defined on an Azure Cosmos DB for MongoDB (vCore) Mongo Cluster, including their roles/privileges on the cluster's databases."},"risks":["persistence:account","escalation:privilege"],"notes":"Create/update of a database user lets an attacker mint a new credentialed account, reset an existing user's password, or grant elevated database roles, establishing persistent privileged data-plane access.","links":["https://azure.permissions.cloud/iam/Microsoft.DocumentDB","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Components/ApiKeys/Action":{"id":"Microsoft.Insights/Components/ApiKeys/Action","name":"Application Insights components","scope":"MEDIUM","parent":{"notes":"Monitoring/diagnostics asset whose data underpins detection and incident response.","description":"An Application Insights component is the Azure Monitor resource that ingests, stores, and retains application telemetry (requests, traces, exceptions, dependencies, metrics)."},"risks":["exfiltration:crypto","persistence:account"],"notes":"Verified: generating an API key returns a usable X-API-Key credential that authorizes reading telemetry via api.applicationinsights.io; this exports secret material and establishes a standalone persistent access credential.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Components/ApiKeys/Delete":{"id":"Microsoft.Insights/Components/ApiKeys/Delete","name":"Application Insights API key","scope":"MEDIUM","parent":{"notes":"Monitoring/diagnostics asset whose data underpins detection and incident response.","description":"An Application Insights component is the Azure Monitor resource that ingests, stores, and retains application telemetry (requests, traces, exceptions, dependencies, metrics)."},"risks":["impact:access"],"notes":"Deletes an API key, revoking the credential and denying legitimate integrations/dashboards their programmatic access to telemetry, without granting the attacker anything.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Components/ApiKeys/Read":{"id":"Microsoft.Insights/Components/ApiKeys/Read","name":"Application Insights API key","scope":"CRITICAL","parent":{"notes":"Monitoring/diagnostics asset whose data underpins detection and incident response.","description":"An Application Insights component is the Azure Monitor resource that ingests, stores, and retains application telemetry (requests, traces, exceptions, dependencies, metrics)."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Reading the API key resource is treated as returning usable credential material that grants programmatic telemetry/query access under an alternate identity; an attacker holding this can read the component's data plane out-of-band.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Components/Events/Read":{"id":"Microsoft.Insights/Components/Events/Read","name":"Application Insights events (telemetry)","scope":"MEDIUM","parent":{"notes":"Telemetry routinely contains sensitive data: request URLs/parameters, user identifiers, exception details, and sometimes PII or tokens. isDataAction read.","description":"The Events data-plane endpoint returns stored Application Insights telemetry records (requests, dependencies, exceptions, traces, custom events) via OData query."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Data-plane read that exports raw telemetry/log records which frequently contain sensitive request and user data, enabling log and data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Components/GetToken/Read":{"id":"Microsoft.Insights/Components/GetToken/Read","name":"Application Insights component token","scope":"CRITICAL","parent":{"notes":"The returned token is reusable credential material granting query access to the component's telemetry.","description":"GetToken returns a read access token (bearer credential) scoped to the Application Insights component's telemetry data plane."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns a usable access token for the component, exporting credential material an attacker can replay to read the telemetry data plane as that identity.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Components/Query/Read":{"id":"Microsoft.Insights/Components/Query/Read","name":"Application Insights query (logs)","scope":"MEDIUM","parent":{"notes":"Arbitrary queries can extract any stored telemetry, which may include PII, request payloads, identifiers, and tokens. isDataAction read.","description":"The Query data-plane endpoint runs arbitrary analytics queries against the full Application Insights log/telemetry store."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Runs arbitrary queries over the entire log store, enabling broad export of telemetry that may contain sensitive application and user data.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Logs/Read":{"id":"Microsoft.Insights/Logs/Read","name":"Log Analytics logs (data plane)","scope":"MEDIUM","parent":{"notes":"A workspace aggregates operational, security, and identity telemetry from many sources, so broad read access can expose sensitive data well beyond ordinary logs.","description":"Data-plane access to the content of all tables in a Log Analytics workspace, the central store of ingested logs and telemetry from across the monitored environment."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Data-plane read of ALL Log Analytics tables, enabling wholesale export of collected telemetry that can contain sensitive operational, security, and identity data across the entire workspace.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Snapshots/Read":{"id":"Microsoft.Insights/Snapshots/Read","name":"Snapshot Debugger snapshots","scope":"MEDIUM","parent":{"notes":"Diagnostic memory captures of a single monitored application; commonly contain in-memory secrets, tokens, connection strings, and PII.","description":"Snapshots produced by the Application Insights Snapshot Debugger, which capture an application's in-memory state (local variables, call stack, heap contents) at exception time."},"risks":["exfiltration:data"],"notes":"Reading snapshots exposes captured runtime memory of a monitored application, exfiltrating potentially sensitive in-process data and credentials.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/Webtests/GetToken/Read":{"id":"Microsoft.Insights/Webtests/GetToken/Read","name":"Webtest token","scope":"MEDIUM","parent":{"notes":"Returning the token discloses reusable credential material.","description":"An authentication token associated with an Application Insights webtest, used to author and authenticate webtest/synthetic-monitor operations."},"risks":["exfiltration:crypto"],"notes":"This read returns webtest token credential material rather than mere configuration, so in isolation it exfiltrates reusable secret material.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Insights/generateLiveToken/Read":{"id":"Microsoft.Insights/generateLiveToken/Read","name":"Application Insights Live Metrics token","scope":"MEDIUM","parent":{"notes":"Live Metrics exposes near-real-time request, dependency, exception and performance telemetry that can contain sensitive operational and request data.","description":"An action that issues an authentication token granting access to the Application Insights Live Metrics real-time telemetry stream."},"risks":["exfiltration:crypto","exfiltration:logs"],"notes":"Despite the /Read verb, this returns a usable Live Metrics auth token (credential material) whose effect is to grant the holder access to live application telemetry, so it both exports secret material and enables log/telemetry exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.Insights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/accessPolicies/write":{"id":"Microsoft.KeyVault/Vaults/accessPolicies/write","name":"Key Vault access policy","scope":"CRITICAL","parent":{"notes":"Controls who can read/use all cryptographic and credential material in the vault, so it is a CRITICAL access-control asset.","description":"A Key Vault access policy granting a principal data-plane permissions over the vault's keys, secrets, and certificates."},"risks":["escalation:privilege","impact:access"],"notes":"Adds or merges/replaces a vault access policy, letting an attacker grant their own identity full key/secret/certificate permissions (escalation) and, via replace, remove legitimate principals' access (denial-of-access).","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificatecas/delete":{"id":"Microsoft.KeyVault/Vaults/certificatecas/delete","name":"Key Vault certificate issuer","scope":"CRITICAL","parent":{"notes":"The issuer holds CA account credentials (account ID and API key/password) and controls how trusted certificates are minted for dependent services; it lives in the CRITICAL-sensitivity Key Vault data plane.","description":"A certificate issuer (certificatecas) is a data-plane object in a Key Vault that stores the configuration and CA account credentials used to enroll and renew certificates through an external certificate authority (e.g. DigiCert, GlobalSign)."},"risks":["destruction:data","impact:dos"],"notes":"Deleting the certificate issuer removes the data-plane object the vault uses to enroll/renew certificates, destroying stored issuer configuration/credentials and disrupting automated certificate issuance and renewal.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificatecas/read":{"id":"Microsoft.KeyVault/Vaults/certificatecas/read","name":"Key Vault certificate issuer","scope":"CRITICAL","parent":{"notes":"The issuer holds CA account credentials (account ID and API key/password) and controls how trusted certificates are minted for dependent services; it lives in the CRITICAL-sensitivity Key Vault data plane.","description":"A certificate issuer (certificatecas) is a data-plane object in a Key Vault that stores the configuration and CA account credentials used to enroll and renew certificates through an external certificate authority (e.g. DigiCert, GlobalSign)."},"risks":["exfiltration:crypto"],"notes":"The Key Vault GetCertificateIssuer data action returns the issuer's credentials object (account ID and password/API key) used to authenticate to the external CA, exposing usable secret material that could be abused to mint certificates.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificatecas/write":{"id":"Microsoft.KeyVault/Vaults/certificatecas/write","name":"Key Vault certificate issuer","scope":"CRITICAL","parent":{"notes":"The issuer holds CA account credentials (account ID and API key/password) and controls how trusted certificates are minted for dependent services; it lives in the CRITICAL-sensitivity Key Vault data plane.","description":"A certificate issuer (certificatecas) is a data-plane object in a Key Vault that stores the configuration and CA account credentials used to enroll and renew certificates through an external certificate authority (e.g. DigiCert, GlobalSign)."},"risks":["impact:manipulation","persistence:account"],"notes":"Writing the certificate issuer lets an attacker create or repoint the CA configuration (including attacker-controlled CA credentials/endpoint), tampering with how certificates are issued and establishing a foothold to mint trusted certificates for persistence.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/backup/action":{"id":"Microsoft.KeyVault/Vaults/certificates/backup/action","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["exfiltration:crypto"],"notes":"Produces a portable backup blob containing the certificate and its private key that can be restored into another vault in the same subscription, exporting cryptographic credential material.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/create/action":{"id":"Microsoft.KeyVault/Vaults/certificates/create/action","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["escalation:privilege","persistence:account"],"notes":"Creates a new certificate, or a new version of an existing certificate, letting an attacker have the vault generate a certificate under a trusted identity that a dependent application or TLS endpoint will subsequently present and trust for impersonation.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/import/action":{"id":"Microsoft.KeyVault/Vaults/certificates/import/action","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["escalation:privilege","persistence:account"],"notes":"Imports an externally created certificate (PFX or PEM) containing a private key the attacker already possesses, letting an attacker plant a certificate of their own choosing for an application or TLS endpoint to trust, enabling impersonation.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/purge/action":{"id":"Microsoft.KeyVault/Vaults/certificates/purge/action","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["destruction:crypto"],"notes":"Permanently and irrecoverably erases a soft-deleted certificate, bypassing soft-delete recovery and destroying the private key and certificate material with no possibility of restoration.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/recover/action":{"id":"Microsoft.KeyVault/Vaults/certificates/recover/action","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["persistence:account"],"notes":"Reverses a soft-delete on a certificate, letting an attacker restore a previously deleted certificate (e.g. one they planted and that was later removed) back into active use.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/release/action":{"id":"Microsoft.KeyVault/Vaults/certificates/release/action","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["exfiltration:crypto"],"notes":"Secure key release exports an exportable certificate's private key wrapped to a KEK from an attestation token, enabling the holder to extract the private cryptographic material out of the vault's protection boundary.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/restore/action":{"id":"Microsoft.KeyVault/Vaults/certificates/restore/action","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["escalation:privilege","persistence:account"],"notes":"Restores a certificate and all its versions from a backup file, letting an attacker reintroduce certificate and private key material (potentially exfiltrated from another vault via Backup) into a vault an application or TLS endpoint trusts.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/update/action":{"id":"Microsoft.KeyVault/Vaults/certificates/update/action","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["impact:manipulation"],"notes":"Updates attributes (such as enabled state or policy) of an existing certificate without changing its key material, letting an attacker re-enable a disabled certificate or alter its issuance/renewal policy.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/read":{"id":"Microsoft.KeyVault/Vaults/certificates/read","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["discovery:metadata"],"notes":"Lists certificates in the vault or gets information about a certificate; returns the public portion and metadata only, not the private key, so exposure is limited to asset inventory and configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/certificates/delete":{"id":"Microsoft.KeyVault/Vaults/certificates/delete","name":"Key Vault certificate","scope":"CRITICAL","parent":{"notes":"Certificates contain private key material; compromise enables impersonation/MITM of dependent services. Vaults are CRITICAL-sensitivity assets per the scope guide.","description":"An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication."},"risks":["destruction:crypto"],"notes":"Deletes a certificate and all its versions, destroying the stored private key and certificate material (recoverable only while soft-delete retention holds).","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/deploy/action":{"id":"Microsoft.KeyVault/Vaults/deploy/action","name":"Key Vault","scope":"CRITICAL","parent":{"notes":"Key Vaults are CRITICAL-tier assets: they centralize credentials and cryptographic material relied on across many organizational functions.","description":"An Azure Key Vault is a managed secrets store holding cryptographic keys, secrets, and certificates and their access/network configuration."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Enables access to vault secrets during Azure resource deployment, letting an attacker reference and surface secret/credential material into a deployment context and reuse it to pivot to other identities and resources.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/backup/action":{"id":"Microsoft.KeyVault/Vaults/keys/backup/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["exfiltration:crypto"],"notes":"Produces a portable backup file of the key (including private material in encrypted, restorable form) that can be restored into another vault in the subscription, exporting the cryptographic asset out of its original boundary.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/create/action":{"id":"Microsoft.KeyVault/Vaults/keys/create/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:manipulation","persistence:account"],"notes":"Creates a new key, or a new version of an existing key, letting an attacker plant or silently swap key material that a dependent application will subsequently trust for encryption or signing (manipulation, persistence).","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/decrypt/action":{"id":"Microsoft.KeyVault/Vaults/keys/decrypt/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["exfiltration:data"],"notes":"Uses the key as a decryption oracle to recover plaintext from ciphertext protected by the key, directly enabling data exfiltration without exporting the key itself.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/encrypt/action":{"id":"Microsoft.KeyVault/Vaults/keys/encrypt/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:spend"],"notes":"Encrypts attacker-supplied plaintext with the key. This is a low-risk operation (for asymmetric keys it can be performed with only read access to the public portion) that consumes billed cryptographic operations but exposes no key material or plaintext.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/import/action":{"id":"Microsoft.KeyVault/Vaults/keys/import/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:manipulation","persistence:account"],"notes":"Imports externally created key material into the vault, letting an attacker plant a key of their own choosing (whose private component they retain) for an application to trust, undermining the guarantee that Key Vault generated and exclusively holds the key.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/purge/action":{"id":"Microsoft.KeyVault/Vaults/keys/purge/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["destruction:crypto"],"notes":"Permanently and irrecoverably erases a soft-deleted key, bypassing soft-delete recovery and destroying cryptographic material with no possibility of restoration.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/recover/action":{"id":"Microsoft.KeyVault/Vaults/keys/recover/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["persistence:account"],"notes":"Reverses a soft-delete on a key, letting an attacker restore previously deleted key material (e.g. a key they planted and that was later removed) back into active use.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/release/action":{"id":"Microsoft.KeyVault/Vaults/keys/release/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["exfiltration:crypto"],"notes":"Secure Key Release exports the exportable key material out of the vault/HSM boundary, wrapped to a KEK from an attestation token, delivering the actual private key to the requesting environment.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/restore/action":{"id":"Microsoft.KeyVault/Vaults/keys/restore/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:manipulation","persistence:account"],"notes":"Restores a key and all its versions from a backup file, letting an attacker reintroduce key material (potentially exfiltrated from another vault via Backup) into a vault an application trusts.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/rotate/action":{"id":"Microsoft.KeyVault/Vaults/keys/rotate/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:manipulation","persistence:account"],"notes":"Creates a new version of an existing key using the same parameters, letting an attacker force an out-of-cycle rotation to a new key version they can then further manipulate (e.g. import/backup timing), or disrupt applications pinned to a specific key version.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/sign/action":{"id":"Microsoft.KeyVault/Vaults/keys/sign/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:manipulation","escalation:privilege"],"notes":"Uses the key as a signing oracle without needing the raw private key material, letting an attacker forge signatures over attacker-chosen digests (e.g. tokens, code, or documents) that downstream verifiers will trust as authentic.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/unwrap/action":{"id":"Microsoft.KeyVault/Vaults/keys/unwrap/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Unwraps (decrypts) a wrapped symmetric key, returning the cleartext data-encryption key (DEK) to the caller; recovering this key material both exfiltrates crypto and unlocks the downstream data it protects.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/update/action":{"id":"Microsoft.KeyVault/Vaults/keys/update/action","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:manipulation"],"notes":"Updates attributes (such as enabled state, expiry, or allowed operations) of an existing key without changing the key material itself, letting an attacker re-enable a disabled key, extend its validity, or widen its permitted operations.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/verify/action":{"id":"Microsoft.KeyVault/Vaults/keys/verify/action","name":"Azure Key Vault keys","scope":"LOW","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["discovery:metadata"],"notes":"Verifies a signature against the key. For asymmetric keys this can be performed with only read access to the public portion, and on its own only confirms signature validity rather than exposing new material.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/wrap/action":{"id":"Microsoft.KeyVault/Vaults/keys/wrap/action","name":"Azure Key Vault keys","scope":"LOW","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:spend"],"notes":"Wraps an attacker-supplied symmetric key using this key. This is a low-risk operation (for asymmetric keys it can be performed with only read access to the public portion) that consumes billed cryptographic operations but exposes no key material.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/read":{"id":"Microsoft.KeyVault/Vaults/keys/read","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["discovery:metadata"],"notes":"Lists keys in the vault or reads a key's public portion/attributes and metadata; does not return private key material, but reveals which cryptographic assets exist and how they are configured.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/write":{"id":"Microsoft.KeyVault/Vaults/keys/write","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["impact:manipulation","persistence:account"],"notes":"Creates the first version of a new key, letting an attacker plant attacker-controlled key material that an application will subsequently trust for encryption or signing (manipulation, persistence). Does not update existing keys or create subsequent versions.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/keys/delete":{"id":"Microsoft.KeyVault/Vaults/keys/delete","name":"Azure Key Vault keys","scope":"CRITICAL","parent":{"notes":"Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).","description":"A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data."},"risks":["destruction:crypto"],"notes":"Deletes a key and all its versions, destroying cryptographic material (recoverable only while soft-delete retention holds).","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/secrets/backup/action":{"id":"Microsoft.KeyVault/Vaults/secrets/backup/action","name":"Key Vault secret","scope":"CRITICAL","parent":{"notes":"Secrets are credential-bearing material; access to them frequently yields downstream identity access, so the asset is inherently CRITICAL.","description":"A secret stored in an Azure Key Vault, typically holding credentials such as passwords, connection strings, API keys, or tokens used by applications and services."},"risks":["exfiltration:crypto"],"notes":"Produces a backup file containing the secret's restorable material, effectively exporting the credential out of the vault.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/secrets/getSecret/action":{"id":"Microsoft.KeyVault/Vaults/secrets/getSecret/action","name":"Key Vault secret","scope":"CRITICAL","parent":{"notes":"Secrets are credential-bearing material; access to them frequently yields downstream identity access, so the asset is inherently CRITICAL.","description":"A secret stored in an Azure Key Vault, typically holding credentials such as passwords, connection strings, API keys, or tokens used by applications and services."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the actual secret value (password, connection string, token), exporting credential material that typically yields usable identity access and lateral movement into the systems the secret protects.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/secrets/setSecret/action":{"id":"Microsoft.KeyVault/Vaults/secrets/setSecret/action","name":"Key Vault secret","scope":"CRITICAL","parent":{"notes":"Secrets are credential-bearing material; access to them frequently yields downstream identity access, so the asset is inherently CRITICAL.","description":"A secret stored in an Azure Key Vault, typically holding credentials such as passwords, connection strings, API keys, or tokens used by applications and services."},"risks":["impact:manipulation","persistence:account"],"notes":"Data-plane write that sets/creates a secret value, letting an attacker overwrite credentials consumed by downstream services (manipulation) or plant attacker-controlled secrets for persistence.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/storageAccounts/backup/action":{"id":"Microsoft.KeyVault/Vaults/storageAccounts/backup/action","name":"Key Vault managed storage account","scope":"CRITICAL","parent":{"notes":"This is a deprecated Key Vault feature that nonetheless mediates storage-account credentials; objects here govern credential issuance for the backing storage account, making the asset credential-management-sensitive (CRITICAL).","description":"A Key Vault managed storage account is a vault object that links Key Vault to an Azure Storage account so the vault manages (and auto-regenerates) the storage account's access keys and issues SAS tokens on its behalf. The object holds the storage account resource ID, the active key name, and the auto-regeneration period."},"risks":["exfiltration:crypto"],"notes":"Produces a backup file bundling the managed storage account definition together with its SAS material, exporting credential-bearing data that can be restored or replayed to obtain access to the backing storage account.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/storageAccounts/sas/set/action":{"id":"Microsoft.KeyVault/Vaults/storageAccounts/sas/set/action","name":"Key Vault managed storage account SAS definition","scope":"CRITICAL","parent":{"notes":"Controlling a SAS definition controls what delegated access tokens the vault issues for the underlying storage account's data, making it a CRITICAL credential-issuance asset.","description":"A SAS definition is a template under a Key Vault managed storage account that specifies the type, permissions, and validity of the Shared Access Signature tokens the vault mints for the backing storage account; the resulting tokens are exposed as vault secrets."},"risks":["escalation:lateral","impact:manipulation","persistence:account"],"notes":"Creates or updates a SAS definition, letting an attacker mint a SAS template with attacker-chosen permissions and validity over the backing storage account, establishing a durable self-service credential and a path to the underlying storage data.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/delete":{"id":"Microsoft.KeyVault/Vaults/delete","name":"Key Vault","scope":"CRITICAL","parent":{"notes":"Key Vaults are CRITICAL-tier assets: they centralize credentials and cryptographic material relied on across many organizational functions.","description":"An Azure Key Vault is a managed secrets store holding cryptographic keys, secrets, and certificates and their access/network configuration."},"risks":["destruction:crypto","impact:dos"],"notes":"Deleting a key vault destroys the keys, secrets, and certificates it contains (cryptographic destruction) and removes a service that dependent production workloads rely on (denial of service).","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/Vaults/write":{"id":"Microsoft.KeyVault/Vaults/write","name":"Key Vault","scope":"CRITICAL","parent":{"notes":"Key Vaults are CRITICAL-tier assets: they centralize credentials and cryptographic material relied on across many organizational functions.","description":"An Azure Key Vault is a managed secrets store holding cryptographic keys, secrets, and certificates and their access/network configuration."},"risks":["escalation:privilege","impact:manipulation","destruction:defense"],"notes":"Creating/updating a vault lets an attacker rewrite access policies (or switch to RBAC) to grant themselves data-plane access to keys and secrets (escalation), relax network ACLs/firewall and protection settings (defense destruction), and alter operational configuration (manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/vaults/secrets/delete":{"id":"Microsoft.KeyVault/vaults/secrets/delete","name":"Key Vault secret","scope":"CRITICAL","parent":{"notes":"Secrets are credential-bearing material; access to them frequently yields downstream identity access, so the asset is inherently CRITICAL.","description":"A secret stored in an Azure Key Vault, typically holding credentials such as passwords, connection strings, API keys, or tokens used by applications and services."},"risks":["destruction:crypto"],"notes":"Deletes a secret and all its versions, destroying secret/credential material (recoverable only while soft-delete retention holds).","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.KeyVault/vaults/secrets/write":{"id":"Microsoft.KeyVault/vaults/secrets/write","name":"Key Vault secret","scope":"CRITICAL","parent":{"notes":"Secrets are credential-bearing material; access to them frequently yields downstream identity access, so the asset is inherently CRITICAL.","description":"A secret stored in an Azure Key Vault, typically holding credentials such as passwords, connection strings, API keys, or tokens used by applications and services."},"risks":["impact:manipulation","persistence:account"],"notes":"Creating or overwriting a secret value lets an attacker poison credentials consumed by downstream services (manipulation) and plant attacker-controlled credential material for persistence.","links":["https://azure.permissions.cloud/iam/Microsoft.KeyVault","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete":{"id":"Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete","name":"Kubernetes mutating webhook configurations (admission control)","scope":"CRITICAL","parent":{"notes":"A mutating webhook can rewrite any admitted object cluster-wide (inject sidecars/credentials, alter privileges), so write over these objects is effectively a cluster-admin-equivalent primitive; this is a data-plane (in-cluster) resource of an Arc-connected production cluster.","description":"Mutating webhook configurations are in-cluster admissionregistration.k8s.io objects that register webhooks intercepting and rewriting every matching Kubernetes API object on create/update. They are a core admission-control and security-policy-enforcement mechanism for the cluster."},"risks":["destruction:defense"],"notes":"Deleting mutating webhook configurations removes cluster-wide admission-control mutation/enforcement, disabling defensive policy-enforcement webhooks (e.g. policy/security mutators) so non-compliant or malicious objects pass unmodified.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/write":{"id":"Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/write","name":"Kubernetes mutating webhook configurations (admission control)","scope":"CRITICAL","parent":{"notes":"A mutating webhook can rewrite any admitted object cluster-wide (inject sidecars/credentials, alter privileges), so write over these objects is effectively a cluster-admin-equivalent primitive; this is a data-plane (in-cluster) resource of an Arc-connected production cluster.","description":"Mutating webhook configurations are in-cluster admissionregistration.k8s.io objects that register webhooks intercepting and rewriting every matching Kubernetes API object on create/update. They are a core admission-control and security-policy-enforcement mechanism for the cluster."},"risks":["escalation:privilege","impact:manipulation","destruction:defense"],"notes":"Creating/updating a mutating webhook lets an attacker intercept and rewrite every admitted Kubernetes object (e.g. inject privileged sidecars, mount secrets, alter RBAC-bound pods) and redirect admission traffic, a cluster-wide privilege-escalation, tampering, and defense-bypass primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/authentication.k8s.io/userextras/impersonate/action":{"id":"Microsoft.Kubernetes/connectedClusters/authentication.k8s.io/userextras/impersonate/action","name":"Kubernetes userextras impersonation (Arc-connected cluster)","scope":"CRITICAL","parent":{"notes":"Impersonation is an identity-spoofing primitive: holding it on users/groups/userextras effectively grants the union of all identities' permissions, up to cluster-admin (system:masters). This is among the most powerful capabilities in a cluster.","description":"The Kubernetes impersonate verb on user-extra attributes for an Azure Arc-connected cluster. It allows the holder to assert arbitrary extra authentication attributes (Impersonate-Extra headers, e.g. scopes/claims) that authorizers and admission webhooks consume in authorization decisions."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Impersonating user-extra attributes lets an attacker forge additional authorization-relevant claims, completing the impersonation chain to assume privileged identities and move laterally.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/delete":{"id":"Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/delete","name":"Kubernetes certificate signing requests (Arc-connected cluster)","scope":"CRITICAL","parent":{"notes":"CSRs are the cluster's credential-issuance mechanism. The signed certificate embedded in an approved CSR is a usable cluster authentication credential, and CSRs can request arbitrary identities up to system:masters (cluster-admin), making this an identity/credential asset.","description":"Kubernetes CertificateSigningRequest (CSR) objects on an Azure Arc-connected cluster. A CSR requests a signed X.509 client certificate for a named user/group identity; once approved its status carries the issued, signed certificate."},"risks":["destruction:crypto"],"notes":"Deleting CSRs removes pending requests and the embedded signed certificate material, destroying cryptographic credential artifacts and disrupting cert issuance/rotation.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/read":{"id":"Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/read","name":"Kubernetes certificate signing requests (Arc-connected cluster)","scope":"CRITICAL","parent":{"notes":"CSRs are the cluster's credential-issuance mechanism. The signed certificate embedded in an approved CSR is a usable cluster authentication credential, and CSRs can request arbitrary identities up to system:masters (cluster-admin), making this an identity/credential asset.","description":"Kubernetes CertificateSigningRequest (CSR) objects on an Azure Arc-connected cluster. A CSR requests a signed X.509 client certificate for a named user/group identity; once approved its status carries the issued, signed certificate."},"risks":["exfiltration:crypto","discovery:policy"],"notes":"Reading/listing CSRs returns the issued signed client certificate stored in status.certificate (usable identity credential = crypto exfiltration) and enumerates the identities/groups requesting cluster access (policy recon).","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/write":{"id":"Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/write","name":"Kubernetes certificate signing requests (Arc-connected cluster)","scope":"CRITICAL","parent":{"notes":"CSRs are the cluster's credential-issuance mechanism. The signed certificate embedded in an approved CSR is a usable cluster authentication credential, and CSRs can request arbitrary identities up to system:masters (cluster-admin), making this an identity/credential asset.","description":"Kubernetes CertificateSigningRequest (CSR) objects on an Azure Arc-connected cluster. A CSR requests a signed X.509 client certificate for a named user/group identity; once approved its status carries the issued, signed certificate."},"risks":["escalation:privilege","persistence:account","escalation:lateral"],"notes":"Creating/updating CSRs (including writing the status to inject a signed cert) lets an attacker mint client certificates for arbitrary identities such as system:masters, granting elevated, persistent, impersonatable cluster credentials.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/configmaps/delete":{"id":"Microsoft.Kubernetes/connectedClusters/configmaps/delete","name":"Kubernetes ConfigMaps (Arc-connected cluster)","scope":"HIGH","parent":{"notes":"Though intended for non-secret config, ConfigMaps in practice frequently contain sensitive values (endpoints, tokens, connection strings, CA bundles) and drive runtime behavior of workloads.","description":"Kubernetes ConfigMap objects on an Azure Arc-connected cluster, holding non-secret application and component configuration consumed by workloads and controllers."},"risks":["destruction:data","impact:dos"],"notes":"Deleting configmaps removes configuration that workloads and controllers depend on, destroying operational data and breaking or crashing dependent services.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/configmaps/read":{"id":"Microsoft.Kubernetes/connectedClusters/configmaps/read","name":"Kubernetes ConfigMaps (Arc-connected cluster)","scope":"HIGH","parent":{"notes":"Though intended for non-secret config, ConfigMaps in practice frequently contain sensitive values (endpoints, tokens, connection strings, CA bundles) and drive runtime behavior of workloads.","description":"Kubernetes ConfigMap objects on an Azure Arc-connected cluster, holding non-secret application and component configuration consumed by workloads and controllers."},"risks":["exfiltration:data"],"notes":"Reading/listing configmaps exports application and cluster configuration that commonly contains sensitive values misplaced outside Secrets, enabling data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/configmaps/write":{"id":"Microsoft.Kubernetes/connectedClusters/configmaps/write","name":"Kubernetes ConfigMaps (Arc-connected cluster)","scope":"HIGH","parent":{"notes":"Though intended for non-secret config, ConfigMaps in practice frequently contain sensitive values (endpoints, tokens, connection strings, CA bundles) and drive runtime behavior of workloads.","description":"Kubernetes ConfigMap objects on an Azure Arc-connected cluster, holding non-secret application and component configuration consumed by workloads and controllers."},"risks":["impact:manipulation"],"notes":"Writing configmaps alters configuration consumed by workloads and controllers, allowing injection of malicious config (e.g. CA bundles, kubelet/admission config) to tamper with operational behavior.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/delete":{"id":"Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/delete","name":"Kubernetes pod security policies","scope":"HIGH","parent":{"notes":"Acts as a defense mechanism: relaxing or removing it enables privileged pod deployment and node/cluster breakout.","description":"PodSecurityPolicies are cluster-scoped Kubernetes admission-control objects that constrain what pods may do (privileged mode, host namespaces, volume types, capabilities). They are a security-enforcement guardrail for the connected (Azure Arc) Kubernetes cluster."},"risks":["destruction:defense","destruction:policy"],"notes":"Deleting a PodSecurityPolicy removes a cluster-wide admission-control guardrail, disabling a security defense and tearing down the admission policy that would otherwise block privileged pods.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/write":{"id":"Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/write","name":"Kubernetes pod security policies","scope":"HIGH","parent":{"notes":"Acts as a defense mechanism: relaxing or removing it enables privileged pod deployment and node/cluster breakout.","description":"PodSecurityPolicies are cluster-scoped Kubernetes admission-control objects that constrain what pods may do (privileged mode, host namespaces, volume types, capabilities). They are a security-enforcement guardrail for the connected (Azure Arc) Kubernetes cluster."},"risks":["destruction:defense","escalation:privilege"],"notes":"Creating/updating a PodSecurityPolicy can relax admission controls to permit privileged/hostPath/host-namespace pods, disabling a defense and enabling escalation to privileged workloads and node breakout.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/groups/impersonate/action":{"id":"Microsoft.Kubernetes/connectedClusters/groups/impersonate/action","name":"Kubernetes group impersonation (Arc-connected cluster)","scope":"CRITICAL","parent":{"notes":"Impersonation is an identity-spoofing primitive: holding it on users/groups/userextras effectively grants the union of all identities' permissions, up to cluster-admin (system:masters). This is among the most powerful capabilities in a cluster.","description":"The Kubernetes impersonate verb on group identities for an Azure Arc-connected cluster. It allows the holder to assert arbitrary group memberships (via Impersonate-Group headers) when making API requests, inheriting the RBAC bound to those groups."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Group impersonation lets the holder assume membership in privileged groups such as system:masters, inheriting their RBAC for full privilege escalation and lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action":{"id":"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action","name":"Arc-connected Kubernetes clusters","scope":"CRITICAL","parent":{"notes":"Arc-connected clusters back production container workloads; control over the connectedCluster resource and its credential actions can yield in-cluster access, so the asset is high-to-critical sensitivity.","description":"An Azure Arc connectedCluster is the Azure-side control-plane projection of an external/on-prem Kubernetes cluster, holding onboarding configuration, agent settings, distribution metadata, and an optional system-assigned managed identity. Through it Azure manages, governs, and brokers credentialed access to a production Kubernetes cluster."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the clusterUser kubeconfig credential for the Arc-connected cluster (GA), exporting usable credential material that yields direct in-cluster API access for lateral movement and identity takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/pods/exec/action":{"id":"Microsoft.Kubernetes/connectedClusters/pods/exec/action","name":"Azure Arc connected-cluster Kubernetes pods","scope":"CRITICAL","parent":{"notes":"Pods are the unit of cluster code execution; creating pods or exec'ing into them can run arbitrary code, assume service-account identities, and reach mounted secrets and data, making write/exec on pods effectively cluster code execution.","description":"Pod objects in the Kubernetes data plane of an Azure Arc-enabled (connected) cluster, representing running workload instances, their container specs, images, environment, mounted volumes/secret references, and service-account bindings."},"risks":["escalation:lateral","exfiltration:data","impact:hijack"],"notes":"Exec grants an interactive shell inside a running container, allowing the attacker to run arbitrary code as the pod's identity, read in-container data and mounted secrets/service-account tokens (lateral movement), and exfiltrate data.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/use/action":{"id":"Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/use/action","name":"Kubernetes pod security policies (Arc-connected cluster)","scope":"HIGH","parent":{"notes":"PSPs are a defensive admission control; their configuration reveals where privileged-pod restrictions are weak.","description":"PodSecurityPolicies are Kubernetes admission-control objects in an Azure Arc-connected cluster that constrain the security context of pods (e.g. privileged mode, hostPath, host namespaces, runAsRoot), acting as a cluster security/defense mechanism."},"risks":["escalation:privilege","impact:hijack"],"notes":"The 'use' verb authorizes a subject to admit pods under a given PSP; targeting a permissive policy lets an attacker launch privileged/host-access containers to escalate from container to node/cluster control and run arbitrary workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/delete":{"id":"Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/delete","name":"Kubernetes pod security policies (Arc-connected cluster)","scope":"HIGH","parent":{"notes":"PSPs are a defensive admission control; their configuration reveals where privileged-pod restrictions are weak.","description":"PodSecurityPolicies are Kubernetes admission-control objects in an Azure Arc-connected cluster that constrain the security context of pods (e.g. privileged mode, hostPath, host namespaces, runAsRoot), acting as a cluster security/defense mechanism."},"risks":["destruction:defense"],"notes":"Deleting a PSP removes a pod admission-control defense, lifting restrictions that otherwise block privileged or host-accessing workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/write":{"id":"Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/write","name":"Kubernetes pod security policies (Arc-connected cluster)","scope":"HIGH","parent":{"notes":"PSPs are a defensive admission control; their configuration reveals where privileged-pod restrictions are weak.","description":"PodSecurityPolicies are Kubernetes admission-control objects in an Azure Arc-connected cluster that constrain the security context of pods (e.g. privileged mode, hostPath, host namespaces, runAsRoot), acting as a cluster security/defense mechanism."},"risks":["destruction:defense","escalation:privilege"],"notes":"Creating/updating a PSP lets an attacker author or weaken a permissive admission policy (permit privileged/hostPath/host-namespace pods), disabling a cluster defense and enabling container breakout to node/cluster escalation.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete","name":"Kubernetes cluster role bindings (Arc-connected cluster)","scope":"CRITICAL","parent":{"notes":"These are the cluster's primary cluster-wide access-control grants; writing them is the canonical Kubernetes privilege-escalation path.","description":"ClusterRoleBindings are Kubernetes RBAC objects in an Azure Arc-connected cluster that bind subjects (users, groups, service accounts) to cluster-wide ClusterRoles, including cluster-admin, governing cluster-wide authorization."},"risks":["destruction:policy","impact:access"],"notes":"Deleting ClusterRoleBindings removes cluster-wide RBAC grants, destroying access-control policy (which can strip away grants that would otherwise deny the attacker) and revoking other principals'/admins' authorized access.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write","name":"Kubernetes cluster role bindings (Arc-connected cluster)","scope":"CRITICAL","parent":{"notes":"These are the cluster's primary cluster-wide access-control grants; writing them is the canonical Kubernetes privilege-escalation path.","description":"ClusterRoleBindings are Kubernetes RBAC objects in an Azure Arc-connected cluster that bind subjects (users, groups, service accounts) to cluster-wide ClusterRoles, including cluster-admin, governing cluster-wide authorization."},"risks":["escalation:privilege","persistence:account"],"notes":"Creating/updating a ClusterRoleBinding lets an attacker bind any subject (including their own identity/service account) to cluster-admin, granting full cluster-wide privilege escalation and a durable privileged foothold.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action","name":"Kubernetes cluster roles (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"Cluster-scoped RBAC governs access to all namespaces and cluster resources; a ClusterRole can confer cluster-admin, making this the access-control backbone of the entire cluster.","description":"ClusterRole objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define cluster-wide sets of permissions over the Kubernetes API that can be granted to subjects via (cluster)role bindings."},"risks":["escalation:privilege"],"notes":"The bind verb authorizes referencing a ClusterRole in a binding, letting an attacker grant that role's cluster-wide privileges (potentially cluster-admin) to a controlled subject.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action","name":"Kubernetes cluster roles (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"Cluster-scoped RBAC governs access to all namespaces and cluster resources; a ClusterRole can confer cluster-admin, making this the access-control backbone of the entire cluster.","description":"ClusterRole objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define cluster-wide sets of permissions over the Kubernetes API that can be granted to subjects via (cluster)role bindings."},"risks":["escalation:privilege"],"notes":"The escalate verb explicitly bypasses Kubernetes privilege-escalation prevention, letting a principal grant a ClusterRole permissions exceeding its own up to cluster-admin.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete","name":"Kubernetes cluster roles (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"Cluster-scoped RBAC governs access to all namespaces and cluster resources; a ClusterRole can confer cluster-admin, making this the access-control backbone of the entire cluster.","description":"ClusterRole objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define cluster-wide sets of permissions over the Kubernetes API that can be granted to subjects via (cluster)role bindings."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a ClusterRole removes cluster-wide access-control policy, which can strip authorized principals of their access and disrupt RBAC enforcement.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write","name":"Kubernetes cluster roles (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"Cluster-scoped RBAC governs access to all namespaces and cluster resources; a ClusterRole can confer cluster-admin, making this the access-control backbone of the entire cluster.","description":"ClusterRole objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define cluster-wide sets of permissions over the Kubernetes API that can be granted to subjects via (cluster)role bindings."},"risks":["escalation:privilege"],"notes":"Creating or updating a ClusterRole lets an attacker define or expand cluster-wide permission sets (up to cluster-admin) that can be bound to a controlled principal.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/delete":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/delete","name":"Kubernetes role bindings (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"RoleBindings are the assignment graph mapping identities to permissions; modifying them directly changes who holds what access in the cluster.","description":"RoleBinding objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They grant the permissions of a (cluster)role to specific subjects (users, groups, service accounts) within a namespace."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a RoleBinding removes an RBAC grant, destroying access-control policy and revoking authorized principals' access (denial-of-access).","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write","name":"Kubernetes role bindings (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"RoleBindings are the assignment graph mapping identities to permissions; modifying them directly changes who holds what access in the cluster.","description":"RoleBinding objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They grant the permissions of a (cluster)role to specific subjects (users, groups, service accounts) within a namespace."},"risks":["escalation:privilege"],"notes":"Creating or updating a RoleBinding binds a role (including a ClusterRole) to an attacker-chosen subject, directly granting elevated privileges to a controlled identity.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action","name":"Kubernetes roles (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"Namespaced RBAC governs access within a namespace, which may host sensitive production workloads and secrets; roles are part of the cluster's access-control fabric.","description":"Role objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define namespace-scoped sets of permissions over the Kubernetes API that can be granted to subjects via role bindings."},"risks":["escalation:privilege"],"notes":"The bind verb authorizes referencing a Role in a binding, letting an attacker grant that role's namespace permissions to a controlled subject.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action","name":"Kubernetes roles (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"Namespaced RBAC governs access within a namespace, which may host sensitive production workloads and secrets; roles are part of the cluster's access-control fabric.","description":"Role objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define namespace-scoped sets of permissions over the Kubernetes API that can be granted to subjects via role bindings."},"risks":["escalation:privilege"],"notes":"The escalate verb bypasses Kubernetes privilege-escalation prevention, letting a principal grant a namespaced Role permissions beyond those it currently holds.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete","name":"Kubernetes roles (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"Namespaced RBAC governs access within a namespace, which may host sensitive production workloads and secrets; roles are part of the cluster's access-control fabric.","description":"Role objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define namespace-scoped sets of permissions over the Kubernetes API that can be granted to subjects via role bindings."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a namespaced Role removes access-control policy and can strip authorized principals of their access within the namespace.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write":{"id":"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write","name":"Kubernetes roles (Arc connected cluster)","scope":"CRITICAL","parent":{"notes":"Namespaced RBAC governs access within a namespace, which may host sensitive production workloads and secrets; roles are part of the cluster's access-control fabric.","description":"Role objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define namespace-scoped sets of permissions over the Kubernetes API that can be granted to subjects via role bindings."},"risks":["escalation:privilege"],"notes":"Creating or updating a namespaced Role lets an attacker define or expand permissions that, once bound, grant elevated privileges within the namespace.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/secrets/delete":{"id":"Microsoft.Kubernetes/connectedClusters/secrets/delete","name":"Kubernetes secrets","scope":"CRITICAL","parent":{"notes":"Secret reads return raw credential material in cleartext, making this resource type a primary target for credential theft, identity takeover, and lateral movement.","description":"Kubernetes Secret objects in an Azure Arc-connected cluster. Secrets store sensitive credential material such as service-account tokens, passwords, TLS private keys, registry credentials, and connection strings used by workloads."},"risks":["destruction:crypto","impact:dos"],"notes":"Deleting secrets destroys cryptographic/credential material (keys, tokens, certificates) and breaks the workloads that mount them, causing denial of service.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/secrets/read":{"id":"Microsoft.Kubernetes/connectedClusters/secrets/read","name":"Kubernetes secrets","scope":"CRITICAL","parent":{"notes":"Secret reads return raw credential material in cleartext, making this resource type a primary target for credential theft, identity takeover, and lateral movement.","description":"Kubernetes Secret objects in an Azure Arc-connected cluster. Secrets store sensitive credential material such as service-account tokens, passwords, TLS private keys, registry credentials, and connection strings used by workloads."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Data-plane read returns the actual secret material (service-account tokens, keys, passwords, connection strings), enabling credential exfiltration, lateral movement via the disclosed identities, and account takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/secrets/write":{"id":"Microsoft.Kubernetes/connectedClusters/secrets/write","name":"Kubernetes secrets","scope":"CRITICAL","parent":{"notes":"Secret reads return raw credential material in cleartext, making this resource type a primary target for credential theft, identity takeover, and lateral movement.","description":"Kubernetes Secret objects in an Azure Arc-connected cluster. Secrets store sensitive credential material such as service-account tokens, passwords, TLS private keys, registry credentials, and connection strings used by workloads."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"Creating/updating secrets lets an attacker plant or overwrite credential material consumed by workloads, establishing persistent attacker-controlled credentials, enabling lateral movement, and poisoning trusted secrets.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/serviceaccounts/impersonate/action":{"id":"Microsoft.Kubernetes/connectedClusters/serviceaccounts/impersonate/action","name":"Kubernetes service accounts (connected cluster)","scope":"CRITICAL","parent":{"notes":"Service accounts are identities; a service account bound to a privileged ClusterRole can be cluster-admin equivalent, so this asset can be highly sensitive.","description":"Kubernetes ServiceAccount objects on an Azure Arc-enabled (connected) cluster. These are in-cluster workload identities that pods authenticate as and that are bound to RBAC roles governing what they can do in the cluster."},"risks":["escalation:lateral","escalation:privilege"],"notes":"The Kubernetes impersonate verb lets the caller act directly as a target service account, assuming its full RBAC permissions — a direct lateral-movement and privilege-escalation primitive to potentially cluster-admin-equivalent identities.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/serviceaccounts/delete":{"id":"Microsoft.Kubernetes/connectedClusters/serviceaccounts/delete","name":"Kubernetes service accounts (connected cluster)","scope":"CRITICAL","parent":{"notes":"Service accounts are identities; a service account bound to a privileged ClusterRole can be cluster-admin equivalent, so this asset can be highly sensitive.","description":"Kubernetes ServiceAccount objects on an Azure Arc-enabled (connected) cluster. These are in-cluster workload identities that pods authenticate as and that are bound to RBAC roles governing what they can do in the cluster."},"risks":["destruction:account","impact:access"],"notes":"Deleting service accounts destroys in-cluster identities, breaking legitimate workloads' authentication and denying authorized operational access.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/serviceaccounts/write":{"id":"Microsoft.Kubernetes/connectedClusters/serviceaccounts/write","name":"Kubernetes service accounts (connected cluster)","scope":"CRITICAL","parent":{"notes":"Service accounts are identities; a service account bound to a privileged ClusterRole can be cluster-admin equivalent, so this asset can be highly sensitive.","description":"Kubernetes ServiceAccount objects on an Azure Arc-enabled (connected) cluster. These are in-cluster workload identities that pods authenticate as and that are bound to RBAC roles governing what they can do in the cluster."},"risks":["persistence:account","escalation:privilege"],"notes":"Creating/updating service accounts lets an attacker mint new in-cluster identities (and their tokens) for persistence and obtain principals that can be attached to workloads to gain elevated privileges.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Kubernetes/connectedClusters/users/impersonate/action":{"id":"Microsoft.Kubernetes/connectedClusters/users/impersonate/action","name":"Kubernetes user impersonation (Arc-connected cluster)","scope":"CRITICAL","parent":{"notes":"Impersonation is an identity-spoofing primitive: holding it on users/groups/userextras effectively grants the union of all identities' permissions, up to cluster-admin (system:masters). This is among the most powerful capabilities in a cluster.","description":"The Kubernetes impersonate verb on user identities for an Azure Arc-connected cluster. It allows the holder to make API requests acting as an arbitrary user identity (via the Impersonate-User header), assuming that user's RBAC permissions."},"risks":["escalation:privilege","escalation:lateral"],"notes":"User impersonation lets the holder act as any user including cluster-admin, a direct privilege-escalation and lateral-identity-takeover primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.Kubernetes","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/automationProjects/principals/write":{"id":"Microsoft.Logic/automationProjects/principals/write","name":"Automation project principal","scope":"HIGH","parent":{"notes":"This is an access-control binding analogous to an Azure role assignment, but scoped to a single Logic automation project rather than tenant/subscription-wide; the asset is the access-control configuration of one integration function.","description":"An automation project principal is the identity/access-control binding that grants a security principal (user, group, service principal, or managed identity) access to a Logic Apps automation project. It functions as a scoped RBAC-style binding on a single integration workload."},"risks":["escalation:privilege","escalation:lateral","persistence:account"],"notes":"Creating or updating the principal binding grants a controlled identity access to the project (escalation:privilege), binds/uses identities the automation runs as for lateral movement (escalation:lateral), and establishes a durable access grant (persistence:account), analogous to a role assignment write scoped to a single Logic automation resource.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/integrationAccounts/agreements/listContentCallbackUrl/action":{"id":"Microsoft.Logic/integrationAccounts/agreements/listContentCallbackUrl/action","name":"Integration Account Agreement","scope":"MEDIUM","parent":{"notes":"Supporting integration infrastructure for a single B2B/integration function; configuration can reveal partner identities and message-processing details.","description":"A B2B trading-partner agreement in an Azure Logic Apps Integration Account, defining how messages are exchanged with a partner (AS2/X12/EDIFACT protocol settings, partner identities, send/receive routing)."},"risks":["exfiltration:data"],"notes":"Returns a pre-authenticated callback URL granting direct access to the agreement's raw content, letting an attacker export the trading-partner agreement data (partner/protocol details) without further authorization.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/integrationAccounts/listCallbackUrl/action":{"id":"Microsoft.Logic/integrationAccounts/listCallbackUrl/action","name":"Integration Account","scope":"HIGH","parent":{"notes":"Supporting integration resource scoped to a single integration function; can hold certificate/key references and access keys, but is not a primary org-wide data store.","description":"A Logic Apps Integration Account: a container for B2B/EDI artifacts (partners, agreements, schemas, maps, certificates) that supports enterprise integration workflows."},"risks":["exfiltration:crypto"],"notes":"Returns the callback URL containing an embedded SAS-style signature, a pre-authenticated credential granting invocation access to the integration account endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/integrationAccounts/partners/listContentCallbackUrl/action":{"id":"Microsoft.Logic/integrationAccounts/partners/listContentCallbackUrl/action","name":"Integration Account Partner","scope":"HIGH","parent":{"notes":"Configuration sub-resource of the integration account; defines partner identity metadata, not secret material.","description":"A B2B trading-partner definition within a Logic Apps Integration Account, holding partner business identities/qualifiers used to route and validate EDI messages."},"risks":["exfiltration:crypto"],"notes":"Returns a callback URL for the partner content that embeds a signed SAS-style token, a pre-authenticated credential granting direct access to the partner content endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/integrationAccounts/regenerateAccessKey/action":{"id":"Microsoft.Logic/integrationAccounts/regenerateAccessKey/action","name":"Integration Account","scope":"HIGH","parent":{"notes":"Supporting integration resource scoped to a single integration function; can hold certificate/key references and access keys, but is not a primary org-wide data store.","description":"A Logic Apps Integration Account: a container for B2B/EDI artifacts (partners, agreements, schemas, maps, certificates) that supports enterprise integration workflows."},"risks":["exfiltration:crypto","impact:access"],"notes":"Regenerating the access key returns the new key secret in the response (usable credential material) while invalidating the prior key, locking out legitimate consumers.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/integrationAccounts/schemas/listContentCallbackUrl/action":{"id":"Microsoft.Logic/integrationAccounts/schemas/listContentCallbackUrl/action","name":"Integration Account Schema","scope":"MEDIUM","parent":{"notes":"Supporting integration metadata for a single integration function; describes message structure rather than holding secrets.","description":"A message schema (XSD/EDI flat-file definition) in an Azure Logic Apps Integration Account used to validate and transform B2B/integration messages."},"risks":["exfiltration:data"],"notes":"Returns a pre-authenticated callback URL granting direct access to the schema's raw content, letting an attacker export the message-structure definitions without further authorization.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/integrationAccounts/usageConfigurations/listCallbackUrl/action":{"id":"Microsoft.Logic/integrationAccounts/usageConfigurations/listCallbackUrl/action","name":"Integration Account usage configuration","scope":"HIGH","parent":{"notes":"A supporting configuration object on an integration account (EDI/B2B integration); not a primary data store, though it controls operational integration behavior.","description":"The usage configuration sub-resource of a Logic Apps integration account, which governs usage/quota monitoring settings for the integration account."},"risks":["exfiltration:crypto"],"notes":"Returns a callback URL embedding a SAS-style signature/access token that grants authenticated invocation of the endpoint without further credentials, exporting credential-bearing material.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/accessKeys/list/action":{"id":"Microsoft.Logic/workflows/accessKeys/list/action","name":"Logic App workflow access key","scope":"HIGH","parent":{"notes":"Access keys are secret credentials scoped to a single workflow; their list/regenerate operations return secret values while the control-plane read returns only key metadata.","description":"An access key for a Logic App workflow, used to sign callback URLs and authorize invocation of and access to workflow runs. The key is credential material."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Explicitly lists the access key secrets, returning credential material an attacker can use to sign callback URLs and invoke the workflow as a trusted caller.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/accessKeys/regenerate/action":{"id":"Microsoft.Logic/workflows/accessKeys/regenerate/action","name":"Logic App workflow access key","scope":"HIGH","parent":{"notes":"Access keys are secret credentials scoped to a single workflow; their list/regenerate operations return secret values while the control-plane read returns only key metadata.","description":"An access key for a Logic App workflow, used to sign callback URLs and authorize invocation of and access to workflow runs. The key is credential material."},"risks":["exfiltration:crypto","impact:access"],"notes":"Regenerating returns new secret key material to the attacker while simultaneously invalidating the existing key, denying access to legitimate callers using the prior secret.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/accessKeys/delete":{"id":"Microsoft.Logic/workflows/accessKeys/delete","name":"Logic App workflow access key","scope":"HIGH","parent":{"notes":"Access keys are secret credentials scoped to a single workflow; their list/regenerate operations return secret values while the control-plane read returns only key metadata.","description":"An access key for a Logic App workflow, used to sign callback URLs and authorize invocation of and access to workflow runs. The key is credential material."},"risks":["destruction:crypto","impact:access"],"notes":"Deleting an access key destroys credential material and revokes legitimate callers' ability to authenticate/invoke the workflow, denying authorized access.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/accessKeys/write":{"id":"Microsoft.Logic/workflows/accessKeys/write","name":"Logic App workflow access key","scope":"HIGH","parent":{"notes":"Access keys are secret credentials scoped to a single workflow; their list/regenerate operations return secret values while the control-plane read returns only key metadata.","description":"An access key for a Logic App workflow, used to sign callback URLs and authorize invocation of and access to workflow runs. The key is credential material."},"risks":["persistence:account","impact:manipulation"],"notes":"Creating or updating an access key lets an attacker plant a credential they control to sign callback URLs and persistently invoke the workflow, while altering the auth configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/listCallbackUrl/action":{"id":"Microsoft.Logic/workflows/listCallbackUrl/action","name":"Logic Apps workflow","scope":"CRITICAL","parent":{"notes":"Workflows commonly hold a managed identity and connection references granting broad downstream access; the control-plane definition reveals integration logic, while access keys/callback URLs are bearer credentials that can invoke the workflow.","description":"An Azure Logic Apps workflow: a managed automation/integration resource that orchestrates triggers and actions across connected systems, often running under a managed identity with connections to downstream services."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the callback URL containing an embedded SAS signature that is a bearer credential, letting an attacker trigger the workflow out-of-band without further Azure permissions, which executes its actions under the workflow's managed identity (lateral movement into connected systems).","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/runs/actions/listExpressionTraces/action":{"id":"Microsoft.Logic/workflows/runs/actions/listExpressionTraces/action","name":"Logic App workflow run action","scope":"MEDIUM","parent":{"notes":"Action inputs/outputs commonly carry the actual sensitive business data, API responses, and payloads flowing between workflow steps.","description":"A workflow run action represents a single executed step within a Logic App run, including links to that step's inputs and outputs."},"risks":["exfiltration:data"],"notes":"Expression traces reveal the evaluated runtime values of an action's expressions, exposing concrete intermediate data (and potentially secrets) flowing through the workflow.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/runs/actions/repetitions/listExpressionTraces/action":{"id":"Microsoft.Logic/workflows/runs/actions/repetitions/listExpressionTraces/action","name":"Logic App workflow run action repetition","scope":"MEDIUM","parent":{"notes":"Per-iteration inputs/outputs carry the sensitive per-item data the workflow processed in each loop pass.","description":"A workflow run action repetition is a single iteration of a looped action (e.g. For_each/Until) within a Logic App run, including that iteration's inputs and outputs."},"risks":["exfiltration:data"],"notes":"Repetition expression traces expose the evaluated expression values for each loop iteration, leaking the concrete data the workflow handled.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/runs/actions/repetitions/requestHistories/read":{"id":"Microsoft.Logic/workflows/runs/actions/repetitions/requestHistories/read","name":"Logic App workflow run action request history","scope":"HIGH","parent":{"notes":"Request histories capture the actual data that flowed through the integration, frequently including sensitive business data and credentials carried in headers.","description":"The recorded request/response payloads (HTTP bodies, headers, query parameters) that a Logic App workflow run action exchanged with endpoints during execution."},"risks":["exfiltration:data"],"notes":"Per-repetition (loop/retry iteration) variant; reading it discloses the actual request/response payloads of each iteration, leaking sensitive workflow data.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/runs/actions/repetitions/read":{"id":"Microsoft.Logic/workflows/runs/actions/repetitions/read","name":"Logic App workflow run action repetition","scope":"MEDIUM","parent":{"notes":"Per-iteration inputs/outputs carry the sensitive per-item data the workflow processed in each loop pass.","description":"A workflow run action repetition is a single iteration of a looped action (e.g. For_each/Until) within a Logic App run, including that iteration's inputs and outputs."},"risks":["exfiltration:data"],"notes":"Reading an action repetition exposes that loop iteration's inputs/outputs, leaking the sensitive data processed in that pass.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/runs/actions/requestHistories/read":{"id":"Microsoft.Logic/workflows/runs/actions/requestHistories/read","name":"Logic App workflow run action request history","scope":"HIGH","parent":{"notes":"Request histories capture the actual data that flowed through the integration, frequently including sensitive business data and credentials carried in headers.","description":"The recorded request/response payloads (HTTP bodies, headers, query parameters) that a Logic App workflow run action exchanged with endpoints during execution."},"risks":["exfiltration:data"],"notes":"Reading the run action request history returns the concrete request/response payloads processed by the workflow, exposing sensitive integration data and any credentials in headers.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/runs/actions/scoperepetitions/read":{"id":"Microsoft.Logic/workflows/runs/actions/scoperepetitions/read","name":"Logic App workflow run action scope repetition","scope":"MEDIUM","parent":{"notes":"Scoped per-iteration inputs/outputs carry the sensitive data the workflow processed within that scope.","description":"A workflow run action scope repetition is a single iteration of a scoped action (e.g. For_each/Until scope) within a Logic App run, including that scoped iteration's inputs and outputs."},"risks":["exfiltration:data"],"notes":"Reading a scope repetition exposes the inputs/outputs of that scoped iteration, revealing the sensitive data processed within the scope.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/runs/actions/read":{"id":"Microsoft.Logic/workflows/runs/actions/read","name":"Logic App workflow run action","scope":"MEDIUM","parent":{"notes":"Action inputs/outputs commonly carry the actual sensitive business data, API responses, and payloads flowing between workflow steps.","description":"A workflow run action represents a single executed step within a Logic App run, including links to that step's inputs and outputs."},"risks":["exfiltration:data"],"notes":"Reading a run action exposes that step's inputs/outputs (or links to them), which frequently contain the sensitive data processed by the workflow.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/triggers/histories/read":{"id":"Microsoft.Logic/workflows/triggers/histories/read","name":"Logic App workflow trigger history","scope":"HIGH","parent":{"notes":"Trigger history payloads can contain the actual business data the workflow processed, making them sensitive beyond mere operational status.","description":"The execution history of a Logic App workflow trigger, recording past trigger firings along with their input and output payloads, status, and timestamps."},"risks":["exfiltration:data","discovery:infra"],"notes":"Reading trigger histories exposes past firing records including inputs/outputs, which can contain the sensitive business data processed by the workflow.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/triggers/listCallbackUrl/action":{"id":"Microsoft.Logic/workflows/triggers/listCallbackUrl/action","name":"Logic App workflow trigger","scope":"HIGH","parent":{"notes":"Triggers control workflow invocation; reading is reconnaissance, while run/reset/setState actions alter execution behavior of the automation.","description":"A trigger for a Logic App workflow that defines how and when the workflow is invoked (schedule, conditions, type) and tracks its execution state."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the live trigger callback URL with embedded SAS signature; an attacker can use it to invoke the workflow unauthenticated, running it under the Logic App's identity/connections.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Logic/workflows/versions/triggers/listCallbackUrl/action":{"id":"Microsoft.Logic/workflows/versions/triggers/listCallbackUrl/action","name":"Logic App workflow trigger callback URL","scope":"HIGH","parent":{"notes":"The callback URL is credential-equivalent: anyone holding it can invoke the workflow, which then runs under the Logic App's identity and connections.","description":"The callback URL for a Logic App workflow trigger, containing an embedded SAS signature that authorizes invoking (firing) the workflow trigger without further authentication."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the trigger callback URL with embedded SAS signature; an attacker can use it to invoke the workflow unauthenticated, driving it under the Logic App's identity/connections.","links":["https://azure.permissions.cloud/iam/Microsoft.Logic","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action":{"id":"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action","name":"User Assigned Identities","scope":"CRITICAL","parent":{"notes":"Managed identities are first-class security principals; controlling or attaching them is a direct path to lateral movement and privilege escalation.","description":"Azure user-assigned managed identities: standalone identity principals (with clientId/principalId) that can be granted RBAC roles and attached to compute resources to authenticate as that identity."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Assigning an existing user-assigned identity to a resource lets an attacker attach a potentially more-privileged identity to compute they control and act as it, the canonical Azure lateral-movement and privilege-escalation primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.ManagedIdentity","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete":{"id":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete","name":"Federated identity credentials","scope":"CRITICAL","parent":{"notes":"These are credential-less trust relationships on an identity that may hold arbitrary RBAC; controlling them enables direct impersonation and persistence, so the asset is identity/credential-tier CRITICAL.","description":"Federated identity credentials configure OIDC trust bindings (external issuer/subject/audience) on a user-assigned managed identity, allowing an external workload to obtain Azure tokens as that identity without any secret."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a FIC removes the OIDC trust binding (an access-control policy) that legitimate federated workloads rely on, both destroying the trust policy and denying those workloads their authorized access.","links":["https://azure.permissions.cloud/iam/Microsoft.ManagedIdentity","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write":{"id":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write","name":"Federated identity credentials","scope":"CRITICAL","parent":{"notes":"These are credential-less trust relationships on an identity that may hold arbitrary RBAC; controlling them enables direct impersonation and persistence, so the asset is identity/credential-tier CRITICAL.","description":"Federated identity credentials configure OIDC trust bindings (external issuer/subject/audience) on a user-assigned managed identity, allowing an external workload to obtain Azure tokens as that identity without any secret."},"risks":["persistence:account","escalation:lateral"],"notes":"Adding/updating a FIC lets an attacker register an external OIDC issuer/subject they control as trusted, minting tokens as the managed identity for durable secretless persistence and lateral movement into that identity's privileges.","links":["https://azure.permissions.cloud/iam/Microsoft.ManagedIdentity","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ManagedIdentity/userAssignedIdentities/delete":{"id":"Microsoft.ManagedIdentity/userAssignedIdentities/delete","name":"User Assigned Identities","scope":"CRITICAL","parent":{"notes":"Managed identities are first-class security principals; controlling or attaching them is a direct path to lateral movement and privilege escalation.","description":"Azure user-assigned managed identities: standalone identity principals (with clientId/principalId) that can be granted RBAC roles and attached to compute resources to authenticate as that identity."},"risks":["destruction:account","impact:dos"],"notes":"Deleting a user-assigned identity destroys an identity principal and breaks authentication for every resource bound to it, denying service to dependent workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.ManagedIdentity","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.ManagedIdentity/userAssignedIdentities/write":{"id":"Microsoft.ManagedIdentity/userAssignedIdentities/write","name":"User Assigned Identities","scope":"CRITICAL","parent":{"notes":"Managed identities are first-class security principals; controlling or attaching them is a direct path to lateral movement and privilege escalation.","description":"Azure user-assigned managed identities: standalone identity principals (with clientId/principalId) that can be granted RBAC roles and attached to compute resources to authenticate as that identity."},"risks":["persistence:account"],"notes":"Creating a new user-assigned identity establishes an attacker-controlled principal that can later be granted roles and attached to resources, a durable persistence foothold; updating an existing one only changes tags.","links":["https://azure.permissions.cloud/iam/Microsoft.ManagedIdentity","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Management/managementGroups/delete":{"id":"Microsoft.Management/managementGroups/delete","name":"Management groups","scope":"CRITICAL","parent":{"notes":"The management-group hierarchy defines tenant-wide governance structure; control over it has org-wide blast radius.","description":"Management groups are tenant-scope governance containers above subscriptions that organize the subscription hierarchy and provide the scopes through which Azure Policy and RBAC role assignments are inherited."},"risks":["destruction:infra","impact:access"],"notes":"Deleting a management group destroys a tenant-wide governance container and removes the RBAC role assignments, policies, and locks scoped to it, disrupting governance (DoS-like) and denying authorized operational access that depended on that scope.","links":["https://azure.permissions.cloud/iam/Microsoft.Management","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Management/managementGroups/write":{"id":"Microsoft.Management/managementGroups/write","name":"Management groups","scope":"CRITICAL","parent":{"notes":"The management-group hierarchy defines tenant-wide governance structure; control over it has org-wide blast radius.","description":"Management groups are tenant-scope governance containers above subscriptions that organize the subscription hierarchy and provide the scopes through which Azure Policy and RBAC role assignments are inherited."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Creating or updating a management group can re-parent subscriptions/groups and restructure the hierarchy, altering which RBAC role assignments and Azure Policy are inherited — enabling privilege escalation and weakening of inherited controls (manipulation of org-wide governance).","links":["https://azure.permissions.cloud/iam/Microsoft.Management","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/attachWafPolicyToAgc/action":{"id":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/attachWafPolicyToAgc/action","name":"Application Gateway WAF policy","scope":"HIGH","parent":{"notes":"A WAF policy is the security control filtering traffic to public applications; weakening or removing it exposes the fronted apps to attack, so mutation of the policy is a defense/policy concern.","description":"An Application Gateway Web Application Firewall (WAF) policy is the managed rule engine that inspects and filters HTTP/S traffic to internet-facing applications fronted by an Application Gateway, blocking common web attacks."},"risks":["escalation:network"],"notes":"Attaches a WAF policy to an Application Gateway for Containers, letting an attacker bind the gateway to an attacker-chosen/weaker policy and bypass the intended filtering posture.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/detachWafPolicyFromAgc/action":{"id":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/detachWafPolicyFromAgc/action","name":"Application Gateway WAF policy","scope":"HIGH","parent":{"notes":"A WAF policy is the security control filtering traffic to public applications; weakening or removing it exposes the fronted apps to attack, so mutation of the policy is a defense/policy concern.","description":"An Application Gateway Web Application Firewall (WAF) policy is the managed rule engine that inspects and filters HTTP/S traffic to internet-facing applications fronted by an Application Gateway, blocking common web attacks."},"risks":["destruction:defense","destruction:policy"],"notes":"Detaches the WAF policy from an Application Gateway for Containers, stripping the traffic-filtering security control off the gateway entirely and leaving the fronted applications unprotected.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/join/action":{"id":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/join/action","name":"Application Gateway WAF policy","scope":"HIGH","parent":{"notes":"A WAF policy is the security control filtering traffic to public applications; weakening or removing it exposes the fronted apps to attack, so mutation of the policy is a defense/policy concern.","description":"An Application Gateway Web Application Firewall (WAF) policy is the managed rule engine that inspects and filters HTTP/S traffic to internet-facing applications fronted by an Application Gateway, blocking common web attacks."},"risks":["escalation:network"],"notes":"Joining a WAF policy binds a gateway/resource to an attacker-chosen (potentially weaker) policy rather than the intended one, bypassing segmentation/policy controls; flagged Not Alertable.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write":{"id":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write","name":"Application Gateway WAF policy","scope":"HIGH","parent":{"notes":"A WAF policy is the security control filtering traffic to public applications; weakening or removing it exposes the fronted apps to attack, so mutation of the policy is a defense/policy concern.","description":"An Application Gateway Web Application Firewall (WAF) policy is the managed rule engine that inspects and filters HTTP/S traffic to internet-facing applications fronted by an Application Gateway, blocking common web attacks."},"risks":["destruction:policy","destruction:defense","impact:manipulation"],"notes":"Creating/updating the policy lets an attacker rewrite or disable WAF rules (e.g. flip to detection-only or drop rules), removing the security control filtering traffic to the fronted applications.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete":{"id":"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete","name":"Application Gateway WAF policy","scope":"HIGH","parent":{"notes":"A WAF policy is the security control filtering traffic to public applications; weakening or removing it exposes the fronted apps to attack, so mutation of the policy is a defense/policy concern.","description":"An Application Gateway Web Application Firewall (WAF) policy is the managed rule engine that inspects and filters HTTP/S traffic to internet-facing applications fronted by an Application Gateway, blocking common web attacks."},"risks":["destruction:policy","destruction:defense"],"notes":"Deleting the policy removes the WAF rule set entirely, tearing down the security control that inspects traffic to the fronted applications.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/createShareableLinks/action":{"id":"Microsoft.Network/BastionHosts/createShareableLinks/action","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["escalation:network","persistence:account"],"notes":"Creating shareable URLs mints durable, RBAC-less links granting browser-based access to internal VMs through the Bastion, providing both network movement and a persistent backdoor access path.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/deleteShareableLinks/action":{"id":"Microsoft.Network/BastionHosts/deleteShareableLinks/action","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["destruction:defense"],"notes":"Can be used by an attacker to cover their tracks after abusing a shareable link they created, removing evidence of the link's existence; minor severity since it revokes rather than grants access.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/deleteShareableLinksByToken/action":{"id":"Microsoft.Network/BastionHosts/deleteShareableLinksByToken/action","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["destruction:defense"],"notes":"Can be used by an attacker to cover their tracks after abusing a shareable link they created, removing evidence of the link's existence; minor severity since it revokes rather than grants access.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/disconnectactivesessions/action":{"id":"Microsoft.Network/BastionHosts/disconnectactivesessions/action","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["impact:dos"],"notes":"Lets an attacker forcibly terminate another user's active Bastion session, including kicking a legitimate administrator off mid-session, disrupting incident response or ongoing legitimate work.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/getShareableLinks/action":{"id":"Microsoft.Network/BastionHosts/getShareableLinks/action","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["escalation:network","exfiltration:crypto"],"notes":"Returning existing shareable URLs hands the attacker tokenized, RBAC-less links that grant browser-based RDP/SSH access to specific internal VMs, both yielding usable access tokens and enabling reach into the network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/getactivesessions/action":{"id":"Microsoft.Network/BastionHosts/getactivesessions/action","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["discovery:account"],"notes":"Exposes active administrative/remote sessions in real time, letting an attacker identify which accounts currently hold interactive access to which VMs, useful for timing further attacks or identifying high-value targets to follow up on.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/getsessionrecordingsasurl/action":{"id":"Microsoft.Network/BastionHosts/getsessionrecordingsasurl/action","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["exfiltration:crypto","exfiltration:logs"],"notes":"Getting the session-recording SAS URL returns a credential-bearing tokenized storage URL granting direct access to recorded administrative sessions, exfiltrating both the SAS token and the sensitive recordings.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/getsessionrecordingsasurl/read":{"id":"Microsoft.Network/BastionHosts/getsessionrecordingsasurl/read","name":"Bastion Host session recording SAS URL","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["exfiltration:crypto","exfiltration:logs"],"notes":"Returns the SAS URL (a bearer credential token) that grants direct access to the storage holding recorded RDP/SSH privileged sessions, exposing both the credential token and the sensitive session audit recordings.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/setsessionrecordingsasurl/action":{"id":"Microsoft.Network/BastionHosts/setsessionrecordingsasurl/action","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["destruction:defense"],"notes":"Redirecting session recordings to an attacker-controlled or otherwise inaccessible storage location silently defeats the session-recording audit trail, an evasion technique that lets subsequent privileged-session abuse go unrecorded.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/delete":{"id":"Microsoft.Network/BastionHosts/delete","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["destruction:infra","impact:dos"],"notes":"Removes legitimate secure remote-access infrastructure, cutting off browser-based RDP/SSH access to VMs behind it; lower severity than the session/link risks on this resource since it degrades availability rather than granting access.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/BastionHosts/write":{"id":"Microsoft.Network/BastionHosts/write","name":"Bastion Host","scope":"HIGH","parent":{"notes":"A production secure-access entry point into a private network; controlling or observing it affects reachability of all VMs behind it.","description":"Azure Bastion is a managed PaaS jump host deployed in a VNet that brokers secure browser-based RDP/SSH connectivity to VMs without exposing public IPs on those VMs."},"risks":["escalation:network","persistence:account"],"notes":"Reconfiguring an existing Bastion (e.g. enabling IP-based connection, native client support, or weakening its associated network restrictions) can broaden how it may be reached (network escalation); standing up a new Bastion Host gives an attacker a durable, sanctioned-looking remote-access foothold into the VNet (persistence).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationGateways/getListenerCertificateMetadata/action":{"id":"Microsoft.Network/applicationGateways/getListenerCertificateMetadata/action","name":"Application Gateway listener certificate metadata","scope":"HIGH","parent":{"notes":"Read-only reconnaissance action inherited from the application gateway's HIGH scope.","description":"Returns metadata about the TLS certificate bound to an application gateway listener."},"risks":["discovery:network"],"notes":"Discloses which TLS certificate/domain is bound to a listener, revealing which applications are fronted by the gateway and aiding targeting of a subsequent attack.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationGateways/delete":{"id":"Microsoft.Network/applicationGateways/delete","name":"Application Gateway","scope":"HIGH","parent":{"notes":"Sits directly in the path of live production HTTP(S) traffic and frequently terminates TLS for the fronted application; write access lets an attacker redirect or intercept that traffic, including decrypted content. Rated HIGH rather than CRITICAL because impact is scoped to the traffic/applications routed through this specific gateway rather than whole-network segmentation.","description":"Azure Application Gateway is a layer-7 (HTTP/HTTPS) load balancer and web-traffic router that terminates TLS, evaluates listener/routing rules, and forwards requests to backend pools; it commonly holds the TLS certificate for the fronted application."},"risks":["destruction:network","impact:dos"],"notes":"Deletes the application gateway, removing the routing/TLS-termination front end and causing outage for every backend it serves.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationGateways/write":{"id":"Microsoft.Network/applicationGateways/write","name":"Application Gateway","scope":"HIGH","parent":{"notes":"Sits directly in the path of live production HTTP(S) traffic and frequently terminates TLS for the fronted application; write access lets an attacker redirect or intercept that traffic, including decrypted content. Rated HIGH rather than CRITICAL because impact is scoped to the traffic/applications routed through this specific gateway rather than whole-network segmentation.","description":"Azure Application Gateway is a layer-7 (HTTP/HTTPS) load balancer and web-traffic router that terminates TLS, evaluates listener/routing rules, and forwards requests to backend pools; it commonly holds the TLS certificate for the fronted application."},"risks":["exfiltration:data","escalation:network"],"notes":"Creating or updating listener rules, backend pools, or HTTP settings lets an attacker redirect or intercept live production traffic, including TLS-terminated traffic since the gateway typically holds the bound certificate.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action":{"id":"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action","name":"Application security group","scope":"HIGH","parent":{"notes":"An ASG is a perimeter/segmentation control referenced by NSG rules; membership in one determines which firewall rules apply to a given interface, so misuse indirectly controls network access the same way an NSG does. Rated consistent with the other network-segmentation resources documented alongside it.","description":"An Application Security Group (ASG) is a logical grouping of network interfaces (by application role) that can be referenced as the source/destination of NSG rules, instead of explicit IP ranges, to scope firewall rules to a set of VMs."},"risks":["escalation:network"],"notes":"Azure requires this permission on the ASG itself before a principal can add an interface's IP configuration as a member, specifically so that a principal with only narrow \"create resource\" rights cannot silently opt their own interface into (or leave it out of) the firewall rules that reference this group. Holding join lets an attacker enroll an attacker-controlled interface into a trusted ASG (inheriting the access that ASG's membership grants in NSG rules) or withhold a sanctioned interface from a restrictive ASG, bypassing intended segmentation.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action":{"id":"Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action","name":"Application security group","scope":"HIGH","parent":{"notes":"An ASG is a perimeter/segmentation control referenced by NSG rules; membership in one determines which firewall rules apply to a given interface, so misuse indirectly controls network access the same way an NSG does. Rated consistent with the other network-segmentation resources documented alongside it.","description":"An Application Security Group (ASG) is a logical grouping of network interfaces (by application role) that can be referenced as the source/destination of NSG rules, instead of explicit IP ranges, to scope firewall rules to a set of VMs."},"risks":["escalation:network"],"notes":"Azure requires this permission on the ASG itself before a principal can reference it as the source/destination of an NSG security rule, specifically so that a principal with only narrow rule-authoring rights cannot silently scope a rule to a group they don't control. Holding join lets an attacker wire an attacker-controlled ASG into a security rule (or wire a sanctioned ASG into an attacker-authored rule) to open or evade intended firewall segmentation.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationSecurityGroups/listAddressPrefixSets/action":{"id":"Microsoft.Network/applicationSecurityGroups/listAddressPrefixSets/action","name":"Application security group","scope":"HIGH","parent":{"notes":"An ASG is a perimeter/segmentation control referenced by NSG rules; membership in one determines which firewall rules apply to a given interface, so misuse indirectly controls network access the same way an NSG does. Rated consistent with the other network-segmentation resources documented alongside it.","description":"An Application Security Group (ASG) is a logical grouping of network interfaces (by application role) that can be referenced as the source/destination of NSG rules, instead of explicit IP ranges, to scope firewall rules to a set of VMs."},"risks":["discovery:network"],"notes":"Lists the resolved address prefixes backing the ASG's members, revealing the actual IP ranges that firewall rules referencing this group apply to; aids reconnaissance of the network segmentation topology ahead of an attack on the hosts it covers.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationSecurityGroups/listIpConfigurations/action":{"id":"Microsoft.Network/applicationSecurityGroups/listIpConfigurations/action","name":"Application security group","scope":"HIGH","parent":{"notes":"An ASG is a perimeter/segmentation control referenced by NSG rules; membership in one determines which firewall rules apply to a given interface, so misuse indirectly controls network access the same way an NSG does. Rated consistent with the other network-segmentation resources documented alongside it.","description":"An Application Security Group (ASG) is a logical grouping of network interfaces (by application role) that can be referenced as the source/destination of NSG rules, instead of explicit IP ranges, to scope firewall rules to a set of VMs."},"risks":["discovery:network"],"notes":"Lists the IP configurations (interfaces/VMs) that are members of the ASG, revealing which hosts belong to a given application tier and are therefore in scope for any NSG rule that references this group; useful for mapping which hosts to target to inherit or evade that rule's access.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationSecurityGroups/delete":{"id":"Microsoft.Network/applicationSecurityGroups/delete","name":"Application security group","scope":"HIGH","parent":{"notes":"An ASG is a perimeter/segmentation control referenced by NSG rules; membership in one determines which firewall rules apply to a given interface, so misuse indirectly controls network access the same way an NSG does. Rated consistent with the other network-segmentation resources documented alongside it.","description":"An Application Security Group (ASG) is a logical grouping of network interfaces (by application role) that can be referenced as the source/destination of NSG rules, instead of explicit IP ranges, to scope firewall rules to a set of VMs."},"risks":["destruction:policy","impact:dos"],"notes":"Deleting an ASG invalidates any NSG rule that references it as a source/destination, silently disabling those rules (opening the traffic they were meant to restrict) or breaking rules that were permitting required traffic.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/applicationSecurityGroups/write":{"id":"Microsoft.Network/applicationSecurityGroups/write","name":"Application security group","scope":"HIGH","parent":{"notes":"An ASG is a perimeter/segmentation control referenced by NSG rules; membership in one determines which firewall rules apply to a given interface, so misuse indirectly controls network access the same way an NSG does. Rated consistent with the other network-segmentation resources documented alongside it.","description":"An Application Security Group (ASG) is a logical grouping of network interfaces (by application role) that can be referenced as the source/destination of NSG rules, instead of explicit IP ranges, to scope firewall rules to a set of VMs."},"risks":["escalation:network"],"notes":"Creating or updating an ASG definition is a prerequisite for controlling which interfaces inherit the firewall rules written against that group; combined with join rights on member interfaces/rules, it lets an attacker reshape which traffic reaches a given application tier.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/authorizationPolicies/delete":{"id":"Microsoft.Network/authorizationPolicies/delete","name":"Network authorization policies","scope":"HIGH","parent":{"notes":"Writing/deleting alters which principals/resources can associate with network resources, making this access-control policy security-relevant.","description":"A network authorization policy defines access-control rules governing which principals or resources may connect to, join, or associate with a network resource."},"risks":["destruction:policy"],"notes":"Deleting the policy removes the access-control rules constraining network association, lifting deny restrictions that would otherwise block attacker connectivity.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/authorizationPolicies/write":{"id":"Microsoft.Network/authorizationPolicies/write","name":"Network authorization policies","scope":"HIGH","parent":{"notes":"Writing/deleting alters which principals/resources can associate with network resources, making this access-control policy security-relevant.","description":"A network authorization policy defines access-control rules governing which principals or resources may connect to, join, or associate with a network resource."},"risks":["escalation:privilege","escalation:network","impact:manipulation"],"notes":"Creating/updating the policy lets an attacker grant additional principals/resources permission to connect, which is both a privilege grant (escalation:privilege) and expansion of reachable network (escalation:network), while manipulating the access-control config (impact:manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/azureFirewalls/packetCapture/action":{"id":"Microsoft.Network/azureFirewalls/packetCapture/action","name":"Azure Firewall","scope":"HIGH","parent":{"notes":"Acts as a network-perimeter defense for a single organizational function; its configuration reveals defensive posture and it can record in-transit traffic.","description":"Azure Firewall is a managed, stateful network firewall appliance that filters and inspects traffic for a virtual network, enforcing network/application/NAT rule collections and threat intelligence."},"risks":["exfiltration:data"],"notes":"Triggering a packet capture records live network traffic traversing the firewall to a capture file, allowing an attacker to capture and exfiltrate sensitive in-transit data and credentials.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/azureFirewalls/packetCaptureOperation/action":{"id":"Microsoft.Network/azureFirewalls/packetCaptureOperation/action","name":"Azure Firewall","scope":"HIGH","parent":{"notes":"Acts as a network-perimeter defense for a single organizational function; its configuration reveals defensive posture and it can record in-transit traffic.","description":"Azure Firewall is a managed, stateful network firewall appliance that filters and inspects traffic for a virtual network, enforcing network/application/NAT rule collections and threat intelligence."},"risks":["exfiltration:data"],"notes":"Same firewall packet-capture capability under an alternate operation name: records live traffic flowing through the firewall, enabling exfiltration of sensitive in-transit data.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/connections/sharedKey/read":{"id":"Microsoft.Network/connections/sharedKey/read","name":"Virtual network gateway connection shared key","scope":"CRITICAL","parent":{"notes":"The PSK is the credential securing the VPN tunnel; exporting it lets an attacker impersonate or man-in-the-middle the tunnel and reach the connected network.","description":"The shared key of a VirtualNetworkGatewayConnection is the IPsec pre-shared key (PSK) credential that authenticates the site-to-site VPN tunnel between the Azure gateway and its peer."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Reads the connection's sharedKey sub-resource, returning the IPsec pre-shared credential and enabling export of secret material usable to authenticate, impersonate, or intercept the tunnel.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/connections/sharedKey/write":{"id":"Microsoft.Network/connections/sharedKey/write","name":"Virtual network gateway connection shared key","scope":"CRITICAL","parent":{"notes":"The PSK is the credential securing the VPN tunnel; exporting it lets an attacker impersonate or man-in-the-middle the tunnel and reach the connected network.","description":"The shared key of a VirtualNetworkGatewayConnection is the IPsec pre-shared key (PSK) credential that authenticates the site-to-site VPN tunnel between the Azure gateway and its peer."},"risks":["impact:manipulation","impact:dos"],"notes":"Creates or updates the connection's shared key, letting an attacker set a key they control (enabling tunnel impersonation/hijack) or overwrite the existing PSK to break the legitimate peer's authentication (DoS).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/connections/sharedKey/action":{"id":"Microsoft.Network/connections/sharedKey/action","name":"Virtual network gateway connection","scope":"CRITICAL","parent":{"notes":"The PSK is the credential securing the VPN tunnel; exporting it lets an attacker impersonate or man-in-the-middle the tunnel and reach the connected network.","description":"The shared key of a VirtualNetworkGatewayConnection is the IPsec pre-shared key (PSK) credential that authenticates the site-to-site VPN tunnel between the Azure gateway and its peer."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Despite the /action naming, this GET returns the connection's IPsec pre-shared key (credential material), enabling exfiltration of the secret and, by reuse, establishing/impersonating the tunnel to reach the connected network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/connections/startpacketcapture/action":{"id":"Microsoft.Network/connections/startpacketcapture/action","name":"Virtual network gateway connection","scope":"HIGH","parent":{"notes":"These connections bridge Azure VNets with on-premises or partner networks; compromise can expose the IPsec pre-shared key, intercept tunnel traffic, or sever connectivity for dependent workloads.","description":"A VirtualNetworkGatewayConnection links a virtual network gateway to a peer (another gateway, a local network gateway for site-to-site VPN, or an ExpressRoute circuit), establishing cross-premises or cross-network IPsec/ExpressRoute connectivity."},"risks":["collection:data","exfiltration:data"],"notes":"Starts a packet capture on the gateway connection, recording traffic traversing the tunnel and enabling collection and eventual exfiltration of potentially sensitive in-transit data.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/connections/stoppacketcapture/action":{"id":"Microsoft.Network/connections/stoppacketcapture/action","name":"Virtual network gateway connection","scope":"HIGH","parent":{"notes":"These connections bridge Azure VNets with on-premises or partner networks; compromise can expose the IPsec pre-shared key, intercept tunnel traffic, or sever connectivity for dependent workloads.","description":"A VirtualNetworkGatewayConnection links a virtual network gateway to a peer (another gateway, a local network gateway for site-to-site VPN, or an ExpressRoute circuit), establishing cross-premises or cross-network IPsec/ExpressRoute connectivity."},"risks":["exfiltration:data"],"notes":"Stops an in-progress packet capture and finalizes/outputs the captured traffic to the configured sink (e.g. a SAS URL), completing retrieval of the intercepted in-transit network data.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/connections/vpndeviceconfigurationscript/action":{"id":"Microsoft.Network/connections/vpndeviceconfigurationscript/action","name":"Virtual network gateway connection","scope":"CRITICAL","parent":{"notes":"These connections bridge Azure VNets with on-premises or partner networks; compromise can expose the IPsec pre-shared key, intercept tunnel traffic, or sever connectivity for dependent workloads.","description":"A VirtualNetworkGatewayConnection links a virtual network gateway to a peer (another gateway, a local network gateway for site-to-site VPN, or an ExpressRoute circuit), establishing cross-premises or cross-network IPsec/ExpressRoute connectivity."},"risks":["exfiltration:crypto","discovery:network"],"notes":"Generates the VPN device configuration script, which embeds the connection's pre-shared key and tunnel/topology parameters, exposing credential material and detailed network configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/A/delete":{"id":"Microsoft.Network/dnszones/A/delete","name":"DNS A record set","scope":"HIGH","parent":{"notes":"Write access enables repointing traffic (domain takeover); delete breaks resolution (DoS).","description":"Azure DNS A record set mapping a hostname to one or more IPv4 addresses within a DNS zone. Controls public name resolution to IPv4 endpoints for the domain."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the A record set removes IPv4 name resolution for the hostname, destroying a network component and denying service to whatever it fronts.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/A/write":{"id":"Microsoft.Network/dnszones/A/write","name":"DNS A record set","scope":"HIGH","parent":{"notes":"Write access enables repointing traffic (domain takeover); delete breaks resolution (DoS).","description":"Azure DNS A record set mapping a hostname to one or more IPv4 addresses within a DNS zone. Controls public name resolution to IPv4 endpoints for the domain."},"risks":["takeover:domain","impact:defacement","impact:manipulation"],"notes":"Creating/replacing the A record set repoints a hostname's IPv4 traffic to attacker-controlled infrastructure, enabling domain/subdomain takeover, defacement of public-facing services, and manipulation of routing config.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/AAAA/delete":{"id":"Microsoft.Network/dnszones/AAAA/delete","name":"DNS AAAA record set","scope":"HIGH","parent":{"notes":"Write access enables repointing traffic (domain takeover); delete breaks resolution (DoS).","description":"Azure DNS AAAA record set mapping a hostname to one or more IPv6 addresses within a DNS zone. Controls public name resolution to IPv6 endpoints for the domain."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the AAAA record set removes IPv6 name resolution for the hostname, destroying a network component and denying service.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/AAAA/write":{"id":"Microsoft.Network/dnszones/AAAA/write","name":"DNS AAAA record set","scope":"HIGH","parent":{"notes":"Write access enables repointing traffic (domain takeover); delete breaks resolution (DoS).","description":"Azure DNS AAAA record set mapping a hostname to one or more IPv6 addresses within a DNS zone. Controls public name resolution to IPv6 endpoints for the domain."},"risks":["takeover:domain","impact:defacement","impact:manipulation"],"notes":"Creating/replacing the AAAA record set repoints a hostname's IPv6 traffic to attacker-controlled infrastructure, enabling domain takeover, defacement, and routing manipulation.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/CAA/delete":{"id":"Microsoft.Network/dnszones/CAA/delete","name":"DNS CAA record set","scope":"HIGH","parent":{"notes":"DNS zones govern a single organizational function's public name resolution and certificate-issuance trust; the CAA restriction is a defense against fraudulent certificate issuance.","description":"A CAA (Certification Authority Authorization) record set within an Azure public DNS zone. CAA records declare which certificate authorities are permitted to issue TLS certificates for the domain, acting as a DNS-level trust control."},"risks":["destruction:network","destruction:defense","takeover:domain"],"notes":"Deleting the CAA record set removes a DNS network component and tears down the restriction on which CAs may issue certificates for the domain, re-enabling any CA to issue certs.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/CAA/write":{"id":"Microsoft.Network/dnszones/CAA/write","name":"DNS CAA record set","scope":"HIGH","parent":{"notes":"DNS zones govern a single organizational function's public name resolution and certificate-issuance trust; the CAA restriction is a defense against fraudulent certificate issuance.","description":"A CAA (Certification Authority Authorization) record set within an Azure public DNS zone. CAA records declare which certificate authorities are permitted to issue TLS certificates for the domain, acting as a DNS-level trust control."},"risks":["takeover:domain","destruction:defense","impact:manipulation"],"notes":"Create/update replaces the existing CAA records, letting an attacker authorize a CA they control to issue certificates for the domain (subverting the cert-issuance trust control) and otherwise manipulate the domain's DNS authorization data.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/CNAME/delete":{"id":"Microsoft.Network/dnszones/CNAME/delete","name":"DNS CNAME record set","scope":"HIGH","parent":{"notes":"DNS record data is published and resolvable by design (public); CNAME aliases pointing at deprovisioned targets are the classic dangling-subdomain-takeover vector.","description":"An authoritative DNS CNAME record set within an Azure public DNS zone. A CNAME aliases a hostname to a canonical target name."},"risks":["destruction:network"],"notes":"Deleting the CNAME record set breaks resolution for the aliased subdomain (DoS).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/CNAME/write":{"id":"Microsoft.Network/dnszones/CNAME/write","name":"DNS CNAME record set","scope":"HIGH","parent":{"notes":"DNS record data is published and resolvable by design (public); CNAME aliases pointing at deprovisioned targets are the classic dangling-subdomain-takeover vector.","description":"An authoritative DNS CNAME record set within an Azure public DNS zone. A CNAME aliases a hostname to a canonical target name."},"risks":["takeover:domain","impact:defacement","impact:manipulation"],"notes":"Creating/replacing the CNAME alias repoints a subdomain to attacker-controlled infrastructure, the classic subdomain-takeover and traffic-interception primitive that also enables defacement of the public-facing endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/DS/delete":{"id":"Microsoft.Network/dnszones/DS/delete","name":"DNS DS record set","scope":"HIGH","parent":{"notes":"Public-facing authoritative DNS for a single domain function; write/delete affects DNSSEC validation and resolution trust for delegated subdomains.","description":"A DS (Delegation Signer) record set in an Azure public DNS zone. DS records publish the hash of a delegated child zone's signing key, anchoring the DNSSEC chain of trust for that delegation."},"risks":["destruction:network","destruction:defense"],"notes":"Deleting the DS record set removes a public DNS network component and the DNSSEC delegation trust anchor, breaking validation for delegated subzones and enabling spoofing/redirection.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/DS/write":{"id":"Microsoft.Network/dnszones/DS/write","name":"DNS DS record set","scope":"HIGH","parent":{"notes":"Public-facing authoritative DNS for a single domain function; write/delete affects DNSSEC validation and resolution trust for delegated subdomains.","description":"A DS (Delegation Signer) record set in an Azure public DNS zone. DS records publish the hash of a delegated child zone's signing key, anchoring the DNSSEC chain of trust for that delegation."},"risks":["takeover:domain","impact:manipulation","destruction:defense"],"notes":"Creating/updating DS records alters the DNSSEC chain of trust for delegated subzones, enabling an attacker to control/subvert secure resolution of the delegated domain and tamper with the validation defense.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/MX/delete":{"id":"Microsoft.Network/dnszones/MX/delete","name":"DNS MX record set","scope":"HIGH","parent":{"notes":"Write access reroutes inbound mail to attacker-controlled servers (mail-flow hijack); delete denies inbound email.","description":"Azure DNS MX record set defining the mail-exchange servers that handle inbound email for the domain. Controls public mail routing for the domain."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the MX record set removes mail routing for the domain, destroying a network component and denying inbound email delivery.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/MX/write":{"id":"Microsoft.Network/dnszones/MX/write","name":"DNS MX record set","scope":"HIGH","parent":{"notes":"Write access reroutes inbound mail to attacker-controlled servers (mail-flow hijack); delete denies inbound email.","description":"Azure DNS MX record set defining the mail-exchange servers that handle inbound email for the domain. Controls public mail routing for the domain."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/replacing the MX record set redirects the domain's inbound email to attacker-controlled mail servers, hijacking mail flow and enabling interception/manipulation of communications.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/NS/delete":{"id":"Microsoft.Network/dnszones/NS/delete","name":"DNS NS record set","scope":"HIGH","parent":{"notes":"DNS record data is published and resolvable by design (public); NS delegation control hands full authoritative control over an entire namespace subtree.","description":"An authoritative DNS NS record set within an Azure public DNS zone. NS records delegate authority for the zone or a child subdomain to a set of nameservers."},"risks":["destruction:network"],"notes":"Deleting the NS delegation record set breaks resolution for the delegated subdomain, making everything hosted under it unresolvable (DoS).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/NS/write":{"id":"Microsoft.Network/dnszones/NS/write","name":"DNS NS record set","scope":"HIGH","parent":{"notes":"DNS record data is published and resolvable by design (public); NS delegation control hands full authoritative control over an entire namespace subtree.","description":"An authoritative DNS NS record set within an Azure public DNS zone. NS records delegate authority for the zone or a child subdomain to a set of nameservers."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/replacing NS records re-delegates a (sub)zone to attacker-controlled nameservers, handing the attacker full authoritative control over all names beneath that delegation — the strongest DNS-takeover primitive.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/PTR/delete":{"id":"Microsoft.Network/dnszones/PTR/delete","name":"DNS PTR record set","scope":"HIGH","parent":{"notes":"Write access lets an attacker control reverse-DNS resolution to spoof identity/bypass reverse-lookup checks; delete disrupts reverse-lookup-dependent services.","description":"Azure DNS PTR (reverse-DNS) record set mapping IP addresses back to hostnames within a DNS zone. Used for reverse lookups that services such as mail acceptance rely on."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the PTR record set removes reverse-DNS resolution, destroying a network component and disrupting services (e.g. mail acceptance) that depend on reverse lookups.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/PTR/write":{"id":"Microsoft.Network/dnszones/PTR/write","name":"DNS PTR record set","scope":"HIGH","parent":{"notes":"Write access lets an attacker control reverse-DNS resolution to spoof identity/bypass reverse-lookup checks; delete disrupts reverse-lookup-dependent services.","description":"Azure DNS PTR (reverse-DNS) record set mapping IP addresses back to hostnames within a DNS zone. Used for reverse lookups that services such as mail acceptance rely on."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/replacing the PTR record set lets an attacker control reverse-DNS resolution to spoof trusted hostnames (e.g. for mail reputation/FCrDNS) and manipulate routing-adjacent trust data.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/SRV/delete":{"id":"Microsoft.Network/dnszones/SRV/delete","name":"DNS SRV record set","scope":"HIGH","parent":{"notes":"DNS record data is published and resolvable by design (public); write/delete control determines where service-discovery clients are routed.","description":"An authoritative DNS SRV record set within an Azure public DNS zone. SRV records advertise the host and port that back named services (e.g. SIP, LDAP, autodiscover) for the domain."},"risks":["destruction:network"],"notes":"Deleting the SRV record set removes service-location records so dependent clients can no longer resolve the named services, causing denial-of-service.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/SRV/write":{"id":"Microsoft.Network/dnszones/SRV/write","name":"DNS SRV record set","scope":"HIGH","parent":{"notes":"DNS record data is published and resolvable by design (public); write/delete control determines where service-discovery clients are routed.","description":"An authoritative DNS SRV record set within an Azure public DNS zone. SRV records advertise the host and port that back named services (e.g. SIP, LDAP, autodiscover) for the domain."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/replacing SRV records repoints service-discovery lookups to attacker-controlled hosts/ports, hijacking how clients locate and reach the domain's services.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/TLSA/delete":{"id":"Microsoft.Network/dnszones/TLSA/delete","name":"DNS TLSA record set","scope":"HIGH","parent":{"notes":"Public-facing authoritative DNS for a single domain function; write/delete affects which TLS certificates are accepted for the domain's services.","description":"A TLSA (DANE) record set in an Azure public DNS zone. TLSA records publish which TLS certificate/public-key is trusted for a service name on the domain."},"risks":["destruction:network","destruction:defense"],"notes":"Deleting the TLSA record set removes a public DNS network component and the DANE certificate-pinning defense, weakening TLS trust enforcement and enabling certificate substitution.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/TLSA/write":{"id":"Microsoft.Network/dnszones/TLSA/write","name":"DNS TLSA record set","scope":"HIGH","parent":{"notes":"Public-facing authoritative DNS for a single domain function; write/delete affects which TLS certificates are accepted for the domain's services.","description":"A TLSA (DANE) record set in an Azure public DNS zone. TLSA records publish which TLS certificate/public-key is trusted for a service name on the domain."},"risks":["takeover:domain","impact:manipulation","destruction:defense"],"notes":"Creating/updating TLSA/DANE records rebinds which TLS certificate is trusted for the domain, letting an attacker authorize a rogue certificate to intercept/hijack TLS connections and tamper with the certificate-pinning defense.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/TXT/delete":{"id":"Microsoft.Network/dnszones/TXT/delete","name":"DNS TXT record set","scope":"HIGH","parent":{"notes":"DNS record data is published and resolvable by design (public), but write/delete control over it governs how an organizational domain attests trust and routes mail/services.","description":"An authoritative DNS TXT record set within an Azure public DNS zone. TXT records hold free-form text used for SPF/DKIM/DMARC email-authentication policy and third-party domain-ownership verification tokens."},"risks":["destruction:network"],"notes":"Deleting the TXT record set removes SPF/DKIM/DMARC and verification records, breaking email authentication and domain-validation flows for the domain (a DoS against the affected functions).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/TXT/write":{"id":"Microsoft.Network/dnszones/TXT/write","name":"DNS TXT record set","scope":"HIGH","parent":{"notes":"DNS record data is published and resolvable by design (public), but write/delete control over it governs how an organizational domain attests trust and routes mail/services.","description":"An authoritative DNS TXT record set within an Azure public DNS zone. TXT records hold free-form text used for SPF/DKIM/DMARC email-authentication policy and third-party domain-ownership verification tokens."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/replacing TXT records lets an attacker forge domain-ownership verification tokens (to issue certs or claim SaaS tenants) and rewrite SPF/DKIM/DMARC, asserting control over the domain's trust attestation and email-auth posture.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/delete":{"id":"Microsoft.Network/dnszones/delete","name":"DNS zone","scope":"HIGH","parent":{"notes":"Control over a DNS zone governs name resolution for the domain and thus traffic destination for every service under it.","description":"An Azure public DNS zone is the authoritative DNS hosting resource for a domain or subdomain, containing the record sets that resolve names for that namespace."},"risks":["destruction:network","impact:dos","takeover:domain"],"notes":"Deleting the zone destroys all authoritative DNS for the domain (taking down every record set), causing resolution outage and freeing the namespace for dangling-domain re-registration/takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/dnszones/write":{"id":"Microsoft.Network/dnszones/write","name":"DNS zone","scope":"HIGH","parent":{"notes":"Control over a DNS zone governs name resolution for the domain and thus traffic destination for every service under it.","description":"An Azure public DNS zone is the authoritative DNS hosting resource for a domain or subdomain, containing the record sets that resolve names for that namespace."},"risks":["takeover:domain","impact:manipulation"],"notes":"Create-or-update lets an attacker provision or control the authoritative zone for a domain, enabling control over how that domain/subdomain is resolved (domain takeover) and manipulation of zone configuration; note this operation alters only zone-level properties/tags, not the record sets (a separate operation).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRouteCircuits/authorizations/addAuthorization/action":{"id":"Microsoft.Network/expressRouteCircuits/authorizations/addAuthorization/action","name":"ExpressRoute circuit authorizations","scope":"HIGH","parent":{"notes":"Authorization keys are connection credentials: holding one lets a party peer their own gateway onto the private circuit, so they are sensitive credential material for a single production network function.","description":"An ExpressRoute circuit authorization is a grant (with an associated authorization key) that permits a virtual network gateway to link into a private ExpressRoute circuit, providing hybrid/private connectivity between Azure and on-premises or other networks."},"risks":["escalation:network","persistence:account","impact:manipulation"],"notes":"Creates a new authorization, generating a redeemable authorization key that lets an attacker link their own gateway/VNet into the private circuit and establish a durable connectivity grant.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRouteCircuits/authorizations/authorizationKey/action":{"id":"Microsoft.Network/expressRouteCircuits/authorizations/authorizationKey/action","name":"ExpressRoute circuit authorizations","scope":"CRITICAL","parent":{"notes":"Authorization keys are connection credentials: holding one lets a party peer their own gateway onto the private circuit, so they are sensitive credential material for a single production network function.","description":"An ExpressRoute circuit authorization is a grant (with an associated authorization key) that permits a virtual network gateway to link into a private ExpressRoute circuit, providing hybrid/private connectivity between Azure and on-premises or other networks."},"risks":["exfiltration:crypto","escalation:network"],"notes":"This action returns the secret authorization key — credential material an attacker redeems to attach their own gateway onto the private circuit and reach the connected network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRouteCircuits/authorizations/getAuthorization/action":{"id":"Microsoft.Network/expressRouteCircuits/authorizations/getAuthorization/action","name":"ExpressRoute circuit authorizations","scope":"CRITICAL","parent":{"notes":"Authorization keys are connection credentials: holding one lets a party peer their own gateway onto the private circuit, so they are sensitive credential material for a single production network function.","description":"An ExpressRoute circuit authorization is a grant (with an associated authorization key) that permits a virtual network gateway to link into a private ExpressRoute circuit, providing hybrid/private connectivity between Azure and on-premises or other networks."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Returns the authorization together with its authorization key (displayName explicitly 'with Authorization Key'), disclosing the credential an attacker uses to attach a gateway onto the private circuit.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRouteCircuits/authorizations/listKeys/action":{"id":"Microsoft.Network/expressRouteCircuits/authorizations/listKeys/action","name":"ExpressRoute circuit authorizations","scope":"CRITICAL","parent":{"notes":"Authorization keys are connection credentials: holding one lets a party peer their own gateway onto the private circuit, so they are sensitive credential material for a single production network function.","description":"An ExpressRoute circuit authorization is a grant (with an associated authorization key) that permits a virtual network gateway to link into a private ExpressRoute circuit, providing hybrid/private connectivity between Azure and on-premises or other networks."},"risks":["exfiltration:crypto","escalation:network"],"notes":"A listKeys-style action returning the secret authorization key — credential material an attacker redeems to peer their own gateway onto the private circuit.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRouteCircuits/authorizations/delete":{"id":"Microsoft.Network/expressRouteCircuits/authorizations/delete","name":"ExpressRoute circuit authorizations","scope":"HIGH","parent":{"notes":"Authorization keys are connection credentials: holding one lets a party peer their own gateway onto the private circuit, so they are sensitive credential material for a single production network function.","description":"An ExpressRoute circuit authorization is a grant (with an associated authorization key) that permits a virtual network gateway to link into a private ExpressRoute circuit, providing hybrid/private connectivity between Azure and on-premises or other networks."},"risks":["destruction:network","impact:dos"],"notes":"Deleting an authorization removes the connectivity grant, severing legitimate gateway connections that depend on it and disrupting the private/hybrid link.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRouteCircuits/authorizations/write":{"id":"Microsoft.Network/expressRouteCircuits/authorizations/write","name":"ExpressRoute circuit authorizations","scope":"HIGH","parent":{"notes":"Authorization keys are connection credentials: holding one lets a party peer their own gateway onto the private circuit, so they are sensitive credential material for a single production network function.","description":"An ExpressRoute circuit authorization is a grant (with an associated authorization key) that permits a virtual network gateway to link into a private ExpressRoute circuit, providing hybrid/private connectivity between Azure and on-premises or other networks."},"risks":["escalation:network","impact:manipulation","persistence:account"],"notes":"Creating/updating an authorization mints a new authorization key an attacker can redeem to link their own gateway/VNet onto the private circuit, granting network movement and establishing a durable connectivity grant.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRouteCircuits/listAuthorizations/action":{"id":"Microsoft.Network/expressRouteCircuits/listAuthorizations/action","name":"ExpressRoute circuit","scope":"HIGH","parent":{"notes":"Production hybrid-connectivity infrastructure supporting a single organizational function's network reach; its authorization keys are connectivity credentials.","description":"An ExpressRoute circuit is a dedicated private connectivity resource linking on-premises networks to Azure through a connectivity provider, bypassing the public internet."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Returns the circuit authorization keys (credential material) that let an external party peer their own VNet/gateway onto the circuit, enabling credential exfiltration and unauthorized network movement onto the connected network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRouteLags/authorizations/listKeys/action":{"id":"Microsoft.Network/expressRouteLags/authorizations/listKeys/action","name":"ExpressRoute LAG authorizations","scope":"HIGH","parent":{"notes":"The authorization key is a credential that lets a circuit link into the private network; the authorization object's read path returns only metadata, not the key.","description":"ExpressRoute LAG authorizations are authorization objects (with associated authorization keys) that permit circuits to cross-connect into a dedicated ExpressRoute LAG."},"risks":["exfiltration:crypto","escalation:network"],"notes":"This action returns the ExpressRoute AuthorizationKey, credential material an attacker can export and redeem to cross-connect a circuit into the organization's private network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRoutePorts/authorizations/authorizationKey/action":{"id":"Microsoft.Network/expressRoutePorts/authorizations/authorizationKey/action","name":"ExpressRoute Ports authorizations","scope":"HIGH","parent":{"notes":"The authorization key is effectively a network-access credential: holding it lets a party attach a circuit and gain access onto the organization's private ExpressRoute connectivity.","description":"An ExpressRoute Ports authorization is a grant on a dedicated ExpressRoute port that permits an ExpressRoute circuit to be linked to that port; it carries an authorization key used to redeem the link."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Returns the authorization key, a credential that can be redeemed to connect a circuit to the port, enabling network movement onto the private connectivity.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRoutePorts/authorizations/getAuthorization/action":{"id":"Microsoft.Network/expressRoutePorts/authorizations/getAuthorization/action","name":"ExpressRoute Ports authorizations","scope":"HIGH","parent":{"notes":"The authorization key is effectively a network-access credential: holding it lets a party attach a circuit and gain access onto the organization's private ExpressRoute connectivity.","description":"An ExpressRoute Ports authorization is a grant on a dedicated ExpressRoute port that permits an ExpressRoute circuit to be linked to that port; it carries an authorization key used to redeem the link."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Retrieves the authorization together with its authorization key, exposing the credential needed to attach a circuit to the port and move onto the private network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRoutePorts/authorizations/listKeys/action":{"id":"Microsoft.Network/expressRoutePorts/authorizations/listKeys/action","name":"ExpressRoute Ports authorizations","scope":"HIGH","parent":{"notes":"The authorization key is effectively a network-access credential: holding it lets a party attach a circuit and gain access onto the organization's private ExpressRoute connectivity.","description":"An ExpressRoute Ports authorization is a grant on a dedicated ExpressRoute port that permits an ExpressRoute circuit to be linked to that port; it carries an authorization key used to redeem the link."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Returns the authorization key secret, which can be redeemed to connect a circuit to the port, enabling network movement onto the private connectivity.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/expressRoutePorts/listAuthorizations/action":{"id":"Microsoft.Network/expressRoutePorts/listAuthorizations/action","name":"ExpressRoute ports","scope":"CRITICAL","parent":{"notes":"Production hybrid-connectivity infrastructure supporting a single organizational function; compromise can disrupt or expose private network traffic.","description":"ExpressRoute ports (ExpressRoute Direct) are dedicated physical network connectivity resources that provide high-bandwidth private links between an organization's on-premises network and Azure at a peering location."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Returns ExpressRoute port authorization keys — credential material that lets an attacker provision and peer their own circuits onto the dedicated private network fabric.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/firewallPolicies/certificates/action":{"id":"Microsoft.Network/firewallPolicies/certificates/action","name":"Firewall Policy","scope":"HIGH","parent":{"notes":"The policy is the enforced network access-control and defense ruleset protecting a network function; its configuration and associated certificate material are security-sensitive.","description":"An Azure Firewall Policy is the centralized configuration of network/application rule collections, NAT rules, threat intelligence, and TLS-inspection settings governing traffic for one or more Azure Firewalls."},"risks":["exfiltration:crypto"],"notes":"Generates the intermediate CA/TLS-inspection certificate material the firewall trusts, exposing cryptographic material usable to intercept and decrypt inspected TLS traffic.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/frontDoors/frontendEndpoints/delete":{"id":"Microsoft.Network/frontDoors/frontendEndpoints/delete","name":"Front Door frontend endpoints","scope":"HIGH","parent":{"notes":"Frontend endpoints are the public ingress/domain binding of the edge; controlling them governs domain routing and the public-facing presence of an application.","description":"A Front Door frontend endpoint defines the public hostnames/custom domains and TLS configuration that the Azure Front Door edge answers for."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a frontend endpoint removes the public entry hostname/domain binding, making the service unreachable (DoS).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/frontDoors/frontendEndpoints/write":{"id":"Microsoft.Network/frontDoors/frontendEndpoints/write","name":"Front Door frontend endpoints","scope":"HIGH","parent":{"notes":"Frontend endpoints are the public ingress/domain binding of the edge; controlling them governs domain routing and the public-facing presence of an application.","description":"A Front Door frontend endpoint defines the public hostnames/custom domains and TLS configuration that the Azure Front Door edge answers for."},"risks":["takeover:domain","impact:defacement","impact:manipulation"],"notes":"Creating/updating a frontend endpoint binds/alters the custom domains/hostnames Front Door answers for, enabling domain/subdomain hijack and alteration of the public-facing surface.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/frontDoors/delete":{"id":"Microsoft.Network/frontDoors/delete","name":"Front Door","scope":"HIGH","parent":{"notes":"A public-facing edge/routing layer; write access can hijack or deface traffic for the fronted application.","description":"Azure Front Door (classic) is a global edge/CDN application-delivery service that manages public-facing routing rules, frontend endpoints/custom domains, and backend pools."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a Front Door removes the global edge/routing/CDN front-end, tearing down a network component and causing denial of service for the fronted public application.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/frontDoors/write":{"id":"Microsoft.Network/frontDoors/write","name":"Front Door","scope":"HIGH","parent":{"notes":"A public-facing edge/routing layer; write access can hijack or deface traffic for the fronted application.","description":"Azure Front Door (classic) is a global edge/CDN application-delivery service that manages public-facing routing rules, frontend endpoints/custom domains, and backend pools."},"risks":["impact:manipulation","takeover:domain","impact:defacement"],"notes":"Creating/updating a Front Door lets an attacker alter routing rules, frontend endpoints/custom domains, and backend pools, enabling traffic rerouting (domain takeover), defacement of public content, and manipulation of delivery configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/ipGroups/join/action":{"id":"Microsoft.Network/ipGroups/join/action","name":"IP Group","scope":"HIGH","parent":{"notes":"An IP Group is referenced by firewall/NSG rules; changing its ranges silently reshapes every rule that references it, making it a policy-bearing object.","description":"An IP Group is a reusable named set of IP addresses/ranges referenced by Azure Firewall and NSG rules, letting many rules share a single maintained address list."},"risks":["escalation:network"],"notes":"Joining an IP Group lets a principal reference/attach the group into firewall or NSG rules it does not otherwise control, bypassing the segmentation control that gates which address lists a rule may use; flagged Not Alertable.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/ipGroups/write":{"id":"Microsoft.Network/ipGroups/write","name":"IP Group","scope":"HIGH","parent":{"notes":"An IP Group is referenced by firewall/NSG rules; changing its ranges silently reshapes every rule that references it, making it a policy-bearing object.","description":"An IP Group is a reusable named set of IP addresses/ranges referenced by Azure Firewall and NSG rules, letting many rules share a single maintained address list."},"risks":["destruction:policy","impact:manipulation"],"notes":"Creating/updating an IP Group rewrites the address ranges that referencing firewall/NSG rules enforce; an attacker can silently widen an allow-list (e.g. add attacker IPs) across every rule that consumes the group, weakening the effective policy.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/ipGroups/delete":{"id":"Microsoft.Network/ipGroups/delete","name":"IP Group","scope":"HIGH","parent":{"notes":"An IP Group is referenced by firewall/NSG rules; changing its ranges silently reshapes every rule that references it, making it a policy-bearing object.","description":"An IP Group is a reusable named set of IP addresses/ranges referenced by Azure Firewall and NSG rules, letting many rules share a single maintained address list."},"risks":["impact:dos"],"notes":"Deleting an IP Group removes the address list that referencing firewall/NSG rules depend on, breaking or degrading those rules and the traffic they govern.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/loadBalancers/backendAddressPools/join/action":{"id":"Microsoft.Network/loadBalancers/backendAddressPools/join/action","name":"Load balancer backend address pool","scope":"HIGH","parent":{"notes":"The backend pool determines where a load balancer forwards traffic; altering its membership can redirect client traffic to attacker-controlled targets or remove legitimate ones.","description":"A backend address pool is the set of target addresses (VMs, NICs, or IPs) that an Azure load balancer distributes incoming traffic to."},"risks":["escalation:network"],"notes":"Joining a backend address pool lets a principal attach a resource (e.g. an attacker-controlled NIC/VM) into the pool it does not otherwise control, placing it behind the load balancer to receive fronted traffic; flagged Not Alertable.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/loadBalancers/backendAddressPools/updateAdminState/action":{"id":"Microsoft.Network/loadBalancers/backendAddressPools/updateAdminState/action","name":"Load balancer backend address pool","scope":"HIGH","parent":{"notes":"The backend pool determines where a load balancer forwards traffic; altering its membership can redirect client traffic to attacker-controlled targets or remove legitimate ones.","description":"A backend address pool is the set of target addresses (VMs, NICs, or IPs) that an Azure load balancer distributes incoming traffic to."},"risks":["impact:dos"],"notes":"Updates the admin state of backend addresses, letting an attacker forcibly mark legitimate backends down so the load balancer stops forwarding to them, denying service.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/loadBalancers/backendAddressPools/write":{"id":"Microsoft.Network/loadBalancers/backendAddressPools/write","name":"Load balancer backend address pool","scope":"HIGH","parent":{"notes":"The backend pool determines where a load balancer forwards traffic; altering its membership can redirect client traffic to attacker-controlled targets or remove legitimate ones.","description":"A backend address pool is the set of target addresses (VMs, NICs, or IPs) that an Azure load balancer distributes incoming traffic to."},"risks":["escalation:network","exfiltration:data","impact:manipulation"],"notes":"Creating/updating the pool lets an attacker add attacker-controlled backends (receiving client traffic fronted by the load balancer) or remove legitimate backends, enabling traffic redirection/interception and manipulation of which targets serve the service.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/loadBalancers/backendAddressPools/delete":{"id":"Microsoft.Network/loadBalancers/backendAddressPools/delete","name":"Load balancer backend address pool","scope":"HIGH","parent":{"notes":"The backend pool determines where a load balancer forwards traffic; altering its membership can redirect client traffic to attacker-controlled targets or remove legitimate ones.","description":"A backend address pool is the set of target addresses (VMs, NICs, or IPs) that an Azure load balancer distributes incoming traffic to."},"risks":["impact:dos"],"notes":"Deleting the backend pool removes the set of targets the load balancer forwards to, denying service to the fronted application.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/loadBalancers/delete":{"id":"Microsoft.Network/loadBalancers/delete","name":"Load Balancer","scope":"HIGH","parent":{"notes":"Sits in the path of live production traffic for the backend pool it serves; write access lets an attacker redirect that traffic to attacker-controlled backends. Rated HIGH rather than CRITICAL because impact is scoped to the traffic routed through this specific load balancer rather than whole-network segmentation.","description":"Azure Load Balancer distributes inbound/outbound traffic across a pool of backend instances (VMs) using load-balancing and NAT rules."},"risks":["destruction:network","impact:dos"],"notes":"Deletes the load balancer, removing the traffic-distribution front end and causing outage for every backend it serves.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/loadBalancers/write":{"id":"Microsoft.Network/loadBalancers/write","name":"Load Balancer","scope":"HIGH","parent":{"notes":"Sits in the path of live production traffic for the backend pool it serves; write access lets an attacker redirect that traffic to attacker-controlled backends. Rated HIGH rather than CRITICAL because impact is scoped to the traffic routed through this specific load balancer rather than whole-network segmentation.","description":"Azure Load Balancer distributes inbound/outbound traffic across a pool of backend instances (VMs) using load-balancing and NAT rules."},"risks":["exfiltration:data","escalation:network"],"notes":"Creating or updating load-balancing/NAT rules or backend pool membership lets an attacker redirect live production traffic to attacker-controlled backend instances.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action":{"id":"Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action","name":"Network Interface effective network security groups","scope":"MEDIUM","parent":{"notes":"Read-only reconnaissance of security posture; scoped down from the base HIGH rating since it discloses security-group metadata rather than enabling traffic manipulation.","description":"Returns the effective network security groups (NSGs) applied to a network interface, merging subnet- and NIC-level associations."},"risks":["discovery:network"],"notes":"Reveals the live effective NSG rules protecting the VM's network path, exposing which ports/protocols are open and aiding planning of a network-based attack.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkInterfaces/effectiveRouteTable/action":{"id":"Microsoft.Network/networkInterfaces/effectiveRouteTable/action","name":"Network Interface effective route table","scope":"MEDIUM","parent":{"notes":"Read-only reconnaissance of routing posture; scoped down from the base HIGH rating since it discloses routing metadata rather than enabling traffic manipulation.","description":"Returns the effective route table applied to the VM attached to a network interface."},"risks":["discovery:network"],"notes":"Reveals the live effective routes for the VM's network path, exposing network topology useful for planning lateral movement or traffic interception.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkInterfaces/join/action":{"id":"Microsoft.Network/networkInterfaces/join/action","name":"Network Interface join","scope":"HIGH","parent":{"notes":"Controls which VMs can be attached into the network segment reachable via this NIC's subnet.","description":"Joins a virtual machine to a network interface, attaching that NIC (and its IP configuration/subnet placement) to the VM."},"risks":["escalation:network","escalation:lateral"],"notes":"Holding join rights on a NIC scoped to a shared or sensitive subnet lets an attacker attach an attacker-controlled VM's NIC into that network segment, gaining lateral network access. Not Alertable.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkInterfaces/tapConfigurations/delete":{"id":"Microsoft.Network/networkInterfaces/tapConfigurations/delete","name":"Network Interface Tap Configuration","scope":"HIGH","parent":{"notes":"Traffic-mirroring configuration on a production NIC; when created it enables wholesale interception of in-transit data for that interface.","description":"A Network Interface Tap Configuration attaches a Virtual Network TAP to a network interface, causing all of that NIC's traffic to be mirrored to a collector destination."},"risks":["destruction:network"],"notes":"Deleting the tap configuration removes the traffic-mirroring component from the interface, which can also tear down a legitimate monitoring/IDS feed attached to it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkInterfaces/tapConfigurations/write":{"id":"Microsoft.Network/networkInterfaces/tapConfigurations/write","name":"Network Interface Tap Configuration","scope":"HIGH","parent":{"notes":"Traffic-mirroring configuration on a production NIC; when created it enables wholesale interception of in-transit data for that interface.","description":"A Network Interface Tap Configuration attaches a Virtual Network TAP to a network interface, causing all of that NIC's traffic to be mirrored to a collector destination."},"risks":["collection:data","exfiltration:data"],"notes":"Creating the tap configuration mirrors all of the NIC's traffic to an attacker-chosen collector, enabling continuous, automated interception and exfiltration of in-flight data.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkInterfaces/delete":{"id":"Microsoft.Network/networkInterfaces/delete","name":"Network Interface","scope":"HIGH","parent":{"notes":"Carries the live IP configuration and security-group binding for a single VM's network attachment; write access can redirect its traffic or strip its security controls. Rated HIGH rather than CRITICAL because impact is scoped to the traffic/VM attached to this specific interface rather than whole-network segmentation.","description":"A network interface (NIC) is the virtual networking component that connects a VM to a subnet, carrying its private/public IP configuration and network security group association."},"risks":["destruction:network","impact:dos"],"notes":"Deletes the network interface, detaching it from its VM and causing loss of network connectivity for that VM.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkInterfaces/write":{"id":"Microsoft.Network/networkInterfaces/write","name":"Network Interface","scope":"HIGH","parent":{"notes":"Carries the live IP configuration and security-group binding for a single VM's network attachment; write access can redirect its traffic or strip its security controls. Rated HIGH rather than CRITICAL because impact is scoped to the traffic/VM attached to this specific interface rather than whole-network segmentation.","description":"A network interface (NIC) is the virtual networking component that connects a VM to a subnet, carrying its private/public IP configuration and network security group association."},"risks":["destruction:network","escalation:network"],"notes":"Updating an existing NIC's IP configuration or NSG association can move its traffic to attacker-controlled infrastructure or disable the security-group protections attached to it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkManagers/commit/action":{"id":"Microsoft.Network/networkManagers/commit/action","name":"Network Manager","scope":"CRITICAL","parent":{"notes":"A single manager governs connectivity and security-admin rules across many VNets simultaneously; security-admin rules override per-VNet NSGs, so control of the manager is an org-wide policy/segmentation blast-radius multiplier, warranting CRITICAL.","description":"Azure Virtual Network Manager is a centralized governance layer that authors and pushes connectivity configurations and security-admin rules across many VNets at once within a defined network group scope."},"risks":["escalation:network","destruction:policy","impact:manipulation"],"notes":"Commit deploys the staged connectivity/security-admin configuration across the managed VNet scope, actually taking effect; an attacker can punch connectivity between many VNets (lateral movement) or override per-VNet NSG rules org-wide in a single operation.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkManagers/ipamPools/write":{"id":"Microsoft.Network/networkManagers/ipamPools/write","name":"Network Manager IPAM pool","scope":"MEDIUM","parent":{"notes":"Primarily an address-space inventory/management object; abuse is limited to allocation manipulation that can cause routing/overlap problems rather than direct data or policy compromise.","description":"An IPAM pool within Azure Virtual Network Manager is a managed reservation of IP address space from which Azure and non-Azure resources draw non-overlapping allocations."},"risks":["impact:manipulation","impact:dos"],"notes":"Creating/updating a pool alters the managed address space; overlapping or reshaped ranges can break allocation logic and induce routing/addressing conflicts for resources drawing from the pool.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkManagers/ipamPools/delete":{"id":"Microsoft.Network/networkManagers/ipamPools/delete","name":"Network Manager IPAM pool","scope":"MEDIUM","parent":{"notes":"Primarily an address-space inventory/management object; abuse is limited to allocation manipulation that can cause routing/overlap problems rather than direct data or policy compromise.","description":"An IPAM pool within Azure Virtual Network Manager is a managed reservation of IP address space from which Azure and non-Azure resources draw non-overlapping allocations."},"risks":["impact:dos"],"notes":"Deleting a pool removes the address-space reservation that dependent resources allocate from, disrupting provisioning and addressing.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkManagers/listActiveConnectivityConfigurations/action":{"id":"Microsoft.Network/networkManagers/listActiveConnectivityConfigurations/action","name":"Network Manager","scope":"MEDIUM","parent":{"notes":"A single manager governs connectivity and security-admin rules across many VNets simultaneously; security-admin rules override per-VNet NSGs, so control of the manager is an org-wide policy/segmentation blast-radius multiplier, warranting CRITICAL.","description":"Azure Virtual Network Manager is a centralized governance layer that authors and pushes connectivity configurations and security-admin rules across many VNets at once within a defined network group scope."},"risks":["discovery:network"],"notes":"Lists the connectivity configurations currently in effect across the managed VNet scope, revealing which VNets are meshed/hub-connected and thus the reachable network topology for lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkManagers/listActiveSecurityAdminRules/action":{"id":"Microsoft.Network/networkManagers/listActiveSecurityAdminRules/action","name":"Network Manager","scope":"MEDIUM","parent":{"notes":"A single manager governs connectivity and security-admin rules across many VNets simultaneously; security-admin rules override per-VNet NSGs, so control of the manager is an org-wide policy/segmentation blast-radius multiplier, warranting CRITICAL.","description":"Azure Virtual Network Manager is a centralized governance layer that authors and pushes connectivity configurations and security-admin rules across many VNets at once within a defined network group scope."},"risks":["discovery:network"],"notes":"Lists the security-admin rules currently in effect across the managed VNet scope, disclosing the org-wide enforced firewall posture an attacker can use to find gaps.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkManagers/listActiveSecurityUserRules/action":{"id":"Microsoft.Network/networkManagers/listActiveSecurityUserRules/action","name":"Network Manager","scope":"MEDIUM","parent":{"notes":"A single manager governs connectivity and security-admin rules across many VNets simultaneously; security-admin rules override per-VNet NSGs, so control of the manager is an org-wide policy/segmentation blast-radius multiplier, warranting CRITICAL.","description":"Azure Virtual Network Manager is a centralized governance layer that authors and pushes connectivity configurations and security-admin rules across many VNets at once within a defined network group scope."},"risks":["discovery:network"],"notes":"Lists the security-user rules currently in effect across the managed VNet scope, disclosing the enforced network filtering posture an attacker can use to find gaps.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkManagers/write":{"id":"Microsoft.Network/networkManagers/write","name":"Network Manager","scope":"CRITICAL","parent":{"notes":"A single manager governs connectivity and security-admin rules across many VNets simultaneously; security-admin rules override per-VNet NSGs, so control of the manager is an org-wide policy/segmentation blast-radius multiplier, warranting CRITICAL.","description":"Azure Virtual Network Manager is a centralized governance layer that authors and pushes connectivity configurations and security-admin rules across many VNets at once within a defined network group scope."},"risks":["escalation:network","destruction:policy","impact:manipulation"],"notes":"Creating/updating a manager lets an attacker author connectivity and security-admin rule configurations (which override NSGs) across the managed VNet scope; the configuration is staged here and takes effect on commit.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkManagers/delete":{"id":"Microsoft.Network/networkManagers/delete","name":"Network Manager","scope":"CRITICAL","parent":{"notes":"A single manager governs connectivity and security-admin rules across many VNets simultaneously; security-admin rules override per-VNet NSGs, so control of the manager is an org-wide policy/segmentation blast-radius multiplier, warranting CRITICAL.","description":"Azure Virtual Network Manager is a centralized governance layer that authors and pushes connectivity configurations and security-admin rules across many VNets at once within a defined network group scope."},"risks":["destruction:policy","impact:dos"],"notes":"Deleting a manager tears down the centralized connectivity/security-admin governance across all managed VNets, removing org-wide security policy and disrupting the connectivity it maintained.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkProfiles/removeContainers/action":{"id":"Microsoft.Network/networkProfiles/removeContainers/action","name":"Network Profile","scope":"HIGH","parent":{"notes":"Controls how container workloads are wired into the VNet; manipulation can place attacker workloads on the network or reattach existing ones into different segments.","description":"A Network Profile defines container networking configuration (container network interfaces and their subnet/IP settings) used to attach container workloads to a VNet."},"risks":["impact:dos"],"notes":"Detaches container groups from the profile's network configuration, cutting the network connectivity of the affected container workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkProfiles/setContainers/action":{"id":"Microsoft.Network/networkProfiles/setContainers/action","name":"Network Profile","scope":"HIGH","parent":{"notes":"Controls how container workloads are wired into the VNet; manipulation can place attacker workloads on the network or reattach existing ones into different segments.","description":"A Network Profile defines container networking configuration (container network interfaces and their subnet/IP settings) used to attach container workloads to a VNet."},"risks":["escalation:network","impact:manipulation"],"notes":"Attaches container groups to the profile's network configuration, placing container workloads into a chosen VNet segment and thereby gaining network reach; setNetworkInterfaces is an equivalent attach operation at the NIC level carrying the same risk.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkProfiles/setNetworkInterfaces/action":{"id":"Microsoft.Network/networkProfiles/setNetworkInterfaces/action","name":"Network Profile","scope":"HIGH","parent":{"notes":"Controls how container workloads are wired into the VNet; manipulation can place attacker workloads on the network or reattach existing ones into different segments.","description":"A Network Profile defines container networking configuration (container network interfaces and their subnet/IP settings) used to attach container workloads to a VNet."},"risks":["escalation:network","impact:manipulation"],"notes":"Sets the container network interfaces bound to the profile, wiring workloads into a chosen VNet segment and altering the intended networking configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkProfiles/write":{"id":"Microsoft.Network/networkProfiles/write","name":"Network Profile","scope":"HIGH","parent":{"notes":"Controls how container workloads are wired into the VNet; manipulation can place attacker workloads on the network or reattach existing ones into different segments.","description":"A Network Profile defines container networking configuration (container network interfaces and their subnet/IP settings) used to attach container workloads to a VNet."},"risks":["escalation:network","impact:manipulation"],"notes":"Creating/updating a profile defines the container NIC/subnet wiring; an attacker can attach container workloads into a chosen VNet segment, gaining network reach and altering the intended networking configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkProfiles/delete":{"id":"Microsoft.Network/networkProfiles/delete","name":"Network Profile","scope":"HIGH","parent":{"notes":"Controls how container workloads are wired into the VNet; manipulation can place attacker workloads on the network or reattach existing ones into different segments.","description":"A Network Profile defines container networking configuration (container network interfaces and their subnet/IP settings) used to attach container workloads to a VNet."},"risks":["impact:dos"],"notes":"Deleting a profile removes the container networking configuration that dependent container workloads rely on, disrupting their connectivity.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkSecurityGroups/join/action":{"id":"Microsoft.Network/networkSecurityGroups/join/action","name":"Network security group join","scope":"HIGH","parent":{"notes":"An NSG is a perimeter/segmentation control, not a data store itself, but it gates network access to every resource attached to it; misconfiguring one can expose or cut off an entire subnet's worth of workloads, so scope is rated on par with other perimeter-control assets in this provider rather than CRITICAL, which is reserved for tenant-wide IAM/policy objects.","description":"A Network Security Group (NSG) is a stateful packet filter that contains ordered allow/deny rules applied to the network interfaces and subnets it is associated with, controlling inbound and outbound traffic for the resources behind it."},"risks":["escalation:network"],"notes":"Azure requires this permission on the NSG itself before a principal can attach a NIC/subnet to it, specifically so that a principal with only narrow \"create resource\" rights cannot silently exempt their own resources from security policy they don't control. Holding join lets an attacker attach an attacker-controlled interface/subnet so it inherits (or is deliberately left out of) that NSG's rules, or attach a sanctioned resource to a weaker/attacker-modified NSG, bypassing intended segmentation.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkSecurityGroups/delete":{"id":"Microsoft.Network/networkSecurityGroups/delete","name":"Network security group","scope":"HIGH","parent":{"notes":"An NSG is a perimeter/segmentation control, not a data store itself, but it gates network access to every resource attached to it; misconfiguring one can expose or cut off an entire subnet's worth of workloads, so scope is rated on par with other perimeter-control assets in this provider (traffic-mirroring taps, traffic routing profiles) rather than CRITICAL, which is reserved for tenant-wide IAM/policy objects.","description":"A Network Security Group (NSG) is a stateful packet filter that contains ordered allow/deny rules applied to the network interfaces and subnets it is associated with, controlling inbound and outbound traffic for the resources behind it."},"risks":["destruction:policy","impact:dos"],"notes":"Deleting an NSG removes all its filter rules at once, stripping the associated interfaces/subnets of their access controls (opening them up) or breaking connectivity that depended on an allow rule (denial of service).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkSecurityGroups/write":{"id":"Microsoft.Network/networkSecurityGroups/write","name":"Network security group","scope":"HIGH","parent":{"notes":"An NSG is a perimeter/segmentation control, not a data store itself, but it gates network access to every resource attached to it; misconfiguring one can expose or cut off an entire subnet's worth of workloads, so scope is rated on par with other perimeter-control assets in this provider (traffic-mirroring taps, traffic routing profiles) rather than CRITICAL, which is reserved for tenant-wide IAM/policy objects.","description":"A Network Security Group (NSG) is a stateful packet filter that contains ordered allow/deny rules applied to the network interfaces and subnets it is associated with, controlling inbound and outbound traffic for the resources behind it."},"risks":["destruction:policy","escalation:network"],"notes":"Creating or updating an NSG's rule set lets an attacker open ingress/egress to internal resources that were previously firewalled off, or close rules to disrupt legitimate traffic; opening access to attacker-reachable resources also enables lateral/network escalation into the segment the NSG protects.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkVirtualAppliances/getBootDiagnosticLogs/action":{"id":"Microsoft.Network/networkVirtualAppliances/getBootDiagnosticLogs/action","name":"Network Virtual Appliance","scope":"HIGH","parent":{"notes":"An NVA sits in the traffic path inspecting/forwarding production traffic; controlling it enables interception, redirection, or disruption of that traffic.","description":"A Network Virtual Appliance (NVA) is a third-party firewall/router VM appliance that inspects and forwards network traffic in a VNet or Virtual WAN hub."},"risks":["exfiltration:logs"],"notes":"Returns the appliance's boot/serial diagnostic logs, which can leak bootstrap secrets, configuration, or credentials emitted during startup.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkVirtualAppliances/reimage/action":{"id":"Microsoft.Network/networkVirtualAppliances/reimage/action","name":"Network Virtual Appliance","scope":"HIGH","parent":{"notes":"An NVA sits in the traffic path inspecting/forwarding production traffic; controlling it enables interception, redirection, or disruption of that traffic.","description":"A Network Virtual Appliance (NVA) is a third-party firewall/router VM appliance that inspects and forwards network traffic in a VNet or Virtual WAN hub."},"risks":["impact:dos","destruction:infra"],"notes":"Reimaging the appliance resets it to a base image, disrupting the traffic it handles and wiping any local appliance state/configuration not preserved externally.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkVirtualAppliances/restart/action":{"id":"Microsoft.Network/networkVirtualAppliances/restart/action","name":"Network Virtual Appliance","scope":"HIGH","parent":{"notes":"An NVA sits in the traffic path inspecting/forwarding production traffic; controlling it enables interception, redirection, or disruption of that traffic.","description":"A Network Virtual Appliance (NVA) is a third-party firewall/router VM appliance that inspects and forwards network traffic in a VNet or Virtual WAN hub."},"risks":["impact:dos"],"notes":"Restarting the appliance interrupts the traffic it inspects/forwards, denying service to dependent flows for the duration of the restart.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkVirtualAppliances/write":{"id":"Microsoft.Network/networkVirtualAppliances/write","name":"Network Virtual Appliance","scope":"HIGH","parent":{"notes":"An NVA sits in the traffic path inspecting/forwarding production traffic; controlling it enables interception, redirection, or disruption of that traffic.","description":"A Network Virtual Appliance (NVA) is a third-party firewall/router VM appliance that inspects and forwards network traffic in a VNet or Virtual WAN hub."},"risks":["escalation:network","exfiltration:data","impact:manipulation"],"notes":"Creating/updating an NVA lets an attacker reconfigure or replace the appliance sitting in the traffic path, redirecting or mirroring in-flight traffic to attacker-controlled destinations and tampering with the forwarding/inspection configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkVirtualAppliances/delete":{"id":"Microsoft.Network/networkVirtualAppliances/delete","name":"Network Virtual Appliance","scope":"HIGH","parent":{"notes":"An NVA sits in the traffic path inspecting/forwarding production traffic; controlling it enables interception, redirection, or disruption of that traffic.","description":"A Network Virtual Appliance (NVA) is a third-party firewall/router VM appliance that inspects and forwards network traffic in a VNet or Virtual WAN hub."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the NVA removes the appliance handling traffic, tearing down a network component and denying service to flows that depend on it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/configureFlowLog/action":{"id":"Microsoft.Network/networkWatchers/configureFlowLog/action","name":"Network Watcher flow log configuration","scope":"MEDIUM","parent":{"notes":"Used both to enable flow logging (collection) and to disable it on an existing target, removing the network traffic audit trail.","description":"Configures NSG flow logging for a target resource, controlling whether network traffic flow records are captured and where they are stored."},"risks":["destruction:logs","destruction:defense"],"notes":"Disabling flow logging on an NSG before or during other malicious network activity removes the traffic-level record that would otherwise reveal that activity, a textbook detection-evasion move. Can also redirect logs to an attacker-controlled storage destination.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/connectivityCheck/action":{"id":"Microsoft.Network/networkWatchers/connectivityCheck/action","name":"Network Watcher connectivity check","scope":"MEDIUM","parent":{"notes":"Read-only, and functionally covers the same recon value as ipFlowVerify (allow/deny check for a specific flow) and nextHop (routing path for a destination), which are not separately documented here as they test the same reachability question from different angles.","description":"Verifies whether a direct TCP connection can be established from a source VM to a given destination (another VM or an arbitrary remote endpoint), reporting reachability, latency, and hop-by-hop path."},"risks":["discovery:network"],"notes":"Lets an attacker use a compromised VM's network position to test reachability to internal or external targets, using Azure's own tooling as a network scanner/pivot-mapping primitive instead of installing scanning tools that might trigger endpoint detection.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/lenses/Query/action":{"id":"Microsoft.Network/networkWatchers/lenses/Query/action","name":"Network Watcher Lens","scope":"MEDIUM","parent":{"notes":"Monitoring/diagnostic resource; captured traffic can contain sensitive in-transit data, but the asset is a supporting observability component rather than a primary production data store.","description":"A Network Watcher Lens is a network traffic monitoring/capture resource that observes and records traffic flowing through a specified endpoint, part of Azure's network diagnostics tooling."},"risks":["exfiltration:data"],"notes":"Querying a Lens returns captured network traffic contents, which can include sensitive in-transit payloads and metadata, enabling exfiltration of the monitored data.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/packetCaptures/delete":{"id":"Microsoft.Network/networkWatchers/packetCaptures/delete","name":"Network Watcher packet captures","scope":"MEDIUM","parent":{"notes":"Captured traffic can contain sensitive in-transit data including credentials, tokens, and application payloads, making the create capability effectively a data-interception tool. Status/configuration reads expose only diagnostic metadata, not the captured payload.","description":"A Network Watcher packet capture is a network diagnostic resource that records live network traffic to and from a target VM/endpoint and writes the captured packets to a storage account or local file."},"risks":["destruction:defense"],"notes":"Deleting a packet capture removes the diagnostic/forensic mechanism and any captured traffic records, eliminating network-traffic visibility used for incident response.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/packetCaptures/write":{"id":"Microsoft.Network/networkWatchers/packetCaptures/write","name":"Network Watcher packet captures","scope":"HIGH","parent":{"notes":"Captured traffic can contain sensitive in-transit data including credentials, tokens, and application payloads, making the create capability effectively a data-interception tool. Status/configuration reads expose only diagnostic metadata, not the captured payload.","description":"A Network Watcher packet capture is a network diagnostic resource that records live network traffic to and from a target VM/endpoint and writes the captured packets to a storage account or local file."},"risks":["exfiltration:data","collection:data","impact:spend"],"notes":"Creating a packet capture records live network traffic from a target resource into attacker-readable storage, enabling interception and automated collection of sensitive in-transit data (credentials, tokens, payloads) while incurring capture/storage cost.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/securityGroupView/action":{"id":"Microsoft.Network/networkWatchers/securityGroupView/action","name":"Network Watcher security group view","scope":"MEDIUM","parent":{"notes":"Read-only, but exposes the effective (post-merge) firewall posture of a VM without requiring direct read access to every NSG in the chain, making it a higher-value reconnaissance primitive than listing NSGs individually.","description":"Returns both the configured and effective network security group rules applied to a target VM's network interfaces, merging NIC-, subnet-, and default-level rules into the rule set actually enforced."},"risks":["discovery:network"],"notes":"Lets an attacker map exactly which inbound/outbound traffic is actually allowed to/from a VM, identifying reachable ports and segmentation gaps to focus follow-on network attacks, without needing to install or run any scanning tooling.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/topology/action":{"id":"Microsoft.Network/networkWatchers/topology/action","name":"Network Watcher topology","scope":"MEDIUM","parent":{"notes":"Read-only. Represents the built-in resource-relationship-mapping entry in Network Watcher's recon toolkit; distinct from the securityGroupView/connectivityCheck actions because it operates at the resource-graph level rather than rule- or path-level.","description":"Returns a network-level view of the resources deployed in a resource group and their relationships (VNets, subnets, NICs, NSGs, public IPs, load balancers, and how they connect)."},"risks":["discovery:network","discovery:infra"],"notes":"Gives an attacker a ready-made map of a resource group's network architecture and resource relationships, materially speeding up reconnaissance of an unfamiliar environment compared to enumerating each resource type individually.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/delete":{"id":"Microsoft.Network/networkWatchers/delete","name":"Network Watcher","scope":"MEDIUM","parent":{"notes":"Network Watcher is a monitoring/diagnostics control-plane resource, not a data store; its main risk is as an evasion vector (disabling flow logging, removing the resource) and as a built-in network reconnaissance toolkit exposed via its action sub-resources.","description":"Azure Network Watcher is a regional network diagnostics and monitoring service that provides flow logging, topology, and connectivity/troubleshooting tools for resources in a virtual network."},"risks":["destruction:defense"],"notes":"Deleting the Network Watcher for a region removes that region's flow-logging, topology, and diagnostic capability entirely, blinding defenders to network activity in the region.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/networkWatchers/write":{"id":"Microsoft.Network/networkWatchers/write","name":"Network Watcher","scope":"MEDIUM","parent":{"notes":"Network Watcher is a monitoring/diagnostics control-plane resource, not a data store; its main risk is as an evasion vector (disabling flow logging, removing the resource) and as a built-in network reconnaissance toolkit exposed via its action sub-resources.","description":"Azure Network Watcher is a regional network diagnostics and monitoring service that provides flow logging, topology, and connectivity/troubleshooting tools for resources in a virtual network."},"risks":["destruction:defense"],"notes":"Creating/updating a Network Watcher can be used to reconfigure or replace the region's network diagnostics resource, similar in effect to deletion if used to disrupt existing monitoring configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/p2sVpnGateways/generateVpnProfile/action":{"id":"Microsoft.Network/p2sVpnGateways/generateVpnProfile/action","name":"Point-to-site VPN gateway","scope":"HIGH","parent":{"notes":"Controls remote-access ingress into the private network; compromise can expose or sever connectivity for a single network function.","description":"A Point-to-Site (P2S) VPN gateway is a virtual-hub network component that provides remote-access VPN connectivity, letting individual clients establish secure tunnels into a virtual network / virtual WAN."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Generating the VPN client profile returns the downloadable connection package with embedded credential/certificate material needed to establish a tunnel into the private VNet.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/A/delete":{"id":"Microsoft.Network/privateDnsZones/A/delete","name":"Private DNS A record set","scope":"HIGH","parent":{"notes":"Private (internal) records, not public-facing; supports a single organizational network function.","description":"An A record set maps internal hostnames to IPv4 addresses within an Azure Private DNS zone, used for name resolution inside linked virtual networks."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the record set removes name resolution for the host, breaking connectivity to the service it fronts (DoS within the VNet).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/A/write":{"id":"Microsoft.Network/privateDnsZones/A/write","name":"Private DNS A record set","scope":"HIGH","parent":{"notes":"Private (internal) records, not public-facing; supports a single organizational network function.","description":"An A record set maps internal hostnames to IPv4 addresses within an Azure Private DNS zone, used for name resolution inside linked virtual networks."},"risks":["impact:manipulation","takeover:domain"],"notes":"Creating/updating the record set replaces internal hostname-to-IP mappings, letting an attacker repoint internal names to attacker-controlled IPs to route/intercept traffic (DNS hijack within the private zone).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/AAAA/delete":{"id":"Microsoft.Network/privateDnsZones/AAAA/delete","name":"Private DNS AAAA record set","scope":"HIGH","parent":{"notes":"Private (internal) records, not public-facing; supports a single organizational network function.","description":"An AAAA record set maps internal hostnames to IPv6 addresses within an Azure Private DNS zone, used for name resolution inside linked virtual networks."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the record set removes IPv6 name resolution for the host, breaking connectivity to the service it fronts (DoS within the VNet).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/AAAA/write":{"id":"Microsoft.Network/privateDnsZones/AAAA/write","name":"Private DNS AAAA record set","scope":"HIGH","parent":{"notes":"Private (internal) records, not public-facing; supports a single organizational network function.","description":"An AAAA record set maps internal hostnames to IPv6 addresses within an Azure Private DNS zone, used for name resolution inside linked virtual networks."},"risks":["impact:manipulation","takeover:domain"],"notes":"Creating/updating the record set replaces internal hostname-to-IPv6 mappings, letting an attacker repoint internal names to attacker-controlled addresses to route/intercept traffic within the private zone.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/CNAME/delete":{"id":"Microsoft.Network/privateDnsZones/CNAME/delete","name":"Private DNS CNAME record set","scope":"HIGH","parent":{"notes":"Private (internal) records, not public-facing; supports a single organizational network function.","description":"A CNAME record set aliases an internal hostname to a canonical name within an Azure Private DNS zone, used for name resolution inside linked virtual networks."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the record set removes the internal alias resolution, breaking connectivity to the aliased service (DoS within the VNet).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/CNAME/write":{"id":"Microsoft.Network/privateDnsZones/CNAME/write","name":"Private DNS CNAME record set","scope":"HIGH","parent":{"notes":"Private (internal) records, not public-facing; supports a single organizational network function.","description":"A CNAME record set aliases an internal hostname to a canonical name within an Azure Private DNS zone, used for name resolution inside linked virtual networks."},"risks":["impact:manipulation","takeover:domain"],"notes":"Creating/updating the record set re-aliases an internal hostname to an attacker-chosen target, redirecting internal traffic for that name (DNS hijack within the private zone).","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/MX/delete":{"id":"Microsoft.Network/privateDnsZones/MX/delete","name":"Private DNS MX record set","scope":"HIGH","parent":{"notes":"Private DNS zones serve name resolution for a single network function; reading records is reconnaissance while writing/deleting can redirect or break internal resolution.","description":"An MX (mail-exchange) record set within an Azure Private DNS zone, which directs internal mail-routing name resolution for resources within linked virtual networks."},"risks":["destruction:network"],"notes":"Deleting the MX record set removes internal mail-routing resolution, causing denial of service for dependent mail services.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/MX/write":{"id":"Microsoft.Network/privateDnsZones/MX/write","name":"Private DNS MX record set","scope":"HIGH","parent":{"notes":"Private DNS zones serve name resolution for a single network function; reading records is reconnaissance while writing/deleting can redirect or break internal resolution.","description":"An MX (mail-exchange) record set within an Azure Private DNS zone, which directs internal mail-routing name resolution for resources within linked virtual networks."},"risks":["impact:manipulation","takeover:domain"],"notes":"Creating/replacing MX records overwrites internal mail routing, letting an attacker redirect mail flow to attacker-controlled hosts and arbitrarily route that name within the private zone.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/SRV/delete":{"id":"Microsoft.Network/privateDnsZones/SRV/delete","name":"Private DNS SRV record set","scope":"HIGH","parent":{"notes":"SRV records direct service-discovery clients to host/port endpoints; manipulating them can redirect client traffic to attacker-controlled endpoints.","description":"An SRV (service-location) record set within an Azure Private DNS zone, which advertises the host and port of internal services (e.g. LDAP, SIP, Kerberos) for resources in linked virtual networks."},"risks":["destruction:network"],"notes":"Deleting the SRV record set breaks internal service discovery, causing denial of service for dependent applications.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateDnsZones/SRV/write":{"id":"Microsoft.Network/privateDnsZones/SRV/write","name":"Private DNS SRV record set","scope":"HIGH","parent":{"notes":"SRV records direct service-discovery clients to host/port endpoints; manipulating them can redirect client traffic to attacker-controlled endpoints.","description":"An SRV (service-location) record set within an Azure Private DNS zone, which advertises the host and port of internal services (e.g. LDAP, SIP, Kerberos) for resources in linked virtual networks."},"risks":["impact:manipulation","takeover:domain"],"notes":"Creating/replacing SRV records redirects internal service discovery to attacker-controlled hosts/ports, manipulating resolution and arbitrarily routing client traffic for that name.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateEndpoints/delete":{"id":"Microsoft.Network/privateEndpoints/delete","name":"Private endpoint","scope":"HIGH","parent":{"notes":"A private endpoint is a perimeter/segmentation control that determines how a sensitive backend resource is reached; misconfiguring one changes the network exposure of whatever resource it fronts. Rated consistent with the other network-segmentation resources documented alongside it.","description":"A private endpoint is a network interface, assigned a private IP from a VNet/subnet, that connects privately to a specific PaaS resource (e.g. a storage account or Key Vault) via Azure Private Link, keeping that resource's traffic off the public internet."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a private endpoint removes private connectivity to the backend PaaS resource it fronts; if the resource still allows public access, this can force traffic back over a public path, and if it does not, it denies service to legitimate consumers.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/privateEndpoints/write":{"id":"Microsoft.Network/privateEndpoints/write","name":"Private endpoint","scope":"HIGH","parent":{"notes":"A private endpoint is a perimeter/segmentation control that determines how a sensitive backend resource is reached; misconfiguring one changes the network exposure of whatever resource it fronts. Rated consistent with the other network-segmentation resources documented alongside it.","description":"A private endpoint is a network interface, assigned a private IP from a VNet/subnet, that connects privately to a specific PaaS resource (e.g. a storage account or Key Vault) via Azure Private Link, keeping that resource's traffic off the public internet."},"risks":["escalation:network","destruction:network"],"notes":"Creating or updating a private endpoint attaches a new private, in-VNet connection to a backend PaaS resource; an attacker with subnet access can create one to reach a backend resource that was otherwise network-isolated from them, or repoint/misconfigure an existing endpoint to disrupt intended connectivity.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/publicIPAddresses/dnsAliases/delete":{"id":"Microsoft.Network/publicIPAddresses/dnsAliases/delete","name":"DNS Alias of a Public IP Address","scope":"HIGH","parent":{"notes":"Controls public-facing DNS routing; write/delete enable domain/subdomain takeover and defacement of public-facing assets.","description":"A DNS alias of a public IP address binds a publicly resolvable DNS name/FQDN to an Azure public IP, controlling how that name routes to the endpoint."},"risks":["takeover:domain","impact:dos"],"notes":"Deleting the DNS alias removes the name-to-IP binding, breaking resolution of the public endpoint (DoS) and freeing the name to be re-claimed and re-pointed for a dangling-DNS subdomain takeover.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/publicIPAddresses/dnsAliases/write":{"id":"Microsoft.Network/publicIPAddresses/dnsAliases/write","name":"DNS Alias of a Public IP Address","scope":"HIGH","parent":{"notes":"Controls public-facing DNS routing; write/delete enable domain/subdomain takeover and defacement of public-facing assets.","description":"A DNS alias of a public IP address binds a publicly resolvable DNS name/FQDN to an Azure public IP, controlling how that name routes to the endpoint."},"risks":["takeover:domain","impact:defacement"],"notes":"Creating/updating a DNS alias binds a chosen public DNS name to an IP, letting an attacker redirect traffic for that domain/subdomain to controlled infrastructure and alter the org's public-facing endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/routeTables/join/action":{"id":"Microsoft.Network/routeTables/join/action","name":"Route table","scope":"HIGH","parent":{"notes":"A route table is a perimeter/segmentation control; it determines the path (and therefore the exposure) of a subnet's traffic. Rated consistent with the other network-segmentation resources documented alongside it, rather than CRITICAL, which is reserved for tenant-wide IAM/policy objects.","description":"A route table holds user-defined routes that override Azure's default system routes for the subnets it is associated with, controlling the next hop that traffic destined for given address prefixes takes."},"risks":["escalation:network"],"notes":"Azure requires this permission on the route table itself before a principal can associate a subnet with it, specifically so that a principal with only narrow \"create resource\" rights cannot silently reroute their own subnet's traffic away from mandated routing (e.g. through a firewall/NVA). Holding join lets an attacker associate an attacker-controlled or victim subnet with a route table that redirects traffic to an attacker-chosen next hop, bypassing intended routing/segmentation control.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/routeTables/delete":{"id":"Microsoft.Network/routeTables/delete","name":"Route table","scope":"HIGH","parent":{"notes":"A route table is a perimeter/segmentation control; it determines the path (and therefore the exposure) of a subnet's traffic. Rated consistent with the other network-segmentation resources documented alongside it, rather than CRITICAL, which is reserved for tenant-wide IAM/policy objects.","description":"A route table holds user-defined routes that override Azure's default system routes for the subnets it is associated with, controlling the next hop that traffic destined for given address prefixes takes."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a route table removes its user-defined routes from every associated subnet, reverting traffic to default system routing (which can bypass an intended network virtual appliance/firewall hop) or breaking connectivity that depended on a custom route.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/routeTables/write":{"id":"Microsoft.Network/routeTables/write","name":"Route table","scope":"HIGH","parent":{"notes":"A route table is a perimeter/segmentation control; it determines the path (and therefore the exposure) of a subnet's traffic. Rated consistent with the other network-segmentation resources documented alongside it, rather than CRITICAL, which is reserved for tenant-wide IAM/policy objects.","description":"A route table holds user-defined routes that override Azure's default system routes for the subnets it is associated with, controlling the next hop that traffic destined for given address prefixes takes."},"risks":["destruction:network","exfiltration:data","escalation:network"],"notes":"Creating or updating routes lets an attacker redirect a subnet's traffic to an attacker-controlled next hop, enabling interception/exfiltration of in-transit data, bypass of an intended firewall/NVA hop (destroying the routing control), or wholesale traffic blackholing.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/securityPartnerProviders/join/action":{"id":"Microsoft.Network/securityPartnerProviders/join/action","name":"Security Partner Provider","scope":"HIGH","parent":{"notes":"Sits in the traffic path as a security-inspection hop; removing or rerouting it disables inspection or diverts traffic away from the intended security service.","description":"A Security Partner Provider routes traffic through a third-party security service (e.g. a cloud-delivered firewall) for inspection before it reaches its destination."},"risks":["escalation:network"],"notes":"Joining a Security Partner Provider lets a principal bind a resource to an attacker-chosen inspection path it does not otherwise control, bypassing the intended segmentation/inspection control; flagged Not Alertable.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/securityPartnerProviders/write":{"id":"Microsoft.Network/securityPartnerProviders/write","name":"Security Partner Provider","scope":"HIGH","parent":{"notes":"Sits in the traffic path as a security-inspection hop; removing or rerouting it disables inspection or diverts traffic away from the intended security service.","description":"A Security Partner Provider routes traffic through a third-party security service (e.g. a cloud-delivered firewall) for inspection before it reaches its destination."},"risks":["escalation:network","destruction:defense","impact:manipulation"],"notes":"Creating/updating the provider lets an attacker reroute the security-inspection path to an attacker-chosen service or reconfigure it, bypassing or disabling third-party inspection of the traffic.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/securityPartnerProviders/delete":{"id":"Microsoft.Network/securityPartnerProviders/delete","name":"Security Partner Provider","scope":"HIGH","parent":{"notes":"Sits in the traffic path as a security-inspection hop; removing or rerouting it disables inspection or diverts traffic away from the intended security service.","description":"A Security Partner Provider routes traffic through a third-party security service (e.g. a cloud-delivered firewall) for inspection before it reaches its destination."},"risks":["destruction:defense","impact:dos"],"notes":"Deleting the provider removes the third-party security-inspection hop from the traffic path, disabling inspection and disrupting flows that route through it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerProfiles/azureEndpoints/delete":{"id":"Microsoft.Network/trafficManagerProfiles/azureEndpoints/delete","name":"Traffic Manager Azure endpoint","scope":"HIGH","parent":{"notes":"Endpoint configuration determines where a public domain's traffic is directed.","description":"A Traffic Manager Azure endpoint is a configured backend target (an Azure resource) within a Traffic Manager profile that receives DNS-routed traffic. It defines part of a public-facing service's routing."},"risks":["destruction:network","impact:dos"],"notes":"Deleting an endpoint stops Traffic Manager from routing traffic to that backend, removing a network routing target and disrupting service availability for the affected target.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerProfiles/azureEndpoints/write":{"id":"Microsoft.Network/trafficManagerProfiles/azureEndpoints/write","name":"Traffic Manager Azure endpoint","scope":"HIGH","parent":{"notes":"Endpoint configuration determines where a public domain's traffic is directed.","description":"A Traffic Manager Azure endpoint is a configured backend target (an Azure resource) within a Traffic Manager profile that receives DNS-routed traffic. It defines part of a public-facing service's routing."},"risks":["takeover:domain","impact:manipulation","impact:dos"],"notes":"Adding/updating an endpoint changes where the profile's DNS name routes traffic, letting an attacker redirect domain traffic to a controlled target (hijack), alter routing config, or disable a legitimate endpoint to deny service.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerProfiles/externalEndpoints/delete":{"id":"Microsoft.Network/trafficManagerProfiles/externalEndpoints/delete","name":"Traffic Manager external endpoint","scope":"HIGH","parent":{"notes":"Endpoints determine where a profile's domain traffic is routed; altering them redirects traffic for the public-facing service the profile fronts.","description":"A Traffic Manager external endpoint is a routing target (an external FQDN/IP outside Azure) within a Traffic Manager profile that DNS-based load balancing directs end-user traffic to."},"risks":["destruction:network","impact:dos"],"notes":"Deleting an external endpoint removes a routing target so Traffic Manager stops routing traffic to it, destroying a network component and denying service to the fronted backend.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerProfiles/externalEndpoints/write":{"id":"Microsoft.Network/trafficManagerProfiles/externalEndpoints/write","name":"Traffic Manager external endpoint","scope":"HIGH","parent":{"notes":"Endpoints determine where a profile's domain traffic is routed; altering them redirects traffic for the public-facing service the profile fronts.","description":"A Traffic Manager external endpoint is a routing target (an external FQDN/IP outside Azure) within a Traffic Manager profile that DNS-based load balancing directs end-user traffic to."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/updating an external endpoint repoints the profile's DNS-based traffic to an attacker-controlled target, hijacking traffic on the profile's domain and manipulating production routing configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerProfiles/nestedEndpoints/delete":{"id":"Microsoft.Network/trafficManagerProfiles/nestedEndpoints/delete","name":"Traffic Manager nested endpoint","scope":"HIGH","parent":{"notes":"Nested endpoints shape the hierarchical routing of a profile's domain traffic; altering them redirects traffic for the public-facing service the profile fronts.","description":"A Traffic Manager nested endpoint is a routing target within a Traffic Manager profile that references a child Traffic Manager profile, used to build hierarchical DNS-based traffic-routing topologies."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a nested endpoint removes a routing target so Traffic Manager stops routing traffic to the nested profile, destroying a network component and denying service to those backends.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerProfiles/nestedEndpoints/write":{"id":"Microsoft.Network/trafficManagerProfiles/nestedEndpoints/write","name":"Traffic Manager nested endpoint","scope":"HIGH","parent":{"notes":"Nested endpoints shape the hierarchical routing of a profile's domain traffic; altering them redirects traffic for the public-facing service the profile fronts.","description":"A Traffic Manager nested endpoint is a routing target within a Traffic Manager profile that references a child Traffic Manager profile, used to build hierarchical DNS-based traffic-routing topologies."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/updating a nested endpoint alters which child profile/target receives the profile's DNS traffic, enabling redirection of the profile's domain traffic to attacker-chosen targets and manipulation of routing configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerProfiles/delete":{"id":"Microsoft.Network/trafficManagerProfiles/delete","name":"Traffic Manager profile","scope":"HIGH","parent":{"notes":"Controlling a profile controls where a public domain's traffic resolves, making it a domain/traffic-routing asset.","description":"An Azure Traffic Manager profile is a DNS-based global traffic load balancer that routes client requests for a public DNS name to a set of backend endpoints according to a routing method. It fronts a production internet-facing service."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the profile removes the DNS routing component entirely so the domain can no longer route traffic to any backend, destroying a network component and denying service.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerProfiles/write":{"id":"Microsoft.Network/trafficManagerProfiles/write","name":"Traffic Manager profile","scope":"HIGH","parent":{"notes":"Controlling a profile controls where a public domain's traffic resolves, making it a domain/traffic-routing asset.","description":"An Azure Traffic Manager profile is a DNS-based global traffic load balancer that routes client requests for a public DNS name to a set of backend endpoints according to a routing method. It fronts a production internet-facing service."},"risks":["takeover:domain","impact:manipulation","impact:dos"],"notes":"Creating/updating a profile lets an attacker rewrite DNS-based routing and endpoints, redirecting the profile's domain traffic to attacker-controlled targets (domain hijack) or disabling endpoints to deny service.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerUserMetricsKeys/delete":{"id":"Microsoft.Network/trafficManagerUserMetricsKeys/delete","name":"Traffic Manager Realtime User Metrics key","scope":"MEDIUM","parent":{"notes":"The key is a secret that authorizes RUM telemetry reporting; it does not by itself grant identity or data-plane access, so its blast radius is limited to the metrics/telemetry function.","description":"A subscription-level key used to authenticate client-side Realtime (Real) User Metrics telemetry submission for Traffic Manager."},"risks":["impact:dos"],"notes":"Deleting the subscription-level metrics key disables Realtime User Metrics collection across the subscription, disrupting the telemetry feed used for metric-driven routing.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerUserMetricsKeys/read":{"id":"Microsoft.Network/trafficManagerUserMetricsKeys/read","name":"Traffic Manager Realtime User Metrics key","scope":"MEDIUM","parent":{"notes":"The key is a secret that authorizes RUM telemetry reporting; it does not by itself grant identity or data-plane access, so its blast radius is limited to the metrics/telemetry function.","description":"A subscription-level key used to authenticate client-side Realtime (Real) User Metrics telemetry submission for Traffic Manager."},"risks":["exfiltration:crypto"],"notes":"This get returns the subscription-level RUM collection key (secret material), so it exports cryptographic/credential material rather than merely enumerating it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/trafficManagerUserMetricsKeys/write":{"id":"Microsoft.Network/trafficManagerUserMetricsKeys/write","name":"Traffic Manager Realtime User Metrics key","scope":"MEDIUM","parent":{"notes":"The key is a secret that authorizes RUM telemetry reporting; it does not by itself grant identity or data-plane access, so its blast radius is limited to the metrics/telemetry function.","description":"A subscription-level key used to authenticate client-side Realtime (Real) User Metrics telemetry submission for Traffic Manager."},"risks":["impact:manipulation"],"notes":"Creating/regenerating the subscription-level metrics key alters the telemetry-collection configuration and can invalidate the existing key, disrupting legitimate Realtime User Metrics reporting.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualHubs/effectiveRoutes/action":{"id":"Microsoft.Network/virtualHubs/effectiveRoutes/action","name":"Virtual Hub","scope":"MEDIUM","parent":{"notes":"The hub is the central routing point of a Virtual WAN; controlling its routing redirects or intercepts traffic across every connected VNet and branch.","description":"A Virtual Hub is the routing core of an Azure Virtual WAN, terminating branch/VNet connections and holding the route tables that steer traffic across the WAN."},"risks":["discovery:network"],"notes":"Returns the effective routes on the hub, disclosing the WAN's reachable topology and next-hops; inboundRoutes and outboundRoutes are equivalent route-disclosure actions carrying the same discovery risk.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualHubs/inboundRoutes/action":{"id":"Microsoft.Network/virtualHubs/inboundRoutes/action","name":"Virtual Hub","scope":"MEDIUM","parent":{"notes":"The hub is the central routing point of a Virtual WAN; controlling its routing redirects or intercepts traffic across every connected VNet and branch.","description":"A Virtual Hub is the routing core of an Azure Virtual WAN, terminating branch/VNet connections and holding the route tables that steer traffic across the WAN."},"risks":["discovery:network"],"notes":"Returns the routes learnt from a Virtual WAN connection, disclosing WAN topology and advertised prefixes usable to plan lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualHubs/outboundRoutes/action":{"id":"Microsoft.Network/virtualHubs/outboundRoutes/action","name":"Virtual Hub","scope":"MEDIUM","parent":{"notes":"The hub is the central routing point of a Virtual WAN; controlling its routing redirects or intercepts traffic across every connected VNet and branch.","description":"A Virtual Hub is the routing core of an Azure Virtual WAN, terminating branch/VNet connections and holding the route tables that steer traffic across the WAN."},"risks":["discovery:network"],"notes":"Returns the routes advertised by a Virtual WAN connection, disclosing WAN topology and reachable prefixes usable to plan lateral movement.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualHubs/write":{"id":"Microsoft.Network/virtualHubs/write","name":"Virtual Hub","scope":"HIGH","parent":{"notes":"The hub is the central routing point of a Virtual WAN; controlling its routing redirects or intercepts traffic across every connected VNet and branch.","description":"A Virtual Hub is the routing core of an Azure Virtual WAN, terminating branch/VNet connections and holding the route tables that steer traffic across the WAN."},"risks":["escalation:network","exfiltration:data","impact:manipulation"],"notes":"Creating/updating a hub lets an attacker rewrite the WAN routing that steers traffic between connected VNets and branches, redirecting or intercepting flows across the WAN and tampering with routing configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualHubs/delete":{"id":"Microsoft.Network/virtualHubs/delete","name":"Virtual Hub","scope":"HIGH","parent":{"notes":"The hub is the central routing point of a Virtual WAN; controlling its routing redirects or intercepts traffic across every connected VNet and branch.","description":"A Virtual Hub is the routing core of an Azure Virtual WAN, terminating branch/VNet connections and holding the route tables that steer traffic across the WAN."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the hub removes the routing core of the Virtual WAN, tearing down a network component and cutting connectivity for every VNet and branch attached to it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/disconnectvirtualnetworkgatewayvpnconnections/action":{"id":"Microsoft.Network/virtualNetworkGateways/disconnectvirtualnetworkgatewayvpnconnections/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["impact:dos"],"notes":"Forcibly disconnects specified VPN connections on the gateway, cutting off site-to-site or P2S connectivity for the targeted tunnels.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/generateVpnProfile/action":{"id":"Microsoft.Network/virtualNetworkGateways/generateVpnProfile/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Generates a P2S VPN profile package with connection config and embedded credential material, enabling an attacker to establish a tunnel into the private network.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/generatevpnclientpackage/action":{"id":"Microsoft.Network/virtualNetworkGateways/generatevpnclientpackage/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Generates a downloadable P2S VPN client package containing connection config and certificate/credential material, enabling an attacker to connect into the private network.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/getbgppeerstatus/action":{"id":"Microsoft.Network/virtualNetworkGateways/getbgppeerstatus/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["discovery:network"],"notes":"Returns the status of BGP peers connected to the gateway, revealing the identity and reachability of peer routers in the connected on-prem/remote network. Read-only, but useful reconnaissance for planning lateral movement beyond Azure; functionally near-identical to this gateway's other BGP/routing-table-disclosure actions, which are treated the same way.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/geteffectiveroutes/action":{"id":"Microsoft.Network/virtualNetworkGateways/geteffectiveroutes/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["discovery:network"],"notes":"Returns the gateway's effective route table, disclosing the full set of connected subnets and peer network ranges reachable through the gateway. Read-only, but reveals the entire bridged network topology; one of several BGP/route-disclosure actions on this gateway treated with the same risk reasoning.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/getvpnprofilepackageurl/action":{"id":"Microsoft.Network/virtualNetworkGateways/getvpnprofilepackageurl/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Returns the URL of a pre-generated VPN client profile package containing credential/connection material, enabling an attacker to obtain access into the private network.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/listAllRadiusServersSecrets/action":{"id":"Microsoft.Network/virtualNetworkGateways/listAllRadiusServersSecrets/action","name":"Virtual network gateway","scope":"CRITICAL","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the RADIUS server shared secrets used for VPN authentication, exposing reusable credential material that lets an attacker impersonate the gateway/RADIUS trust and pivot to the authentication backend.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/reset/action":{"id":"Microsoft.Network/virtualNetworkGateways/reset/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["impact:dos"],"notes":"Resets the gateway instance, briefly interrupting all VPN/ExpressRoute connectivity that traverses it while it restarts.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/resetvpnclientsharedkey/action":{"id":"Microsoft.Network/virtualNetworkGateways/resetvpnclientsharedkey/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["impact:dos"],"notes":"Resets the P2S VPN client shared key, invalidating it for all existing point-to-site clients and disrupting their connectivity until they re-provision.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/setvpnclientipsecparameters/action":{"id":"Microsoft.Network/virtualNetworkGateways/setvpnclientipsecparameters/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["destruction:defense","escalation:network"],"notes":"Sets the IPsec/IKE cipher, integrity, and lifetime parameters used by the gateway's P2S VPN clients. An attacker can downgrade these to weak/deprecated algorithms, enabling interception or decryption of P2S client traffic into the private network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/startpacketcapture/action":{"id":"Microsoft.Network/virtualNetworkGateways/startpacketcapture/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["collection:data","exfiltration:data"],"notes":"Starts a packet capture on the gateway, enabling collection and subsequent exfiltration of in-transit network traffic that may contain sensitive data.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/stoppacketcapture/action":{"id":"Microsoft.Network/virtualNetworkGateways/stoppacketcapture/action","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["exfiltration:data","collection:data"],"notes":"Stops the packet capture and writes the captured traffic to the specified output (SAS URL), finalizing exfiltration of intercepted network data.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/delete":{"id":"Microsoft.Network/virtualNetworkGateways/delete","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["destruction:network","impact:dos"],"notes":"Deletes the gateway, severing the VPN/ExpressRoute connection and causing an outage for hybrid connectivity to the bridged network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkGateways/write":{"id":"Microsoft.Network/virtualNetworkGateways/write","name":"Virtual network gateway","scope":"HIGH","parent":{"notes":"A gateway is the trust boundary for a single VNet's hybrid/remote connectivity; control of it can expose or sever access to an entire private network and its hosted services.","description":"An Azure Virtual Network Gateway provides VPN (site-to-site / point-to-site) and ExpressRoute connectivity between an Azure VNet and on-premises or remote networks. It is the production network ingress/egress edge for hybrid connectivity."},"risks":["escalation:network","impact:manipulation"],"notes":"Creating or updating the gateway lets an attacker reconfigure routing, VPN, or IPsec/BGP settings, redirecting or exposing traffic between Azure and the connected on-prem/remote network to an attacker-controlled endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkTaps/Join/action":{"id":"Microsoft.Network/virtualNetworkTaps/Join/action","name":"Virtual network taps","scope":"HIGH","parent":{"notes":"Touches the in-flight network traffic of production VMs; misuse enables silent interception of potentially sensitive data.","description":"A VirtualNetworkTap is a traffic-mirroring (terminal access point) resource that continuously copies a source VM network interface's live traffic, encapsulated via VXLAN, to a collector destination (a VM NIC or internal load balancer) in the same or a peered VNet."},"risks":["exfiltration:data","collection:data","escalation:network"],"notes":"Joining a NIC to a tap causes that interface's live traffic to be mirrored to the tap's collector, enabling silent, continuous interception/exfiltration of in-flight data and ongoing centralized collection; the action is flagged Not Alertable, making it stealthy.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkTaps/networkInterfaceTapConfigurationProxies/delete":{"id":"Microsoft.Network/virtualNetworkTaps/networkInterfaceTapConfigurationProxies/delete","name":"Network Interface Tap Configuration Proxy","scope":"HIGH","parent":{"notes":"The proxy view of traffic-mirroring associations; managing it controls which NICs' in-transit traffic is intercepted to the tap.","description":"A Network Interface Tap Configuration Proxy represents, from the Virtual Network TAP side, the association binding network interfaces to the tap so their traffic is mirrored to a collector."},"risks":["destruction:network"],"notes":"Deleting the proxy removes the traffic-mirroring association from the virtual network tap, a network-component deletion that can also disrupt legitimate monitoring feeds.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworkTaps/networkInterfaceTapConfigurationProxies/write":{"id":"Microsoft.Network/virtualNetworkTaps/networkInterfaceTapConfigurationProxies/write","name":"Network Interface Tap Configuration Proxy","scope":"HIGH","parent":{"notes":"The proxy view of traffic-mirroring associations; managing it controls which NICs' in-transit traffic is intercepted to the tap.","description":"A Network Interface Tap Configuration Proxy represents, from the Virtual Network TAP side, the association binding network interfaces to the tap so their traffic is mirrored to a collector."},"risks":["collection:data","exfiltration:data"],"notes":"Creating or updating the proxy attaches NIC traffic mirroring to the virtual network tap, enabling continuous, automated collection and exfiltration of mirrored in-transit traffic.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/ddosProtectionStatus/action":{"id":"Microsoft.Network/virtualNetworks/ddosProtectionStatus/action","name":"Virtual network","scope":"LOW","parent":{"notes":"The VNet is the primary network-segmentation boundary in Azure; control-plane privileges on it — altering peerings, address space, or security-group associations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"An Azure virtual network (VNet) is the fundamental L3 network-isolation boundary in Azure, defining the address space, subnets, peerings, and security policy scope for all resources deployed into it."},"risks":["discovery:network"],"notes":"Read-only reconnaissance that reveals whether DDoS protection is enabled for the VNet, letting an attacker identify under-protected targets before launching a volumetric attack.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/join/action":{"id":"Microsoft.Network/virtualNetworks/join/action","name":"Virtual network","scope":"CRITICAL","parent":{"notes":"The VNet is the primary network-segmentation boundary in Azure; control-plane privileges on it — altering peerings, address space, or security-group associations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"An Azure virtual network (VNet) is the fundamental L3 network-isolation boundary in Azure, defining the address space, subnets, peerings, and security policy scope for all resources deployed into it."},"risks":["escalation:network","escalation:lateral"],"notes":"Azure requires this permission on the VNet before a principal may attach a new resource (e.g. a VM NIC) into it, specifically to stop principals with only resource-create rights from freely attaching into network segments they don't otherwise control. Holding join therefore lets an attacker deploy attacker-controlled resources directly into the VNet, bypassing the intended segmentation boundary and gaining network-level access to everything else attached to it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/joinLoadBalancer/action":{"id":"Microsoft.Network/virtualNetworks/joinLoadBalancer/action","name":"Virtual network","scope":"CRITICAL","parent":{"notes":"The VNet is the primary network-segmentation boundary in Azure; control-plane privileges on it — altering peerings, address space, or security-group associations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"An Azure virtual network (VNet) is the fundamental L3 network-isolation boundary in Azure, defining the address space, subnets, peerings, and security policy scope for all resources deployed into it."},"risks":["escalation:network"],"notes":"Required to attach a load balancer front end into the VNet's address space. Lets an attacker insert an attacker-controlled load balancer in front of, or alongside, existing VNet traffic, enabling interception or redirection of traffic destined for resources in the VNet.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/peer/action":{"id":"Microsoft.Network/virtualNetworks/peer/action","name":"Virtual network","scope":"CRITICAL","parent":{"notes":"The VNet is the primary network-segmentation boundary in Azure; control-plane privileges on it — altering peerings, address space, or security-group associations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"An Azure virtual network (VNet) is the fundamental L3 network-isolation boundary in Azure, defining the address space, subnets, peerings, and security policy scope for all resources deployed into it."},"risks":["escalation:network","escalation:lateral"],"notes":"Peers the VNet with another VNet, bridging the two address spaces. Lets an attacker who controls a separate (e.g. lower-trust or attacker-owned) VNet bridge it directly into this one, extending network reachability across a segmentation boundary that was meant to isolate the two environments.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/removeAdminNetworkSecurityGroup/action":{"id":"Microsoft.Network/virtualNetworks/removeAdminNetworkSecurityGroup/action","name":"Virtual network","scope":"CRITICAL","parent":{"notes":"The VNet is the primary network-segmentation boundary in Azure; control-plane privileges on it — altering peerings, address space, or security-group associations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"An Azure virtual network (VNet) is the fundamental L3 network-isolation boundary in Azure, defining the address space, subnets, peerings, and security policy scope for all resources deployed into it."},"risks":["destruction:policy","escalation:network"],"notes":"Removes the Admin Network Security Group reference from the VNet, stripping the centrally enforced security policy. Lets an attacker delete the org-mandated traffic-restriction layer entirely, removing a security control that was blocking otherwise-open network paths.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/setAdminNetworkSecurityGroup/action":{"id":"Microsoft.Network/virtualNetworks/setAdminNetworkSecurityGroup/action","name":"Virtual network","scope":"CRITICAL","parent":{"notes":"The VNet is the primary network-segmentation boundary in Azure; control-plane privileges on it — altering peerings, address space, or security-group associations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"An Azure virtual network (VNet) is the fundamental L3 network-isolation boundary in Azure, defining the address space, subnets, peerings, and security policy scope for all resources deployed into it."},"risks":["destruction:policy","escalation:network"],"notes":"Sets or overrides the Admin Network Security Group (a tenant/network-manager-level security policy) applied to the VNet. Lets an attacker replace the centrally enforced NSG policy with an attacker-controlled one, overriding org-mandated traffic restrictions and opening network paths the admin policy was meant to block.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/subnets/join/action":{"id":"Microsoft.Network/virtualNetworks/subnets/join/action","name":"Virtual network subnet","scope":"CRITICAL","parent":{"notes":"Subnets are the unit of network segmentation within a VNet; control-plane privileges on it — altering address ranges, NSG/route-table associations, delegations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"A subnet is a segment of a virtual network's address space, used to isolate groups of resources and as the attachment point for NSGs, route tables, service endpoints, and delegated services."},"risks":["escalation:network","escalation:lateral"],"notes":"Azure requires this permission on the subnet before a principal may attach a new resource (e.g. a VM NIC) into it, specifically to stop principals with only resource-create rights from freely attaching into subnets they don't otherwise control. Holding join therefore lets an attacker deploy attacker-controlled resources directly into a specific, potentially sensitive subnet, bypassing the intended segmentation boundary and gaining network-level access to everything else on that subnet.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action":{"id":"Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action","name":"Virtual network subnet","scope":"CRITICAL","parent":{"notes":"Subnets are the unit of network segmentation within a VNet; control-plane privileges on it — altering address ranges, NSG/route-table associations, delegations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"A subnet is a segment of a virtual network's address space, used to isolate groups of resources and as the attachment point for NSGs, route tables, service endpoints, and delegated services."},"risks":["escalation:network"],"notes":"Required to attach a load balancer front end into the subnet. Lets an attacker insert an attacker-controlled load balancer into a specific subnet, enabling interception or redirection of traffic destined for resources on it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action":{"id":"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action","name":"Virtual network subnet","scope":"CRITICAL","parent":{"notes":"Subnets are the unit of network segmentation within a VNet; control-plane privileges on it — altering address ranges, NSG/route-table associations, delegations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"A subnet is a segment of a virtual network's address space, used to isolate groups of resources and as the attachment point for NSGs, route tables, service endpoints, and delegated services."},"risks":["escalation:network"],"notes":"Required to bind a service (e.g. a storage account or SQL database) to the subnet via a service endpoint. Lets an attacker attach a service endpoint that exposes an attacker-controlled or attacker-accessible PaaS resource directly on the subnet's private address space, or conversely bind a sensitive PaaS resource's network ACL to a subnet the attacker already controls, extending network-level reach into that service.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action":{"id":"Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action","name":"Virtual network subnet","scope":"CRITICAL","parent":{"notes":"Subnets are the unit of network segmentation within a VNet; control-plane privileges on it — altering address ranges, NSG/route-table associations, delegations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"A subnet is a segment of a virtual network's address space, used to isolate groups of resources and as the attachment point for NSGs, route tables, service endpoints, and delegated services."},"risks":["destruction:policy","escalation:network"],"notes":"Removes the network policies (NSG/route-table enforcement) that a delegated service applied to the subnet, stripping a security control that was restricting traffic to/from delegated resources on it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/subnets/delete":{"id":"Microsoft.Network/virtualNetworks/subnets/delete","name":"Virtual network subnet","scope":"CRITICAL","parent":{"notes":"Subnets are the unit of network segmentation within a VNet; control-plane privileges on it — altering address ranges, NSG/route-table associations, delegations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"A subnet is a segment of a virtual network's address space, used to isolate groups of resources and as the attachment point for NSGs, route tables, service endpoints, and delegated services."},"risks":["destruction:network","impact:dos"],"notes":"Deletes the subnet, disconnecting every resource attached to it and removing its NSG/route-table/service-endpoint configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/subnets/write":{"id":"Microsoft.Network/virtualNetworks/subnets/write","name":"Virtual network subnet","scope":"CRITICAL","parent":{"notes":"Subnets are the unit of network segmentation within a VNet; control-plane privileges on it — altering address ranges, NSG/route-table associations, delegations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"A subnet is a segment of a virtual network's address space, used to isolate groups of resources and as the attachment point for NSGs, route tables, service endpoints, and delegated services."},"risks":["escalation:network","impact:manipulation"],"notes":"Creating or updating a subnet lets an attacker change its address range, detach or swap its NSG/route-table association, or add service endpoints/delegations, weakening the isolation the subnet was meant to enforce.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/delete":{"id":"Microsoft.Network/virtualNetworks/delete","name":"Virtual network","scope":"CRITICAL","parent":{"notes":"The VNet is the primary network-segmentation boundary in Azure; control-plane privileges on it — altering peerings, address space, or security-group associations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"An Azure virtual network (VNet) is the fundamental L3 network-isolation boundary in Azure, defining the address space, subnets, peerings, and security policy scope for all resources deployed into it."},"risks":["destruction:network","impact:dos"],"notes":"Deletes the virtual network, tearing down the address space, subnets, and peerings defined within it and causing outage for every resource attached to it.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualNetworks/write":{"id":"Microsoft.Network/virtualNetworks/write","name":"Virtual network","scope":"CRITICAL","parent":{"notes":"The VNet is the primary network-segmentation boundary in Azure; control-plane privileges on it — altering peerings, address space, or security-group associations, or attaching unauthorized resources into it — can enable significant privilege escalation via lateral network access (per the CRITICAL definition in services/README.md).","description":"An Azure virtual network (VNet) is the fundamental L3 network-isolation boundary in Azure, defining the address space, subnets, peerings, and security policy scope for all resources deployed into it."},"risks":["escalation:network","impact:manipulation"],"notes":"Creating or updating a VNet lets an attacker alter its address space, subnet layout, DNS servers, or peering/security associations, enabling traffic redirection or weakened segmentation across every resource in the VNet.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualWans/generateVpnProfile/action":{"id":"Microsoft.Network/virtualWans/generateVpnProfile/action","name":"Virtual WAN","scope":"HIGH","parent":{"notes":"Acts as the connectivity fabric for a single organizational network function; compromise affects routing and reachability across all attached hubs and sites.","description":"A Virtual WAN is the top-level Azure networking construct that aggregates and interconnects virtual hubs, VNets, site-to-site/point-to-site VPN, and ExpressRoute connectivity into a managed SD-WAN backbone."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Generates a downloadable point-to-site VPN client profile containing certificate/credential material that lets an attacker authenticate and tunnel directly into the WAN's private network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/virtualWans/vpnconfiguration/action":{"id":"Microsoft.Network/virtualWans/vpnconfiguration/action","name":"Virtual WAN","scope":"HIGH","parent":{"notes":"Acts as the connectivity fabric for a single organizational network function; compromise affects routing and reachability across all attached hubs and sites.","description":"A Virtual WAN is the top-level Azure networking construct that aggregates and interconnects virtual hubs, VNets, site-to-site/point-to-site VPN, and ExpressRoute connectivity into a managed SD-WAN backbone."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Gets a VPN configuration that returns connection profile material including pre-shared keys/credentials, letting an attacker establish a tunnel into the private network.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/getbgppeerstatus/action":{"id":"Microsoft.Network/vpnGateways/getbgppeerstatus/action","name":"Azure VPN gateway","scope":"HIGH","parent":{"notes":"Production network connectivity infrastructure for a single organizational function (hybrid/site-to-site connectivity); compromise can extend reach into peered/on-prem networks or sever connectivity.","description":"A VpnGateway is an Azure Virtual WAN site-to-site VPN gateway resource that provides cross-premises/hybrid network connectivity, including VPN connections, BGP routing, and IP configuration."},"risks":["discovery:network"],"notes":"Returns the status of BGP peers connected to the gateway, revealing the identity and reachability of peer routers in the connected on-prem/remote network. Read-only, but useful reconnaissance for planning lateral movement beyond Azure. getlearnedroutes and getadvertisedroutes are functionally near-identical (same BGP/routing-table disclosure) and are treated the same way.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/reset/action":{"id":"Microsoft.Network/vpnGateways/reset/action","name":"Azure VPN gateway","scope":"HIGH","parent":{"notes":"Production network connectivity infrastructure for a single organizational function (hybrid/site-to-site connectivity); compromise can extend reach into peered/on-prem networks or sever connectivity.","description":"A VpnGateway is an Azure Virtual WAN site-to-site VPN gateway resource that provides cross-premises/hybrid network connectivity, including VPN connections, BGP routing, and IP configuration."},"risks":["impact:dos"],"notes":"Resets the VPN gateway instance, briefly interrupting all site-to-site VPN connectivity that traverses it while it restarts.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/startpacketcapture/action":{"id":"Microsoft.Network/vpnGateways/startpacketcapture/action","name":"Azure VPN gateway","scope":"HIGH","parent":{"notes":"Production network connectivity infrastructure for a single organizational function (hybrid/site-to-site connectivity); compromise can extend reach into peered/on-prem networks or sever connectivity.","description":"A VpnGateway is an Azure Virtual WAN site-to-site VPN gateway resource that provides cross-premises/hybrid network connectivity, including VPN connections, BGP routing, and IP configuration."},"risks":["collection:data","exfiltration:data"],"notes":"Starting packet capture records live traffic traversing the VPN tunnels, enabling automated collection and later exfiltration of potentially sensitive in-transit data.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/stoppacketcapture/action":{"id":"Microsoft.Network/vpnGateways/stoppacketcapture/action","name":"Azure VPN gateway","scope":"HIGH","parent":{"notes":"Production network connectivity infrastructure for a single organizational function (hybrid/site-to-site connectivity); compromise can extend reach into peered/on-prem networks or sever connectivity.","description":"A VpnGateway is an Azure Virtual WAN site-to-site VPN gateway resource that provides cross-premises/hybrid network connectivity, including VPN connections, BGP routing, and IP configuration."},"risks":["exfiltration:data"],"notes":"Stopping packet capture finalizes the capture and returns a SAS URL to the captured traffic file, yielding the recorded in-transit network data for exfiltration.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/vpnConnections/startpacketcapture/action":{"id":"Microsoft.Network/vpnGateways/vpnConnections/startpacketcapture/action","name":"VPN gateway connections","scope":"HIGH","parent":{"notes":"Production network connectivity component supporting a single organizational function; controls cross-premises reachability.","description":"A VPN connection on an Azure VPN Gateway represents a site-to-site (or VNet-to-VNet) IPsec/IKE tunnel linking an Azure virtual network to an on-premises or remote network. It carries production hybrid-connectivity traffic for the networks it joins."},"risks":["collection:data","exfiltration:data"],"notes":"Starting a packet capture records the traffic traversing the tunnel, enabling collection of potentially sensitive in-transit network data ultimately written out by the paired stop action.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/vpnConnections/stoppacketcapture/action":{"id":"Microsoft.Network/vpnGateways/vpnConnections/stoppacketcapture/action","name":"VPN gateway connections","scope":"HIGH","parent":{"notes":"Production network connectivity component supporting a single organizational function; controls cross-premises reachability.","description":"A VPN connection on an Azure VPN Gateway represents a site-to-site (or VNet-to-VNet) IPsec/IKE tunnel linking an Azure virtual network to an on-premises or remote network. It carries production hybrid-connectivity traffic for the networks it joins."},"risks":["exfiltration:data"],"notes":"Stopping the capture takes a caller-supplied SAS URL and writes the captured PCAP of tunnel traffic to that (attacker-controlled) storage container, completing exfiltration of in-transit network data.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/default/listSharedKey/action":{"id":"Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/default/listSharedKey/action","name":"VPN link connection shared key","scope":"HIGH","parent":{"notes":"The shared key is a tunnel-authenticating credential; exposure or control of it directly impacts connectivity to and the security of the bridged network.","description":"The IPsec pre-shared key (PSK) for a VPN link connection within a site-to-site VPN gateway connection. This secret authenticates the IPsec tunnel between the Azure VPN gateway and the peer (on-prem/remote) endpoint."},"risks":["exfiltration:crypto","escalation:network"],"notes":"This listSharedKey action returns the VPN link connection's IPsec PSK value (crypto exfiltration); the credential is reusable to impersonate the peer and join the tunnel into the connected network. Semantically identical to the /read operation.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/default/read":{"id":"Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/default/read","name":"VPN link connection shared key","scope":"HIGH","parent":{"notes":"The shared key is a tunnel-authenticating credential; exposure or control of it directly impacts connectivity to and the security of the bridged network.","description":"The IPsec pre-shared key (PSK) for a VPN link connection within a site-to-site VPN gateway connection. This secret authenticates the IPsec tunnel between the Azure VPN gateway and the peer (on-prem/remote) endpoint."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Despite the /read verb, this returns the VPN tunnel's IPsec pre-shared key (credential material), enabling crypto exfiltration; with the PSK an attacker can impersonate the peer and stand up a tunnel to reach the connected network.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/default/write":{"id":"Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/default/write","name":"VPN link connection shared key","scope":"HIGH","parent":{"notes":"The shared key is a tunnel-authenticating credential; exposure or control of it directly impacts connectivity to and the security of the bridged network.","description":"The IPsec pre-shared key (PSK) for a VPN link connection within a site-to-site VPN gateway connection. This secret authenticates the IPsec tunnel between the Azure VPN gateway and the peer (on-prem/remote) endpoint."},"risks":["impact:dos","impact:manipulation","escalation:network"],"notes":"Sets/overwrites the IPsec PSK: rotating it breaks the legitimate site-to-site tunnel (DoS), alters tunnel auth config (manipulation), and lets an attacker pin a known key to bring up a rogue tunnel into the connected network.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/read":{"id":"Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/read","name":"VPN link connection shared key","scope":"CRITICAL","parent":{"notes":"Credential material that authenticates a tunnel bridging into internal/peer networks.","description":"The IPsec pre-shared key (shared secret) authenticating a site-to-site VPN link connection on an Azure VPN Gateway, securing the tunnel to a connected on-premises or partner network."},"risks":["exfiltration:crypto","escalation:network"],"notes":"This get returns the IPsec pre-shared key, exporting credential material an attacker can use to establish or impersonate the site-to-site tunnel and reach the connected network.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/write":{"id":"Microsoft.Network/vpnGateways/write","name":"Azure VPN gateway","scope":"HIGH","parent":{"notes":"Production network connectivity infrastructure for a single organizational function (hybrid/site-to-site connectivity); compromise can extend reach into peered/on-prem networks or sever connectivity.","description":"A VpnGateway is an Azure Virtual WAN site-to-site VPN gateway resource that provides cross-premises/hybrid network connectivity, including VPN connections, BGP routing, and IP configuration."},"risks":["escalation:network","impact:manipulation"],"notes":"Creating or updating the gateway lets an attacker reconfigure VPN connections, routing, or BGP settings, redirecting or exposing hybrid traffic to an attacker-controlled endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnGateways/delete":{"id":"Microsoft.Network/vpnGateways/delete","name":"Azure VPN gateway","scope":"HIGH","parent":{"notes":"Production network connectivity infrastructure for a single organizational function (hybrid/site-to-site connectivity); compromise can extend reach into peered/on-prem networks or sever connectivity.","description":"A VpnGateway is an Azure Virtual WAN site-to-site VPN gateway resource that provides cross-premises/hybrid network connectivity, including VPN connections, BGP routing, and IP configuration."},"risks":["destruction:network","impact:dos"],"notes":"Deletes the gateway, severing site-to-site VPN connectivity to the bridged networks.","links":["https://azure.permissions.cloud/iam/Microsoft.Network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Network/vpnServerConfigurations/listAllRadiusServersSecrets/action":{"id":"Microsoft.Network/vpnServerConfigurations/listAllRadiusServersSecrets/action","name":"VPN server configuration","scope":"CRITICAL","parent":{"notes":"Governs remote-access authentication into the network; the RADIUS shared secrets it references are credential material exposed only through the dedicated listAllRadiusServersSecrets action.","description":"A VpnServerConfiguration defines the authentication settings (certificate, RADIUS, and Azure AD) and connection parameters for Point-to-Site (P2S) VPN access into Azure virtual networks via VPN/virtual WAN gateways."},"risks":["exfiltration:crypto"],"notes":"Returns the RADIUS server shared secrets used for VPN authentication, exporting reusable credential material that enables impersonation of the RADIUS trust channel.","links":["https://azure.permissions.cloud/iam/microsoft.network","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/clusters/write":{"id":"Microsoft.OperationalInsights/clusters/write","name":"Log Analytics dedicated cluster","scope":"HIGH","parent":{"notes":"A dedicated cluster stores the logs of its linked workspaces and holds their CMK association, so destroying it or changing its key affects the whole log store; HIGH.","description":"A dedicated Log Analytics cluster that provides customer-managed-key (CMK) backed storage for one or more linked workspaces."},"risks":["destruction:crypto","impact:manipulation"],"notes":"Changing the cluster's customer-managed-key association can rotate away or revoke the key protecting stored logs, rendering existing data unreadable or corrupting the encryption configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/clusters/delete":{"id":"Microsoft.OperationalInsights/clusters/delete","name":"Log Analytics dedicated cluster","scope":"HIGH","parent":{"notes":"A dedicated cluster stores the logs of its linked workspaces and holds their CMK association, so destroying it or changing its key affects the whole log store; HIGH.","description":"A dedicated Log Analytics cluster that provides customer-managed-key (CMK) backed storage for one or more linked workspaces."},"risks":["destruction:logs","destruction:data"],"notes":"Deleting a dedicated cluster destroys the CMK-backed storage holding its linked workspaces' logs, eliminating that data.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Api/Query/action":{"id":"Microsoft.OperationalInsights/workspaces/Api/Query/action","name":"Log Analytics workspace query (Analytics)","scope":"MEDIUM","parent":{"notes":"Workspace logs frequently contain security events, audit trails, and sensitive operational data; querying is the primary data-access path.","description":"The api/query action runs KQL search queries against the data ingested into a Log Analytics workspace, returning the actual log and telemetry records."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"This API-path KQL search returns ingested log/telemetry records, enabling export of potentially sensitive security, audit, and operational data.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/ABAPTableDataLog/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/ABAPTableDataLog/read","name":"Log Analytics workspace table (ABAPTableDataLog)","scope":"HIGH","parent":{"notes":"Because it logs the contents of SAP ERP business-table changes, this table can contain sensitive organizational data values rather than only operational telemetry.","description":"A single named table within an Azure Log Analytics (Operational Insights) workspace, queried via the data plane. This Microsoft Sentinel for SAP table captures changes to ABAP business/application table data."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Reading this table exports captured SAP ABAP business-table data change records, exposing both the log records and the underlying organizational/ERP data values they contain.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/ApiManagementGatewayLlmLog/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/ApiManagementGatewayLlmLog/read","name":"Log Analytics workspace table data (ApiManagementGatewayLlmLog)","scope":"MEDIUM","parent":{"notes":"Monitoring/diagnostics data, but LLM gateway logs can embed captured prompt and completion content, so rows may contain genuinely sensitive application data.","description":"A Log Analytics workspace table queried via the data plane; this table (ApiManagementGatewayLlmLog) holds Azure API Management gateway LLM request/response logging ingested into the Azure Monitor workspace."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Reads APIM gateway LLM log rows that can include prompt/response payloads, so it exports both monitoring logs and potentially sensitive request/response data.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/AppEnvSessionConsoleLogs/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/AppEnvSessionConsoleLogs/read","name":"Log Analytics workspace table (AppEnvSessionConsoleLogs)","scope":"HIGH","parent":{"notes":"Console output of running application sessions frequently contains command results, secrets, tokens, or PII printed to the console, making this table prone to holding sensitive data.","description":"A single named table within an Azure Log Analytics (Operational Insights) workspace, queried via the data plane. This table captures Azure Container Apps dynamic-session console (stdout/stderr) output."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Reading this table exports Container Apps session console output, which commonly contains application data, secrets, or command results, enabling sensitive data exfiltration beyond ordinary telemetry.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/AppGenAIContent/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/AppGenAIContent/read","name":"Log Analytics workspace table (App GenAI content)","scope":"MEDIUM","parent":{"notes":"GenAI prompt/response content frequently carries sensitive user or business data, exceeding ordinary operational logging.","description":"A Log Analytics workspace data-plane table storing logged generative-AI application content such as prompts and completions. Read access returns the table's records."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Reading the table exports logged GenAI prompts/responses (exfiltration:logs) that often contain sensitive organizational or user data captured in the content (exfiltration:data).","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/ConfidentialWatchlist/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/ConfidentialWatchlist/read","name":"Log Analytics ConfidentialWatchlist table","scope":"HIGH","parent":{"notes":"Explicitly marked confidential; contents are sensitive security-operations data deliberately curated for detection, so the asset is HIGH sensitivity (consistent with Microsoft.SecurityInsights/ConfidentialWatchlists/read in the catalog).","description":"A Log Analytics workspace data table exposing ConfidentialWatchlist records — Microsoft Sentinel confidential watchlist contents (curated sensitive reference data such as VIP users, terminated employees, sensitive assets/IPs) that analytics rules correlate against."},"risks":["exfiltration:data"],"notes":"Reads the confidential watchlist contents, directly exfiltrating curated sensitive security data useful for targeting and evasion — beyond ordinary log telemetry.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/LedgerTransactionLogs/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/LedgerTransactionLogs/read","name":"Log Analytics workspace table (Confidential Ledger transaction logs)","scope":"MEDIUM","parent":{"notes":"Confidential Ledger transaction records are tamper-evident business records and may contain sensitive transactional data.","description":"A Log Analytics workspace data-plane table storing Azure Confidential Ledger transaction records. Read access returns the table's records."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Reading the table exports confidential transaction records (exfiltration:logs) that constitute sensitive business/transactional data (exfiltration:data).","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/LedgerUserDefinedLogs/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/LedgerUserDefinedLogs/read","name":"Log Analytics workspace table (Confidential Ledger user-defined logs)","scope":"MEDIUM","parent":{"notes":"User-defined ledger entries hold application-specific confidential records the ledger was designed to protect.","description":"A Log Analytics workspace data-plane table storing user-defined Azure Confidential Ledger entries. Read access returns the table's records."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Reading the table exports user-defined ledger records (exfiltration:logs) whose arbitrary application content may carry sensitive organizational data (exfiltration:data).","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/PGSQLQueryStoreQueryText/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/PGSQLQueryStoreQueryText/read","name":"Log Analytics workspace table (PGSQLQueryStoreQueryText)","scope":"MEDIUM","parent":{"notes":"Log Analytics tables are monitoring/diagnostics data stores of MEDIUM sensitivity; captured SQL text can expose schema and embed literal data values or credentials.","description":"A Log Analytics workspace query table holding captured PostgreSQL Query Store SQL statement text. Reading it is a data-plane operation returning the stored query-text rows."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Captured SQL statement text exposes database schema (table/column names) and frequently embeds literal data values and parameters, disclosing underlying database content as well as log telemetry.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/Query/read":{"id":"Microsoft.OperationalInsights/workspaces/Query/read","name":"Log Analytics workspace query (all tables)","scope":"MEDIUM","parent":{"notes":"Broadest query capability over the workspace; can return any ingested telemetry, including security alerts, audit/sign-in logs, and any sensitive data captured in logs.","description":"The data-plane capability to run arbitrary KQL queries over ALL data ingested into an Azure Log Analytics workspace, spanning every table the workspace collects."},"risks":["exfiltration:logs","discovery:logs","exfiltration:data"],"notes":"Grants arbitrary queries across every table, enabling wholesale export of all collected logs (exfiltration:logs), full enumeration of what is being logged (discovery:logs), and extraction of sensitive data (credentials, PII, configuration) captured within those logs (exfiltration:data).","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/analytics/Query/action":{"id":"Microsoft.OperationalInsights/workspaces/analytics/Query/action","name":"Log Analytics workspace query (Analytics)","scope":"MEDIUM","parent":{"notes":"Workspace logs frequently contain security events, audit trails, and sensitive operational data; querying is the primary data-access path.","description":"The analytics/query action runs KQL search queries against the data ingested into a Log Analytics workspace, returning the actual log and telemetry records."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Executing a KQL search returns ingested log/telemetry records, enabling broad export of logs that commonly include security, audit, and sensitive organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/dataexports/write":{"id":"Microsoft.OperationalInsights/workspaces/dataexports/write","name":"Log Analytics data export","scope":"HIGH","parent":{"notes":"An export rule streams a live copy of ingested logs to an external destination; it can be abused to exfiltrate all telemetry or, when removed, to cut a downstream SIEM feed; HIGH.","description":"A data export rule that continuously ships ingested log data from selected tables to a destination such as a storage account or Event Hub."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Creating an export rule can continuously copy all ingested logs to attacker-controlled storage or an Event Hub, exfiltrating telemetry that may contain sensitive organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/dataexports/delete":{"id":"Microsoft.OperationalInsights/workspaces/dataexports/delete","name":"Log Analytics data export","scope":"HIGH","parent":{"notes":"An export rule streams a live copy of ingested logs to an external destination; it can be abused to exfiltrate all telemetry or, when removed, to cut a downstream SIEM feed; HIGH.","description":"A data export rule that continuously ships ingested log data from selected tables to a destination such as a storage account or Event Hub."},"risks":["destruction:defense"],"notes":"Deleting an export rule cuts the downstream feed (e.g. to an external SIEM or archive), blinding detections and long-term retention that depend on it.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/datasources/write":{"id":"Microsoft.OperationalInsights/workspaces/datasources/write","name":"Log Analytics data source","scope":"HIGH","parent":{"notes":"Data sources govern what telemetry is collected, so altering or removing them stops new security logs from arriving; HIGH.","description":"A data source configuration under a workspace that defines what telemetry (event logs, performance counters, syslog, etc.) agents collect and forward into the workspace."},"risks":["destruction:logs","destruction:defense"],"notes":"Reconfiguring a data source can narrow or suppress the telemetry collected, silently creating blind spots in future logging.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/datasources/delete":{"id":"Microsoft.OperationalInsights/workspaces/datasources/delete","name":"Log Analytics data source","scope":"HIGH","parent":{"notes":"Data sources govern what telemetry is collected, so altering or removing them stops new security logs from arriving; HIGH.","description":"A data source configuration under a workspace that defines what telemetry (event logs, performance counters, syslog, etc.) agents collect and forward into the workspace."},"risks":["destruction:logs","destruction:defense"],"notes":"Removing a data source halts collection of that telemetry, so subsequent activity in its scope goes unlogged.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/jobs/export/action":{"id":"Microsoft.OperationalInsights/workspaces/jobs/export/action","name":"Log Analytics export job","scope":"HIGH","parent":{"notes":"A bulk read-out of stored log data for arbitrary queries/time ranges; logs may contain sensitive organizational data, so exporting them is HIGH.","description":"Exports data from a workspace for a given query and time range as a one-off bulk job."},"risks":["exfiltration:logs","exfiltration:data"],"notes":"Bulk-exports stored logs by query and time range, pulling out telemetry that can include credentials, tokens, and other sensitive data captured in logs.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/linkedservices/write":{"id":"Microsoft.OperationalInsights/workspaces/linkedservices/write","name":"Log Analytics linked service","scope":"HIGH","parent":{"notes":"Linked services connect the workspace to the resources that feed and process its telemetry; breaking them disrupts collection; HIGH.","description":"A linked service that binds the workspace to another resource (such as an Automation account or a cluster) used for data collection and processing."},"risks":["destruction:logs","destruction:defense"],"notes":"Re-pointing or altering a linked service can disrupt the collection/processing pipeline it enables, suppressing telemetry.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/linkedservices/delete":{"id":"Microsoft.OperationalInsights/workspaces/linkedservices/delete","name":"Log Analytics linked service","scope":"HIGH","parent":{"notes":"Linked services connect the workspace to the resources that feed and process its telemetry; breaking them disrupts collection; HIGH.","description":"A linked service that binds the workspace to another resource (such as an Automation account or a cluster) used for data collection and processing."},"risks":["destruction:logs","destruction:defense"],"notes":"Removing a linked service severs the workspace's link to the resource feeding it, halting the associated telemetry.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/linkedstorageaccounts/write":{"id":"Microsoft.OperationalInsights/workspaces/linkedstorageaccounts/write","name":"Log Analytics linked storage account","scope":"HIGH","parent":{"notes":"Linked storage accounts back specific ingestion/retention paths; removing them can disrupt that data flow and its retained records; HIGH.","description":"A customer-owned storage account linked to the workspace for holding certain data types (custom logs, queries, alerts) under the customer's own storage."},"risks":["destruction:logs","destruction:defense"],"notes":"Re-pointing a linked storage account can redirect or disrupt the data written to it, breaking that ingestion/retention path.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/linkedstorageaccounts/delete":{"id":"Microsoft.OperationalInsights/workspaces/linkedstorageaccounts/delete","name":"Log Analytics linked storage account","scope":"HIGH","parent":{"notes":"Linked storage accounts back specific ingestion/retention paths; removing them can disrupt that data flow and its retained records; HIGH.","description":"A customer-owned storage account linked to the workspace for holding certain data types (custom logs, queries, alerts) under the customer's own storage."},"risks":["destruction:logs","destruction:defense"],"notes":"Removing a linked storage account cuts the storage backing its data type, disrupting ingestion or retention of those records.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/listKeys/action":{"id":"Microsoft.OperationalInsights/workspaces/listKeys/action","name":"Log Analytics workspace","scope":"MEDIUM","parent":{"notes":"Monitoring/diagnostics asset; it concentrates security and operational telemetry, so tampering with or destroying it enables anti-forensic evasion, but it is scoped to a monitoring function rather than to primary production data or identity controls.","description":"An Azure Log Analytics workspace is the central data store and management resource for Azure Monitor logs, collecting and retaining telemetry/log data from agents, resources, and Microsoft Sentinel."},"risks":["exfiltration:crypto","impact:manipulation"],"notes":"Returns the workspace ingestion keys exactly like the sharedkeys action, exposing credential material usable to submit falsified log data into the workspace.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/listKeys/read":{"id":"Microsoft.OperationalInsights/workspaces/listKeys/read","name":"Log Analytics workspace shared keys","scope":"HIGH","parent":{"notes":"Monitoring/diagnostics asset; it concentrates security and operational telemetry, so tampering with or destroying it enables anti-forensic evasion, but it is scoped to a monitoring function rather than to primary production data or identity controls.","description":"An Azure Log Analytics workspace is the central data store and management resource for Azure Monitor logs, collecting and retaining telemetry/log data from agents, resources, and Microsoft Sentinel."},"risks":["exfiltration:crypto","impact:manipulation"],"notes":"Despite the /read suffix this returns the workspace shared keys (credential material), so it is cryptographic exfiltration; the keys let an attacker authenticate as an agent and inject or forge log data into the workspace (impact:manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/providers/Microsoft.Insights/diagnosticSettings/Write":{"id":"Microsoft.OperationalInsights/workspaces/providers/Microsoft.Insights/diagnosticSettings/Write","name":"Log Analytics workspace diagnostic setting","scope":"HIGH","parent":{"notes":"This governs the workspace's self-telemetry, including its own audit trail; disabling it hides administrative actions taken against the log store; HIGH.","description":"The diagnostic setting on the workspace itself, controlling whether the workspace's own resource logs and metrics (including audit events) are emitted."},"risks":["destruction:logs","destruction:defense"],"notes":"Overwriting the workspace's diagnostic setting can disable its own diagnostic/audit logging, hiding the attacker's actions against the log store itself.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/purge/action":{"id":"Microsoft.OperationalInsights/workspaces/purge/action","name":"Log Analytics workspace data purge","scope":"HIGH","parent":{"notes":"Query-targeted deletion of individual log records is the classic anti-forensics primitive; it removes evidence at row granularity, so the operation is HIGH.","description":"Deletes specified data records by query from a Log Analytics workspace."},"risks":["destruction:logs","destruction:defense"],"notes":"Deletes matching log records by query, letting an attacker surgically erase the traces of their own activity and defeat the audit trail.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/regenerateSharedKey/action":{"id":"Microsoft.OperationalInsights/workspaces/regenerateSharedKey/action","name":"Log Analytics workspace","scope":"MEDIUM","parent":{"notes":"Monitoring/diagnostics asset; it concentrates security and operational telemetry, so tampering with or destroying it enables anti-forensic evasion, but it is scoped to a monitoring function rather than to primary production data or identity controls.","description":"An Azure Log Analytics workspace is the central data store and management resource for Azure Monitor logs, collecting and retaining telemetry/log data from agents, resources, and Microsoft Sentinel."},"risks":["exfiltration:crypto","impact:access"],"notes":"Regenerates the specified shared key and returns the new key in the response (verified against the REST/SDK contract), so it both exfiltrates fresh credential material and invalidates the prior key, cutting off legitimate agents from ingesting data.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions/write":{"id":"Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions/write","name":"Log Analytics scheduled search action","scope":"HIGH","parent":{"notes":"Actions are how a triggered alert reaches responders; removing or altering them silences the response even when the detection fires; HIGH.","description":"An action attached to a scheduled saved search that fires when the alert triggers, such as sending a notification or invoking a webhook."},"risks":["impact:manipulation","destruction:defense"],"notes":"Rewriting an alert action can redirect or disable the notification/webhook, so a triggered detection never reaches responders.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions/delete":{"id":"Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions/delete","name":"Log Analytics scheduled search action","scope":"HIGH","parent":{"notes":"Actions are how a triggered alert reaches responders; removing or altering them silences the response even when the detection fires; HIGH.","description":"An action attached to a scheduled saved search that fires when the alert triggers, such as sending a notification or invoking a webhook."},"risks":["destruction:defense"],"notes":"Deleting an alert action leaves the detection firing silently with no notification or response.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/savedSearches/schedules/write":{"id":"Microsoft.OperationalInsights/workspaces/savedSearches/schedules/write","name":"Log Analytics saved search schedule","scope":"HIGH","parent":{"notes":"The schedule is what makes a saved search fire as a detection; disabling or removing it stops the alert from ever running; HIGH.","description":"A schedule attached to a saved search that runs the query on an interval, turning it into a recurring Log Analytics alert rule."},"risks":["impact:manipulation","destruction:defense"],"notes":"Altering a schedule (e.g. disabling it or widening its interval) suppresses how often the detection runs, blinding it.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/savedSearches/schedules/delete":{"id":"Microsoft.OperationalInsights/workspaces/savedSearches/schedules/delete","name":"Log Analytics saved search schedule","scope":"HIGH","parent":{"notes":"The schedule is what makes a saved search fire as a detection; disabling or removing it stops the alert from ever running; HIGH.","description":"A schedule attached to a saved search that runs the query on an interval, turning it into a recurring Log Analytics alert rule."},"risks":["destruction:defense"],"notes":"Deleting a schedule stops the saved search from running, removing the detection entirely.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/savedSearches/write":{"id":"Microsoft.OperationalInsights/workspaces/savedSearches/write","name":"Log Analytics saved search","scope":"HIGH","parent":{"notes":"Saved searches back scheduled alert rules, so tampering with or removing them degrades detection logic; HIGH.","description":"A saved search query in a workspace; when paired with a schedule it forms a Log Analytics alert rule that drives detections."},"risks":["impact:manipulation","destruction:defense"],"notes":"Rewriting a saved search can neuter the detection query behind an alert rule so malicious activity no longer matches.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/savedSearches/delete":{"id":"Microsoft.OperationalInsights/workspaces/savedSearches/delete","name":"Log Analytics saved search","scope":"HIGH","parent":{"notes":"Saved searches back scheduled alert rules, so tampering with or removing them degrades detection logic; HIGH.","description":"A saved search query in a workspace; when paired with a schedule it forms a Log Analytics alert rule that drives detections."},"risks":["destruction:defense"],"notes":"Deleting a saved search removes the query behind a detection, disabling the alert built on it.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/search/action":{"id":"Microsoft.OperationalInsights/workspaces/search/action","name":"Log Analytics search","scope":"HIGH","parent":{"notes":"Query access reads back stored log data, which can include sensitive records; it is closer to bulk read than to targeted export, so it is HIGH.","description":"Executes a search query against the log data stored in a workspace."},"risks":["exfiltration:logs","discovery:data"],"notes":"Runs arbitrary queries over stored logs, allowing bulk read-out of telemetry and inventory of what data the workspace holds.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/sharedKeys/action":{"id":"Microsoft.OperationalInsights/workspaces/sharedKeys/action","name":"Log Analytics workspace","scope":"MEDIUM","parent":{"notes":"Monitoring/diagnostics asset; it concentrates security and operational telemetry, so tampering with or destroying it enables anti-forensic evasion, but it is scoped to a monitoring function rather than to primary production data or identity controls.","description":"An Azure Log Analytics workspace is the central data store and management resource for Azure Monitor logs, collecting and retaining telemetry/log data from agents, resources, and Microsoft Sentinel."},"risks":["exfiltration:crypto","impact:manipulation"],"notes":"Retrieves the workspace primary/secondary shared keys (credential material), letting an attacker connect agents and inject or forge log telemetry to poison or mask events.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/sharedKeys/read":{"id":"Microsoft.OperationalInsights/workspaces/sharedKeys/read","name":"Log Analytics workspace shared keys","scope":"MEDIUM","parent":{"notes":"Monitoring/diagnostics asset; it concentrates security and operational telemetry, so tampering with or destroying it enables anti-forensic evasion, but it is scoped to a monitoring function rather than to primary production data or identity controls.","description":"An Azure Log Analytics workspace is the central data store and management resource for Azure Monitor logs, collecting and retaining telemetry/log data from agents, resources, and Microsoft Sentinel."},"risks":["exfiltration:crypto","impact:manipulation"],"notes":"Despite the /read verb, this returns the actual workspace shared keys (agent-connection credentials) rather than metadata, so it is cryptographic exfiltration that also enables forged data injection.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/storageinsightconfigs/write":{"id":"Microsoft.OperationalInsights/workspaces/storageinsightconfigs/write","name":"Log Analytics storage insight configuration","scope":"HIGH","parent":{"notes":"These configs are an ingestion path from storage into the workspace; removing them stops that telemetry from being read in; HIGH.","description":"A storage insight configuration that pulls log data from a linked storage account (e.g. diagnostic logs, WAD/LAD tables) into the workspace."},"risks":["destruction:logs","destruction:defense"],"notes":"Altering a storage insight config can stop or narrow the log data pulled from storage, suppressing future telemetry.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/storageinsightconfigs/delete":{"id":"Microsoft.OperationalInsights/workspaces/storageinsightconfigs/delete","name":"Log Analytics storage insight configuration","scope":"HIGH","parent":{"notes":"These configs are an ingestion path from storage into the workspace; removing them stops that telemetry from being read in; HIGH.","description":"A storage insight configuration that pulls log data from a linked storage account (e.g. diagnostic logs, WAD/LAD tables) into the workspace."},"risks":["destruction:logs","destruction:defense"],"notes":"Deleting a storage insight config stops the workspace reading logs from the storage account, cutting that ingestion source.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/tables/Data/read":{"id":"Microsoft.OperationalInsights/workspaces/tables/Data/read","name":"Log Analytics workspace data (all tables)","scope":"MEDIUM","parent":{"notes":"Because the workspace can ingest arbitrary custom tables (application/security/PII data) alongside diagnostic logs, this broad read can reach data beyond pure monitoring telemetry; still MEDIUM as the monitoring-data tier, but the breadth raises exfiltration potential.","description":"The Azure Log Analytics (Microsoft.OperationalInsights) workspace data-plane read entitlement, granting read access to workspace data down to fine-grained tables or rows. Unlike a single per-table read, it can cover every table ingested into the workspace."},"risks":["exfiltration:logs","discovery:logs","exfiltration:data"],"notes":"Grants read across all workspace tables/rows, letting an attacker bulk-export and enumerate every ingested log stream and any sensitive application/security data captured in custom tables.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/tables/deleteData/action":{"id":"Microsoft.OperationalInsights/workspaces/tables/deleteData/action","name":"Log Analytics table data deletion","scope":"HIGH","parent":{"notes":"Table-granular deletion of log records is the same anti-forensics class as workspace purge, applied to a single evidence stream; HIGH.","description":"Deletes data from a table in a Log Analytics workspace."},"risks":["destruction:logs","destruction:defense"],"notes":"Deletes log records from a table, erasing specific evidence and defeating the detections that read from it.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/tables/write":{"id":"Microsoft.OperationalInsights/workspaces/tables/write","name":"Log Analytics table","scope":"HIGH","parent":{"notes":"A table holds a distinct class of security log evidence and controls its retention, so tampering with or dropping it removes specific detection data; HIGH.","description":"A table within a Log Analytics workspace that stores a specific stream of log records; tables define schema, retention, and ingestion for their data."},"risks":["impact:manipulation","destruction:logs"],"notes":"Updating a table can cut its retention or alter its schema, silently dropping or truncating the log evidence it stores.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/tables/delete":{"id":"Microsoft.OperationalInsights/workspaces/tables/delete","name":"Log Analytics table","scope":"HIGH","parent":{"notes":"A table holds a distinct class of security log evidence and controls its retention, so tampering with or dropping it removes specific detection data; HIGH.","description":"A table within a Log Analytics workspace that stores a specific stream of log records; tables define schema, retention, and ingestion for their data."},"risks":["destruction:logs","destruction:data"],"notes":"Dropping a table destroys all log records it holds, erasing a whole category of evidence.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/write":{"id":"Microsoft.OperationalInsights/workspaces/write","name":"Log Analytics workspace","scope":"HIGH","parent":{"notes":"The workspace aggregates security and operational logs across many organizational functions and is the evidence store for incident response, so the resource type is HIGH.","description":"A Log Analytics workspace, the central log store that ingests and retains telemetry for Azure Monitor and Microsoft Sentinel; it holds the security-relevant logs that every downstream detection and investigation depends on."},"risks":["impact:manipulation","destruction:logs"],"notes":"Creating or relinking a workspace and changing its retention/ingestion settings can silently shorten log retention or reroute collection, shrinking the evidence trail.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.OperationalInsights/workspaces/delete":{"id":"Microsoft.OperationalInsights/workspaces/delete","name":"Log Analytics workspace","scope":"HIGH","parent":{"notes":"The workspace aggregates security and operational logs across many organizational functions and is the evidence store for incident response, so the resource type is HIGH.","description":"A Log Analytics workspace, the central log store that ingests and retains telemetry for Azure Monitor and Microsoft Sentinel; it holds the security-relevant logs that every downstream detection and investigation depends on."},"risks":["destruction:logs","destruction:data"],"notes":"Deletes the entire log store, destroying all retained telemetry and the audit trail in one action.","links":["https://azure.permissions.cloud/iam/Microsoft.OperationalInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Locations/backupCrossRegionRestore/action":{"id":"Microsoft.RecoveryServices/Locations/backupCrossRegionRestore/action","name":"Recovery Services backup recovery points (location)","scope":"HIGH","parent":{"notes":"Backup recovery points contain copies of protected organizational data (VM disks, files, databases); the cross-region restore surface can surface that data into a secondary region.","description":"Location-scoped Recovery Services backup operations that operate on a vault's protected backup recovery points and cross-region restore workflow in the secondary (paired) region."},"risks":["exfiltration:data","impact:spend"],"notes":"Triggering a cross-region restore reconstitutes protected backup data into a secondary-region target the attacker can influence, exfiltrating organizational data and provisioning billable restore infrastructure.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/backupCrossTenantVaultMappings/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action":{"id":"Microsoft.RecoveryServices/Vaults/backupCrossTenantVaultMappings/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action","name":"Cross-tenant backup recovery points","scope":"HIGH","parent":{"notes":"Recovery points are the actual backup data copies; their restore exposes the underlying organizational data.","description":"A recovery point is a stored backup snapshot of a protected item at a point in time, enumerated here through a cross-tenant vault mapping. The list reveals which restorable backup copies of organizational data exist and their timestamps."},"risks":["exfiltration:data","impact:manipulation","impact:spend"],"notes":"Restoring a recovery point reconstitutes the full backed-up data (potentially to an attacker-chosen target across the tenant boundary, exfiltrating it), can overwrite live data via original-location restore (manipulation), and provisions billable restore infrastructure (spend).","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/backupCrossTenantVaultMappings/vaultCredentials/generate/action":{"id":"Microsoft.RecoveryServices/Vaults/backupCrossTenantVaultMappings/vaultCredentials/generate/action","name":"Cross-tenant vault mapping credentials","scope":"CRITICAL","parent":{"notes":"Vault credentials are usable identity/authentication material; cross-tenant variants enable access into another tenant's recovery vault and its backed-up data.","description":"Recovery Services vault credentials for cross-tenant vault mappings: downloadable credential material that authenticates and registers an agent or identity to a backup vault across tenant trust boundaries."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This generate/action produces and returns the cross-tenant vault credential material, exporting usable credentials (exfiltration:crypto) that enable authentication and lateral movement into another tenant's backup vault (escalation:lateral).","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action":{"id":"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action","name":"Backup recovery points","scope":"CRITICAL","parent":{"notes":"Recovery points hold full copies of production organizational data; access to them is equivalent to access to the source data.","description":"Recovery points are point-in-time backup snapshots of protected items (VMs, databases, file shares) stored within a Recovery Services vault."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Returns an access token for cross-region restore, disclosing credential material that grants the holder access to the backed-up data copy in the secondary region.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action":{"id":"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action","name":"Backup recovery points","scope":"HIGH","parent":{"notes":"Recovery points hold full copies of production organizational data; access to them is equivalent to access to the source data.","description":"Recovery points are point-in-time backup snapshots of protected items (VMs, databases, file shares) stored within a Recovery Services vault."},"risks":["exfiltration:data"],"notes":"Provisioning instant item recovery mounts the recovery point (e.g., as an iSCSI/file target), exposing the backed-up organizational data for direct file-level reading and extraction.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action":{"id":"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action","name":"Backup recovery points","scope":"HIGH","parent":{"notes":"Recovery points hold full copies of production organizational data; access to them is equivalent to access to the source data.","description":"Recovery points are point-in-time backup snapshots of protected items (VMs, databases, file shares) stored within a Recovery Services vault."},"risks":["exfiltration:data","impact:manipulation"],"notes":"Restoring a recovery point materializes the backed-up data to a target the attacker can choose (exfiltration) and can overwrite live data in place with stale backup contents (manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/backupFabrics/restore/action":{"id":"Microsoft.RecoveryServices/Vaults/backupFabrics/restore/action","name":"Recovery Services backup recovery points","scope":"HIGH","parent":{"notes":"Recovery points and the restore machinery around them ultimately gate access to backed-up production data; enumeration is reconnaissance while restore is full data access.","description":"Recovery points (backup snapshots) of protected items managed under a Recovery Services vault's backup fabric, representing point-in-time copies of organizational data."},"risks":["exfiltration:data","impact:manipulation"],"notes":"Triggers an actual restore of recovery points, which can recover backed-up organizational data to an attacker-chosen target (exfiltration) and overwrite/alter live data in place (manipulation); this is the headline data-access capability of a backup vault.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/backupSecurityPIN/action":{"id":"Microsoft.RecoveryServices/Vaults/backupSecurityPIN/action","name":"Recovery Services vault","scope":"CRITICAL","parent":{"notes":"The vault itself guards organization-wide recovery data; control-plane reads expose only configuration metadata, while delete/security-PIN operations are far more sensitive.","description":"An Azure Recovery Services vault is the control-plane resource that stores and manages backups and recovery points for VMs, databases, files, and other workloads, serving as the organization's disaster-recovery and ransomware-resilience backstop."},"risks":["exfiltration:crypto","destruction:defense"],"notes":"Returns the vault Security PIN, the credential required to authorize critical/destructive backup operations (stop protection with delete data, shorten retention, disable soft-delete), so obtaining it exfiltrates credential material and defeats the vault's last-line defense control.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/certificates/write":{"id":"Microsoft.RecoveryServices/Vaults/certificates/write","name":"Recovery Services vault credential certificate","scope":"CRITICAL","parent":{"notes":"Controls the credential trust used to authenticate to vault backup/replication backend operations.","description":"The vault resource/credential certificate is the authentication trust material used by backup agents and registered clients to authenticate to the Recovery Services vault backend."},"risks":["persistence:account","escalation:lateral"],"notes":"Updating the credential certificate installs attacker-controlled authentication material, letting an attacker enroll their own credential for persistent, reusable authenticated access to the vault backend.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/extendedInformation/delete":{"id":"Microsoft.RecoveryServices/Vaults/extendedInformation/delete","name":"Recovery Services vault extended information","scope":"CRITICAL","parent":{"notes":"Holds cryptographic key material tied to vault/agent registration; an asset of CRITICAL inherent sensitivity (keys/secrets).","description":"The vault extended-information object (vaultExtendedInfo) holding the vault's cryptographic registration material: integrityKey, encryptionKey, encryptionKeyThumbprint, and algorithm used in MARS agent registration and backup integrity."},"risks":["destruction:crypto","impact:dos"],"notes":"Deleting the extended-info object removes the vault's stored integrity/encryption key material, destroying cryptographic material and impairing backup agent registration and restore operations.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/extendedInformation/read":{"id":"Microsoft.RecoveryServices/Vaults/extendedInformation/read","name":"Recovery Services vault extended information","scope":"CRITICAL","parent":{"notes":"Holds cryptographic key material tied to vault/agent registration; an asset of CRITICAL inherent sensitivity (keys/secrets).","description":"The vault extended-information object (vaultExtendedInfo) holding the vault's cryptographic registration material: integrityKey, encryptionKey, encryptionKeyThumbprint, and algorithm used in MARS agent registration and backup integrity."},"risks":["exfiltration:crypto"],"notes":"GET returns the vault's integrityKey (and the schema includes encryptionKey/encryptionKeyThumbprint) as base64 material; verified the sample response literally returns integrityKey, so this discloses cryptographic key material rather than mere config.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/extendedInformation/write":{"id":"Microsoft.RecoveryServices/Vaults/extendedInformation/write","name":"Recovery Services vault extended information","scope":"CRITICAL","parent":{"notes":"Holds cryptographic key material tied to vault/agent registration; an asset of CRITICAL inherent sensitivity (keys/secrets).","description":"The vault extended-information object (vaultExtendedInfo) holding the vault's cryptographic registration material: integrityKey, encryptionKey, encryptionKeyThumbprint, and algorithm used in MARS agent registration and backup integrity."},"risks":["impact:manipulation"],"notes":"PUT/PATCH overwrites the vault's integrityKey/algorithm registration material, tampering with the vault's cryptographic/registration configuration backing backup integrity.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/reassociateGateway/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/reassociateGateway/action","name":"Reassociate Site Recovery fabric gateway","scope":"CRITICAL","parent":{"notes":"Changing the gateway relocates the replication data path; an attacker can redirect it through an attacker-influenced server to intercept or disrupt the flow of replicated workload data.","description":"Reassociates the gateway/process server used by a Site Recovery replication fabric to carry replication traffic between protected workloads and their recovery copies."},"risks":["impact:manipulation","escalation:network"],"notes":"Redirects replication traffic to a different gateway, letting an attacker reroute the DR data path onto infrastructure they control or influence.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/remove/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/remove/action","name":"Remove Site Recovery replication fabric","scope":"CRITICAL","parent":{"notes":"Removing a fabric destroys the replication topology and the protection it provides to every workload hosted on it, defeating disaster recovery; equivalent in effect to deleting the fabric.","description":"Removes a Site Recovery replication fabric and its associated replication topology from the vault."},"risks":["destruction:defense","destruction:infra"],"notes":"Tears down the fabric and its contained protection, eliminating the disaster-recovery copy for the workloads it hosts.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/removeInfra/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/removeInfra/action","name":"Remove Site Recovery fabric infrastructure","scope":"CRITICAL","parent":{"notes":"Dismantling the fabric infrastructure breaks the data path that carries replication, degrading or defeating disaster-recovery protection for workloads on the fabric.","description":"Removes the underlying infrastructure (process servers, gateways, and supporting components) associated with a Site Recovery replication fabric."},"risks":["destruction:defense","destruction:infra"],"notes":"Removes the servers and components underpinning replication, halting the protection path and rendering the DR copy unrecoverable.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/remove/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/remove/action","name":"Remove Site Recovery protection container","scope":"HIGH","parent":{"notes":"Removing a container dismantles the grouping and mappings that protect its items, defeating disaster recovery for the workloads it holds.","description":"Removes a Site Recovery replication protection container from a fabric."},"risks":["destruction:defense","destruction:infra"],"notes":"Removes the container and the protection mappings within it, eliminating the recovery capability for the contained workloads.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/migrate/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/migrate/action","name":"Migrate Site Recovery migration item","scope":"HIGH","parent":{"notes":"Migration cutover relocates the workload into the configured Azure target; an unauthorized invocation disrupts the source workload and instantiates it in an attacker-influenced target network or resource group.","description":"Performs the migration cutover of a migration item, bringing the workload up in its Azure target from the replicated data."},"risks":["impact:dos","escalation:network"],"notes":"Cuts the workload over to its Azure target, disrupting the source and landing the migrated instance in the configured (possibly attacker-controlled) target network.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/pauseReplication/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/pauseReplication/action","name":"Pause Site Recovery migration item replication","scope":"HIGH","parent":{"notes":"Pausing replication stops the recovery copy from tracking source changes, so recovery points go stale and the protection silently degrades while the item still appears configured.","description":"Pauses ongoing replication for a migration item, halting updates to its replicated copy."},"risks":["destruction:defense"],"notes":"Halts replication so the recovery copy stops updating, quietly eroding recovery readiness without disabling protection outright.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/testMigrate/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/testMigrate/action","name":"Test migrate Site Recovery migration item","scope":"HIGH","parent":{"notes":"A test migration spins up a full running copy of the workload and its data; when directed into an attacker-influenced test network it yields offline access to that data outside production controls.","description":"Performs an isolated test migration of a migration item, instantiating a running copy of the workload in a test network without affecting the source."},"risks":["exfiltration:data","escalation:lateral"],"notes":"Instantiates a live copy of the workload in a chosen test network, letting an attacker access its data and reach it from network positions they control.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/write":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/write","name":"Site Recovery replication migration item","scope":"HIGH","parent":{"notes":"Migration items hold in-flight replication state and target configuration for a workload's move into Azure; deleting or reconfiguring them disrupts the migration and can misdirect where the workload lands.","description":"A Site Recovery migration item is a workload being replicated for migration into Azure (Azure Migrate scenario), tracking its replication state and migration target configuration."},"risks":["impact:manipulation"],"notes":"Creating or updating a migration item changes its target configuration, which can redirect the workload's migration destination or alter its replication settings.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/delete":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/delete","name":"Site Recovery replication migration item","scope":"HIGH","parent":{"notes":"Migration items hold in-flight replication state and target configuration for a workload's move into Azure; deleting or reconfiguring them disrupts the migration and can misdirect where the workload lands.","description":"A Site Recovery migration item is a workload being replicated for migration into Azure (Azure Migrate scenario), tracking its replication state and migration target configuration."},"risks":["destruction:defense","destruction:infra"],"notes":"Deleting a migration item discards its replication state, destroying the in-flight migration copy of the workload.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action","name":"Site Recovery protected item planned failover","scope":"CRITICAL","parent":{"notes":"A planned failover relocates the live workload to the recovery site; though graceful, an unauthorized invocation disrupts production and moves the workload to the configured recovery network.","description":"Triggers a planned failover of a protected item to its recovery region, gracefully moving the running workload to the recovery site."},"risks":["impact:dos"],"notes":"Moves the running workload to the recovery region, interrupting the production instance.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/remove/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/remove/action","name":"Remove Site Recovery protected item","scope":"CRITICAL","parent":{"notes":"Removing a protected item stops its replication and discards its recovery points, eliminating the DR copy for that workload.","description":"Disables replication for a protected item and removes it from Site Recovery protection."},"risks":["destruction:defense","destruction:infra"],"notes":"Disables replication and removes the item's recovery points, leaving the workload with no disaster-recovery copy; a ransomware precursor.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/removeDisks/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/removeDisks/action","name":"Remove disks from Site Recovery protected item","scope":"CRITICAL","parent":{"notes":"Dropping disks from replication silently narrows what is protected, so the excluded data becomes unrecoverable at failover while the item still appears protected.","description":"Removes one or more disks from the set replicated for a protected item, excluding them from ongoing replication and recovery."},"risks":["destruction:defense"],"notes":"Excludes disks from replication, quietly removing their data from the recovery copy without disabling protection on the item as a whole.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action","name":"Site Recovery protected item test failover","scope":"CRITICAL","parent":{"notes":"A test failover spins up a full running copy of the production workload and its data; when directed into an attacker-influenced test network it yields offline access to that data outside production controls.","description":"Performs an isolated test failover of a protected item, instantiating a running copy of the workload from its recovery point into a test network without affecting the production source."},"risks":["exfiltration:data","escalation:lateral"],"notes":"Instantiates a live copy of the protected workload in a chosen test network, letting an attacker access the workload's data and reach it from network positions they control.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action","name":"Site Recovery protected item unplanned failover","scope":"CRITICAL","parent":{"notes":"An unplanned failover forcibly relocates the live workload to the recovery site, which is disruptive to production and can move the workload into an attacker-chosen network or region.","description":"Triggers an unplanned failover of a protected item to its recovery region, bringing the workload up from a recovery point without a graceful shutdown of the source."},"risks":["impact:dos","escalation:network"],"notes":"Forces the workload over to the recovery region, disrupting the running service and relocating it into the configured recovery network the attacker may control.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/write":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/write","name":"Site Recovery replication protected item","scope":"CRITICAL","parent":{"notes":"Protected items are the actual replicated copies of production workloads and their recovery points; removing or reconfiguring them destroys or misdirects the disaster-recovery copy that gates an organization's ability to recover.","description":"A Site Recovery protected item is an individual workload (typically a VM) that is actively replicated to a recovery region, along with its recovery points, target network, and target resource-group configuration."},"risks":["impact:manipulation","destruction:defense","escalation:network"],"notes":"Updating a protected item can redirect its recovery target network/resource group or shrink recovery-point retention, redirecting where the DR copy lands and reducing the recoverable history available after an attack.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/delete":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/delete","name":"Site Recovery replication protected item","scope":"CRITICAL","parent":{"notes":"Protected items are the actual replicated copies of production workloads and their recovery points; removing or reconfiguring them destroys or misdirects the disaster-recovery copy that gates an organization's ability to recover.","description":"A Site Recovery protected item is an individual workload (typically a VM) that is actively replicated to a recovery region, along with its recovery points, target network, and target resource-group configuration."},"risks":["destruction:defense","destruction:infra","impact:dos"],"notes":"Deleting a protected item destroys its replication and recovery points, removing the disaster-recovery copy for that workload; a classic precursor to a destructive/ransomware attack.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionClusters/testFailover/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionClusters/testFailover/action","name":"Site Recovery protection cluster test failover","scope":"HIGH","parent":{"notes":"A test failover spins up a full running copy of the clustered workload and its data; when directed into an attacker-influenced test network it yields offline access to that data outside production controls.","description":"Performs an isolated test failover of a protection cluster, instantiating a running copy of the clustered workload into a test network without affecting production."},"risks":["exfiltration:data","escalation:lateral"],"notes":"Instantiates a live copy of the clustered workload in a chosen test network, letting an attacker access its data and reach it from network positions they control.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionClusters/unplannedFailover/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionClusters/unplannedFailover/action","name":"Site Recovery protection cluster unplanned failover","scope":"HIGH","parent":{"notes":"An unplanned cluster failover forcibly relocates the clustered workload to the recovery site, disrupting production and moving it into the configured recovery network.","description":"Triggers an unplanned failover of a protection cluster to its recovery region, bringing the clustered workload up from recovery points without a graceful source shutdown."},"risks":["impact:dos","escalation:network"],"notes":"Forces the clustered workload over to the recovery region, disrupting the running service and relocating it into the configured recovery network the attacker may control.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionClusters/delete":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionClusters/delete","name":"Site Recovery replication protection cluster","scope":"HIGH","parent":{"notes":"A protection cluster gates coordinated recovery of a clustered workload; deleting it or forcing its failover disrupts or destroys the recovery capability for the whole cluster.","description":"A Site Recovery protection cluster represents a clustered workload replicated as a unit, coordinating failover of its member protected items together."},"risks":["destruction:defense","destruction:infra"],"notes":"Deleting a protection cluster removes coordinated replication for the clustered workload, destroying its disaster-recovery copy.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/write":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/replicationProtectionContainers/write","name":"Site Recovery replication protection container","scope":"HIGH","parent":{"notes":"The container is the grouping layer between a fabric and its protected items; reconfiguring or removing it disrupts the protection of the workloads it holds, but it does not itself store recovery data.","description":"A Site Recovery protection container groups the replicated (protected) items within a fabric and holds the container mappings that define how source workloads map to their recovery targets."},"risks":["impact:manipulation"],"notes":"Creating or updating a protection container changes the mapping that governs how source workloads replicate to their targets, which can misdirect or weaken the protection of the contained items.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/write":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/write","name":"Site Recovery replication fabric","scope":"CRITICAL","parent":{"notes":"The fabric is the root of the replication topology; deleting it cascades to every protection container and protected item it hosts, so its loss defeats disaster recovery for all workloads replicating through it.","description":"An Azure Site Recovery replication fabric represents a source or target location (Azure region, VMM/Hyper-V site, or on-premises environment) that hosts the replication topology and process/gateway servers linking protected workloads to their disaster-recovery copies."},"risks":["impact:manipulation","destruction:defense"],"notes":"Creating or reconfiguring a fabric alters the replication topology and its gateway/process-server association, which can degrade or misdirect the protection path for workloads that depend on it.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationFabrics/delete":{"id":"Microsoft.RecoveryServices/Vaults/replicationFabrics/delete","name":"Site Recovery replication fabric","scope":"CRITICAL","parent":{"notes":"The fabric is the root of the replication topology; deleting it cascades to every protection container and protected item it hosts, so its loss defeats disaster recovery for all workloads replicating through it.","description":"An Azure Site Recovery replication fabric represents a source or target location (Azure region, VMM/Hyper-V site, or on-premises environment) that hosts the replication topology and process/gateway servers linking protected workloads to their disaster-recovery copies."},"risks":["destruction:defense","destruction:infra","impact:dos"],"notes":"Deleting a fabric tears down the replication topology and cascades to all contained protection containers and protected items, destroying disaster-recovery capability for those workloads; a common ransomware precursor.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/plannedFailover/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/plannedFailover/action","name":"Site Recovery recovery plan planned failover","scope":"CRITICAL","parent":{"notes":"A planned failover relocates every workload in the plan to the recovery site; though graceful, an unauthorized invocation broadly disrupts production for the whole group.","description":"Triggers a planned failover of all protected items in a recovery plan to their recovery region, gracefully moving the grouped workloads to the recovery site."},"risks":["impact:dos"],"notes":"Moves every workload in the plan to the recovery region, interrupting the production instances across the group.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/testFailover/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/testFailover/action","name":"Site Recovery recovery plan test failover","scope":"CRITICAL","parent":{"notes":"A test failover spins up full running copies of every workload in the plan and their data; when directed into an attacker-influenced test network it yields offline access to that data across the group outside production controls.","description":"Performs an isolated test failover of a recovery plan, instantiating running copies of all its protected workloads into a test network without affecting production."},"risks":["exfiltration:data","escalation:lateral"],"notes":"Instantiates live copies of every workload in the plan in a chosen test network, letting an attacker access their data and reach them from network positions they control.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/unplannedFailover/action":{"id":"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/unplannedFailover/action","name":"Site Recovery recovery plan unplanned failover","scope":"CRITICAL","parent":{"notes":"An unplanned failover of a recovery plan forcibly relocates every workload in the plan to the recovery site at once, a broad disruption that also moves the workloads into their configured recovery networks.","description":"Triggers an unplanned failover of all protected items in a recovery plan to their recovery region, without a graceful source shutdown."},"risks":["impact:dos","escalation:network"],"notes":"Forces every workload in the plan over to the recovery region, causing broad service disruption and relocating them into the configured recovery networks the attacker may control.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/write":{"id":"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/write","name":"Site Recovery replication recovery plan","scope":"CRITICAL","parent":{"notes":"Recovery plans define the org's coordinated failover orchestration and can invoke automation; manipulating one can sabotage recovery or inject attacker-controlled steps, and deleting one removes the ability to recover the grouped workloads in a coordinated way.","description":"A Site Recovery recovery plan orchestrates failover of a group of protected items in a defined sequence, including pre/post steps such as Azure Automation runbooks and manual actions."},"risks":["impact:manipulation","destruction:defense","escalation:lateral"],"notes":"Editing a recovery plan can reorder or break the failover sequence (defeating orderly recovery) and can add Azure Automation runbook steps that execute in the automation account's context, giving an attacker a code-execution foothold.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/delete":{"id":"Microsoft.RecoveryServices/Vaults/replicationRecoveryPlans/delete","name":"Site Recovery replication recovery plan","scope":"CRITICAL","parent":{"notes":"Recovery plans define the org's coordinated failover orchestration and can invoke automation; manipulating one can sabotage recovery or inject attacker-controlled steps, and deleting one removes the ability to recover the grouped workloads in a coordinated way.","description":"A Site Recovery recovery plan orchestrates failover of a group of protected items in a defined sequence, including pre/post steps such as Azure Automation runbooks and manual actions."},"risks":["destruction:defense"],"notes":"Deleting a recovery plan removes the orchestration needed to fail the grouped workloads over in a coordinated way, degrading disaster-recovery capability even though the underlying protected items persist.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.RecoveryServices/Vaults/vaultTokens/read":{"id":"Microsoft.RecoveryServices/Vaults/vaultTokens/read","name":"Recovery Services vault token","scope":"CRITICAL","parent":{"notes":"Returns reusable credential/secret material granting authenticated access to the vault backend.","description":"The vault token is credential material returned by the Recovery Services vault that is used to authenticate vault-level backend backup and recovery operations."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This read returns a vault token (credential material) that an attacker can reuse to authenticate to and act against the vault backend.","links":["https://azure.permissions.cloud/iam/Microsoft.RecoveryServices","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Resources/deploymentStacks/delete":{"id":"Microsoft.Resources/deploymentStacks/delete","name":"Azure deployment stacks","scope":"HIGH","parent":{"notes":"A stack can span an entire resource group, subscription, or management group, can deploy role assignments and managed identities, and can enforce locks on its managed resources, making it a high-leverage control-plane asset.","description":"Deployment Stacks are Azure resources that manage a collection of resources deployed from a template as a single governed unit, with denySettings that apply deny-assignment-like protections to the managed resources."},"risks":["destruction:infra","impact:dos"],"notes":"Deletes a deployment stack and, depending on delete mode, can cascade-delete all of its managed resources, destroying infrastructure and disrupting the services it hosts.","links":["https://azure.permissions.cloud/iam/Microsoft.Resources","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Resources/deploymentStacks/write":{"id":"Microsoft.Resources/deploymentStacks/write","name":"Azure deployment stacks","scope":"HIGH","parent":{"notes":"A stack can span an entire resource group, subscription, or management group, can deploy role assignments and managed identities, and can enforce locks on its managed resources, making it a high-leverage control-plane asset.","description":"Deployment Stacks are Azure resources that manage a collection of resources deployed from a template as a single governed unit, with denySettings that apply deny-assignment-like protections to the managed resources."},"risks":["impact:manipulation","escalation:lateral","escalation:privilege","impact:hijack","impact:spend","impact:access"],"notes":"Creates or updates a deployment stack, deploying arbitrary ARM resources at stack scope: it can provision/run costly compute (hijack, spend), assign and run as managed identities (lateral movement), create role assignments (privilege escalation), broadly alter infrastructure config (manipulation), and apply denySettings that lock other principals out of managed resources (denial-of-access).","links":["https://azure.permissions.cloud/iam/Microsoft.Resources","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Resources/deployments/delete":{"id":"Microsoft.Resources/deployments/delete","name":"ARM deployment","scope":"LOW","parent":{"notes":"The deployment record itself is metadata/history; the dangerous capability is the write path, which executes an arbitrary template that can provision any resource type including role assignments, managed identities, and compute.","description":"An Azure Resource Manager (ARM) deployment is a control-plane record of a template-based provisioning operation at management-group or tenant scope, capturing which resources were deployed and their configuration."},"risks":["destruction:metadata"],"notes":"Deleting a deployment removes only the deployment history record, not the underlying provisioned resources, destroying operational deployment metadata and obscuring prior change activity.","links":["https://azure.permissions.cloud/iam/Microsoft.Resources","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Resources/deployments/write":{"id":"Microsoft.Resources/deployments/write","name":"ARM deployment","scope":"CRITICAL","parent":{"notes":"The deployment record itself is metadata/history; the dangerous capability is the write path, which executes an arbitrary template that can provision any resource type including role assignments, managed identities, and compute.","description":"An Azure Resource Manager (ARM) deployment is a control-plane record of a template-based provisioning operation at management-group or tenant scope, capturing which resources were deployed and their configuration."},"risks":["escalation:privilege","escalation:lateral","impact:manipulation","impact:hijack","impact:spend"],"notes":"Creating/updating an ARM deployment executes an arbitrary template that can create role assignments (privilege escalation), assign and act as managed identities (lateral movement), rewrite configuration (manipulation), and provision costly compute (hijack/spend).","links":["https://azure.permissions.cloud/iam/Microsoft.Resources","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Resources/subscriptions/resourceGroups/deployments/write":{"id":"Microsoft.Resources/subscriptions/resourceGroups/deployments/write","name":"ARM deployment (resource group)","scope":"CRITICAL","parent":{"notes":"The deployment record itself is metadata/history; the dangerous capability is the write path, which executes an arbitrary template that can provision any resource type including role assignments, managed identities, and compute.","description":"A resource-group-scoped Azure Resource Manager (ARM) deployment is the control-plane record of a template-based provisioning operation within a resource group, capturing which resources were deployed and their configuration."},"risks":["escalation:privilege","escalation:lateral","impact:manipulation","impact:hijack","impact:spend"],"notes":"Creating/updating a resource-group deployment executes an arbitrary template that can create role assignments (privilege escalation), assign/act as managed identities (lateral movement), rewrite configuration (manipulation), and provision costly compute (hijack/spend).","links":["https://azure.permissions.cloud/iam/Microsoft.Resources","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/alertsSuppressionRules/write":{"id":"Microsoft.Security/alertsSuppressionRules/write","name":"Security alert suppression rules","scope":"MEDIUM","parent":{"notes":"These rules govern which detections reach responders; they affect threat-detection visibility rather than production data directly.","description":"Rules in Microsoft Defender for Cloud that automatically dismiss or suppress security alerts matching defined criteria, preventing matching future alerts from surfacing to responders."},"risks":["destruction:defense","destruction:logs"],"notes":"Pre-creating a suppression rule matching the attacker's own activity ensures future alerts on that activity are auto-dismissed, silently evading detection and preventing those alerts from being recorded/actioned.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/alertsSuppressionRules/delete":{"id":"Microsoft.Security/alertsSuppressionRules/delete","name":"Security alert suppression rules","scope":"MEDIUM","parent":{"notes":"These rules govern which detections reach responders; they affect threat-detection visibility rather than production data directly.","description":"Rules in Microsoft Defender for Cloud that automatically dismiss or suppress security alerts matching defined criteria, preventing matching future alerts from surfacing to responders."},"risks":["impact:manipulation"],"notes":"Deleting a suppression rule alters detection configuration; primarily a tampering primitive against the alert-handling ruleset.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/assessments/write":{"id":"Microsoft.Security/assessments/write","name":"Security assessments","scope":"MEDIUM","parent":{"notes":"Assessment state is the security posture record; falsifying it misleads responders and auditors but does not alter production data.","description":"The results of Microsoft Defender for Cloud security assessments (recommendation findings and their healthy/unhealthy status) recorded against resources at the scope."},"risks":["impact:manipulation","destruction:defense"],"notes":"Writing assessment results lets an attacker fabricate a healthy/passing status for a resource, hiding a real finding of their misconfiguration from responders and dashboards.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/automations/write":{"id":"Microsoft.Security/automations/write","name":"Defender for Cloud workflow automations","scope":"MEDIUM","parent":{"notes":"These drive automated response and downstream export of security events; tampering affects response/telemetry flow rather than production data.","description":"Automation configurations that route Microsoft Defender for Cloud alerts, recommendations, and assessment events to targets such as Logic Apps, Event Hubs, or Log Analytics for automated SOAR-style response and export."},"risks":["destruction:defense","exfiltration:logs"],"notes":"Editing an automation can disable automated response to the attacker's activity, or repoint the export target to an attacker-controlled Event Hub/endpoint to siphon off security alert and event data.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/automations/delete":{"id":"Microsoft.Security/automations/delete","name":"Defender for Cloud workflow automations","scope":"MEDIUM","parent":{"notes":"These drive automated response and downstream export of security events; tampering affects response/telemetry flow rather than production data.","description":"Automation configurations that route Microsoft Defender for Cloud alerts, recommendations, and assessment events to targets such as Logic Apps, Event Hubs, or Log Analytics for automated SOAR-style response and export."},"risks":["destruction:defense"],"notes":"Deleting an automation removes the automated response/export workflow, so detections no longer trigger their configured containment or notification actions.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/customRecommendations/write":{"id":"Microsoft.Security/customRecommendations/write","name":"Custom security recommendations","scope":"MEDIUM","parent":{"notes":"These are custom detection checks; removing or altering them reduces detection coverage rather than affecting production data.","description":"Customer-defined Microsoft Defender for Cloud recommendations that evaluate resources against organization-specific security checks and surface findings for the scope."},"risks":["impact:manipulation"],"notes":"Editing a custom recommendation can loosen its logic so the attacker's misconfiguration no longer triggers a finding, manipulating what the posture surface reports.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/customRecommendations/delete":{"id":"Microsoft.Security/customRecommendations/delete","name":"Custom security recommendations","scope":"MEDIUM","parent":{"notes":"These are custom detection checks; removing or altering them reduces detection coverage rather than affecting production data.","description":"Customer-defined Microsoft Defender for Cloud recommendations that evaluate resources against organization-specific security checks and surface findings for the scope."},"risks":["destruction:defense","impact:manipulation"],"notes":"Deleting a custom recommendation removes an organization-defined detection check entirely, eliminating coverage for the condition it monitored.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/defenderforstoragesettings/write":{"id":"Microsoft.Security/defenderforstoragesettings/write","name":"Defender for Storage settings","scope":"MEDIUM","parent":{"notes":"This is a detection control over storage; disabling it removes malware/threat scanning coverage rather than altering stored data itself.","description":"The Microsoft Defender for Storage configuration for the scope, controlling on-upload malware scanning, sensitive-data threat detection, and activity monitoring for storage accounts."},"risks":["destruction:defense"],"notes":"Editing the settings can turn off malware scanning and threat detection for storage accounts, letting an attacker upload malicious or exfiltrate data without triggering storage threat alerts.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/defenderforstoragesettings/delete":{"id":"Microsoft.Security/defenderforstoragesettings/delete","name":"Defender for Storage settings","scope":"MEDIUM","parent":{"notes":"This is a detection control over storage; disabling it removes malware/threat scanning coverage rather than altering stored data itself.","description":"The Microsoft Defender for Storage configuration for the scope, controlling on-upload malware scanning, sensitive-data threat detection, and activity monitoring for storage accounts."},"risks":["destruction:defense"],"notes":"Deleting the Defender for Storage settings disables storage malware/threat scanning entirely, removing that detection control.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/iotDefenderSettings/DownloadManagerActivation/action":{"id":"Microsoft.Security/iotDefenderSettings/DownloadManagerActivation/action","name":"Defender for IoT settings","scope":"MEDIUM","parent":{"notes":"Configuration of a defensive security service; reading or altering it exposes or weakens the overall IoT threat-protection posture.","description":"Defender for IoT settings hold the subscription/tenant-wide configuration and plan for the Microsoft Defender for IoT security service."},"risks":["exfiltration:crypto"],"notes":"Downloads the on-premises management-console activation file (with subscription quota data), returning credential-like activation material used to onboard the central manager.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/iotSensors/DownloadActivation/action":{"id":"Microsoft.Security/iotSensors/DownloadActivation/action","name":"Defender for IoT sensors","scope":"MEDIUM","parent":{"notes":"These are defensive security-monitoring components; tampering with them affects threat-detection coverage rather than primary production data.","description":"Defender for IoT network monitoring sensors are appliances that passively monitor OT/IoT network traffic for threats and feed detections into Microsoft Defender for IoT."},"risks":["exfiltration:crypto"],"notes":"Downloads the sensor activation/license file, returning credential-like onboarding material that authorizes a sensor; exporting it is exfiltration of secret material.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/iotSensors/DownloadResetPassword/action":{"id":"Microsoft.Security/iotSensors/DownloadResetPassword/action","name":"Defender for IoT sensors","scope":"MEDIUM","parent":{"notes":"These are defensive security-monitoring components; tampering with them affects threat-detection coverage rather than primary production data.","description":"Defender for IoT network monitoring sensors are appliances that passively monitor OT/IoT network traffic for threats and feed detections into Microsoft Defender for IoT."},"risks":["exfiltration:crypto","takeover:account"],"notes":"Downloads a password-reset file returning credential material to reset the sensor's privileged admin account, exporting a secret and granting takeover of the sensor appliance.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/locations/alerts/dismiss/action":{"id":"Microsoft.Security/locations/alerts/dismiss/action","name":"Security alert dismissal","scope":"MEDIUM","parent":{"notes":"Changes the state of an already-fired detection to hide it from responders; affects incident visibility rather than production data.","description":"The action that sets a Microsoft Defender for Cloud security alert's state to dismissed, removing it from the active alert queue that responders triage."},"risks":["destruction:defense","impact:manipulation"],"notes":"Dismissing an active alert hides an already-fired detection of the attacker's activity from responders and manipulates the alert's state to a benign disposition, evading incident response.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/locations/alerts/resolve/action":{"id":"Microsoft.Security/locations/alerts/resolve/action","name":"Security alert resolution","scope":"MEDIUM","parent":{"notes":"Changes the state of an already-fired detection to hide it from responders; affects incident visibility rather than production data.","description":"The action that sets a Microsoft Defender for Cloud security alert's state to resolved, marking it as handled and removing it from the active alert queue."},"risks":["destruction:defense","impact:manipulation"],"notes":"Resolving an active alert prematurely closes a detection of the attacker's activity and manipulates its state to appear handled, evading incident response.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action":{"id":"Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action","name":"JIT network access request","scope":"HIGH","parent":{"notes":"This action opens live inbound network access to production VMs, directly enabling reachability to workloads rather than only affecting detection.","description":"The action that initiates a just-in-time access request, opening the requested inbound ports on a VM to specified source IPs for a limited time under an existing JIT policy."},"risks":["escalation:network"],"notes":"Initiating a JIT request opens inbound access (e.g. RDP/SSH) to a VM from a chosen source, giving the attacker a live network path to reach and move toward the workload.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/locations/jitNetworkAccessPolicies/write":{"id":"Microsoft.Security/locations/jitNetworkAccessPolicies/write","name":"JIT network access policies","scope":"HIGH","parent":{"notes":"These policies gate inbound network access to production VMs; tampering can open real network paths to compromise workloads, beyond mere detection posture.","description":"Just-in-time (JIT) VM access policies in Microsoft Defender for Cloud that define which VM ports may be opened on demand, to which source IPs, and for how long, keeping management ports closed until an approved request."},"risks":["impact:manipulation","escalation:network"],"notes":"Creating/updating a JIT policy can widen allowed ports, source ranges, or durations, weakening the gate so inbound access to VMs (e.g. RDP/SSH) can be opened broadly.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/locations/jitNetworkAccessPolicies/delete":{"id":"Microsoft.Security/locations/jitNetworkAccessPolicies/delete","name":"JIT network access policies","scope":"HIGH","parent":{"notes":"These policies gate inbound network access to production VMs; tampering can open real network paths to compromise workloads, beyond mere detection posture.","description":"Just-in-time (JIT) VM access policies in Microsoft Defender for Cloud that define which VM ports may be opened on demand, to which source IPs, and for how long, keeping management ports closed until an approved request."},"risks":["impact:manipulation"],"notes":"Deleting a JIT policy removes the on-demand access control governing a VM's management ports, altering the enforced network access posture.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/mdeOnboardings/read":{"id":"Microsoft.Security/mdeOnboardings/read","name":"Defender for Endpoint onboarding","scope":"MEDIUM","parent":{"notes":"The onboarding package contains sensitive provisioning material (an embedded onboarding secret/blob), not merely read-only posture metadata.","description":"The Microsoft Defender for Endpoint (MDE) onboarding script/package for the tenant, which embeds a tenant-specific onboarding key used to enroll machines into the organization's Defender tenant."},"risks":["exfiltration:crypto","discovery:infra"],"notes":"Returns the MDE onboarding script containing the tenant onboarding key/blob, exfiltrating sensitive defense-provisioning material and also revealing EDR deployment configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/policies/write":{"id":"Microsoft.Security/policies/write","name":"Security policies","scope":"MEDIUM","parent":{"notes":"This is security-scanning policy, not IAM/access policy; weakening it reduces which findings are detected, affecting detection posture rather than access control.","description":"The Defender for Cloud security policy (the set of security assessment/compliance rules evaluated against resources) governing which misconfigurations and threats are checked for at the scope."},"risks":["destruction:defense","impact:manipulation"],"notes":"Editing the security policy can disable assessment rules so the attacker's misconfigurations go undetected, weakening the detection posture and manipulating what the security scan reports.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/pricings/securityoperators/delete":{"id":"Microsoft.Security/pricings/securityoperators/delete","name":"Defender plan security operators","scope":"MEDIUM","parent":{"notes":"Couples Defender plan enforcement with a privileged managed identity (e.g. Security Admin-equivalent), making writes a privilege/identity concern, not just a posture toggle.","description":"Security operator resources tied to Microsoft Defender for Cloud pricing plans, each backed by a system-assigned managed identity that operates a Defender plan at the scope."},"risks":["destruction:defense","impact:access"],"notes":"Deleting a security operator removes the managed identity that runs a Defender plan, disabling that plan's protection and revoking the legitimate operational access tied to it.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/pricings/securityoperators/write":{"id":"Microsoft.Security/pricings/securityoperators/write","name":"Defender plan security operators","scope":"HIGH","parent":{"notes":"Couples Defender plan enforcement with a privileged managed identity (e.g. Security Admin-equivalent), making writes a privilege/identity concern, not just a posture toggle.","description":"Security operator resources tied to Microsoft Defender for Cloud pricing plans, each backed by a system-assigned managed identity that operates a Defender plan at the scope."},"risks":["escalation:lateral","persistence:account","escalation:privilege","destruction:defense"],"notes":"Creating/updating a security operator provisions and assigns a system-assigned managed identity granted Defender-plan operator (Security Admin-equivalent) privileges, enabling lateral movement via that identity, persistent identity access, and privilege escalation; it can also reconfigure the plan to weaken defenses.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/pricings/write":{"id":"Microsoft.Security/pricings/write","name":"Defender for Cloud pricing plans","scope":"HIGH","parent":{"notes":"These settings are the master on/off switch for Defender workload threat protection across the subscription; toggling them off blinds detection for entire resource classes.","description":"Per-resource-type pricing settings that enable or disable Microsoft Defender for Cloud plans (Defender for Servers, Storage, Containers, Key Vault, etc.) at a scope, controlling whether workload threat protection is active."},"risks":["destruction:defense"],"notes":"Setting a plan's pricing tier to Free/off disables that Defender plan, turning off workload threat protection and detection for the affected resource type.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/pricings/delete":{"id":"Microsoft.Security/pricings/delete","name":"Defender for Cloud pricing plans","scope":"HIGH","parent":{"notes":"These settings are the master on/off switch for Defender workload threat protection across the subscription; toggling them off blinds detection for entire resource classes.","description":"Per-resource-type pricing settings that enable or disable Microsoft Defender for Cloud plans (Defender for Servers, Storage, Containers, Key Vault, etc.) at a scope, controlling whether workload threat protection is active."},"risks":["destruction:defense"],"notes":"Deleting the pricing settings reverts the scope off the paid Defender plan, disabling its threat protection and detection.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/pricings/action":{"id":"Microsoft.Security/pricings/action","name":"Defender for Cloud pricing plans","scope":"HIGH","parent":{"notes":"These settings are the master on/off switch for Defender workload threat protection across the subscription; toggling them off blinds detection for entire resource classes.","description":"Per-resource-type pricing settings that enable or disable Microsoft Defender for Cloud plans (Defender for Servers, Storage, Containers, Key Vault, etc.) at a scope, controlling whether workload threat protection is active."},"risks":["destruction:defense"],"notes":"Applies a batch of pricing settings at once, letting an attacker disable multiple Defender plans in a single call to broadly turn off workload protection.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/securityContacts/write":{"id":"Microsoft.Security/securityContacts/write","name":"Security contacts","scope":"MEDIUM","parent":{"notes":"Controls the human notification path for security alerts; tampering affects whether responders are told about detections, not production data.","description":"The security contact configuration that defines which email addresses and phone numbers receive Microsoft Defender for Cloud alert notifications and severity thresholds for notifying."},"risks":["destruction:defense"],"notes":"Overwriting the security contact can remove responder recipients or raise the notification severity threshold so alerts on the attacker's activity are never emailed, cutting off the notification path.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/securityContacts/delete":{"id":"Microsoft.Security/securityContacts/delete","name":"Security contacts","scope":"MEDIUM","parent":{"notes":"Controls the human notification path for security alerts; tampering affects whether responders are told about detections, not production data.","description":"The security contact configuration that defines which email addresses and phone numbers receive Microsoft Defender for Cloud alert notifications and severity thresholds for notifying."},"risks":["destruction:defense"],"notes":"Deleting the security contact removes alert-email recipients so no one is notified of Defender detections, blinding responders.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/securityoperators/delete":{"id":"Microsoft.Security/securityoperators/delete","name":"Defender for Cloud security operators","scope":"HIGH","parent":{"notes":"The operator is a privileged security-plane identity, so creating/deleting it affects both privilege posture and defensive coverage.","description":"SecurityOperators are managed-identity bindings that enable Microsoft Defender for Cloud security plans (e.g. CSPM/agentless scanning) at a scope by associating a security operator identity with the requisite RBAC roles."},"risks":["destruction:defense"],"notes":"Deleting the security operator removes the identity that drives a Defender for Cloud security plan, disabling that defense mechanism's coverage at the scope.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/securityoperators/write":{"id":"Microsoft.Security/securityoperators/write","name":"Defender for Cloud security operators","scope":"HIGH","parent":{"notes":"The operator is a privileged security-plane identity, so creating/deleting it affects both privilege posture and defensive coverage.","description":"SecurityOperators are managed-identity bindings that enable Microsoft Defender for Cloud security plans (e.g. CSPM/agentless scanning) at a scope by associating a security operator identity with the requisite RBAC roles."},"risks":["escalation:lateral","escalation:privilege","destruction:defense"],"notes":"Creating/updating a security operator provisions and binds a managed identity with security-plane RBAC at the scope, granting an attacker a privileged identity to act through (lateral/privilege) and the ability to repoint or weaken Defender enforcement.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/settings/write":{"id":"Microsoft.Security/settings/write","name":"Defender for Cloud settings","scope":"MEDIUM","parent":{"notes":"These toggles govern which detection integrations and data feeds are active; disabling them reduces detection coverage rather than touching production data.","description":"Scope-level Microsoft Defender for Cloud settings, including integration toggles such as Microsoft Defender for Cloud Apps (MCAS) and WDATP/Defender for Endpoint data sharing."},"risks":["destruction:defense","impact:manipulation"],"notes":"Turning off integration settings (e.g. MCAS/WDATP data sharing) severs detection data feeds, degrading threat coverage and altering the effective security configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/unregister/action":{"id":"Microsoft.Security/unregister/action","name":"Defender for Cloud unregistration","scope":"HIGH","parent":{"notes":"Unregistration tears down Defender for Cloud coverage for the entire subscription, a broad single-action kill switch for cloud threat detection.","description":"The action that unregisters the subscription from the Microsoft.Security resource provider (Azure Security Center / Defender for Cloud), offboarding it from Defender for Cloud."},"risks":["destruction:defense"],"notes":"Unregistering the subscription offboards it from Defender for Cloud, disabling security assessments, alerts, and plans subscription-wide in a single action.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/workspaceSettings/connect/action":{"id":"Microsoft.Security/workspaceSettings/connect/action","name":"Defender for Cloud workspace reconnection","scope":"HIGH","parent":{"notes":"Governs the live binding between Defender and its telemetry destination; changing it can disrupt where security data lands for the whole subscription.","description":"The action that changes the reconnection settings binding Microsoft Defender for Cloud to its Log Analytics workspace for the scope."},"risks":["destruction:logs","destruction:defense"],"notes":"Altering the workspace reconnection settings can rebind or break Defender's connection to its Log Analytics workspace, diverting or halting security telemetry and blinding detection.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/workspaceSettings/write":{"id":"Microsoft.Security/workspaceSettings/write","name":"Defender for Cloud workspace settings","scope":"HIGH","parent":{"notes":"Defines the telemetry/alert destination for the whole subscription; redirecting or removing it can sever the flow of security data to where it is retained and analyzed.","description":"The workspace settings that determine which Log Analytics workspace Microsoft Defender for Cloud exports its security data, alerts, and agent telemetry to for the scope."},"risks":["destruction:logs","destruction:defense"],"notes":"Repointing the workspace export to an attacker-chosen or dead workspace diverts security telemetry and alerts away from the monitored/retained location, destroying the responders' log stream and blinding detection.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Security/workspaceSettings/delete":{"id":"Microsoft.Security/workspaceSettings/delete","name":"Defender for Cloud workspace settings","scope":"HIGH","parent":{"notes":"Defines the telemetry/alert destination for the whole subscription; redirecting or removing it can sever the flow of security data to where it is retained and analyzed.","description":"The workspace settings that determine which Log Analytics workspace Microsoft Defender for Cloud exports its security data, alerts, and agent telemetry to for the scope."},"risks":["destruction:logs","destruction:defense"],"notes":"Deleting the workspace settings stops export of Defender security data to Log Analytics, cutting off telemetry retention and analysis.","links":["https://azure.permissions.cloud/iam/Microsoft.Security","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/ConfidentialWatchlists/delete":{"id":"Microsoft.SecurityInsights/ConfidentialWatchlists/delete","name":"Microsoft Sentinel confidential watchlists","scope":"HIGH","parent":{"notes":"Explicitly marked confidential; contents are sensitive security operations data, so the asset is HIGH sensitivity.","description":"Confidential Watchlists are sensitive curated reference data sets in Microsoft Sentinel (e.g. VIP users, terminated employees, sensitive assets/IPs) that analytics rules correlate against during detection."},"risks":["destruction:data","destruction:defense"],"notes":"Deleting Confidential Watchlists destroys sensitive curated data and removes the lookup tables that detection rules depend on, weakening defensive coverage.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/ConfidentialWatchlists/read":{"id":"Microsoft.SecurityInsights/ConfidentialWatchlists/read","name":"Microsoft Sentinel confidential watchlists","scope":"HIGH","parent":{"notes":"Explicitly marked confidential; contents are sensitive security operations data, so the asset is HIGH sensitivity.","description":"Confidential Watchlists are sensitive curated reference data sets in Microsoft Sentinel (e.g. VIP users, terminated employees, sensitive assets/IPs) that analytics rules correlate against during detection."},"risks":["exfiltration:data"],"notes":"Reading Confidential Watchlists returns their sensitive curated contents, directly exfiltrating confidential security data useful for targeting and evasion.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/ConfidentialWatchlists/write":{"id":"Microsoft.SecurityInsights/ConfidentialWatchlists/write","name":"Microsoft Sentinel confidential watchlists","scope":"HIGH","parent":{"notes":"Explicitly marked confidential; contents are sensitive security operations data, so the asset is HIGH sensitivity.","description":"Confidential Watchlists are sensitive curated reference data sets in Microsoft Sentinel (e.g. VIP users, terminated employees, sensitive assets/IPs) that analytics rules correlate against during detection."},"risks":["impact:manipulation"],"notes":"Creating or updating Confidential Watchlists lets an attacker tamper with the reference data that detection logic correlates against, skewing or evading analytics rules.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/ExportConnections/write":{"id":"Microsoft.SecurityInsights/ExportConnections/write","name":"Microsoft Sentinel export connection","scope":"HIGH","parent":{"notes":"Export connections move aggregated security data (spanning many org functions) out of the workspace; configuring one is an exfiltration channel, so the resource type is HIGH.","description":"A Microsoft Sentinel export connection that routes security data out of the workspace to an external destination."},"risks":["exfiltration:data","exfiltration:logs"],"notes":"Creating or updating an export connection can route the workspace's aggregated security data and logs to an attacker-controlled destination, bulk-exfiltrating sensitive telemetry.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/ExportConnections/delete":{"id":"Microsoft.SecurityInsights/ExportConnections/delete","name":"Microsoft Sentinel export connection","scope":"HIGH","parent":{"notes":"Export connections move aggregated security data (spanning many org functions) out of the workspace; configuring one is an exfiltration channel, so the resource type is HIGH.","description":"A Microsoft Sentinel export connection that routes security data out of the workspace to an external destination."},"risks":["destruction:defense"],"notes":"Deleting an export connection cuts a configured security-data export, which can sever a downstream retention or monitoring pipeline that depends on the exported telemetry.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/SourceControls/write":{"id":"Microsoft.SecurityInsights/SourceControls/write","name":"Microsoft Sentinel source control connection","scope":"HIGH","parent":{"notes":"Source-control connections carry repository credentials and an automated content-deployment path into the workspace, a persistence and content-tampering vector, so the resource type is HIGH.","description":"A Microsoft Sentinel source-control connection binding the workspace to a Git repository (GitHub/Azure DevOps) for content CI/CD, holding the repository connection and credentials that deploy detections and content."},"risks":["persistence:account","impact:manipulation"],"notes":"Creating or updating a source-control connection installs attacker-controlled repository credentials and an automated deployment pipeline, both a persistence foothold and a channel to push malicious or weakened detection content into the workspace.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/SourceControls/delete":{"id":"Microsoft.SecurityInsights/SourceControls/delete","name":"Microsoft Sentinel source control connection","scope":"HIGH","parent":{"notes":"Source-control connections carry repository credentials and an automated content-deployment path into the workspace, a persistence and content-tampering vector, so the resource type is HIGH.","description":"A Microsoft Sentinel source-control connection binding the workspace to a Git repository (GitHub/Azure DevOps) for content CI/CD, holding the repository connection and credentials that deploy detections and content."},"risks":["destruction:defense"],"notes":"Deleting a source-control connection tears down the managed content pipeline that keeps detections deployed and updated, degrading detection maintenance.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/Watchlists/write":{"id":"Microsoft.SecurityInsights/Watchlists/write","name":"Microsoft Sentinel watchlist","scope":"MEDIUM","parent":{"notes":"Watchlists supply context that detections depend on; tampering can create blind spots and deletion can break dependent rules, but they are narrower than the detection engine itself, so this is MEDIUM.","description":"A Microsoft Sentinel watchlist, a named lookup table (asset lists, allow/deny lists, high-value accounts) that analytics rules and hunting queries join against for detection context."},"risks":["impact:manipulation"],"notes":"Editing a watchlist lets an attacker plant entries (e.g. add their own infrastructure to an allow-list) so rules that join against it suppress alerts on their activity.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/Watchlists/delete":{"id":"Microsoft.SecurityInsights/Watchlists/delete","name":"Microsoft Sentinel watchlist","scope":"MEDIUM","parent":{"notes":"Watchlists supply context that detections depend on; tampering can create blind spots and deletion can break dependent rules, but they are narrower than the detection engine itself, so this is MEDIUM.","description":"A Microsoft Sentinel watchlist, a named lookup table (asset lists, allow/deny lists, high-value accounts) that analytics rules and hunting queries join against for detection context."},"risks":["destruction:defense"],"notes":"Deleting a watchlist breaks the analytics rules and hunting queries that reference it, silently disabling the detections that depend on its context.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/alertRules/actions/write":{"id":"Microsoft.SecurityInsights/alertRules/actions/write","name":"Microsoft Sentinel analytics rule action","scope":"HIGH","parent":{"notes":"These bindings drive automated response; removing or altering them silently breaks the reaction to a detection even while the rule itself still fires, so they inherit the detection backbone's HIGH scope.","description":"A response action attached to a Microsoft Sentinel analytics rule, binding the rule to an automation/playbook that fires when the rule triggers."},"risks":["destruction:defense"],"notes":"Repointing or altering a rule's response action can suppress the automated reaction (notification, playbook) to a triggered detection, letting an alert fire into a void.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/alertRules/actions/delete":{"id":"Microsoft.SecurityInsights/alertRules/actions/delete","name":"Microsoft Sentinel analytics rule action","scope":"HIGH","parent":{"notes":"These bindings drive automated response; removing or altering them silently breaks the reaction to a detection even while the rule itself still fires, so they inherit the detection backbone's HIGH scope.","description":"A response action attached to a Microsoft Sentinel analytics rule, binding the rule to an automation/playbook that fires when the rule triggers."},"risks":["destruction:defense"],"notes":"Deleting the response action decouples the rule from its automated response, so detections no longer drive any reaction.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/alertRules/triggerRuleRun/action":{"id":"Microsoft.SecurityInsights/alertRules/triggerRuleRun/action","name":"Microsoft Sentinel analytics rule on-demand run","scope":"LOW","parent":{"notes":"This only re-executes an existing rule as already configured; it cannot disable or alter detection (that is alertRules/write) and has no destructive effect, so scope is LOW.","description":"Triggers an on-demand run of an existing Microsoft Sentinel analytics rule."},"risks":["impact:consumption"],"notes":"On-demand rule execution consumes analytics query capacity; repeated triggering could burn quota, but it neither alters nor disables detection.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/alertRules/write":{"id":"Microsoft.SecurityInsights/alertRules/write","name":"Microsoft Sentinel analytics rule","scope":"HIGH","parent":{"notes":"Analytics rules are the SOC's detection backbone; tampering with or removing them creates blind spots across the security-monitoring function, so the resource type is inherently HIGH.","description":"A Microsoft Sentinel analytics (alert) rule that queries ingested telemetry on a schedule and raises alerts/incidents when its detection logic matches. These rules are the primary detection mechanism of the SIEM."},"risks":["destruction:defense"],"notes":"Updating a rule lets an attacker disable it or narrow its detection logic to carve out blind spots around their own activity, defeating detection without leaving an obvious deletion.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/alertRules/delete":{"id":"Microsoft.SecurityInsights/alertRules/delete","name":"Microsoft Sentinel analytics rule","scope":"HIGH","parent":{"notes":"Analytics rules are the SOC's detection backbone; tampering with or removing them creates blind spots across the security-monitoring function, so the resource type is inherently HIGH.","description":"A Microsoft Sentinel analytics (alert) rule that queries ingested telemetry on a schedule and raises alerts/incidents when its detection logic matches. These rules are the primary detection mechanism of the SIEM."},"risks":["destruction:defense"],"notes":"Removing an analytics rule permanently stops the detections it produced, blinding the SOC to the behaviors it covered.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/automationRules/write":{"id":"Microsoft.SecurityInsights/automationRules/write","name":"Microsoft Sentinel automation rule","scope":"HIGH","parent":{"notes":"Automation rules govern the SOAR response layer; tampering with them can disable auto-response or redirect it to attacker automation, so the resource type is HIGH.","description":"A Microsoft Sentinel automation rule that orchestrates incident handling, applying conditions to run playbooks, assign owners, change status, or suppress incidents automatically."},"risks":["destruction:defense","escalation:lateral"],"notes":"Updating an automation rule can disable automated response or auto-close incoming incidents (defeating response), and can point the rule at an attacker-chosen playbook that then runs under its managed identity.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/automationRules/delete":{"id":"Microsoft.SecurityInsights/automationRules/delete","name":"Microsoft Sentinel automation rule","scope":"HIGH","parent":{"notes":"Automation rules govern the SOAR response layer; tampering with them can disable auto-response or redirect it to attacker automation, so the resource type is HIGH.","description":"A Microsoft Sentinel automation rule that orchestrates incident handling, applying conditions to run playbooks, assign owners, change status, or suppress incidents automatically."},"risks":["destruction:defense"],"notes":"Deleting an automation rule removes the automated incident-response orchestration it provided, so triggered incidents no longer drive a reaction.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/cases/write":{"id":"Microsoft.SecurityInsights/cases/write","name":"Microsoft Sentinel case (legacy incident)","scope":"HIGH","parent":{"notes":"Cases are the legacy investigation and response record; deleting or tampering with them destroys the attack audit trail, mirroring incidents, so the resource type is HIGH.","description":"A legacy Microsoft Sentinel case, the predecessor to incidents, holding aggregated alerts and investigation/response state."},"risks":["impact:manipulation"],"notes":"Updating a case lets an attacker close or downgrade it to bury an active detection and mislead responders.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/cases/delete":{"id":"Microsoft.SecurityInsights/cases/delete","name":"Microsoft Sentinel case (legacy incident)","scope":"HIGH","parent":{"notes":"Cases are the legacy investigation and response record; deleting or tampering with them destroys the attack audit trail, mirroring incidents, so the resource type is HIGH.","description":"A legacy Microsoft Sentinel case, the predecessor to incidents, holding aggregated alerts and investigation/response state."},"risks":["destruction:logs"],"notes":"Deleting a case destroys the legacy investigation and response record, erasing the audit trail it documented.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/dataConnectors/write":{"id":"Microsoft.SecurityInsights/dataConnectors/write","name":"Microsoft Sentinel data connector","scope":"HIGH","parent":{"notes":"Connectors are the telemetry supply for the whole SIEM; cutting one stops the logs that every detection depends on, so the resource type is HIGH.","description":"A Microsoft Sentinel data connector that ingests telemetry from a source (Azure services, endpoints, third-party products) into the workspace, feeding all downstream detection."},"risks":["destruction:logs","destruction:defense"],"notes":"Reconfiguring or disabling a data connector halts the telemetry feeding the workspace, so security logs stop arriving and every detection built on that source goes dark.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/dataConnectors/delete":{"id":"Microsoft.SecurityInsights/dataConnectors/delete","name":"Microsoft Sentinel data connector","scope":"HIGH","parent":{"notes":"Connectors are the telemetry supply for the whole SIEM; cutting one stops the logs that every detection depends on, so the resource type is HIGH.","description":"A Microsoft Sentinel data connector that ingests telemetry from a source (Azure services, endpoints, third-party products) into the workspace, feeding all downstream detection."},"risks":["destruction:logs","destruction:defense"],"notes":"Deleting a data connector severs the telemetry pipeline entirely, cutting off the log source and blinding all detections that rely on it.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/hunts/write":{"id":"Microsoft.SecurityInsights/hunts/write","name":"Microsoft Sentinel hunt","scope":"MEDIUM","parent":{"notes":"Hunts hold proactive investigation context rather than live detection logic; deleting them destroys investigation records but does not disable the platform, so this is MEDIUM.","description":"A Microsoft Sentinel hunt, a proactive threat-hunting investigation record capturing hypotheses, queries, findings, and linked evidence."},"risks":["impact:manipulation"],"notes":"Updating a hunt lets an attacker alter findings or hypotheses to steer a hunt away from their activity and mislead threat hunters.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/hunts/delete":{"id":"Microsoft.SecurityInsights/hunts/delete","name":"Microsoft Sentinel hunt","scope":"MEDIUM","parent":{"notes":"Hunts hold proactive investigation context rather than live detection logic; deleting them destroys investigation records but does not disable the platform, so this is MEDIUM.","description":"A Microsoft Sentinel hunt, a proactive threat-hunting investigation record capturing hypotheses, queries, findings, and linked evidence."},"risks":["destruction:logs"],"notes":"Deleting a hunt destroys the proactive-investigation record and its linked findings, erasing the trail of what was examined.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/incidents/comments/delete":{"id":"Microsoft.SecurityInsights/incidents/comments/delete","name":"Microsoft Sentinel incident comment","scope":"MEDIUM","parent":{"notes":"Comments are a narrower part of the incident record than the incident itself; deleting them erases investigation notes but not the whole case, so this override is MEDIUM rather than the incident-level HIGH.","description":"An analyst comment on a Microsoft Sentinel incident, capturing investigation notes and response context on the case record."},"risks":["destruction:logs"],"notes":"Deleting incident comments removes analyst investigation notes from the case record, degrading the response audit trail.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/incidents/relations/delete":{"id":"Microsoft.SecurityInsights/incidents/relations/delete","name":"Microsoft Sentinel incident relation","scope":"MEDIUM","parent":{"notes":"Relations are the evidence links of an incident rather than the incident itself; removing them degrades but does not delete the case, so this override is MEDIUM.","description":"A relation linking a Microsoft Sentinel incident to related resources such as bookmarks, alerts, and entities that constitute its investigation evidence."},"risks":["destruction:logs"],"notes":"Deleting incident relations severs the links between an incident and its supporting evidence (bookmarks, alerts, entities), degrading the investigation record.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/incidents/runPlaybook/action":{"id":"Microsoft.SecurityInsights/incidents/runPlaybook/action","name":"Microsoft Sentinel incident playbook run","scope":"HIGH","parent":{"notes":"Playbooks run under their own managed identity, which often holds broad permissions to act on incidents and connected systems; on-demand invocation can drive that identity, so this is HIGH.","description":"Runs a playbook (Logic App) against a Microsoft Sentinel incident on demand, executing the playbook's automation under its configured identity."},"risks":["escalation:lateral"],"notes":"Triggering a playbook executes its Logic App under the playbook's managed identity, letting an attacker drive that (often broadly permissioned) identity's access to connected systems.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/incidents/write":{"id":"Microsoft.SecurityInsights/incidents/write","name":"Microsoft Sentinel incident","scope":"HIGH","parent":{"notes":"Incidents are the SOC's investigation and response record; deleting or tampering with them destroys the audit trail of an attack, so the resource type is HIGH.","description":"A Microsoft Sentinel incident aggregating related alerts, entities, and analyst activity into the primary case record for security investigation and response."},"risks":["impact:manipulation"],"notes":"Updating an incident lets an attacker close it, downgrade its severity, or reassign it to bury an active detection and mislead responders.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/incidents/delete":{"id":"Microsoft.SecurityInsights/incidents/delete","name":"Microsoft Sentinel incident","scope":"HIGH","parent":{"notes":"Incidents are the SOC's investigation and response record; deleting or tampering with them destroys the audit trail of an attack, so the resource type is HIGH.","description":"A Microsoft Sentinel incident aggregating related alerts, entities, and analyst activity into the primary case record for security investigation and response."},"risks":["destruction:logs"],"notes":"Deleting an incident destroys the aggregated investigation and response record, erasing the audit trail of the attack it documented.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/onboardingStates/write":{"id":"Microsoft.SecurityInsights/onboardingStates/write","name":"Microsoft Sentinel onboarding state","scope":"HIGH","parent":{"notes":"The onboarding state controls whether Sentinel runs on a workspace at all; removing it offboards the SIEM, so the resource type is HIGH.","description":"The onboarding state marking a Log Analytics workspace as enabled for Microsoft Sentinel, gating whether the SIEM is active for that workspace."},"risks":["destruction:defense"],"notes":"Altering the onboarding state can change Sentinel's enablement on a workspace, a lever toward disabling the SIEM.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/onboardingStates/delete":{"id":"Microsoft.SecurityInsights/onboardingStates/delete","name":"Microsoft Sentinel onboarding state","scope":"HIGH","parent":{"notes":"The onboarding state controls whether Sentinel runs on a workspace at all; removing it offboards the SIEM, so the resource type is HIGH.","description":"The onboarding state marking a Log Analytics workspace as enabled for Microsoft Sentinel, gating whether the SIEM is active for that workspace."},"risks":["destruction:defense","destruction:logs"],"notes":"Deleting the onboarding state offboards Sentinel from the workspace, tearing down detections and halting security-telemetry aggregation for it.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/securityMLAnalyticsSettings/write":{"id":"Microsoft.SecurityInsights/securityMLAnalyticsSettings/write","name":"Microsoft Sentinel ML analytics setting","scope":"HIGH","parent":{"notes":"ML analytics settings back the anomaly-detection layer of the SIEM; disabling or weakening them removes behavioral detection coverage, so the resource type is HIGH.","description":"A machine-learning analytics setting in Microsoft Sentinel that powers behavioral/anomaly detections (e.g. UEBA-driven and Fusion ML models)."},"risks":["destruction:defense"],"notes":"Updating an ML analytics setting lets an attacker disable or detune anomaly detection, removing behavioral coverage that would otherwise flag their activity.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/securityMLAnalyticsSettings/delete":{"id":"Microsoft.SecurityInsights/securityMLAnalyticsSettings/delete","name":"Microsoft Sentinel ML analytics setting","scope":"HIGH","parent":{"notes":"ML analytics settings back the anomaly-detection layer of the SIEM; disabling or weakening them removes behavioral detection coverage, so the resource type is HIGH.","description":"A machine-learning analytics setting in Microsoft Sentinel that powers behavioral/anomaly detections (e.g. UEBA-driven and Fusion ML models)."},"risks":["destruction:defense"],"notes":"Deleting an ML analytics setting removes a behavioral-detection model entirely, blinding the SOC to the anomalies it covered.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/settings/write":{"id":"Microsoft.SecurityInsights/settings/write","name":"Microsoft Sentinel setting","scope":"HIGH","parent":{"notes":"These settings enable whole detection features; turning them off removes coverage across the workspace, so the resource type is HIGH.","description":"A Microsoft Sentinel workspace setting toggling detection features such as UEBA, anomalies, and entity-behavior (EyesOn) capabilities."},"risks":["destruction:defense"],"notes":"Updating a setting lets an attacker disable detection features (UEBA, anomalies, entity behavior), removing whole classes of coverage.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/settings/delete":{"id":"Microsoft.SecurityInsights/settings/delete","name":"Microsoft Sentinel setting","scope":"HIGH","parent":{"notes":"These settings enable whole detection features; turning them off removes coverage across the workspace, so the resource type is HIGH.","description":"A Microsoft Sentinel workspace setting toggling detection features such as UEBA, anomalies, and entity-behavior (EyesOn) capabilities."},"risks":["destruction:defense"],"notes":"Deleting a setting turns off the detection feature it configured, blinding the SOC to the behaviors that feature covered.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/threatintelligence/bulkDelete/action":{"id":"Microsoft.SecurityInsights/threatintelligence/bulkDelete/action","name":"Microsoft Sentinel threat intelligence bulk delete","scope":"MEDIUM","parent":{"notes":"TI is a detection input; bulk removal degrades coverage at scale but does not disable the platform, so this is MEDIUM.","description":"Bulk-deletes threat-intelligence objects in Microsoft Sentinel in a single operation."},"risks":["destruction:defense"],"notes":"Bulk-deleting threat intelligence strips indicators from the SIEM en masse, degrading detection of known-malicious infrastructure at scale.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/threatintelligence/bulkactions/Query/action":{"id":"Microsoft.SecurityInsights/threatintelligence/bulkactions/Query/action","name":"Microsoft Sentinel threat intelligence bulk actions","scope":"MEDIUM","parent":{"notes":"Threat-intelligence indicator data and operations supporting the security-monitoring function.","description":"TI Bulk Action objects in Microsoft Sentinel represent bulk operations over threat-intelligence (STIX) indicators in the workspace, and the associated indicator/IOC data."},"risks":["exfiltration:data"],"notes":"Querying Threat Intelligence STIX objects returns the actual indicator content, exporting the organization's tracked IOCs so an attacker can learn detection coverage and avoid flagged infrastructure.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/threatintelligence/indicators/bulkDelete/action":{"id":"Microsoft.SecurityInsights/threatintelligence/indicators/bulkDelete/action","name":"Microsoft Sentinel threat intelligence indicator bulk delete","scope":"MEDIUM","parent":{"notes":"Indicators are a detection input; bulk removal degrades coverage at scale but does not disable the platform, so this is MEDIUM.","description":"Bulk-deletes threat-intelligence indicators (IOCs) in Microsoft Sentinel in a single operation."},"risks":["destruction:defense"],"notes":"Bulk-deleting indicators strips IOCs from the SIEM en masse, degrading detection of known-malicious infrastructure at scale.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/threatintelligence/indicators/write":{"id":"Microsoft.SecurityInsights/threatintelligence/indicators/write","name":"Microsoft Sentinel threat intelligence indicator","scope":"MEDIUM","parent":{"notes":"Indicators are a detection input; altering or removing them narrows coverage but does not disable the platform, so this is MEDIUM.","description":"An individual threat-intelligence indicator (IOC) in Microsoft Sentinel that detections match ingested telemetry against."},"risks":["impact:manipulation"],"notes":"Writing an indicator lets an attacker inject false IOCs or alter existing ones, poisoning detection logic and potentially whitelisting their own infrastructure.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/threatintelligence/indicators/delete":{"id":"Microsoft.SecurityInsights/threatintelligence/indicators/delete","name":"Microsoft Sentinel threat intelligence indicator","scope":"MEDIUM","parent":{"notes":"Indicators are a detection input; altering or removing them narrows coverage but does not disable the platform, so this is MEDIUM.","description":"An individual threat-intelligence indicator (IOC) in Microsoft Sentinel that detections match ingested telemetry against."},"risks":["destruction:defense"],"notes":"Deleting an indicator removes an IOC the SIEM matches against, degrading detection coverage of known-malicious infrastructure.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/threatintelligence/write":{"id":"Microsoft.SecurityInsights/threatintelligence/write","name":"Microsoft Sentinel threat intelligence","scope":"MEDIUM","parent":{"notes":"TI is a detection input rather than the full SIEM; degrading it narrows detection coverage but does not disable the platform, so this resource type is MEDIUM.","description":"Threat-intelligence (STIX) data in Microsoft Sentinel, the indicators and IOCs used to match ingested telemetry against known-malicious infrastructure."},"risks":["impact:manipulation"],"notes":"Writing threat intelligence lets an attacker inject false indicators or alter existing ones, poisoning detection logic and potentially whitelisting their own infrastructure.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/threatintelligence/delete":{"id":"Microsoft.SecurityInsights/threatintelligence/delete","name":"Microsoft Sentinel threat intelligence","scope":"MEDIUM","parent":{"notes":"TI is a detection input rather than the full SIEM; degrading it narrows detection coverage but does not disable the platform, so this resource type is MEDIUM.","description":"Threat-intelligence (STIX) data in Microsoft Sentinel, the indicators and IOCs used to match ingested telemetry against known-malicious infrastructure."},"risks":["destruction:defense"],"notes":"Deleting threat intelligence removes indicators the SIEM matches against, degrading detection coverage of known-malicious infrastructure.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.SecurityInsights/unregister/action":{"id":"Microsoft.SecurityInsights/unregister/action","name":"Microsoft Sentinel unregister","scope":"HIGH","parent":{"notes":"Unregistering removes Sentinel from the subscription, the broadest single blinding action available; the EVASION-tier risks carry the severity while the asset scope is HIGH.","description":"Unregisters the subscription from Microsoft Sentinel, tearing down the SIEM's registration at the subscription level."},"risks":["destruction:defense","destruction:logs"],"notes":"Unregistering the subscription from Sentinel offboards the SIEM entirely, disabling all detection and stopping security-telemetry aggregation across the subscription.","links":["https://azure.permissions.cloud/iam/Microsoft.SecurityInsights","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/Locations/longTermRetentionServers/longTermRetentionDatabases/longTermRetentionBackups/copy/action":{"id":"Microsoft.Sql/Locations/longTermRetentionServers/longTermRetentionDatabases/longTermRetentionBackups/copy/action","name":"Azure SQL long-term retention backup","scope":"HIGH","parent":{"notes":"An LTR backup holds the complete data of a single production database; it is both a recovery asset and a full copy of sensitive organizational data, so its destruction, immutability controls, and copy operations directly affect that database's confidentiality and recoverability.","description":"A long-term retention (LTR) backup of an Azure SQL database — a full, restorable point-in-time copy of the source production database's contents retained according to an LTR policy."},"risks":["exfiltration:data"],"notes":"Copying the LTR backup to a server/location the attacker controls replicates the full database contents, allowing later restore and read of the production data (data exfiltration).","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/administrators/delete":{"id":"Microsoft.Sql/managedInstances/administrators/delete","name":"Azure SQL Managed Instance administrator","scope":"CRITICAL","parent":{"notes":"This is the top-level identity/access-control assignment for a production database instance; controlling it confers admin over all instance data.","description":"The Azure AD/Entra administrator binding for an Azure SQL Managed Instance, designating the privileged principal that holds full administrative control over the instance and all databases it hosts."},"risks":["destruction:policy","impact:access"],"notes":"Deletes the existing administrator binding, removing the access-control assignment (destruction:policy) and revoking the legitimate admin's authorized access to the instance (impact:access).","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/administrators/write":{"id":"Microsoft.Sql/managedInstances/administrators/write","name":"Azure SQL Managed Instance administrator","scope":"CRITICAL","parent":{"notes":"This is the top-level identity/access-control assignment for a production database instance; controlling it confers admin over all instance data.","description":"The Azure AD/Entra administrator binding for an Azure SQL Managed Instance, designating the privileged principal that holds full administrative control over the instance and all databases it hosts."},"risks":["escalation:privilege","escalation:lateral","persistence:account"],"notes":"Creates or updates the AAD administrator, letting an attacker designate an attacker-controlled principal as full instance admin (escalation:privilege), gaining admin over all instance data (escalation:lateral) and establishing durable privileged access (persistence:account); also overwrites the legitimate admin.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/crossSubscriptionPITR/action":{"id":"Microsoft.Sql/managedInstances/crossSubscriptionPITR/action","name":"Azure SQL Managed Instance","scope":"HIGH","parent":{"notes":"A production data store supporting a single organizational function; its configuration governs data availability, encryption, identity, and network access.","description":"Azure SQL Managed Instance is a fully managed PaaS SQL Server engine hosting production relational databases and the organizational data they contain."},"risks":["exfiltration:data"],"notes":"Authorizing cross-subscription point-in-time restore lets an attacker restore the instance's databases (and their data) into an attacker-controlled subscription, exfiltrating production data across the subscription boundary.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/databases/completeRestore/action":{"id":"Microsoft.Sql/managedInstances/databases/completeRestore/action","name":"Azure SQL Managed Database complete restore","scope":"HIGH","parent":{"notes":"Restores potentially stale data into an accessible database.","description":"Completes a managed database restore operation, bringing a restored database online and accessible."},"risks":["exfiltration:data"],"notes":"Completing a restore from an old backup can resurrect data that predates a security fix or that was since deliberately deleted, making stale sensitive records accessible again to anyone with access to the database.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/databases/queries/read":{"id":"Microsoft.Sql/managedInstances/databases/queries/read","name":"Azure SQL Managed Instance database query (Query Store)","scope":"HIGH","parent":{"notes":"Query text can embed schema, table/column names, business logic, and literal parameter values from a production database.","description":"A Query Store query record on an Azure SQL Managed Instance database, exposing the stored SQL query text for a given query id."},"risks":["exfiltration:data","discovery:data"],"notes":"Retrieves the stored SQL query TEXT by id from Query Store, which can leak literal data values and reveal database schema/structure beyond mere enumeration.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/databases/startMove/action":{"id":"Microsoft.Sql/managedInstances/databases/startMove/action","name":"Azure SQL Managed Database","scope":"HIGH","parent":{"notes":"Production data store; the data plane holds sensitive organizational data, while the control plane manages the database resource configuration.","description":"A database hosted on an Azure SQL Managed Instance, holding production organizational data for a single application or function."},"risks":["impact:manipulation","exfiltration:data"],"notes":"Initiates relocating/copying the production database to another managed instance, which can target an attacker-controlled instance, enabling exfiltration of the full dataset as well as disrupting operational placement.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/databases/delete":{"id":"Microsoft.Sql/managedInstances/databases/delete","name":"Azure SQL Managed Database","scope":"HIGH","parent":{"notes":"Production data store; the data plane holds sensitive organizational data, while the control plane manages the database resource configuration.","description":"A database hosted on an Azure SQL Managed Instance, holding production organizational data for a single application or function."},"risks":["destruction:data","impact:dos"],"notes":"Deletes the managed database and all its stored data, causing irrecoverable data loss and interrupting the function it backs.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/databases/write":{"id":"Microsoft.Sql/managedInstances/databases/write","name":"Azure SQL Managed Database","scope":"HIGH","parent":{"notes":"Production data store; the data plane holds sensitive organizational data, while the control plane manages the database resource configuration.","description":"A database hosted on an Azure SQL Managed Instance, holding production organizational data for a single application or function."},"risks":["impact:manipulation"],"notes":"Creates or updates the managed database's ARM properties (e.g. collation, restore source); lets an attacker drift the resource's configuration away from its intended state.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/distributedAvailabilityGroups/delete":{"id":"Microsoft.Sql/managedInstances/distributedAvailabilityGroups/delete","name":"Azure SQL Managed Instance distributed availability groups","scope":"HIGH","parent":{"notes":"These links sit in front of production managed-instance databases; controlling them affects data replication direction, availability, and where production data flows.","description":"A distributed availability group is a replication link between an Azure SQL Managed Instance and a partner instance (or SQL Server), used for high availability, disaster recovery, and migration."},"risks":["destruction:infra","impact:dos"],"notes":"Deleting the distributed availability group tears down the replication/DR link supporting the production database's high availability, destroying that infrastructure and disrupting availability.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/distributedAvailabilityGroups/write":{"id":"Microsoft.Sql/managedInstances/distributedAvailabilityGroups/write","name":"Azure SQL Managed Instance distributed availability groups","scope":"HIGH","parent":{"notes":"These links sit in front of production managed-instance databases; controlling them affects data replication direction, availability, and where production data flows.","description":"A distributed availability group is a replication link between an Azure SQL Managed Instance and a partner instance (or SQL Server), used for high availability, disaster recovery, and migration."},"risks":["exfiltration:data","impact:manipulation"],"notes":"Creating/configuring a distributed availability group establishes a replication link that can continuously stream production database contents to an attacker-influenced partner instance and alters the instance's replication configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/dnsAliases/acquire/action":{"id":"Microsoft.Sql/managedInstances/dnsAliases/acquire/action","name":"Azure SQL Managed Instance DNS alias","scope":"HIGH","parent":{"notes":"Controlling an alias controls where client connection traffic for a database endpoint resolves; aliases can be transferred (acquired) between instances.","description":"A friendly, CNAME-style DNS name that maps to an Azure SQL Managed Instance endpoint, allowing clients to connect using a stable alias rather than the instance's native hostname."},"risks":["takeover:domain","impact:manipulation"],"notes":"Acquiring an alias from another managed instance repoints that DNS name to the attacker's instance, hijacking client traffic destined for the legitimate database to intercept or impersonate it.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/dnsAliases/delete":{"id":"Microsoft.Sql/managedInstances/dnsAliases/delete","name":"Azure SQL Managed Instance DNS alias","scope":"HIGH","parent":{"notes":"Controlling an alias controls where client connection traffic for a database endpoint resolves; aliases can be transferred (acquired) between instances.","description":"A friendly, CNAME-style DNS name that maps to an Azure SQL Managed Instance endpoint, allowing clients to connect using a stable alias rather than the instance's native hostname."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a DNS alias removes the connection endpoint name clients depend on, breaking name resolution to the managed instance and denying service to dependent applications.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/dnsAliases/write":{"id":"Microsoft.Sql/managedInstances/dnsAliases/write","name":"Azure SQL Managed Instance DNS alias","scope":"HIGH","parent":{"notes":"Controlling an alias controls where client connection traffic for a database endpoint resolves; aliases can be transferred (acquired) between instances.","description":"A friendly, CNAME-style DNS name that maps to an Azure SQL Managed Instance endpoint, allowing clients to connect using a stable alias rather than the instance's native hostname."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/updating a DNS alias controls the name clients use to reach the managed instance, letting an attacker redirect database client connection traffic to an instance they control.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/hybridLink/delete":{"id":"Microsoft.Sql/managedInstances/hybridLink/delete","name":"Azure SQL Managed Instance hybrid link","scope":"HIGH","parent":{"notes":"Operates on a production database service; the link governs cross-environment replication of database contents.","description":"A hybrid link (Managed Instance link) is a distributed availability group that replicates databases between an external/on-premises SQL Server and an Azure SQL Managed Instance."},"risks":["destruction:infra"],"notes":"Deletes the distributed availability group, tearing down the replication/availability infrastructure for the managed instance with a DoS-like effect on replication and migration.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/managedInstances/hybridLink/write":{"id":"Microsoft.Sql/managedInstances/hybridLink/write","name":"Azure SQL Managed Instance hybrid link","scope":"HIGH","parent":{"notes":"Operates on a production database service; the link governs cross-environment replication of database contents.","description":"A hybrid link (Managed Instance link) is a distributed availability group that replicates databases between an external/on-premises SQL Server and an Azure SQL Managed Instance."},"risks":["impact:manipulation","exfiltration:data","escalation:network"],"notes":"Creating/updating the hybrid link establishes a distributed availability group that continuously replicates production database data to an external (potentially attacker-controlled) SQL Server, enabling data exfiltration, alteration of replication configuration, and extension of reach to additional networked resources.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/administrators/delete":{"id":"Microsoft.Sql/servers/administrators/delete","name":"Azure SQL server Azure AD administrator","scope":"CRITICAL","parent":{"notes":"This is an access-control assignment pointing at a highly privileged identity; controlling it grants full server/database admin authority.","description":"The Azure Active Directory administrator binding for an Azure SQL logical server, designating the identity that holds full administrative control over the server and all its databases."},"risks":["destruction:policy","impact:access"],"notes":"Deletes the Azure AD administrator binding, removing the access-control assignment (policy destruction) and denying the legitimate administrator their authorized access.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/administrators/write":{"id":"Microsoft.Sql/servers/administrators/write","name":"Azure SQL server Azure AD administrator","scope":"CRITICAL","parent":{"notes":"This is an access-control assignment pointing at a highly privileged identity; controlling it grants full server/database admin authority.","description":"The Azure Active Directory administrator binding for an Azure SQL logical server, designating the identity that holds full administrative control over the server and all its databases."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Adds/updates the Azure AD administrator, letting an attacker designate a controlled identity as full server admin, granting privileged data/control access (escalation) and access via another identity (lateral movement).","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/export/action":{"id":"Microsoft.Sql/servers/databases/export/action","name":"Azure SQL Database","scope":"HIGH","parent":{"notes":"Control-plane operations manage the database resource and its configuration; the row data itself is on the data plane. The asset typically backs a single production function, hence HIGH.","description":"An Azure SQL Database is a managed relational database hosted on a logical SQL server, storing production organizational data for an application or function."},"risks":["exfiltration:data"],"notes":"Exporting the database to a bacpac produces a full copy of all stored data to a storage target, directly enabling bulk data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/extensions/write":{"id":"Microsoft.Sql/servers/databases/extensions/write","name":"Azure SQL Database import/export extension","scope":"HIGH","parent":{"notes":"Touches the entire data plane of a production database via bulk import/export.","description":"The database extensions endpoint that drives import/export (BACPAC) operations against an Azure SQL Database, moving the full contents of a production database in or out."},"risks":["exfiltration:data","impact:manipulation"],"notes":"A write triggers a BACPAC export of the full database to attacker-controlled storage (exfiltration) or an import that overwrites/loads database contents (manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/failover/action":{"id":"Microsoft.Sql/servers/databases/failover/action","name":"Azure SQL Database failover","scope":"HIGH","parent":{"notes":"Availability action against a production database.","description":"Customer-initiated failover of a database to its secondary replica."},"risks":["impact:dos"],"notes":"Forcing a failover interrupts connections and causes a brief availability gap while the secondary is promoted; repeated forced failovers can be used to disrupt a production workload.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/import/action":{"id":"Microsoft.Sql/servers/databases/import/action","name":"Azure SQL Database import","scope":"HIGH","parent":{"notes":"Loads external, attacker-influenceable content into a production database.","description":"Imports a bacpac file from a storage location into an existing (or new) Azure SQL Database."},"risks":["impact:manipulation"],"notes":"The import source references a storage account/container chosen by the caller, which can be attacker-controlled; this lets an attacker overwrite or plant data that downstream consumers of the database will trust, staging a bacpac that is loaded into the database as a vector for injecting malicious content.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/pause/action":{"id":"Microsoft.Sql/servers/databases/pause/action","name":"Azure SQL Data Warehouse pause","scope":"HIGH","parent":{"notes":"Availability action against a production data warehouse.","description":"Pauses an Azure SQL Data Warehouse database, taking it offline until resumed."},"risks":["impact:dos"],"notes":"Pausing the data warehouse makes it unavailable to legitimate users and applications until explicitly resumed.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/queryStore/queryTexts/read":{"id":"Microsoft.Sql/servers/databases/queryStore/queryTexts/read","name":"Query Store query texts","scope":"HIGH","parent":{"notes":"Although a diagnostic feature, the stored SQL text can leak production data values and full schema, so reading it is effectively data exfiltration from inside the database.","description":"Query Store query texts are the captured raw SQL statement texts of queries executed against an Azure SQL database, retained for performance analysis. The text often embeds literal parameter values, predicates, identifiers, and schema details."},"risks":["exfiltration:data"],"notes":"Returns the actual executed SQL statement text, which routinely contains literal values and sensitive identifiers, exfiltrating data and schema from within the production database.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/resume/action":{"id":"Microsoft.Sql/servers/databases/resume/action","name":"Azure SQL Data Warehouse resume","scope":"HIGH","parent":{"notes":"Availability action against a production data warehouse; also carries a billing/cost dimension since a paused warehouse incurs no compute charges.","description":"Resumes a paused Azure SQL Data Warehouse database."},"risks":["impact:spend"],"notes":"Resuming an intentionally paused warehouse restores billed compute usage against the organization's will; availability disruption from toggling the warehouse's running state is covered by pause.yml.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/syncGroups/syncMembers/delete":{"id":"Microsoft.Sql/servers/databases/syncGroups/syncMembers/delete","name":"Azure SQL Sync Member","scope":"HIGH","parent":{"notes":"Sync members are a supporting data-replication feature; their configuration describes which databases exchange data.","description":"An Azure SQL Data Sync member is a database registered in a sync group that participates in bidirectional data synchronization, defined by its server/database identifiers and connection configuration."},"risks":["destruction:infra"],"notes":"Deleting a sync member tears down a replication relationship, disrupting data synchronization for the affected database.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/syncGroups/syncMembers/write":{"id":"Microsoft.Sql/servers/databases/syncGroups/syncMembers/write","name":"Azure SQL Sync Member","scope":"HIGH","parent":{"notes":"Sync members are a supporting data-replication feature; their configuration describes which databases exchange data.","description":"An Azure SQL Data Sync member is a database registered in a sync group that participates in bidirectional data synchronization, defined by its server/database identifiers and connection configuration."},"risks":["impact:manipulation","exfiltration:data"],"notes":"Creating/updating a sync member can point replication at an attacker-controlled database, both manipulating the sync configuration/data flow and pulling production data out through the sync channel.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/syncGroups/delete":{"id":"Microsoft.Sql/servers/databases/syncGroups/delete","name":"Azure SQL Sync Group","scope":"HIGH","parent":{"notes":"Sync groups govern the flow of operational data between databases; misconfiguration can redirect, overwrite, or disrupt replication of a single organizational function's data.","description":"An Azure SQL Data Sync group defines a hub-and-member data replication topology that synchronizes table data between a hub database and one or more member databases. It is a control-plane configuration object on a production database."},"risks":["destruction:infra","impact:dos"],"notes":"Deleting a sync group tears down the replication relationship, destroying the sync configuration and disrupting ongoing data synchronization between the hub and member databases.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/syncGroups/write":{"id":"Microsoft.Sql/servers/databases/syncGroups/write","name":"Azure SQL Sync Group","scope":"HIGH","parent":{"notes":"Sync groups govern the flow of operational data between databases; misconfiguration can redirect, overwrite, or disrupt replication of a single organizational function's data.","description":"An Azure SQL Data Sync group defines a hub-and-member data replication topology that synchronizes table data between a hub database and one or more member databases. It is a control-plane configuration object on a production database."},"risks":["impact:manipulation","exfiltration:data"],"notes":"Creating/updating a sync group defines which databases replicate, the direction, and conflict resolution; an attacker can reshape operational data flow and add a member pointing at a database they influence to siphon synced production data.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/topQueries/queryText/action":{"id":"Microsoft.Sql/servers/databases/topQueries/queryText/action","name":"Database top queries query text","scope":"HIGH","parent":{"notes":"Query text frequently embeds literal values (filter predicates, INSERT/VALUES) and reveals schema, so it can leak both stored-data fragments and structure for a single database.","description":"The raw SQL statement text of the top queries executed against an Azure SQL database, retrieved by query ID via Query Performance Insight."},"risks":["exfiltration:data","discovery:data"],"notes":"Returns the literal SQL text of executed queries, which can leak sensitive literal values embedded in statements and reveal schema/table/column structure of the database.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/delete":{"id":"Microsoft.Sql/servers/databases/delete","name":"Azure SQL Database","scope":"HIGH","parent":{"notes":"Control-plane operations manage the database resource and its configuration; the row data itself is on the data plane. The asset typically backs a single production function, hence HIGH.","description":"An Azure SQL Database is a managed relational database hosted on a logical SQL server, storing production organizational data for an application or function."},"risks":["destruction:data","impact:dos"],"notes":"Deletes the database and all its stored data, causing irrecoverable data loss (absent a separate backup/restore path) and interrupting the function it backs.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/databases/write":{"id":"Microsoft.Sql/servers/databases/write","name":"Azure SQL Database","scope":"HIGH","parent":{"notes":"Control-plane operations manage the database resource and its configuration; the row data itself is on the data plane. The asset typically backs a single production function, hence HIGH.","description":"An Azure SQL Database is a managed relational database hosted on a logical SQL server, storing production organizational data for an application or function."},"risks":["impact:manipulation"],"notes":"Creates or updates the database's ARM properties, including SKU/tier, read-scale, zone redundancy, and transparent data encryption settings; an attacker can degrade the service (config drift) or weaken TDE-related protections on stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/dnsAliases/acquire/action":{"id":"Microsoft.Sql/servers/dnsAliases/acquire/action","name":"Azure SQL Database server DNS alias","scope":"HIGH","parent":{"notes":"Controlling an alias controls the connection endpoint clients resolve to reach production databases; it is effectively a routing/domain control for the database service.","description":"A SQL server DNS alias is a stable CNAME-like DNS name that maps clients to an Azure SQL logical server, allowing the underlying server to change without updating connection strings."},"risks":["takeover:domain","impact:manipulation"],"notes":"Acquiring an existing alias from its current server and repointing it to another server hijacks the stable connection endpoint, silently redirecting client traffic to an attacker-chosen SQL server (and denying the legitimate one).","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/dnsAliases/delete":{"id":"Microsoft.Sql/servers/dnsAliases/delete","name":"Azure SQL Database server DNS alias","scope":"HIGH","parent":{"notes":"Controlling an alias controls the connection endpoint clients resolve to reach production databases; it is effectively a routing/domain control for the database service.","description":"A SQL server DNS alias is a stable CNAME-like DNS name that maps clients to an Azure SQL logical server, allowing the underlying server to change without updating connection strings."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a DNS alias removes the stable connection name clients resolve to, breaking application connectivity to the database (denial of service).","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/dnsAliases/write":{"id":"Microsoft.Sql/servers/dnsAliases/write","name":"Azure SQL Database server DNS alias","scope":"HIGH","parent":{"notes":"Controlling an alias controls the connection endpoint clients resolve to reach production databases; it is effectively a routing/domain control for the database service.","description":"A SQL server DNS alias is a stable CNAME-like DNS name that maps clients to an Azure SQL logical server, allowing the underlying server to change without updating connection strings."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/updating a DNS alias controls the stable connection hostname clients use, letting an attacker repoint the endpoint and redirect SQL traffic to a server of their choosing.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete":{"id":"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete","name":"SQL server external policy-based authorization","scope":"CRITICAL","parent":{"notes":"This is the authorization control-plane configuration governing access to a production database server.","description":"The external policy-based authorization configuration on an Azure SQL logical server, binding an external authorization provider/policy that governs who is authorized to access the database server."},"risks":["destruction:policy","impact:access"],"notes":"Deleting the external policy-based authorization removes an access-control policy; when it would otherwise deny access this enables privilege escalation, and it can also revoke legitimate users' authorized access.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write":{"id":"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write","name":"SQL server external policy-based authorization","scope":"CRITICAL","parent":{"notes":"This is the authorization control-plane configuration governing access to a production database server.","description":"The external policy-based authorization configuration on an Azure SQL logical server, binding an external authorization provider/policy that governs who is authorized to access the database server."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Adding/updating the external policy-based authorization alters the authorization mapping governing database access, enabling an attacker to grant attacker-controlled principals access (privilege escalation) and manipulate the authorization configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/jobAgents/credentials/delete":{"id":"Microsoft.Sql/servers/jobAgents/credentials/delete","name":"Azure SQL DB job credential","scope":"HIGH","parent":{"notes":"The control-plane read does not return the secret password (it is write-only), so reads only expose the identity/username rather than usable secret material.","description":"An Azure SQL DB job credential stores the username and (write-only) password the job agent uses to authenticate to target databases when running elastic jobs."},"risks":["destruction:infra","impact:access"],"notes":"Deleting a job credential removes the authentication object jobs depend on, breaking the scheduled automation and denying it authorized access to target databases.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/jobAgents/credentials/write":{"id":"Microsoft.Sql/servers/jobAgents/credentials/write","name":"Azure SQL DB job credential","scope":"HIGH","parent":{"notes":"The control-plane read does not return the secret password (it is write-only), so reads only expose the identity/username rather than usable secret material.","description":"An Azure SQL DB job credential stores the username and (write-only) password the job agent uses to authenticate to target databases when running elastic jobs."},"risks":["persistence:account","escalation:lateral"],"notes":"Creating/updating a job credential lets an attacker plant an attacker-chosen username/password that jobs use to authenticate to target databases, establishing reusable controlled credentials and lateral access.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/syncAgents/generateKey/action":{"id":"Microsoft.Sql/servers/syncAgents/generateKey/action","name":"Azure SQL Data Sync Agent","scope":"HIGH","parent":{"notes":"Supporting data-replication infrastructure; the registration key is a credential into the sync trust boundary.","description":"SQL Data Sync agent registered on an Azure SQL logical server, bridging on-premises/hybrid databases into Data Sync groups for cross-database replication."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Generates and returns the sync agent registration key (credential material) that authenticates an agent into the Data Sync service, enabling an attacker to register a rogue agent and reach the synchronized databases.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/delete":{"id":"Microsoft.Sql/servers/delete","name":"Azure SQL Server","scope":"HIGH","parent":{"notes":"A primary production data store; control over the server confers broad control over hosted databases and their data.","description":"An Azure SQL logical server that hosts one or more production SQL databases and governs their admin login, identity, networking, and encryption configuration."},"risks":["destruction:data","destruction:infra"],"notes":"Deleting the server destroys the server infrastructure and all hosted databases and their data, causing irrecoverable data loss and denial of service.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Sql/servers/write":{"id":"Microsoft.Sql/servers/write","name":"Azure SQL Server","scope":"HIGH","parent":{"notes":"A primary production data store; control over the server confers broad control over hosted databases and their data.","description":"An Azure SQL logical server that hosts one or more production SQL databases and governs their admin login, identity, networking, and encryption configuration."},"risks":["impact:manipulation","escalation:lateral","persistence:account"],"notes":"Create/update can reset the administrator login/password, assign a managed identity to the server (lateral movement), and alter security-relevant configuration, granting persistent privileged access to the production database server.","links":["https://azure.permissions.cloud/iam/Microsoft.Sql","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action","name":"Storage Blob Service Blobs","scope":"MEDIUM","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["impact:manipulation"],"notes":"Appends content to an append blob (e.g., logs) without needing to overwrite the whole object. Lets an attacker inject attacker-controlled content into append-only data such as audit or application logs; lower severity than overwriting a blob outright since existing content is not replaced.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action","name":"Storage Blob Service Blobs","scope":"CRITICAL","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["destruction:data"],"notes":"Deletes a specific historical version of a blob. Blob versioning exists as a recovery control against accidental or malicious overwrite/deletion of the current version; deleting prior versions destroys that recovery path in addition to the version's data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action","name":"Storage Blob Service Blobs","scope":"HIGH","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["discovery:data"],"notes":"Returns the list of blobs under an account matching a tag filter, letting an attacker search across containers for blobs by tag (e.g., classification or sensitivity labels) instead of enumerating each container, a built-in targeted-search primitive for hunting specific sensitive content.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action","name":"Storage Blob Service Blobs","scope":"HIGH","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["escalation:privilege","impact:access"],"notes":"Changing ADLS Gen2 POSIX ownership of a blob reassigns the owning principal, letting an attacker gain owner-level control over the data object and deny the legitimate owner's access.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action","name":"Storage Blob Service Blobs","scope":"HIGH","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["escalation:privilege","impact:access"],"notes":"Modifying ADLS Gen2 POSIX permissions/ACLs on a blob lets an attacker grant themselves access to the data and revoke authorized principals' access.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action","name":"Storage Blob Service Blobs","scope":"MEDIUM","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["impact:manipulation"],"notes":"Moves (renames) a blob from one path to another within a hierarchical-namespace (ADLS Gen2) account. Can disrupt applications that depend on a blob's path, or be used to relocate data underneath existing access controls or monitoring; operational impact rather than direct data loss or exposure.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action","name":"Storage Blob Service Blobs","scope":"CRITICAL","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["destruction:data"],"notes":"Permanently deletes a blob, bypassing soft-delete retention. Soft-delete is the primary recovery control against accidental or malicious blob deletion; this operation defeats that control outright and destroys the data with no possibility of restoration, materially worse than the already-documented plain delete.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action","name":"Storage Blob Service Blobs","scope":"HIGH","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["exfiltration:data","impact:manipulation","escalation:privilege"],"notes":"Executing blob commands as ADLS Gen2 superuser bypasses all POSIX ACL/ownership checks, granting unrestricted read, write, and access-control over any blob in the filesystem.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete","name":"Storage Blob Service Blobs","scope":"HIGH","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["destruction:data"],"notes":"Deleting a blob destroys organizational data stored in the blob service.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read","name":"Storage Blob Service Blobs","scope":"HIGH","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["exfiltration:data","discovery:data"],"notes":"Returns blob content (exfiltration of stored data) or a list of blobs (enumeration of data objects), per the description 'Returns a blob or a list of blobs'.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write","name":"Storage Blob Service Blobs","scope":"HIGH","parent":{"notes":"Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.","description":"Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data."},"risks":["impact:manipulation","impact:encryption"],"notes":"Writing/overwriting blob content lets an attacker tamper with stored data and overwrite blobs with attacker-encrypted versions for ransomware extortion.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/clearLegalHold/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/clearLegalHold/action","name":"Storage Blob Service Containers","scope":"HIGH","parent":{"notes":"Container-level operations affect every blob grouped under the container at once and control the access-policy and immutability settings that govern them; scope matches the underlying blobs.yml rating for consistency.","description":"A blob container is a namespace within an Azure Storage account's blob service that groups and holds blobs, similar to a directory. Containers also carry their own metadata, stored access policies, and immutability/legal-hold protections."},"risks":["destruction:defense"],"notes":"Clears a legal hold on the container. Legal holds are a compliance/incident-response immutability control that blocks deletion of blobs while active; removing the hold disables that protective control and clears the way for the container's data to subsequently be deleted or overwritten.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/getAcl/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/getAcl/action","name":"Storage Blob Service Containers","scope":"LOW","parent":{"notes":"Container-level operations affect every blob grouped under the container at once and control the access-policy and immutability settings that govern them; scope matches the underlying blobs.yml rating for consistency.","description":"A blob container is a namespace within an Azure Storage account's blob service that groups and holds blobs, similar to a directory. Containers also carry their own metadata, stored access policies, and immutability/legal-hold protections."},"risks":["discovery:data"],"notes":"Gets the container's stored access policy, revealing the named policy identifiers in use (which SAS tokens can be minted or validated against). Minor reconnaissance value on its own; the write side (setAcl) is the higher-severity risk.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/lease/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/lease/action","name":"Storage Blob Service Containers","scope":"HIGH","parent":{"notes":"Container-level operations affect every blob grouped under the container at once and control the access-policy and immutability settings that govern them; scope matches the underlying blobs.yml rating for consistency.","description":"A blob container is a namespace within an Azure Storage account's blob service that groups and holds blobs, similar to a directory. Containers also carry their own metadata, stored access policies, and immutability/legal-hold protections."},"risks":["impact:dos"],"notes":"Acquires, renews, releases, or breaks a lease (lock) on the container. An attacker can acquire and continually renew an exclusive lease to block other writers/deleters from modifying or removing the container's blobs, or can break a lease an application depends on for coordination, disrupting normal operations.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action","name":"Storage Blob Service Containers","scope":"HIGH","parent":{"notes":"Container-level operations affect every blob grouped under the container at once and control the access-policy and immutability settings that govern them; scope matches the underlying blobs.yml rating for consistency.","description":"A blob container is a namespace within an Azure Storage account's blob service that groups and holds blobs, similar to a directory. Containers also carry their own metadata, stored access policies, and immutability/legal-hold protections."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Sets the container's stored access policy, the named, revocable access-policy definitions that container/blob SAS tokens can reference for their permissions and expiry. An attacker who can write this policy can mint or broaden a policy identifier granting long-lived or overly broad access, which every SAS token scoped to it will then honor, and can do so without minting a new SAS itself, similar in effect to attaching a favorable IAM policy.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/setLegalHold/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/setLegalHold/action","name":"Storage Blob Service Containers","scope":"LOW","parent":{"notes":"Container-level operations affect every blob grouped under the container at once and control the access-policy and immutability settings that govern them; scope matches the underlying blobs.yml rating for consistency.","description":"A blob container is a namespace within an Azure Storage account's blob service that groups and holds blobs, similar to a directory. Containers also carry their own metadata, stored access policies, and immutability/legal-hold protections."},"risks":["impact:manipulation"],"notes":"Sets a legal hold on the container, blocking deletion of its blobs until cleared. The opposite of clearLegalHold; an attacker's use is limited to nuisance denial of legitimate data lifecycle/deletion operations rather than direct data loss or exposure.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/containers/delete":{"id":"Microsoft.Storage/storageAccounts/blobServices/containers/delete","name":"Storage Blob Service Containers","scope":"CRITICAL","parent":{"notes":"Container-level operations affect every blob grouped under the container at once and control the access-policy and immutability settings that govern them; scope matches the underlying blobs.yml rating for consistency.","description":"A blob container is a namespace within an Azure Storage account's blob service that groups and holds blobs, similar to a directory. Containers also carry their own metadata, stored access policies, and immutability/legal-hold protections."},"risks":["destruction:data"],"notes":"Deleting a container destroys every blob it holds in a single operation, so the potential blast radius is larger than deleting an individual blob and can encompass an arbitrarily large dataset.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action":{"id":"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action","name":"Storage Blob Services","scope":"CRITICAL","parent":{"notes":"Control-plane configuration of a single storage account's blob service; reads here do not return blob data or secret material.","description":"The control-plane blob service of a storage account, holding service-level configuration such as CORS rules, soft-delete, versioning, change feed, restore policy, and retention settings."},"risks":["exfiltration:crypto","exfiltration:data","escalation:lateral"],"notes":"Returns a user delegation key, exporting cryptographic credential material that can sign SAS tokens granting direct data-plane access to blobs, thereby enabling data exfiltration and acting with delegated access to the underlying data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/dataShares/delete":{"id":"Microsoft.Storage/storageAccounts/dataShares/delete","name":"Storage DataShare","scope":"MEDIUM","parent":{"notes":"Directly governs distribution of a single storage account's organizational data, making it a sensitive data-egress control point.","description":"A storage data share is a control-plane sub-resource of a storage account that configures sharing of the account's data with recipients, potentially external or cross-tenant."},"risks":["destruction:infra"],"notes":"Deleting a data share removes the sharing configuration, disrupting downstream consumers that depend on the share, but does not delete the underlying stored data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/dataShares/write":{"id":"Microsoft.Storage/storageAccounts/dataShares/write","name":"Storage DataShare","scope":"HIGH","parent":{"notes":"Directly governs distribution of a single storage account's organizational data, making it a sensitive data-egress control point.","description":"A storage data share is a control-plane sub-resource of a storage account that configures sharing of the account's data with recipients, potentially external or cross-tenant."},"risks":["exfiltration:data","impact:manipulation"],"notes":"Creating or updating a data share can expose the account's data to attacker-controlled recipients (data egress channel) and alters the sharing configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/actassuperuser/action":{"id":"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/actassuperuser/action","name":"Storage File Service Files","scope":"HIGH","parent":{"notes":"Production file shares commonly hold sensitive business documents, application config, and home-directory data; data-plane access grants direct read/write/delete of that content.","description":"Files and folders stored within an Azure Files share inside a storage account. This is the data plane of the file share, holding the actual organizational file data."},"risks":["escalation:privilege","escalation:data","exfiltration:data"],"notes":"Grants file admin/superuser privileges that override per-file ownership and ACLs, escalating to full access over all data in the share and enabling unrestricted exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/bypasspermissions/action":{"id":"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/bypasspermissions/action","name":"Storage File Service Files","scope":"HIGH","parent":{"notes":"Production file shares commonly hold sensitive business documents, application config, and home-directory data; data-plane access grants direct read/write/delete of that content.","description":"Files and folders stored within an Azure Files share inside a storage account. This is the data plane of the file share, holding the actual organizational file data."},"risks":["escalation:privilege","escalation:data","exfiltration:data"],"notes":"Grants permission-bypass privileges that ignore configured file ACLs, letting an attacker access any file in the share regardless of permissions.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/modifyPermissions/action":{"id":"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/modifyPermissions/action","name":"Storage File Service Files","scope":"HIGH","parent":{"notes":"Production file shares commonly hold sensitive business documents, application config, and home-directory data; data-plane access grants direct read/write/delete of that content.","description":"Files and folders stored within an Azure Files share inside a storage account. This is the data plane of the file share, holding the actual organizational file data."},"risks":["escalation:privilege","impact:access"],"notes":"Modifies the NTFS/file ACL, letting an attacker grant themselves additional access to file data and revoke or deny legitimate users' access.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/delete":{"id":"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/delete","name":"Storage File Service Files","scope":"HIGH","parent":{"notes":"Production file shares commonly hold sensitive business documents, application config, and home-directory data; data-plane access grants direct read/write/delete of that content.","description":"Files and folders stored within an Azure Files share inside a storage account. This is the data plane of the file share, holding the actual organizational file data."},"risks":["destruction:data"],"notes":"Deletes files/folders from the share, directly destroying organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read":{"id":"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read","name":"Storage File Service Files","scope":"HIGH","parent":{"notes":"Production file shares commonly hold sensitive business documents, application config, and home-directory data; data-plane access grants direct read/write/delete of that content.","description":"Files and folders stored within an Azure Files share inside a storage account. This is the data plane of the file share, holding the actual organizational file data."},"risks":["exfiltration:data","discovery:data"],"notes":"Returns file/folder contents and directory listings, enabling both exfiltration of stored file data and enumeration of stored objects.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write":{"id":"Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write","name":"Storage File Service Files","scope":"HIGH","parent":{"notes":"Production file shares commonly hold sensitive business documents, application config, and home-directory data; data-plane access grants direct read/write/delete of that content.","description":"Files and folders stored within an Azure Files share inside a storage account. This is the data plane of the file share, holding the actual organizational file data."},"risks":["impact:manipulation","impact:encryption"],"notes":"Creates/overwrites files and folders, letting an attacker tamper with organizational data and overwrite files with encrypted content for ransomware extortion.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/generateUserDelegationKey/action":{"id":"Microsoft.Storage/storageAccounts/fileServices/generateUserDelegationKey/action","name":"Storage file service","scope":"CRITICAL","parent":{"notes":"Backup-semantics privileges (SeBackupPrivilege/SeRestorePrivilege equivalents) bypass per-file NTFS/share ACLs.","description":"The file service of a storage account exposes SMB/NFS file shares and its control-plane properties (CORS, share soft-delete/retention, SMB protocol and security settings). The data-plane holds organizational file data."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns a user delegation key, cryptographic material that can sign user-delegation SAS tokens granting direct data-plane access to file shares under a delegated credential, enabling pivot to data access.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action":{"id":"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action","name":"Storage file service","scope":"HIGH","parent":{"notes":"Backup-semantics privileges (SeBackupPrivilege/SeRestorePrivilege equivalents) bypass per-file NTFS/share ACLs.","description":"The file service of a storage account exposes SMB/NFS file shares and its control-plane properties (CORS, share soft-delete/retention, SMB protocol and security settings). The data-plane holds organizational file data."},"risks":["exfiltration:data"],"notes":"Backup-semantics read privilege bypasses per-file ACLs to read any file/directory contents in the share, enabling broad data exfiltration regardless of normal permissions.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/fileServices/runAsBuiltInFileAdministrator/action":{"id":"Microsoft.Storage/storageAccounts/fileServices/runAsBuiltInFileAdministrator/action","name":"Storage file service","scope":"HIGH","parent":{"notes":"Backup-semantics privileges (SeBackupPrivilege/SeRestorePrivilege equivalents) bypass per-file NTFS/share ACLs.","description":"The file service of a storage account exposes SMB/NFS file shares and its control-plane properties (CORS, share soft-delete/retention, SMB protocol and security settings). The data-plane holds organizational file data."},"risks":["escalation:data","exfiltration:data","impact:manipulation"],"notes":"Grants built-in file-administrator (superuser) access for share mounts via managed identity, bypassing all share/file ACLs to read, modify, and fully control every file in the shares.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/listAccountSas/action":{"id":"Microsoft.Storage/storageAccounts/listAccountSas/action","name":"Storage account","scope":"CRITICAL","parent":{"notes":"Storage accounts back a single organizational function's data; their access keys and SAS tokens are full-control data-plane credentials, making key/SAS-returning operations effectively account-takeover primitives.","description":"An Azure Storage account is a primary production data store holding blobs, files, queues, and tables, with control-plane configuration for networking, encryption, access keys, and custom domains."},"risks":["exfiltration:crypto","escalation:lateral","exfiltration:data"],"notes":"Returns an account-level SAS token, a signed credential granting broad data-plane access across the account's services that the attacker can exfiltrate and reuse.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/listKeys/action":{"id":"Microsoft.Storage/storageAccounts/listKeys/action","name":"Storage account","scope":"CRITICAL","parent":{"notes":"Storage accounts back a single organizational function's data; their access keys and SAS tokens are full-control data-plane credentials, making key/SAS-returning operations effectively account-takeover primitives.","description":"An Azure Storage account is a primary production data store holding blobs, files, queues, and tables, with control-plane configuration for networking, encryption, access keys, and custom domains."},"risks":["exfiltration:crypto","escalation:lateral","exfiltration:data","takeover:account"],"notes":"Returns the account access keys, full-control credentials granting complete data-plane access to all data and usable as a standalone identity.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/listServiceSas/action":{"id":"Microsoft.Storage/storageAccounts/listServiceSas/action","name":"Storage account","scope":"CRITICAL","parent":{"notes":"Storage accounts back a single organizational function's data; their access keys and SAS tokens are full-control data-plane credentials, making key/SAS-returning operations effectively account-takeover primitives.","description":"An Azure Storage account is a primary production data store holding blobs, files, queues, and tables, with control-plane configuration for networking, encryption, access keys, and custom domains."},"risks":["exfiltration:crypto","escalation:lateral","exfiltration:data"],"notes":"Returns a service-level SAS token, a signed credential granting scoped data-plane access to a specific service/container/object that an attacker can reuse directly to reach data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/localUsers/listKeys/action":{"id":"Microsoft.Storage/storageAccounts/localUsers/listKeys/action","name":"Storage account local users (SFTP)","scope":"HIGH","parent":{"notes":"Grants data-plane access to blob/file data of a single storage account; a credentialed identity scoped to one organizational function.","description":"A local user identity configured on an Azure Storage account for SFTP/blob access, with its own credentials (password / SSH keys / shared key) and permission scopes."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the local user's SSH/shared key credential material, letting an attacker authenticate as that user for SFTP/blob data-plane access.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/localUsers/regeneratePassword/action":{"id":"Microsoft.Storage/storageAccounts/localUsers/regeneratePassword/action","name":"Storage account local users (SFTP)","scope":"HIGH","parent":{"notes":"Grants data-plane access to blob/file data of a single storage account; a credentialed identity scoped to one organizational function.","description":"A local user identity configured on an Azure Storage account for SFTP/blob access, with its own credentials (password / SSH keys / shared key) and permission scopes."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Regenerates and returns a new SFTP password for a local user, yielding usable credential material that grants the attacker that user's data-plane access while revoking the legitimate user's existing password.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/localUsers/regenerateSharedKey/action":{"id":"Microsoft.Storage/storageAccounts/localUsers/regenerateSharedKey/action","name":"Storage account local users (SFTP)","scope":"HIGH","parent":{"notes":"Grants data-plane access to blob/file data of a single storage account; a credentialed identity scoped to one organizational function.","description":"A local user identity configured on an Azure Storage account for SFTP/blob access, with its own credentials (password / SSH keys / shared key) and permission scopes."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Regenerates and returns a new shared key for the local user, producing usable credential material that grants the attacker data-plane access while invalidating the legitimate user's existing key.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/localUsers/delete":{"id":"Microsoft.Storage/storageAccounts/localUsers/delete","name":"Storage account local users (SFTP)","scope":"HIGH","parent":{"notes":"Grants data-plane access to blob/file data of a single storage account; a credentialed identity scoped to one organizational function.","description":"A local user identity configured on an Azure Storage account for SFTP/blob access, with its own credentials (password / SSH keys / shared key) and permission scopes."},"risks":["destruction:account","impact:access"],"notes":"Deletes a local SFTP user, destroying the identity and denying the legitimate principal's data-plane access to the storage account.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/localUsers/write":{"id":"Microsoft.Storage/storageAccounts/localUsers/write","name":"Storage account local users (SFTP)","scope":"HIGH","parent":{"notes":"Grants data-plane access to blob/file data of a single storage account; a credentialed identity scoped to one organizational function.","description":"A local user identity configured on an Azure Storage account for SFTP/blob access, with its own credentials (password / SSH keys / shared key) and permission scopes."},"risks":["persistence:account","escalation:lateral"],"notes":"Creates or updates a local SFTP user with chosen permission scopes, letting an attacker provision a persistent backdoor identity with data-plane access to the storage account.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete":{"id":"Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete","name":"Storage account object replication policy","scope":"MEDIUM","parent":{"notes":"A data-protection/redundancy mechanism; the policy itself holds no data.","description":"An object replication policy configuring asynchronous cross-account replication of blob data between a source and destination storage account."},"risks":["impact:manipulation"],"notes":"Deleting the policy halts cross-account blob replication, disrupting the configured data-protection/redundancy pipeline by altering operational replication state.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/objectReplicationPolicies/write":{"id":"Microsoft.Storage/storageAccounts/objectReplicationPolicies/write","name":"Storage account object replication policy","scope":"HIGH","parent":{"notes":"A data-protection/redundancy mechanism; the policy itself holds no data.","description":"An object replication policy configuring asynchronous cross-account replication of blob data between a source and destination storage account."},"risks":["impact:manipulation","collection:data","exfiltration:data"],"notes":"Create/update can configure continuous replication of blob data to an attacker-influenced destination account, enabling automated collection and exfiltration of organizational data while manipulating replication configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/queueServices/generateUserDelegationKey/action":{"id":"Microsoft.Storage/storageAccounts/queueServices/generateUserDelegationKey/action","name":"Storage Queue Services","scope":"CRITICAL","parent":{"notes":"Configuration of a messaging service that carries operational data; service-level settings can affect logging and access signing.","description":"The queue service is the account-level control-plane resource for Azure Storage Queues, holding service-wide settings such as CORS rules, hour/minute metrics, and analytics logging configuration."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns a user delegation key — exportable credential material that can sign SAS tokens granting standing delegated data-plane access to the queue service.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action":{"id":"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action","name":"Storage Queue Service Messages","scope":"HIGH","parent":{"notes":"Message payloads may contain sensitive operational data, identifiers, or commands that drive downstream automation.","description":"Queue messages are the individual data payloads (work items) enqueued in a storage queue for asynchronous processing by downstream consumers."},"risks":["exfiltration:data","destruction:data"],"notes":"Processing (dequeue: get with visibility timeout then delete) both returns the message contents and removes it from the queue, enabling exfiltration and destruction of queued data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete":{"id":"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete","name":"Storage Queue Service Messages","scope":"HIGH","parent":{"notes":"Message payloads may contain sensitive operational data, identifiers, or commands that drive downstream automation.","description":"Queue messages are the individual data payloads (work items) enqueued in a storage queue for asynchronous processing by downstream consumers."},"risks":["destruction:data"],"notes":"This data action deletes messages from the queue, destroying organizational data in transit and dropping work items consumers would have processed.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read":{"id":"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read","name":"Storage Queue Service Messages","scope":"HIGH","parent":{"notes":"Message payloads may contain sensitive operational data, identifiers, or commands that drive downstream automation.","description":"Queue messages are the individual data payloads (work items) enqueued in a storage queue for asynchronous processing by downstream consumers."},"risks":["exfiltration:data"],"notes":"This data action returns the contents of a queue message, enabling exfiltration of potentially sensitive payload data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write":{"id":"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write","name":"Storage Queue Service Messages","scope":"HIGH","parent":{"notes":"Message payloads may contain sensitive operational data, identifiers, or commands that drive downstream automation.","description":"Queue messages are the individual data payloads (work items) enqueued in a storage queue for asynchronous processing by downstream consumers."},"risks":["impact:manipulation"],"notes":"This data action updates message content/visibility, letting an attacker tamper with queued operational data that downstream consumers process.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/queueServices/queues/setAcl/action":{"id":"Microsoft.Storage/storageAccounts/queueServices/queues/setAcl/action","name":"Storage Queue Service Queues","scope":"HIGH","parent":{"notes":"Queues carry in-flight operational data and may drive downstream automation; their stored access policies back SAS-token access.","description":"A storage queue is a named message container within the queue service that holds messages (work items) for asynchronous producer/consumer processing."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Despite the mislabeled 'Process message' display name, the setAcl operation writes the queue's stored access policy, letting an attacker grant or broaden SAS-backed access to the queue (and revoke others' access).","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/regenerateKey/action":{"id":"Microsoft.Storage/storageAccounts/regenerateKey/action","name":"Storage account","scope":"CRITICAL","parent":{"notes":"Storage accounts back a single organizational function's data; their access keys and SAS tokens are full-control data-plane credentials, making key/SAS-returning operations effectively account-takeover primitives.","description":"An Azure Storage account is a primary production data store holding blobs, files, queues, and tables, with control-plane configuration for networking, encryption, access keys, and custom domains."},"risks":["impact:access","impact:dos","exfiltration:crypto","escalation:lateral"],"notes":"Regenerates an account access key, invalidating the prior key (denying legitimate clients and disrupting dependents) while returning the freshly generated full-access credential to the caller.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/tableServices/generateUserDelegationKey/action":{"id":"Microsoft.Storage/storageAccounts/tableServices/generateUserDelegationKey/action","name":"Storage table service","scope":"CRITICAL","parent":{"notes":"Control-plane property reads expose only service configuration, not table data.","description":"The table service of a storage account exposes NoSQL key/value table storage and its control-plane properties (CORS, storage analytics logging/metrics settings). The data-plane holds organizational table data."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns a user delegation key, cryptographic material that can sign user-delegation SAS tokens granting direct data-plane access to table data under a delegated credential, enabling pivot to data access.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete":{"id":"Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete","name":"Storage Table entities","scope":"HIGH","parent":{"notes":"Production data store holding organizational structured data for a single function.","description":"Azure Table Storage entities — the structured NoSQL records (rows) stored in a storage account's tables."},"risks":["destruction:data"],"notes":"Data-plane delete of table entities directly destroys stored organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read":{"id":"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read","name":"Storage Table entities","scope":"HIGH","parent":{"notes":"Production data store holding organizational structured data for a single function.","description":"Azure Table Storage entities — the structured NoSQL records (rows) stored in a storage account's tables."},"risks":["exfiltration:data"],"notes":"Data-plane query returns the actual table entity contents, enabling exfiltration of stored organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/tableServices/tables/entities/write":{"id":"Microsoft.Storage/storageAccounts/tableServices/tables/entities/write","name":"Storage Table entities","scope":"HIGH","parent":{"notes":"Production data store holding organizational structured data for a single function.","description":"Azure Table Storage entities — the structured NoSQL records (rows) stored in a storage account's tables."},"risks":["impact:manipulation"],"notes":"Insert/merge/update/replace of table entities lets an attacker alter or fabricate stored organizational data.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/tableServices/tables/setAcl/action":{"id":"Microsoft.Storage/storageAccounts/tableServices/tables/setAcl/action","name":"Storage Tables","scope":"HIGH","parent":{"notes":"Tables are a production data store supporting a single organizational function; their entities can hold confidential application data.","description":"An Azure Storage Table is a NoSQL key-attribute data store within a storage account that holds structured organizational entity data (rows)."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Despite the mislabeled displayName ('Merge or update table entities'), setAcl writes the table's stored access policy (signedIdentifiers) that backs SAS tokens; an attacker can define a permissive policy to grant/broaden access to the table data and alter its access-control configuration.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/delete":{"id":"Microsoft.Storage/storageAccounts/delete","name":"Storage account","scope":"CRITICAL","parent":{"notes":"Storage accounts back a single organizational function's data; their access keys and SAS tokens are full-control data-plane credentials, making key/SAS-returning operations effectively account-takeover primitives.","description":"An Azure Storage account is a primary production data store holding blobs, files, queues, and tables, with control-plane configuration for networking, encryption, access keys, and custom domains."},"risks":["destruction:data","destruction:infra","impact:dos"],"notes":"Deletes the entire storage account, destroying all contained data and the account infrastructure and denying service to every dependent workload.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Storage/storageAccounts/write":{"id":"Microsoft.Storage/storageAccounts/write","name":"Storage account","scope":"HIGH","parent":{"notes":"Storage accounts back a single organizational function's data; their access keys and SAS tokens are full-control data-plane credentials, making key/SAS-returning operations effectively account-takeover primitives.","description":"An Azure Storage account is a primary production data store holding blobs, files, queues, and tables, with control-plane configuration for networking, encryption, access keys, and custom domains."},"risks":["impact:manipulation","destruction:defense","takeover:domain"],"notes":"Creates/updates the account, letting an attacker weaken network firewall/ACL and encryption settings, enable public/shared-key access, and add a custom domain to hijack traffic for that hostname.","links":["https://azure.permissions.cloud/iam/Microsoft.Storage","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Subscription/subscriptions/acceptChangeTenant/action":{"id":"Microsoft.Subscription/subscriptions/acceptChangeTenant/action","name":"Subscription tenant change acceptance","scope":"CRITICAL","parent":{"notes":"Subscription-wide control affecting all contained resources and identities; tenant-scope sensitivity.","description":"An action that accepts a pending tenant/directory change for an Azure subscription, moving it into the target tenant."},"risks":["escalation:privilege","escalation:lateral","impact:access"],"notes":"Accepting a tenant change moves the subscription into an attacker-controlled directory (escalation:privilege) granting control over all its resources/identities (escalation:lateral), while severing the original tenant's RBAC so legitimate principals lose access (impact:access).","links":["https://azure.permissions.cloud/iam/Microsoft.Subscription","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Subscription/subscriptions/acceptOwnership/action":{"id":"Microsoft.Subscription/subscriptions/acceptOwnership/action","name":"Subscription ownership acceptance","scope":"CRITICAL","parent":{"notes":"Subscription-wide control affecting all contained resources and identities; tenant-scope sensitivity.","description":"An action that completes an ownership/billing-transfer of an entire Azure subscription, making the accepting principal the subscription owner."},"risks":["escalation:privilege","escalation:lateral","impact:spend"],"notes":"Accepting ownership grants the attacker owner-level control over an entire subscription (escalation:privilege), lateral access to all its resources and identities (escalation:lateral), and shifts billing responsibility enabling attacker-incurred spend (impact:spend).","links":["https://azure.permissions.cloud/iam/Microsoft.Subscription","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/backup/Action":{"id":"Microsoft.Web/Sites/backup/Action","name":"Web App","scope":"HIGH","parent":{"notes":"Production application hosting for a single organizational function; can hold secrets in app settings, run code under a managed identity, and serve public traffic.","description":"An Azure App Service site (Web App, Function App, or Logic App Standard) is a managed hosting resource that runs an organization's application code, often with an attached managed identity, app settings/connection strings, and a public-facing endpoint."},"risks":["impact:spend","exfiltration:data"],"notes":"Triggering a backup writes a copy of the app's content, configuration, and linked database to a caller-specified storage target, enabling exfiltration of app data and incurring storage cost.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/backup/write":{"id":"Microsoft.Web/Sites/backup/write","name":"Web app backup configuration","scope":"MEDIUM","parent":{"notes":"Production application hosting for a single organizational function; can hold secrets in app settings, run code under a managed identity, and serve public traffic.","description":"An Azure App Service site (Web App, Function App, or Logic App Standard) is a managed hosting resource that runs an organization's application code, often with an attached managed identity, app settings/connection strings, and a public-facing endpoint."},"risks":["impact:manipulation"],"notes":"Updating the backup configuration lets an attacker disable backups, alter the schedule, or redirect backups to attacker-controlled storage, manipulating a recovery-oriented operational control.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/Snapshots/listSecrets/action":{"id":"Microsoft.Web/Sites/config/Snapshots/listSecrets/action","name":"Web App config snapshots","scope":"CRITICAL","parent":{"notes":"Listing returns only snapshot metadata/restore-point inventory, not the secret values they contain (a separate listsecrets action).","description":"Saved point-in-time configuration snapshots of a Web App, used as restore points; the read enumerates available snapshots and their metadata."},"risks":["exfiltration:crypto"],"notes":"Returns app settings and connection strings from a config snapshot, directly exporting reusable credential material.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/appsettings/read":{"id":"Microsoft.Web/Sites/config/appsettings/read","name":"Web App settings (application settings)","scope":"CRITICAL","parent":{"notes":"The ARM management API returns these values in cleartext; they commonly contain credentials enabling access to backing data stores and services.","description":"A Web App's application settings: the environment-variable configuration injected into the app, which routinely holds connection strings, storage account keys, API keys, and other credentials."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Reading app settings returns the cleartext environment variables, exporting secret material (connection strings, account keys, API keys) usable for lateral movement into backing services.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/list/action":{"id":"Microsoft.Web/Sites/config/list/action","name":"Web App configuration","scope":"CRITICAL","parent":{"notes":"The control-plane Read masks secret values; the security-sensitive settings (publishing credentials, connection strings) are returned only by the separate list/Action.","description":"The configuration sub-resource of an App Service Web App, holding the app's runtime/site settings, app settings, and connection strings."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Explicitly returns the Web App's security-sensitive settings including publishing credentials, app settings, and connection strings; publishing credentials are a reusable deployment credential and connection strings grant access to backing data stores.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/web/appsettings/delete":{"id":"Microsoft.Web/Sites/config/web/appsettings/delete","name":"Web App app setting","scope":"CRITICAL","parent":{"notes":"App settings routinely hold API keys, passwords, and connection secrets returned in cleartext; treated as credential material.","description":"App settings of an Azure App Service web app, injected into the running app as environment variables."},"risks":["impact:manipulation","impact:dos"],"notes":"Deleting an app setting removes an environment value the app depends on, altering operational config and potentially breaking the running app.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/web/appsettings/read":{"id":"Microsoft.Web/Sites/config/web/appsettings/read","name":"Web App app setting","scope":"CRITICAL","parent":{"notes":"App settings routinely hold API keys, passwords, and connection secrets returned in cleartext; treated as credential material.","description":"App settings of an Azure App Service web app, injected into the running app as environment variables."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Reading a single app setting returns its cleartext value, which commonly contains secrets/credentials exportable for lateral movement to dependent systems.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/web/appsettings/write":{"id":"Microsoft.Web/Sites/config/web/appsettings/write","name":"Web App app setting","scope":"CRITICAL","parent":{"notes":"App settings routinely hold API keys, passwords, and connection secrets returned in cleartext; treated as credential material.","description":"App settings of an Azure App Service web app, injected into the running app as environment variables."},"risks":["impact:manipulation","escalation:lateral"],"notes":"Creating/updating an app setting changes a runtime environment variable the app consumes, enabling injection of attacker-controlled config/credentials executed in the app's context.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/web/connectionstrings/delete":{"id":"Microsoft.Web/Sites/config/web/connectionstrings/delete","name":"Web App connection string","scope":"CRITICAL","parent":{"notes":"Connection strings by definition contain database/storage credentials (passwords, account keys, SAS tokens) returned in cleartext; credential material.","description":"Connection strings of an Azure App Service web app that embed credentials for backing databases and storage services."},"risks":["impact:manipulation","impact:dos"],"notes":"Deleting a connection string severs the app's link to its backing data store, breaking data access and disrupting the service.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/web/connectionstrings/read":{"id":"Microsoft.Web/Sites/config/web/connectionstrings/read","name":"Web App connection string","scope":"CRITICAL","parent":{"notes":"Connection strings by definition contain database/storage credentials (passwords, account keys, SAS tokens) returned in cleartext; credential material.","description":"Connection strings of an Azure App Service web app that embed credentials for backing databases and storage services."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Reading a connection string returns embedded backing-store credentials in cleartext, exportable for direct authenticated access to the data store.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/config/web/connectionstrings/write":{"id":"Microsoft.Web/Sites/config/web/connectionstrings/write","name":"Web App connection string","scope":"CRITICAL","parent":{"notes":"Connection strings by definition contain database/storage credentials (passwords, account keys, SAS tokens) returned in cleartext; credential material.","description":"Connection strings of an Azure App Service web app that embed credentials for backing databases and storage services."},"risks":["impact:manipulation","escalation:lateral"],"notes":"Creating/updating a connection string can repoint the app at an attacker-controlled data store or inject credentials, manipulating operational config and enabling lateral movement.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/domainownershipidentifiers/delete":{"id":"Microsoft.Web/Sites/domainownershipidentifiers/delete","name":"Web App domain ownership identifiers","scope":"HIGH","parent":{"notes":"Govern which custom domains can be associated with the app; manipulating them affects public-facing hostname routing for a single application.","description":"Domain ownership identifiers are the custom-domain verification tokens/configuration that bind and assert ownership of custom hostnames for an App Service web app."},"risks":["destruction:metadata","impact:dos"],"notes":"Deletes the custom-domain ownership verification identifiers, removing the domain-binding metadata which can break custom-domain validation and disrupt the app's public-facing access.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/domainownershipidentifiers/write":{"id":"Microsoft.Web/Sites/domainownershipidentifiers/write","name":"Web App domain ownership identifiers","scope":"HIGH","parent":{"notes":"Govern which custom domains can be associated with the app; manipulating them affects public-facing hostname routing for a single application.","description":"Domain ownership identifiers are the custom-domain verification tokens/configuration that bind and assert ownership of custom hostnames for an App Service web app."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/updating domain ownership identifiers alters the custom-domain verification binding, letting an attacker assert ownership and route a custom domain/subdomain to the app.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/functions/keys/delete":{"id":"Microsoft.Web/Sites/functions/keys/delete","name":"Web Apps Functions keys","scope":"HIGH","parent":{"notes":"Function invocation keys are credentials; invoking a function runs code under the function app's (possibly managed) identity. Asset is a single function app -> HIGH.","description":"Access keys for an individual Azure Functions function, used as bearer credentials to authorize HTTP invocation of that function."},"risks":["impact:access","impact:dos"],"notes":"Deleting a function key revokes the credential legitimate callers use to invoke the function, denying authorized access and disrupting that function's HTTP endpoint.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/functions/keys/write":{"id":"Microsoft.Web/Sites/functions/keys/write","name":"Web Apps Functions keys","scope":"HIGH","parent":{"notes":"Function invocation keys are credentials; invoking a function runs code under the function app's (possibly managed) identity. Asset is a single function app -> HIGH.","description":"Access keys for an individual Azure Functions function, used as bearer credentials to authorize HTTP invocation of that function."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"Sending a PUT request to set a function key lets an attacker set a known invocation credential (durable backdoor / persistence) enabling repeated invocation that runs code as the app's identity (lateral), and overwriting an existing key alters/revokes the legitimate credential (manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/functions/listKeys/action":{"id":"Microsoft.Web/Sites/functions/listKeys/action","name":"Web App functions","scope":"CRITICAL","parent":{"notes":"Runs application logic under the function app's compute and (any attached) managed identity; supports a single organizational function.","description":"A function within an App Service Function App, comprising the deployed executable code/logic, its bindings/trigger configuration, and invocation keys."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the function access keys, bearer credentials that authorize invoking the protected function endpoint.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/functions/listSecrets/action":{"id":"Microsoft.Web/Sites/functions/listSecrets/action","name":"Web App functions","scope":"CRITICAL","parent":{"notes":"Runs application logic under the function app's compute and (any attached) managed identity; supports a single organizational function.","description":"A function within an App Service Function App, comprising the deployed executable code/logic, its bindings/trigger configuration, and invocation keys."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the function's secret material (function/host/system keys), bearer credentials usable to invoke and access the function endpoint.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/functions/masterkey/read":{"id":"Microsoft.Web/Sites/functions/masterkey/read","name":"Azure Functions master key","scope":"CRITICAL","parent":{"notes":"This is a root-level runtime credential equivalent to code execution as the function app and its managed identity.","description":"The Azure Functions master key, an administrative credential that grants full control to invoke and manage all functions and the function-app admin/key-management APIs."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the master key, reusable credential material enabling arbitrary code execution as the app and lateral movement to its identity.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/functions/token/read":{"id":"Microsoft.Web/Sites/functions/token/read","name":"Function App authentication token","scope":"CRITICAL","parent":{"notes":"Returns usable credential material that grants control of the function runtime and can pivot to the app's identity.","description":"The Functions runtime/admin authentication token for a Function App, a bearer credential used to authenticate to and invoke the function host and key-management endpoints."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the Functions bearer token an attacker can replay to authenticate to and act as the function app, exfiltrating credential material and enabling lateral movement into the function identity/key store.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/host/listKeys/action":{"id":"Microsoft.Web/Sites/host/listKeys/action","name":"Web Apps Functions host","scope":"CRITICAL","parent":{"notes":"Host-level operational control plane for a function app; affects which triggers the runtime activates.","description":"The Azure Functions host runtime for a function app, exposing operational actions such as syncing trigger definitions and reading sync status."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This list action returns the host/master key material, exporting usable credentials that authorize admin-level invocation of all functions and code execution as the app identity.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/host/systemkeys/delete":{"id":"Microsoft.Web/Sites/host/systemkeys/delete","name":"Web Apps Functions host system keys","scope":"HIGH","parent":{"notes":"These keys are credential material gating privileged/admin invocation of the function app; functions invoked with them run under the app's assigned managed identity.","description":"Azure Functions host system keys are app-level bearer credentials that authorize the Functions runtime admin API and privileged extension webhook endpoints (e.g. Durable Functions, Event Grid extension) of a function app."},"risks":["destruction:crypto","impact:access","impact:dos"],"notes":"Deleting host system keys destroys the credential material and revokes the access that extensions/integrations (Event Grid, Durable Functions) and operators depend on, denying authorized access and breaking those privileged endpoints.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/host/systemkeys/write":{"id":"Microsoft.Web/Sites/host/systemkeys/write","name":"Web Apps Functions host system keys","scope":"HIGH","parent":{"notes":"These keys are credential material gating privileged/admin invocation of the function app; functions invoked with them run under the app's assigned managed identity.","description":"Azure Functions host system keys are app-level bearer credentials that authorize the Functions runtime admin API and privileged extension webhook endpoints (e.g. Durable Functions, Event Grid extension) of a function app."},"risks":["persistence:account","escalation:lateral","exfiltration:crypto","impact:manipulation"],"notes":"PUT creates/overwrites a host system key with an attacker-chosen value and returns the resolved key in the response, planting a persistent credential that authorizes privileged admin/extension invocation running as the app identity.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/hostnamebindings/delete":{"id":"Microsoft.Web/Sites/hostnamebindings/delete","name":"Web App hostname bindings","scope":"HIGH","parent":{"notes":"Governs public-facing reachability and domain-to-app routing for a single application function.","description":"A hostname binding maps a custom domain (and its SSL/SNI configuration) to an Azure App Service web app, controlling how public inbound traffic is routed to the site."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a hostname binding removes the custom-domain endpoint that routes traffic to the web app, tearing down the public network binding and breaking inbound access (DoS) for that domain.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/hostnamebindings/write":{"id":"Microsoft.Web/Sites/hostnamebindings/write","name":"Web App hostname bindings","scope":"HIGH","parent":{"notes":"Governs public-facing reachability and domain-to-app routing for a single application function.","description":"A hostname binding maps a custom domain (and its SSL/SNI configuration) to an Azure App Service web app, controlling how public inbound traffic is routed to the site."},"risks":["takeover:domain","impact:defacement"],"notes":"Creating/updating a hostname binding lets an attacker attach or repoint a custom domain to an app, controlling traffic routing on that domain (takeover) and serving attacker-controlled content on the public-facing asset.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/hostruntime/functions/keys/read":{"id":"Microsoft.Web/Sites/hostruntime/functions/keys/read","name":"Web App hostruntime function keys","scope":"CRITICAL","parent":{"notes":"These keys authorize function invocation and code execution as the app identity, so the read returns usable secret material.","description":"Function access keys exposed via the Function App host runtime endpoint; despite the /read verb these are the actual invocation credentials."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns function keys via the host runtime, exporting credential material that authorizes function invocation and code execution as the app.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/hostruntime/host/_master/read":{"id":"Microsoft.Web/Sites/hostruntime/host/_master/read","name":"Function App master key","scope":"CRITICAL","parent":{"notes":"Master key grants full administrative control of the Functions runtime and enables code execution under the app's managed identity.","description":"The Function App master key, an admin-level credential that bypasses function-level authorization to invoke and administer all functions in the Function App runtime."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the admin master key as reusable credential material, enabling invocation/management of all functions and code execution as the app identity.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/hostruntime/webhooks/Api/workflows/triggers/listCallbackUrl/action":{"id":"Microsoft.Web/Sites/hostruntime/webhooks/Api/workflows/triggers/listCallbackUrl/action","name":"Web Apps Hostruntime Workflow Triggers","scope":"HIGH","parent":{"notes":"Workflows often run with a managed identity and connections to other services; their triggers and run history can expose how business automation is wired and the data it processes.","description":"The trigger definitions of Logic Apps Standard / Functions-style workflows hosted in an App Service site host runtime. Triggers define how and when a workflow's automation fires (HTTP webhook, schedule, connector event)."},"risks":["exfiltration:crypto"],"notes":"Returns the trigger callback URL embedding a SAS signature (sig=) that lets anyone holding it invoke the workflow without further authentication, i.e. exported credential-equivalent material.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/hybridconnectionnamespaces/relays/listKeys/action":{"id":"Microsoft.Web/Sites/hybridconnectionnamespaces/relays/listKeys/action","name":"Web App hybrid connection relays","scope":"CRITICAL","parent":{"notes":"Configuration discloses the relay namespace and target host/port (network topology); the relay's send/listen keys are credential material retrieved via a separate listKeys action.","description":"A hybrid connection relay on a Web App is an Azure Relay-backed network bridge that lets the app reach a specific backend TCP endpoint (often on-premises or in a private network) by host and port."},"risks":["exfiltration:crypto","escalation:network"],"notes":"Returns the Azure Relay SAS send/listen access keys for the hybrid connection; an attacker exfiltrates these reusable credentials and connects to the relay to reach the backend/private/on-prem network it bridges.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/instances/processes/delete":{"id":"Microsoft.Web/Sites/instances/processes/delete","name":"Web App instance processes","scope":"HIGH","parent":{"notes":"Runtime process detail can include command lines and environment variables, which on App Service commonly hold connection strings and secrets.","description":"Instance processes are the live worker processes running the web app's workload on a given App Service instance, exposed via the Kudu/SCM process API."},"risks":["impact:dos"],"notes":"Deleting (killing) a running worker process on an app instance terminates the executing workload, disrupting service availability.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/instances/processes/read":{"id":"Microsoft.Web/Sites/instances/processes/read","name":"Web App instance processes","scope":"HIGH","parent":{"notes":"Runtime process detail can include command lines and environment variables, which on App Service commonly hold connection strings and secrets.","description":"Instance processes are the live worker processes running the web app's workload on a given App Service instance, exposed via the Kudu/SCM process API."},"risks":["discovery:infra","exfiltration:crypto"],"notes":"Reading process detail via the Kudu process API exposes command lines and environment variables, which on App Service routinely contain connection strings, account keys, and other secrets — enabling credential exfiltration beyond mere process enumeration.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/listworkflowsconnections/action":{"id":"Microsoft.Web/Sites/listworkflowsconnections/action","name":"Web App","scope":"HIGH","parent":{"notes":"Production application hosting for a single organizational function; can hold secrets in app settings, run code under a managed identity, and serve public traffic.","description":"An Azure App Service site (Web App, Function App, or Logic App Standard) is a managed hosting resource that runs an organization's application code, often with an attached managed identity, app settings/connection strings, and a public-facing endpoint."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Listing a Logic App's connections by ID returns connection objects that can include runtime secrets/connection keys for downstream services, enabling credential exfiltration and lateral movement to connected systems.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/networktrace/action":{"id":"Microsoft.Web/Sites/networktrace/action","name":"Web App","scope":"MEDIUM","parent":{"notes":"Production application hosting for a single organizational function; can hold secrets in app settings, run code under a managed identity, and serve public traffic.","description":"An Azure App Service site (Web App, Function App, or Logic App Standard) is a managed hosting resource that runs an organization's application code, often with an attached managed identity, app settings/connection strings, and a public-facing endpoint."},"risks":["exfiltration:data","collection:data"],"notes":"Capturing a network trace records the app's live network traffic, which can collect and expose sensitive in-transit data and credentials.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/newpassword/action":{"id":"Microsoft.Web/Sites/newpassword/action","name":"Web App","scope":"HIGH","parent":{"notes":"Production application hosting for a single organizational function; can hold secrets in app settings, run code under a managed identity, and serve public traffic.","description":"An Azure App Service site (Web App, Function App, or Logic App Standard) is a managed hosting resource that runs an organization's application code, often with an attached managed identity, app settings/connection strings, and a public-facing endpoint."},"risks":["persistence:account","escalation:lateral"],"notes":"Regenerating the app-scope deployment password sets a new publishing credential the attacker controls, establishing persistent code-deployment access and execution as the app identity; the action sets/rotates rather than returning an existing secret.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/publishxml/Action":{"id":"Microsoft.Web/Sites/publishxml/Action","name":"Web App","scope":"CRITICAL","parent":{"notes":"Production application hosting for a single organizational function; can hold secrets in app settings, run code under a managed identity, and serve public traffic.","description":"An Azure App Service site (Web App, Function App, or Logic App Standard) is a managed hosting resource that runs an organization's application code, often with an attached managed identity, app settings/connection strings, and a public-facing endpoint."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the publishing profile XML containing FTP/Web Deploy/SCM deployment credentials, directly exfiltrating usable secrets that grant code-push access to the app and execution under its managed identity.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/publishxml/read":{"id":"Microsoft.Web/Sites/publishxml/read","name":"Web App publishing profile XML","scope":"CRITICAL","parent":{"notes":"Production application hosting for a single organizational function; can hold secrets in app settings, run code under a managed identity, and serve public traffic.","description":"An Azure App Service site (Web App, Function App, or Logic App Standard) is a managed hosting resource that runs an organization's application code, often with an attached managed identity, app settings/connection strings, and a public-facing endpoint."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the publish profile XML with deployment credentials, exporting secret material that lets an attacker deploy/run arbitrary code as the app and take over its deployment access.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/backup/Action":{"id":"Microsoft.Web/Sites/slots/backup/Action","name":"Web App deployment slot","scope":"HIGH","parent":{"notes":"Slots host a single organizational function's production or staging workload; their configuration and managed identity make them a pivot point for code execution and lateral movement.","description":"An Azure App Service deployment slot is a live, addressable instance of a web/function/Logic App hosting application code, configuration (app settings, connection strings), and an assigned managed identity. Slots can be swapped into the production endpoint."},"risks":["impact:spend"],"notes":"Triggering an on-demand backup writes app content/config to a storage target and consumes storage/compute; in isolation it neither returns nor destroys data.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/backup/read":{"id":"Microsoft.Web/Sites/slots/backup/read","name":"Web Apps Slots Backup configuration","scope":"HIGH","parent":{"notes":"Slots host a single organizational function's production or staging workload; their configuration and managed identity make them a pivot point for code execution and lateral movement.","description":"An Azure App Service deployment slot is a live, addressable instance of a web/function/Logic App hosting application code, configuration (app settings, connection strings), and an assigned managed identity. Slots can be swapped into the production endpoint."},"risks":["exfiltration:crypto","discovery:infra"],"notes":"Verified against the REST API (config/backup/list): the BackupRequest response returns properties.storageAccountUrl (a SAS URL to the backup container) and properties.databases[].connectionString, so reading it exfiltrates usable credential material in addition to enumerating backup settings.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/backup/write":{"id":"Microsoft.Web/Sites/slots/backup/write","name":"Web Apps Slots Backup configuration","scope":"HIGH","parent":{"notes":"Slots host a single organizational function's production or staging workload; their configuration and managed identity make them a pivot point for code execution and lateral movement.","description":"An Azure App Service deployment slot is a live, addressable instance of a web/function/Logic App hosting application code, configuration (app settings, connection strings), and an assigned managed identity. Slots can be swapped into the production endpoint."},"risks":["impact:manipulation"],"notes":"Updating the slot backup configuration lets an attacker alter or disable the backup schedule/retention or redirect backups to attacker-controlled storage, undermining the app's recovery posture.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/config/Snapshots/listSecrets/action":{"id":"Microsoft.Web/Sites/slots/config/Snapshots/listSecrets/action","name":"Web App slot config snapshots","scope":"CRITICAL","parent":{"notes":"The snapshot metadata/list does not return secret values; secret material is exposed only via the dedicated listsecrets action.","description":"Point-in-time configuration snapshots of an App Service deployment slot, capturing the slot's saved application settings and connection-string configuration history."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This listsecrets action returns the secret app settings and connection strings captured in a slot config snapshot, exporting reusable credential/connection-string material that authenticates to backing data stores and enables pivoting to other identities.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/config/appsettings/read":{"id":"Microsoft.Web/Sites/slots/config/appsettings/read","name":"Web App slot app setting","scope":"CRITICAL","parent":{"notes":"App settings routinely hold API keys, passwords, and connection secrets returned in cleartext; treated as credential material.","description":"App settings of an Azure App Service deployment slot, injected into the running app as environment variables."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This management-plane read returns the slot's app setting values in cleartext, which commonly embed secrets/credentials usable to pivot into backing services.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/config/appsettings/write":{"id":"Microsoft.Web/Sites/slots/config/appsettings/write","name":"Web App slot app setting","scope":"CRITICAL","parent":{"notes":"App settings routinely hold API keys, passwords, and connection secrets returned in cleartext; treated as credential material.","description":"App settings of an Azure App Service deployment slot, injected into the running app as environment variables."},"risks":["impact:manipulation","escalation:lateral"],"notes":"Creating/updating a slot app setting alters a runtime environment variable the app consumes, letting an attacker redirect dependencies or inject config the app's identity acts upon.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/config/list/action":{"id":"Microsoft.Web/Sites/slots/config/list/action","name":"Web App Slot configuration","scope":"CRITICAL","parent":{"notes":"The control-plane Read masks secret values; the security-sensitive settings (publishing credentials, connection strings) are returned only by the separate list/Action.","description":"The configuration sub-resource of an App Service deployment slot, holding the slot's runtime/site settings, app settings, and connection strings. Slots are staging/production variants of a Web App."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Explicitly returns the slot's security-sensitive settings including publishing credentials, app settings, and connection strings; the publishing credentials are a reusable deployment credential and connection strings yield access to backing data stores.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/config/web/connectionstrings/delete":{"id":"Microsoft.Web/Sites/slots/config/web/connectionstrings/delete","name":"Web App slot connection string","scope":"CRITICAL","parent":{"notes":"Connection strings by definition contain database/storage credentials returned in cleartext; credential material.","description":"Connection strings of an Azure App Service deployment slot that embed credentials for backing databases and storage services."},"risks":["impact:manipulation","impact:dos"],"notes":"Deleting a slot's connection string removes its data-store binding, breaking the slot's data access and disrupting the service.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/config/web/connectionstrings/read":{"id":"Microsoft.Web/Sites/slots/config/web/connectionstrings/read","name":"Web App slot connection string","scope":"CRITICAL","parent":{"notes":"Connection strings by definition contain database/storage credentials returned in cleartext; credential material.","description":"Connection strings of an Azure App Service deployment slot that embed credentials for backing databases and storage services."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Reading a slot's connection string returns embedded backing-store credentials in cleartext, exportable for direct authenticated access to the data store.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/config/web/connectionstrings/write":{"id":"Microsoft.Web/Sites/slots/config/web/connectionstrings/write","name":"Web App slot connection string","scope":"CRITICAL","parent":{"notes":"Connection strings by definition contain database/storage credentials returned in cleartext; credential material.","description":"Connection strings of an Azure App Service deployment slot that embed credentials for backing databases and storage services."},"risks":["impact:manipulation","escalation:lateral"],"notes":"Creating/updating a slot's connection string can repoint the slot to an attacker-controlled data store or inject credentials, manipulating config and enabling lateral movement.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/domainownershipidentifiers/delete":{"id":"Microsoft.Web/Sites/slots/domainownershipidentifiers/delete","name":"Web App slot domain ownership identifiers","scope":"HIGH","parent":{"notes":"Controls custom-domain verification/binding for the public-facing app; write/delete can affect domain routing.","description":"Custom-domain ownership-verification identifiers (tokens) used to prove and bind a custom domain to a Web App deployment slot."},"risks":["takeover:domain","impact:dos"],"notes":"Deleting domain-ownership identifiers removes custom-domain verification bindings, disrupting public-facing domain routing and potentially allowing the domain to be re-claimed.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/domainownershipidentifiers/write":{"id":"Microsoft.Web/Sites/slots/domainownershipidentifiers/write","name":"Web App slot domain ownership identifiers","scope":"HIGH","parent":{"notes":"Controls custom-domain verification/binding for the public-facing app; write/delete can affect domain routing.","description":"Custom-domain ownership-verification identifiers (tokens) used to prove and bind a custom domain to a Web App deployment slot."},"risks":["takeover:domain","impact:manipulation"],"notes":"Creating/updating domain-ownership identifiers manipulates the custom-domain verification/binding state, which can be abused to assert ownership and route a domain to the app.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/extensions/Api/action":{"id":"Microsoft.Web/Sites/slots/extensions/Api/action","name":"Web Apps slot site extensions","scope":"HIGH","parent":{"notes":"Control-plane configuration of the app's runtime components; invoking Kudu/SCM can enable command execution and content read/write in the app's context.","description":"Site (Kudu/SCM) extensions installed on an App Service deployment slot are code modules/tooling that run inside the app's sandbox."},"risks":["escalation:lateral","impact:manipulation","impact:hijack","exfiltration:data"],"notes":"Invoking the slot extension (Kudu/SCM) APIs allows command execution, file/content read-write, and deployment in the app's context, running code as the app's managed identity, reading app files/code, and modifying the deployment.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/functions/keys/delete":{"id":"Microsoft.Web/Sites/slots/functions/keys/delete","name":"Web Apps slot function keys","scope":"HIGH","parent":{"notes":"Credential material gating function invocation; the invoked function runs under the app's assigned managed identity.","description":"Function keys are per-function bearer credentials that authorize invocation of an HTTP-triggered function in an App Service Functions slot."},"risks":["destruction:crypto","impact:access","impact:dos"],"notes":"Deleting a function key destroys the credential material and revokes the invocation access legitimate callers depend on, denying authorized access and disrupting the function.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/functions/keys/write":{"id":"Microsoft.Web/Sites/slots/functions/keys/write","name":"Web Apps slot function keys","scope":"HIGH","parent":{"notes":"Credential material gating function invocation; the invoked function runs under the app's assigned managed identity.","description":"Function keys are per-function bearer credentials that authorize invocation of an HTTP-triggered function in an App Service Functions slot."},"risks":["persistence:account","escalation:lateral","exfiltration:crypto","impact:manipulation"],"notes":"PUT creates/overwrites a function key with an attacker-chosen value and returns the resolved key, planting a persistent invocation credential and granting durable access to run the function as the app identity.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/functions/listKeys/action":{"id":"Microsoft.Web/Sites/slots/functions/listKeys/action","name":"Web App slot functions","scope":"CRITICAL","parent":{"notes":"Function keys are invocation credentials enabling code execution as the function app.","description":"Functions deployed to a Web App / Function App deployment slot; this action lists the function access keys that authorize invoking those functions."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns function access keys (invocation credentials), enabling an attacker to call protected functions and run code as the app.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/functions/listSecrets/action":{"id":"Microsoft.Web/Sites/slots/functions/listSecrets/action","name":"Web App slot functions","scope":"CRITICAL","parent":{"notes":"Function keys are invocation credentials enabling code execution as the function app.","description":"Functions deployed to a Web App / Function App deployment slot; this action lists the function access keys that authorize invoking those functions."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the secret function keys for a slot's functions, exporting reusable invocation credentials that enable code execution as the app.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/host/functionkeys/delete":{"id":"Microsoft.Web/Sites/slots/host/functionkeys/delete","name":"Web Apps slot Functions host function keys","scope":"HIGH","parent":{"notes":"Credential material gating app-wide function invocation; invoked functions run under the app's assigned managed identity.","description":"Functions host function keys are app-level bearer credentials valid for invoking any function across the function app slot."},"risks":["destruction:crypto","impact:access","impact:dos"],"notes":"Deleting a host-level function key destroys credential material valid across all functions in the app and revokes the invocation access legitimate callers depend on, denying authorized access app-wide.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/host/functionkeys/write":{"id":"Microsoft.Web/Sites/slots/host/functionkeys/write","name":"Web Apps slot Functions host function keys","scope":"HIGH","parent":{"notes":"Credential material gating app-wide function invocation; invoked functions run under the app's assigned managed identity.","description":"Functions host function keys are app-level bearer credentials valid for invoking any function across the function app slot."},"risks":["persistence:account","escalation:lateral","exfiltration:crypto","impact:manipulation"],"notes":"PUT creates/overwrites a host-level function key with an attacker-chosen value and returns the resolved key, planting a persistent credential valid across all functions in the app and granting invocation as the app identity.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/host/listKeys/action":{"id":"Microsoft.Web/Sites/slots/host/listKeys/action","name":"Web Apps slot Functions host keys","scope":"HIGH","parent":{"notes":"The master/host key is admin-equivalent over the function app; functions invoked with it run under the app's assigned managed identity.","description":"Functions host keys (including the host master key) are app-level bearer credentials that authorize invocation of any function in the app and administrative access to the Functions runtime."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Listing the host keys returns the actual secret key material (including the master key), yielding usable bearer credentials to invoke any function in the app and run code as the app's managed identity.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/host/systemkeys/delete":{"id":"Microsoft.Web/Sites/slots/host/systemkeys/delete","name":"Web Apps Functions Host system keys","scope":"HIGH","parent":{"notes":"These keys are high-privilege authentication credentials scoped to a single function app/slot; possessing them grants invocation and admin access to that function host.","description":"Functions host system keys are credential material that authenticate calls to the Azure Functions host's admin and extension endpoints (including the master-level admin key) for a function app deployment slot."},"risks":["destruction:crypto","impact:access"],"notes":"Deleting host system keys destroys secret credential/key material (destruction:crypto) and revokes the keys that legitimate callers, integrations, and webhooks depend on, denying authorized operational access to the function host (impact:access).","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/host/systemkeys/write":{"id":"Microsoft.Web/Sites/slots/host/systemkeys/write","name":"Web Apps Functions Host system keys","scope":"HIGH","parent":{"notes":"These keys are high-privilege authentication credentials scoped to a single function app/slot; possessing them grants invocation and admin access to that function host.","description":"Functions host system keys are credential material that authenticate calls to the Azure Functions host's admin and extension endpoints (including the master-level admin key) for a function app deployment slot."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"Setting/overwriting host system keys lets an attacker plant a known credential value for durable backdoor access (persistence:account) and use it to invoke functions and privileged admin/extension endpoints as the function app identity (escalation:lateral), while altering the security-sensitive auth-key configuration (impact:manipulation).","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/hostnamebindings/delete":{"id":"Microsoft.Web/Sites/slots/hostnamebindings/delete","name":"Web Apps Slots Hostname Bindings","scope":"HIGH","parent":{"notes":null,"description":"Hostname bindings map custom domains/hostnames to an App Service deployment slot, controlling how public traffic is routed to the app."},"risks":["destruction:network","impact:dos"],"notes":"Deleting a hostname binding removes the custom-domain-to-slot mapping, tearing down the inbound network endpoint and denying service to traffic on that domain.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/hostnamebindings/write":{"id":"Microsoft.Web/Sites/slots/hostnamebindings/write","name":"Web Apps Slots Hostname Bindings","scope":"HIGH","parent":{"notes":null,"description":"Hostname bindings map custom domains/hostnames to an App Service deployment slot, controlling how public traffic is routed to the app."},"risks":["takeover:domain","impact:defacement"],"notes":"Creating/updating a hostname binding lets an attacker route a custom domain/subdomain to a slot they control, enabling domain takeover and defacement of public-facing content.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/listworkflowsconnections/action":{"id":"Microsoft.Web/Sites/slots/listworkflowsconnections/action","name":"Web App deployment slot","scope":"HIGH","parent":{"notes":"Slots host a single organizational function's production or staging workload; their configuration and managed identity make them a pivot point for code execution and lateral movement.","description":"An Azure App Service deployment slot is a live, addressable instance of a web/function/Logic App hosting application code, configuration (app settings, connection strings), and an assigned managed identity. Slots can be swapped into the production endpoint."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Listing a Logic App's connections by ID returns connection runtime objects that can include connection keys/secrets used to authenticate to backend services, disclosing usable credential material for downstream pivot.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/networktrace/action":{"id":"Microsoft.Web/Sites/slots/networktrace/action","name":"Web App deployment slot","scope":"HIGH","parent":{"notes":"Slots host a single organizational function's production or staging workload; their configuration and managed identity make them a pivot point for code execution and lateral movement.","description":"An Azure App Service deployment slot is a live, addressable instance of a web/function/Logic App hosting application code, configuration (app settings, connection strings), and an assigned managed identity. Slots can be swapped into the production endpoint."},"risks":["exfiltration:data"],"notes":"Capturing a network trace records the slot's live in-transit traffic, which can include request/response payloads, tokens, and credentials, enabling data exfiltration.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/newpassword/action":{"id":"Microsoft.Web/Sites/slots/newpassword/action","name":"Web App deployment slot","scope":"CRITICAL","parent":{"notes":"Slots host a single organizational function's production or staging workload; their configuration and managed identity make them a pivot point for code execution and lateral movement.","description":"An Azure App Service deployment slot is a live, addressable instance of a web/function/Logic App hosting application code, configuration (app settings, connection strings), and an assigned managed identity. Slots can be swapped into the production endpoint."},"risks":["exfiltration:crypto","escalation:lateral","persistence:account"],"notes":"Regenerating the slot's publishing password mints and returns fresh deployment credentials, granting the attacker authenticated deploy/control access and establishing persistent credentials while invalidating the legitimate one.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/Sites/slots/publishxml/action":{"id":"Microsoft.Web/Sites/slots/publishxml/action","name":"Web App deployment slot","scope":"CRITICAL","parent":{"notes":"Slots host a single organizational function's production or staging workload; their configuration and managed identity make them a pivot point for code execution and lateral movement.","description":"An Azure App Service deployment slot is a live, addressable instance of a web/function/Logic App hosting application code, configuration (app settings, connection strings), and an assigned managed identity. Slots can be swapped into the production endpoint."},"risks":["exfiltration:crypto","escalation:lateral","takeover:account"],"notes":"Returns the publishing profile XML containing live deployment credentials (FTP/Web Deploy/SCM usernames and passwords, often connection strings), letting an attacker authenticate, deploy arbitrary code, and operate as the app.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/apimanagementaccounts/apis/apiacls/delete":{"id":"Microsoft.Web/apimanagementaccounts/apis/apiacls/delete","name":"Logic Apps API access-control list","scope":"MEDIUM","parent":{"notes":"These ACLs are authorization policy; removing or rewriting them changes who can reach the API.","description":"The API access-control list (ACL) restricting which principals may invoke a managed API/connector."},"risks":["destruction:policy","impact:access"],"notes":"Deletes the API ACL entries, tearing down the access-control policy that restricts callers, which can strip authorized principals' access while relaxing restrictions guarding the API.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/apimanagementaccounts/apis/apiacls/write":{"id":"Microsoft.Web/apimanagementaccounts/apis/apiacls/write","name":"Logic Apps API access-control list","scope":"MEDIUM","parent":{"notes":"These ACLs are authorization policy; removing or rewriting them changes who can reach the API.","description":"The API access-control list (ACL) restricting which principals may invoke a managed API/connector."},"risks":["escalation:privilege","impact:access"],"notes":"Creating/updating the API ACL lets an attacker grant their own principal authorization to invoke the API and overwrite or restrict other principals' access.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/apimanagementaccounts/apis/connections/confirmConsentCode/action":{"id":"Microsoft.Web/apimanagementaccounts/apis/connections/confirmConsentCode/action","name":"Logic Apps API connection","scope":"HIGH","parent":{"notes":"Connections embed reusable backend credentials/OAuth tokens; secret material is exposed only via dedicated listsecrets/listconnectionkeys actions, while the resource itself supports a single integration function.","description":"A managed API connection (Logic Apps / connector instance) that stores the configuration and authentication binding linking workflows to a backend service."},"risks":["escalation:lateral","persistence:account"],"notes":"Confirms the OAuth consent code that finalizes the connection's delegated authorization, binding an identity/token the connection then acts as to reach the backend service and persisting that access.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/apimanagementaccounts/apis/connections/connectionacls/delete":{"id":"Microsoft.Web/apimanagementaccounts/apis/connections/connectionacls/delete","name":"API connection access-control lists (legacy connector connection ACLs)","scope":"MEDIUM","parent":{"notes":"Sensitivity is that of a single integration function's authorization gate; the connection may broker credentialed access to a backend.","description":"Connection ACLs are access-control list entries on legacy API Management account / managed-connector API connections, governing which principals and resources may use a connection. The connection itself typically holds backing credentials (tokens/keys) to a connected backend."},"risks":["destruction:policy","impact:access"],"notes":"Deleting the connection ACL removes the access-control policy restricting the connection (enabling unrestricted use) and can strip authorized principals of their legitimate access.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/apimanagementaccounts/apis/connections/connectionacls/write":{"id":"Microsoft.Web/apimanagementaccounts/apis/connections/connectionacls/write","name":"API connection access-control lists (legacy connector connection ACLs)","scope":"MEDIUM","parent":{"notes":"Sensitivity is that of a single integration function's authorization gate; the connection may broker credentialed access to a backend.","description":"Connection ACLs are access-control list entries on legacy API Management account / managed-connector API connections, governing which principals and resources may use a connection. The connection itself typically holds backing credentials (tokens/keys) to a connected backend."},"risks":["escalation:privilege","impact:manipulation"],"notes":"Creating/updating the connection ACL lets an attacker grant a controlled principal use of the credentialed connection (an access-control grant) and tamper with who may invoke it.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/apimanagementaccounts/apis/connections/listConnectionKeys/action":{"id":"Microsoft.Web/apimanagementaccounts/apis/connections/listConnectionKeys/action","name":"Logic Apps API connection","scope":"CRITICAL","parent":{"notes":"Connections embed reusable backend credentials/OAuth tokens; secret material is exposed only via dedicated listsecrets/listconnectionkeys actions, while the resource itself supports a single integration function.","description":"A managed API connection (Logic Apps / connector instance) that stores the configuration and authentication binding linking workflows to a backend service."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"A listKeys-style action returning the connection's runtime access keys, reusable credential material an attacker redeems to invoke the connection and pivot into the linked backend service.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/apimanagementaccounts/apis/connections/listSecrets/action":{"id":"Microsoft.Web/apimanagementaccounts/apis/connections/listSecrets/action","name":"Logic Apps API connection","scope":"CRITICAL","parent":{"notes":"Connections embed reusable backend credentials/OAuth tokens; secret material is exposed only via dedicated listsecrets/listconnectionkeys actions, while the resource itself supports a single integration function.","description":"A managed API connection (Logic Apps / connector instance) that stores the configuration and authentication binding linking workflows to a backend service."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the connection's stored secrets (backend passwords, OAuth tokens, connection strings), exporting reusable credentials that grant direct authenticated access to the connected system.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connections/accessPolicies/Delete":{"id":"Microsoft.Web/connections/accessPolicies/Delete","name":"API Connection Access Policies","scope":"HIGH","parent":{"notes":"The connection wraps stored/delegated credentials to a backend system; access to use it confers access to that backend.","description":"Connection access policies are the access-control entries (objectId/tenantId grants) governing which principals may use an Azure API Connection, which brokers credentialed access to a backend service (e.g. for Logic Apps)."},"risks":["destruction:policy","impact:access"],"notes":"Deleting access policies removes access-control grants on the connection (destruction:policy), stripping legitimate principals (e.g. a Logic App's managed identity) of their authorized access to use the connection (impact:access).","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connections/accessPolicies/write":{"id":"Microsoft.Web/connections/accessPolicies/write","name":"API Connection Access Policies","scope":"HIGH","parent":{"notes":"The connection wraps stored/delegated credentials to a backend system; access to use it confers access to that backend.","description":"Connection access policies are the access-control entries (objectId/tenantId grants) governing which principals may use an Azure API Connection, which brokers credentialed access to a backend service (e.g. for Logic Apps)."},"risks":["escalation:privilege","escalation:lateral"],"notes":"Adding/updating an access policy lets an attacker grant an attacker-chosen principal authorization to use the connection (escalation:privilege); because the connection brokers credentialed access to a backend, the granted identity can then reach that backend (escalation:lateral).","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connections/confirmConsentCode/action":{"id":"Microsoft.Web/connections/confirmConsentCode/action","name":"API Connections","scope":"HIGH","parent":{"notes":"These resources broker authenticated access to external/backend systems and hold stored credential material, so key-listing and invoke operations are credential-grade exposures even though most control-plane operations affect a single integration function.","description":"Azure API Connections (Microsoft.Web/connections) are integration resources that store credential-backed connections (OAuth tokens, API keys, connection strings) used by Logic Apps and Power Automate to authenticate to backend SaaS and API services."},"risks":["persistence:account","escalation:lateral"],"notes":"Confirming the OAuth consent code completes the authorization handshake that binds delegated credentials/tokens to the connection, establishing and maintaining usable authenticated access to the backing identity/service.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connections/dynamicInvoke/action":{"id":"Microsoft.Web/connections/dynamicInvoke/action","name":"API Connections","scope":"HIGH","parent":{"notes":"These resources broker authenticated access to external/backend systems and hold stored credential material, so key-listing and invoke operations are credential-grade exposures even though most control-plane operations affect a single integration function.","description":"Azure API Connections (Microsoft.Web/connections) are integration resources that store credential-backed connections (OAuth tokens, API keys, connection strings) used by Logic Apps and Power Automate to authenticate to backend SaaS and API services."},"risks":["escalation:lateral","exfiltration:data","impact:manipulation"],"notes":"Dynamic Invoke executes a call through the connection against the backing service using its stored credentials, letting an attacker ride the connection's identity to move laterally and read or manipulate data in the connected backend without seeing the raw secret.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connections/listConnectionKeys/action":{"id":"Microsoft.Web/connections/listConnectionKeys/action","name":"API Connections","scope":"CRITICAL","parent":{"notes":"These resources broker authenticated access to external/backend systems and hold stored credential material, so key-listing and invoke operations are credential-grade exposures even though most control-plane operations affect a single integration function.","description":"Azure API Connections (Microsoft.Web/connections) are integration resources that store credential-backed connections (OAuth tokens, API keys, connection strings) used by Logic Apps and Power Automate to authenticate to backend SaaS and API services."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This listKeys-style action returns the connection's secret access keys/credentials, letting an attacker exfiltrate the credential material and reuse the connection's identity to reach the backing service.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connections/delete":{"id":"Microsoft.Web/connections/delete","name":"API Connections","scope":"HIGH","parent":{"notes":"These resources broker authenticated access to external/backend systems and hold stored credential material, so key-listing and invoke operations are credential-grade exposures even though most control-plane operations affect a single integration function.","description":"Azure API Connections (Microsoft.Web/connections) are integration resources that store credential-backed connections (OAuth tokens, API keys, connection strings) used by Logic Apps and Power Automate to authenticate to backend SaaS and API services."},"risks":["destruction:infra"],"notes":"Deleting a Connection removes the integration resource that dependent Logic Apps/workflows rely on, breaking those integrations in a denial-of-service-like manner.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connections/write":{"id":"Microsoft.Web/connections/write","name":"API Connections","scope":"HIGH","parent":{"notes":"These resources broker authenticated access to external/backend systems and hold stored credential material, so key-listing and invoke operations are credential-grade exposures even though most control-plane operations affect a single integration function.","description":"Azure API Connections (Microsoft.Web/connections) are integration resources that store credential-backed connections (OAuth tokens, API keys, connection strings) used by Logic Apps and Power Automate to authenticate to backend SaaS and API services."},"risks":["impact:manipulation","escalation:lateral","persistence:account"],"notes":"Create/update lets an attacker alter connection configuration and supply or replace credentials/parameters so trusted workflows route through attacker-controlled or attacker-accessible backends, and can seed attacker-owned credentials for persistent authenticated access.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connectorGateways/connections/accessPolicies/action":{"id":"Microsoft.Web/connectorGateways/connections/accessPolicies/action","name":"Connector Gateway Connection Access Policy","scope":"HIGH","parent":{"notes":"Access policies control use of a credential-bearing connection; altering them can grant unauthorized use of the connection and its backend credentials, or revoke legitimate access.","description":"Authorization bindings on a Connector Gateway connection that govern which principals may use the credential-bearing connection to access a backend data source."},"risks":["impact:manipulation","escalation:privilege"],"notes":"An action on a connection access policy operates on the authorization construct governing who may use the credentialed connection, letting an attacker alter that authorization in their favor.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connectorGateways/connections/accessPolicies/delete":{"id":"Microsoft.Web/connectorGateways/connections/accessPolicies/delete","name":"Connector Gateway Connection Access Policy","scope":"HIGH","parent":{"notes":"Access policies control use of a credential-bearing connection; altering them can grant unauthorized use of the connection and its backend credentials, or revoke legitimate access.","description":"Authorization bindings on a Connector Gateway connection that govern which principals may use the credential-bearing connection to access a backend data source."},"risks":["destruction:policy","impact:access"],"notes":"Deleting a connection access policy removes the access-control binding governing the connection, tearing down authorization that would otherwise deny use and stripping legitimate principals' access.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connectorGateways/connections/accessPolicies/write":{"id":"Microsoft.Web/connectorGateways/connections/accessPolicies/write","name":"Connector Gateway Connection Access Policy","scope":"HIGH","parent":{"notes":"Access policies control use of a credential-bearing connection; altering them can grant unauthorized use of the connection and its backend credentials, or revoke legitimate access.","description":"Authorization bindings on a Connector Gateway connection that govern which principals may use the credential-bearing connection to access a backend data source."},"risks":["escalation:privilege","escalation:lateral","impact:access"],"notes":"Create/update lets an attacker bind their own principal to the connection, granting authority to wield its stored backend credentials (privilege escalation -> lateral movement to the backend), and via policy replacement can remove legitimate principals' access.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connectorGateways/connections/action":{"id":"Microsoft.Web/connectorGateways/connections/action","name":"Connector Gateway connections","scope":"HIGH","parent":{"notes":"Connections broker stored backend credentials/auth configuration; controlling them can enable access to the backend targets they point to.","description":"A Connector Gateway connection is a Microsoft.Web integration resource representing a credentialed link to a backend/on-premises data source used by Logic Apps/Power Platform connectors."},"risks":["impact:manipulation","escalation:lateral"],"notes":"A discrete action on a credential-bearing connection can exercise or alter the connection's stored backend identity, letting an attacker invoke the connection to reach the backend (lateral) and change its operational state.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connectorGateways/connections/delete":{"id":"Microsoft.Web/connectorGateways/connections/delete","name":"Connector Gateway connections","scope":"HIGH","parent":{"notes":"Connections broker stored backend credentials/auth configuration; controlling them can enable access to the backend targets they point to.","description":"A Connector Gateway connection is a Microsoft.Web integration resource representing a credentialed link to a backend/on-premises data source used by Logic Apps/Power Platform connectors."},"risks":["destruction:infra","impact:dos"],"notes":"Deleting a connection removes the credentialed link a backend integration relies on, destroying the integration resource and disrupting dependent Logic Apps/workflows.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/connectorGateways/connections/write":{"id":"Microsoft.Web/connectorGateways/connections/write","name":"Connector Gateway connections","scope":"HIGH","parent":{"notes":"Connections broker stored backend credentials/auth configuration; controlling them can enable access to the backend targets they point to.","description":"A Connector Gateway connection is a Microsoft.Web integration resource representing a credentialed link to a backend/on-premises data source used by Logic Apps/Power Platform connectors."},"risks":["impact:manipulation","escalation:lateral","persistence:account"],"notes":"Create/update lets an attacker set or repoint the stored backend credential/auth configuration, planting an attacker-controlled credentialed link (persistence) and pivoting into the backend the connection targets (lateral) while altering integration config.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/containerApps/listSecrets/action":{"id":"Microsoft.Web/containerApps/listSecrets/action","name":"Container App","scope":"CRITICAL","parent":{"notes":"Production compute supporting a single application function; can hold secrets and managed identities that authenticate to backing services.","description":"An Azure Container App is a serverless container hosting resource that runs application workloads, with configuration covering the container image, ingress, scaling, environment variables, secrets, and assigned managed identities."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"This listSecrets action returns the app's secret values in cleartext, directly exfiltrating credential material and enabling lateral movement into the services those credentials authenticate to.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/publishingusers/write":{"id":"Microsoft.Web/publishingusers/write","name":"App Service deployment (publishing) user","scope":"HIGH","parent":{"notes":"Reads do not return the plaintext password (write-only), but the account controls code deployment to App Service sites.","description":"The subscription-scoped App Service deployment (publishing) user that holds the FTP/Git deployment credentials used to push code to web apps."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"Sets the deployment publishing user's username/password, letting an attacker establish known credentials for persistent Git/FTP code-push access, push code that runs under app identities (lateral movement), and alter deployed application content.","links":["https://azure.permissions.cloud/iam/microsoft.web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/sites/host/functionkeys/delete":{"id":"Microsoft.Web/sites/host/functionkeys/delete","name":"Web Apps Functions host function keys","scope":"HIGH","parent":{"notes":"Host-wide invocation credentials; invoking functions runs code under the app's (possibly managed) identity.","description":"Host-level function keys for a function app, bearer credentials valid across all functions in the app to authorize HTTP invocation."},"risks":["impact:access","impact:dos"],"notes":"Deleting a host-level function key revokes a credential used to invoke functions across the app, denying authorized callers and disrupting the app's HTTP endpoints.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/sites/host/functionkeys/write":{"id":"Microsoft.Web/sites/host/functionkeys/write","name":"Web Apps Functions host function keys","scope":"HIGH","parent":{"notes":"Host-wide invocation credentials; invoking functions runs code under the app's (possibly managed) identity.","description":"Host-level function keys for a function app, bearer credentials valid across all functions in the app to authorize HTTP invocation."},"risks":["persistence:account","escalation:lateral","impact:manipulation"],"notes":"PUTting a host-level function key sets a known credential valid across the whole app (durable backdoor / persistence), enabling repeated invocation as the app identity (lateral); overwriting an existing host key alters/revokes the legitimate credential (manipulation).","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/authproviders/users/delete":{"id":"Microsoft.Web/staticSites/authproviders/users/delete","name":"Static Site user","scope":"HIGH","parent":{"notes":"App-scoped auth principals/roles for a single static site, not tenant directory identities.","description":"An application-level authenticated user (auth-provider invitation/role assignment) governing access to authenticated content of an Azure Static Web App."},"risks":["impact:access","destruction:account"],"notes":"Deleting a Static Site user removes that principal's role/account binding, denying the authorized user's access and destroying the app-level account.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/authproviders/users/write":{"id":"Microsoft.Web/staticSites/authproviders/users/write","name":"Static Site user","scope":"HIGH","parent":{"notes":"App-scoped auth principals/roles for a single static site, not tenant directory identities.","description":"An application-level authenticated user (auth-provider invitation/role assignment) governing access to authenticated content of an Azure Static Web App."},"risks":["escalation:privilege","persistence:account"],"notes":"Updating a Static Site user lets an attacker change the user's assigned roles/claims to elevate application privileges and maintain access via a controlled account.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/builds/databaseConnections/show/action":{"id":"Microsoft.Web/staticSites/builds/databaseConnections/show/action","name":"Static Site build database connections","scope":"CRITICAL","parent":{"notes":"The connection binds a build environment to its backing data tier; the show action returns reusable database credentials, making that path credential-sensitive.","description":"A database connection resource that links a Static Web App build (e.g. a preview/staging environment) to a backend database, powering that build's Data API. It holds the target database binding, an optional managed-identity, and (retrievable separately) the connection string credential."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"The build-scoped showDetails action returns the full unmasked connection string and config files containing database credentials, exporting reusable secret material for direct authenticated access to the backend database.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/builds/listappsettings/action":{"id":"Microsoft.Web/staticSites/builds/listappsettings/action","name":"Static Site build","scope":"CRITICAL","parent":{"notes":"A build represents a deployed version/environment serving public content and backing functions.","description":"A deployed build/environment (e.g. production or preview staging) of an Azure Static Web App that serves the site's static content and managed functions."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the build's app settings values, which commonly include secrets and connection strings, enabling credential exfiltration and lateral movement to connected resources.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/builds/listfunctionappsettings/action":{"id":"Microsoft.Web/staticSites/builds/listfunctionappsettings/action","name":"Static Site build","scope":"CRITICAL","parent":{"notes":"A build represents a deployed version/environment serving public content and backing functions.","description":"A deployed build/environment (e.g. production or preview staging) of an Azure Static Web App that serves the site's static content and managed functions."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns the build's function app settings values, which routinely contain connection strings, API keys, and credentials, enabling credential exfiltration and lateral movement to backing services.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/builds/showDatabaseConnections/action":{"id":"Microsoft.Web/staticSites/builds/showDatabaseConnections/action","name":"Static Site build","scope":"CRITICAL","parent":{"notes":"A build represents a deployed version/environment serving public content and backing functions.","description":"A deployed build/environment (e.g. production or preview staging) of an Azure Static Web App that serves the site's static content and managed functions."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"Returns database connection details including connection strings/credentials for the build's linked databases, enabling secret exfiltration and lateral access to the backing data store.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/createinvitation/action":{"id":"Microsoft.Web/staticSites/createinvitation/action","name":"Azure Static Web App","scope":"HIGH","parent":{"notes":"Asset hosts a single public-facing web application; its app settings and deployment tokens routinely contain secrets and connection strings, making secret-returning operations effectively credential disclosure.","description":"An Azure Static Web App (Static Site) is a managed hosting resource that serves a public-facing static frontend with linked source-repository/CI build configuration and optional managed serverless API (Azure Functions) backend."},"risks":["escalation:privilege","persistence:account"],"notes":"Generates an invitation link granting a chosen set of application roles to a static-site user, enabling privilege escalation and persistent authenticated access to the app's auth system.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/customdomains/Delete":{"id":"Microsoft.Web/staticSites/customdomains/Delete","name":"Static Site custom domain","scope":"HIGH","parent":{"notes":"Public-facing asset; controls how a brand domain serves content to end users.","description":"A custom domain binding that maps a public hostname/subdomain to an Azure Static Web App, controlling how a domain routes to the public-facing site."},"risks":["destruction:network","impact:dos"],"notes":"Deleting the custom-domain binding removes the public hostname endpoint, taking the site offline at that domain and causing denial of service.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/customdomains/Write":{"id":"Microsoft.Web/staticSites/customdomains/Write","name":"Static Site custom domain","scope":"HIGH","parent":{"notes":"Public-facing asset; controls how a brand domain serves content to end users.","description":"A custom domain binding that maps a public hostname/subdomain to an Azure Static Web App, controlling how a domain routes to the public-facing site."},"risks":["takeover:domain","impact:defacement"],"notes":"Creating a custom-domain binding lets an attacker route a domain/subdomain to the static site, enabling domain takeover and defacement of the public-facing asset.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/databaseConnections/show/action":{"id":"Microsoft.Web/staticSites/databaseConnections/show/action","name":"Static Site database connections","scope":"CRITICAL","parent":{"notes":"The connection binds a production application to its backing data tier; the show action returns reusable database credentials, making that path credential-sensitive.","description":"A database connection resource that links an Azure Static Web App to a backend database, powering the site's Data API. It holds the target database binding, an optional managed-identity, and (retrievable separately) the connection string credential."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":"The showDetails action returns the full unmasked connection string (and config files) embedding database credentials, a credential-export primitive redeemable for direct authenticated access to the backend database.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/listSecrets/action":{"id":"Microsoft.Web/staticSites/listSecrets/action","name":"Azure Static Web App","scope":"CRITICAL","parent":{"notes":"Asset hosts a single public-facing web application; its app settings and deployment tokens routinely contain secrets and connection strings, making secret-returning operations effectively credential disclosure.","description":"An Azure Static Web App (Static Site) is a managed hosting resource that serves a public-facing static frontend with linked source-repository/CI build configuration and optional managed serverless API (Azure Functions) backend."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":null,"links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/listappsettings/action":{"id":"Microsoft.Web/staticSites/listappsettings/action","name":"Azure Static Web App","scope":"CRITICAL","parent":{"notes":"Asset hosts a single public-facing web application; its app settings and deployment tokens routinely contain secrets and connection strings, making secret-returning operations effectively credential disclosure.","description":"An Azure Static Web App (Static Site) is a managed hosting resource that serves a public-facing static frontend with linked source-repository/CI build configuration and optional managed serverless API (Azure Functions) backend."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":null,"links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/listfunctionappsettings/action":{"id":"Microsoft.Web/staticSites/listfunctionappsettings/action","name":"Azure Static Web App","scope":"CRITICAL","parent":{"notes":"Asset hosts a single public-facing web application; its app settings and deployment tokens routinely contain secrets and connection strings, making secret-returning operations effectively credential disclosure.","description":"An Azure Static Web App (Static Site) is a managed hosting resource that serves a public-facing static frontend with linked source-repository/CI build configuration and optional managed serverless API (Azure Functions) backend."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":null,"links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/resetapikey/action":{"id":"Microsoft.Web/staticSites/resetapikey/action","name":"Azure Static Web App","scope":"CRITICAL","parent":{"notes":"Asset hosts a single public-facing web application; its app settings and deployment tokens routinely contain secrets and connection strings, making secret-returning operations effectively credential disclosure.","description":"An Azure Static Web App (Static Site) is a managed hosting resource that serves a public-facing static frontend with linked source-repository/CI build configuration and optional managed serverless API (Azure Functions) backend."},"risks":["exfiltration:crypto","impact:access"],"notes":"Resets the deployment API key, yielding a fresh attacker-usable deployment credential while invalidating the existing key, denying legitimate operators and CI/CD pipelines deployment access.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/showDatabaseConnections/action":{"id":"Microsoft.Web/staticSites/showDatabaseConnections/action","name":"Azure Static Web App","scope":"CRITICAL","parent":{"notes":"Asset hosts a single public-facing web application; its app settings and deployment tokens routinely contain secrets and connection strings, making secret-returning operations effectively credential disclosure.","description":"An Azure Static Web App (Static Site) is a managed hosting resource that serves a public-facing static frontend with linked source-repository/CI build configuration and optional managed serverless API (Azure Functions) backend."},"risks":["exfiltration:crypto","escalation:lateral"],"notes":null,"links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]},"Microsoft.Web/staticSites/validateCustomDomainOwnership/action":{"id":"Microsoft.Web/staticSites/validateCustomDomainOwnership/action","name":"Azure Static Web App","scope":"HIGH","parent":{"notes":"Asset hosts a single public-facing web application; its app settings and deployment tokens routinely contain secrets and connection strings, making secret-returning operations effectively credential disclosure.","description":"An Azure Static Web App (Static Site) is a managed hosting resource that serves a public-facing static frontend with linked source-repository/CI build configuration and optional managed serverless API (Azure Functions) backend."},"risks":["takeover:domain"],"notes":"Validates custom domain ownership, the gating step that binds a custom domain to the static site, enabling an attacker to route a domain/subdomain to attacker-controlled content.","links":["https://azure.permissions.cloud/iam/Microsoft.Web","https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"],"seeAlso":[]}},"gcp":{"apikeys.keys.create":{"id":"apikeys.keys.create","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["impact:spend","impact:consumption"],"notes":"There is a maximum of 300 API keys per project that cannot be increased. The key creation API response does not actually return the key.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.delete":{"id":"apikeys.keys.delete","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.get":{"id":"apikeys.keys.get","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["discovery:infra"],"notes":"Does not include the key value.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.getKeyString":{"id":"apikeys.keys.getKeyString","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["escalation:privilege"],"notes":null,"links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.list":{"id":"apikeys.keys.list","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["discovery:infra"],"notes":"Does not include the key value.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.lookup":{"id":"apikeys.keys.lookup","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":[],"notes":"This is used to look-up the key from the key value.  It is not useful unless someone already has the key value.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.undelete":{"id":"apikeys.keys.undelete","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["impact:spend","impact:consumption"],"notes":null,"links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.update":{"id":"apikeys.keys.update","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["impact:dos","destruction:defense"],"notes":"Can be used to add or remove restrictions (API restrictions or application restrictions) on how the key can be used.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"appengine.applications.create":{"id":"appengine.applications.create","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"A Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.applications.get":{"id":"appengine.applications.get","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"A Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":["discovery:infra","discovery:data"],"notes":"Includes data discovery because it reveals Cloud Storage bucket names","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.applications.update":{"id":"appengine.applications.update","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"A Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":["impact:dos","impact:access","destruction:policy","escalation:lateral","destruction:defense"],"notes":"Allows modification of app IAP settings (which controls app authentication).  This can a create DOS if the IAP config is changed in a way that disallows access. Also allows  disabling IAP, in which case App Engine will stop requiring authentication for all incoming requests. This allows the attacker to gain access to your web application. Also allows modification of SSL keys, including modification of private keys. This allows the attacker to  decrypt customer traffic and potentially perform a man-in-the-middle attack. Does not allow deploying to the application.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services","https://cloud.google.com/beyondcorp-enterprise/docs/securing-app-engine"],"seeAlso":[]},"appengine.applications.disable":{"id":"appengine.applications.disable","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"A Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":[],"notes":"This permission is part of some predefined roles but doesn't provide access to anything","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.applications.list":{"id":"appengine.applications.list","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"A Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":[],"notes":"This permission is part of some predefined roles but doesn't do anything.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.instances.delete":{"id":"appengine.instances.delete","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":["impact:dos"],"notes":"App Engine will recreate the instance based on the scaling settings for the app,  but repeated deletions could still cause a DOS since in-flight requests may be dropped on deletion  (the app has 30 seconds to finish processing in-flight requests.)","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.instances.enableDebug":{"id":"appengine.instances.enableDebug","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":["collection:data","discovery:network","discovery:policy","escalation:lateral","exfiltration:data","impact:defacement","impact:hijack"],"notes":"Allows the user to SSH into the VM where the instance lives.  Specific risks depend on instance and application configuration (and may require additional permissions based on configuration),  but can potentially allow data exfiltration from the application or defacement of the application. There are no destruction risks since instances are intended to be short-lived (deleted/created according to demand) and do not store data intended to be persistent.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.instances.get":{"id":"appengine.instances.get","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":["discovery:infra","discovery:network"],"notes":"This only exposes basic information about the VM it is running on (ID, zone, IP, etc) and application metrics (requests, errors, memory usage, etc)","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.instances.list":{"id":"appengine.instances.list","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":["discovery:infra","discovery:network"],"notes":"This only exposes basic information about the VM it is running on (ID, zone, IP, etc) and application metrics (requests, errors, memory usage, etc)","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.instances.update":{"id":"appengine.instances.update","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":[],"notes":"This permission is part of some predefined roles but doesn't do anything.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.memcache.addKey":{"id":"appengine.memcache.addKey","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data  commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.flush":{"id":"appengine.memcache.flush","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data  commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["impact:dos"],"notes":"This removes all key-value pairs from the cache, but it does not cause destruction since values may expire anytime and applications need to design around that. Repeated flushes may result in a DoS.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.get":{"id":"appengine.memcache.get","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data  commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.getKey":{"id":"appengine.memcache.getKey","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data  commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["exfiltration:data"],"notes":"The difference between getKey and get is not clear in Google's documentation.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.list":{"id":"appengine.memcache.list","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data  commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.update":{"id":"appengine.memcache.update","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data  commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["impact:manipulation"],"notes":"Destruction is not a concern since memcache is only intended for temporary storage.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.operations.get":{"id":"appengine.operations.get","name":"App Engine operations","scope":"MEDIUM","parent":{"notes":"The operation includes the data returned from the API call the operation is associated with. This means that viewing an operation includes access to view resource metadata, and would be the same risk as get and list on the resources.","description":"Operations represent long-running App Engine API calls. They are used for operations on applications, domainMappings, services, and versions."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See applications.get, services.get, versions.get","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.operations"],"seeAlso":[]},"appengine.operations.list":{"id":"appengine.operations.list","name":"App Engine operations","scope":"MEDIUM","parent":{"notes":"The operation includes the data returned from the API call the operation is associated with. This means that viewing an operation includes access to view resource metadata, and would be the same risk as get and list on the resources.","description":"Operations represent long-running App Engine API calls. They are used for operations on applications, domainMappings, services, and versions."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See notes for functions.get","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.operations"],"seeAlso":[]},"appengine.services.delete":{"id":"appengine.services.delete","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":["impact:dos","destruction:infra"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.services.get":{"id":"appengine.services.get","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":["discovery:infra","discovery:policy"],"notes":"Includes network discovery since it allows viewing of ingress traffic policies.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.services.list":{"id":"appengine.services.list","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":["discovery:infra","discovery:policy"],"notes":"See get","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.services.update":{"id":"appengine.services.update","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":["impact:dos","destruction:policy","escalation:lateral","impact:access","impact:defacement"],"notes":"Allows modifying network traffic settings. An attacker could divert traffic to invalid versions, creating a DOS. Defacement impact when combined with versions.create, since they could deploy a version and then divert traffic to it. Also allows modifying ingress traffic settings, which could either lead to escalation by making access public,  or restrict previously authorized access by narrowing the policy.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.services.create":{"id":"appengine.services.create","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":[],"notes":"This permission is part of some predefined roles but doesn't do anything.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.versions.create":{"id":"appengine.versions.create","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["impact:hijack","impact:spend"],"notes":"Creating a version will deploy the provided source code to App Engine.  This does not route any external traffic to the new version, but allows for resource hijacking.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.delete":{"id":"appengine.versions.delete","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["impact:dos","destruction:infra"],"notes":"App Engine does not allow deleting the default version for the application. However, non-default versions may still be configured to receive traffic and can be deleted.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.get":{"id":"appengine.versions.get","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["discovery:infra","discovery:policy","discovery:network","discovery:data"],"notes":"Includes data discovery since it exposes names of Cloud Storage buckets, policy discovery since it includes VPC egress settings, and network discovery for network settings in the application environment..","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.getFileContents":{"id":"appengine.versions.getFileContents","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["exfiltration:code"],"notes":"Read access to deployed source code.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.list":{"id":"appengine.versions.list","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["discovery:infra","discovery:policy","discovery:network","discovery:data"],"notes":"See get","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.update":{"id":"appengine.versions.update","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["impact:spend"],"notes":"Only allows updating scaling settings for the version.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions/patch"],"seeAlso":[]},"bigquery.capacityCommitments.create":{"id":"bigquery.capacityCommitments.create","name":"BigQuery capacity commitments","scope":"MEDIUM","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.capacityCommitments.delete":{"id":"bigquery.capacityCommitments.delete","name":"BigQuery capacity commitments","scope":"MEDIUM","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.capacityCommitments.get":{"id":"bigquery.capacityCommitments.get","name":"BigQuery capacity commitments","scope":"LOW","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.capacityCommitments.list":{"id":"bigquery.capacityCommitments.list","name":"BigQuery capacity commitments","scope":"LOW","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.capacityCommitments.update":{"id":"bigquery.capacityCommitments.update","name":"BigQuery capacity commitments","scope":"MEDIUM","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.config.get":{"id":"bigquery.config.get","name":"BigQuery config","scope":"MEDIUM","parent":{"notes":"Certain of these settings can affect operations (such as modification of default time-outs or timezones) when those operations operate with default settings.","description":"A BigQuery config is a set of organization settings applied across BigQuery. It is modified using the `ALTER ORGANIZATION` SQL statement, and read by executing a `SELECT` statement on tables in the `{region}.INFORMATION_SCHEMA` schema."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/default-configuration"],"seeAlso":[]},"bigquery.config.update":{"id":"bigquery.config.update","name":"BigQuery config","scope":"MEDIUM","parent":{"notes":"Certain of these settings can affect operations (such as modification of default time-outs or timezones) when those operations operate with default settings.","description":"A BigQuery config is a set of organization settings applied across BigQuery. It is modified using the `ALTER ORGANIZATION` SQL statement, and read by executing a `SELECT` statement on tables in the `{region}.INFORMATION_SCHEMA` schema."},"risks":["impact:dos"],"notes":"Can cause query timeouts.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/default-configuration"],"seeAlso":[]},"bigquery.connections.create":{"id":"bigquery.connections.create","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.delegate":{"id":"bigquery.connections.delegate","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":[],"notes":"May be unused.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.delete":{"id":"bigquery.connections.delete","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.get":{"id":"bigquery.connections.get","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["discovery:infra"],"notes":"Exposes SQL connection metadata. Per Google documentation, SQL credentials are omitted.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.getIamPolicy":{"id":"bigquery.connections.getIamPolicy","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.list":{"id":"bigquery.connections.list","name":"BigQuery connections","scope":"LOW","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.setIamPolicy":{"id":"bigquery.connections.setIamPolicy","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.update":{"id":"bigquery.connections.update","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.updateTag":{"id":"bigquery.connections.updateTag","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.use":{"id":"bigquery.connections.use","name":"BigQuery connections","scope":"LOW","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["exfiltration:data"],"notes":"In order to exploit a connection to read data from a third-party source, all of the following must be true:\n  - The attacker must have permission to create a connection of the correct type\n  - The attacker must already have read access to the target data system, or have a mechanism to give\n    the connection read access to the target data system\n  - The attacker can then use this permission to run queries against the connection\nIn general, therefore, exfiltration is only possible when the attacker already otherwise has access to the target system.\n","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.dataPolicies.create":{"id":"bigquery.dataPolicies.create","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.delete":{"id":"bigquery.dataPolicies.delete","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["escalation:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.get":{"id":"bigquery.dataPolicies.get","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.getIamPolicy":{"id":"bigquery.dataPolicies.getIamPolicy","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.list":{"id":"bigquery.dataPolicies.list","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.setIamPolicy":{"id":"bigquery.dataPolicies.setIamPolicy","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.update":{"id":"bigquery.dataPolicies.update","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["impact:dos","escalation:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.create":{"id":"bigquery.datasets.create","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.createTagBinding":{"id":"bigquery.datasets.createTagBinding","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.delete":{"id":"bigquery.datasets.delete","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.deleteTagBinding":{"id":"bigquery.datasets.deleteTagBinding","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.get":{"id":"bigquery.datasets.get","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.getIamPolicy":{"id":"bigquery.datasets.getIamPolicy","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.link":{"id":"bigquery.datasets.link","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":[],"notes":"Possibly used by the AnalyticsHub API projects.locations.dataExchanges/create, although this is undocumented by Google. More likely is that creating linked datasets is actually solely enabled by analyticshub.listings.create, and this permission is unused.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/reference/analytics-hub/rest/v1/projects.locations.dataExchanges/create"],"seeAlso":[]},"bigquery.datasets.listEffectiveTags":{"id":"bigquery.datasets.listEffectiveTags","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.listTagBindings":{"id":"bigquery.datasets.listTagBindings","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.setIamPolicy":{"id":"bigquery.datasets.setIamPolicy","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.update":{"id":"bigquery.datasets.update","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["destruction:data"],"notes":"Data can be destroyed if default table expiration is modified.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.updateTag":{"id":"bigquery.datasets.updateTag","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["escalation:privilege","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.create":{"id":"bigquery.models.create","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["impact:hijack","impact:spend"],"notes":"From Google: \"Create new models.\". Requires read access to any source data.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.delete":{"id":"bigquery.models.delete","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["destruction:data","destruction:infra"],"notes":"From Google: \"Delete models.\"","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.getData":{"id":"bigquery.models.getData","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["exfiltration:data"],"notes":"From Google: \"Get model data.\"","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.getMetadata":{"id":"bigquery.models.getMetadata","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["discovery:infra"],"notes":"From Google: \"Get model metadata.\"","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.list":{"id":"bigquery.models.list","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["discovery:infra"],"notes":"From Google: \"List models and metadata on models.\"","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.updateData":{"id":"bigquery.models.updateData","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":[],"notes":"From Google: \"Update model data.\". Appears unused.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.updateMetadata":{"id":"bigquery.models.updateMetadata","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["destruction:artifact"],"notes":"'From Google: \"Update model metadata.\". Allows users to update description, labels and change model expiration time.' Allows users to destroy a model by setting its expiration to 0.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/updating-model-metadata","https://cloud.google.com/bigquery/docs/reference/rest/v2/models/patch"],"seeAlso":[]},"bigquery.models.export":{"id":"bigquery.models.export","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["exfiltration:data"],"notes":"From Google: \"Export a model.\". Requires bigquery.jobs.create in order to create the export job.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/exporting-models"],"seeAlso":[]},"bigquery.reservationAssignments.create":{"id":"bigquery.reservationAssignments.create","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Assignments do not directly incur additional cost beyond previously purchased reservations.","description":"Assigns projects to previously purchased BigQuery reservations"},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservationAssignments.delete":{"id":"bigquery.reservationAssignments.delete","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Assignments do not directly incur additional cost beyond previously purchased reservations.","description":"Assigns projects to previously purchased BigQuery reservations"},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservationAssignments.list":{"id":"bigquery.reservationAssignments.list","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Assignments do not directly incur additional cost beyond previously purchased reservations.","description":"Assigns projects to previously purchased BigQuery reservations"},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservationAssignments.search":{"id":"bigquery.reservationAssignments.search","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Assignments do not directly incur additional cost beyond previously purchased reservations.","description":"Assigns projects to previously purchased BigQuery reservations"},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.create":{"id":"bigquery.reservations.create","name":"BigQuery reservations","scope":"MEDIUM","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.delete":{"id":"bigquery.reservations.delete","name":"BigQuery reservations","scope":"MEDIUM","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.get":{"id":"bigquery.reservations.get","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.list":{"id":"bigquery.reservations.list","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.update":{"id":"bigquery.reservations.update","name":"BigQuery reservations","scope":"MEDIUM","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.create":{"id":"bigquery.routines.create","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.delete":{"id":"bigquery.routines.delete","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.get":{"id":"bigquery.routines.get","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.list":{"id":"bigquery.routines.list","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.update":{"id":"bigquery.routines.update","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.updateTag":{"id":"bigquery.routines.updateTag","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.use":{"id":"bigquery.routines.use","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.create":{"id":"bigquery.rowAccessPolicies.create","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.delete":{"id":"bigquery.rowAccessPolicies.delete","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["escalation:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.get":{"id":"bigquery.rowAccessPolicies.get","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.getFilteredData":{"id":"bigquery.rowAccessPolicies.getFilteredData","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["exfiltration:data"],"notes":"Should only be granted per row-access policy","links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/best-practices-row-level-security#use_the_filtered_data_viewer_role_with_caution"],"seeAlso":[]},"bigquery.rowAccessPolicies.getIamPolicy":{"id":"bigquery.rowAccessPolicies.getIamPolicy","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.overrideTimeTravelRestrictions":{"id":"bigquery.rowAccessPolicies.overrideTimeTravelRestrictions","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.list":{"id":"bigquery.rowAccessPolicies.list","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.setIamPolicy":{"id":"bigquery.rowAccessPolicies.setIamPolicy","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.update":{"id":"bigquery.rowAccessPolicies.update","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["impact:dos","escalation:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.create":{"id":"bigquery.savedqueries.create","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.delete":{"id":"bigquery.savedqueries.delete","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.get":{"id":"bigquery.savedqueries.get","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":["discovery:data","discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.list":{"id":"bigquery.savedqueries.list","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":["discovery:data","discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.update":{"id":"bigquery.savedqueries.update","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.updateTag":{"id":"bigquery.savedqueries.updateTag","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.use":{"id":"bigquery.savedqueries.use","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.create":{"id":"bigquery.tables.create","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.createIndex":{"id":"bigquery.tables.createIndex","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.createSnapshot":{"id":"bigquery.tables.createSnapshot","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.delete":{"id":"bigquery.tables.delete","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.deleteIndex":{"id":"bigquery.tables.deleteIndex","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:infra","impact:spend","impact:dos"],"notes":"Can cause service interruptions by reducing query performance.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.deleteSnapshot":{"id":"bigquery.tables.deleteSnapshot","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.export":{"id":"bigquery.tables.export","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.get":{"id":"bigquery.tables.get","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.getData":{"id":"bigquery.tables.getData","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.getIamPolicy":{"id":"bigquery.tables.getIamPolicy","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.list":{"id":"bigquery.tables.list","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.restoreSnapshot":{"id":"bigquery.tables.restoreSnapshot","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:data"],"notes":"Can destroy data more recent than the restored snapshot.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.setCategory":{"id":"bigquery.tables.setCategory","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["escalation:privilege","impact:access"],"notes":"Categories alter table access.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/managing-policy-tags-across-locations"],"seeAlso":[]},"bigquery.tables.setIamPolicy":{"id":"bigquery.tables.setIamPolicy","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.update":{"id":"bigquery.tables.update","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.updateData":{"id":"bigquery.tables.updateData","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.updateTag":{"id":"bigquery.tables.updateTag","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["escalation:privilege","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.transfers.get":{"id":"bigquery.transfers.get","name":"BigQuery transfers","scope":"MEDIUM","parent":{"notes":"Creation or alteration of transfers can interrupt service and incur spend. Note that the `bigquery.datasets.update` privilege is required to alter data. Additionally, the BigQuery Data Transfer Service must be enabled separately from BigQuery itself.","description":"Automates data import into BigQuery."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/dts-introduction","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.transfers.update":{"id":"bigquery.transfers.update","name":"BigQuery transfers","scope":"MEDIUM","parent":{"notes":"Creation or alteration of transfers can interrupt service and incur spend. Note that the `bigquery.datasets.update` privilege is required to alter data. Additionally, the BigQuery Data Transfer Service must be enabled separately from BigQuery itself.","description":"Automates data import into BigQuery."},"risks":["impact:dos","impact:spend"],"notes":"Can interrupt services that rely on data transfers.","links":["https://cloud.google.com/bigquery/docs/dts-introduction","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"billing.accounts.close":{"id":"billing.accounts.close","name":"Cloud Billing Accounts","scope":"HIGH","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:dos"],"notes":"It is possible to close an active account. This stops all billable services in linked projects.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles","https://cloud.google.com/billing/docs/how-to/close-or-reopen-billing-account"],"seeAlso":[]},"billing.accounts.create":{"id":"billing.accounts.create","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.get":{"id":"billing.accounts.get","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:account"],"notes":"This includes only the resource name of the billing account and whether it's open.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getCarbonInformation":{"id":"billing.accounts.getCarbonInformation","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getIamPolicy":{"id":"billing.accounts.getIamPolicy","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getPaymentInfo":{"id":"billing.accounts.getPaymentInfo","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:data"],"notes":"Allows viewing full name and address associated with payment information.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getPricing":{"id":"billing.accounts.getPricing","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":"Only exposes Google's pricing for your organization.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getSpendingInformation":{"id":"billing.accounts.getSpendingInformation","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:finance"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getUsageExportSpec":{"id":"billing.accounts.getUsageExportSpec","name":"Cloud Billing Accounts","scope":"LOW","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:infra"],"notes":"Shows where usage data is currently exported to (Cloud Storage Bucket or BigQuery table)","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.list":{"id":"billing.accounts.list","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:account"],"notes":"This includes only the resource name of the billing account and whether it's open.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.move":{"id":"billing.accounts.move","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:spend"],"notes":"Along with billing.accounts.removeFromOrganization, allows moving the account to a new organization.  This could allow the new organization to use the account and existing payment info for billing.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.redeemPromotion":{"id":"billing.accounts.redeemPromotion","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.removeFromOrganization":{"id":"billing.accounts.removeFromOrganization","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.reopen":{"id":"billing.accounts.reopen","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.setIamPolicy":{"id":"billing.accounts.setIamPolicy","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.update":{"id":"billing.accounts.update","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:spend"],"notes":"Only allows changing display name, upgrading from a free trial, or redeeming promotional codes.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.updatePaymentInfo":{"id":"billing.accounts.updatePaymentInfo","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:dos"],"notes":"An account must have at least one payment method at all times, so the only payment method cannot be removed. However, the payment method could be updated to a card that will get declined, causing a DOS.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.budgets.get":{"id":"billing.budgets.get","name":"Cloud Billing Budgets","scope":"LOW","parent":{"notes":null,"description":"Budgets allow you to monitor cloud spend by triggering alerts if spend reaches thresholds. This does not automatically cap usage."},"risks":["discovery:finance"],"notes":"This includes monthly spend info","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.budgets.list":{"id":"billing.budgets.list","name":"Cloud Billing Budgets","scope":"LOW","parent":{"notes":null,"description":"Budgets allow you to monitor cloud spend by triggering alerts if spend reaches thresholds. This does not automatically cap usage."},"risks":["discovery:finance"],"notes":"This includes monthly spend info","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.budgets.create":{"id":"billing.budgets.create","name":"Cloud Billing Budgets","scope":"LOW","parent":{"notes":null,"description":"Budgets allow you to monitor cloud spend by triggering alerts if spend reaches thresholds. This does not automatically cap usage."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.budgets.update":{"id":"billing.budgets.update","name":"Cloud Billing Budgets","scope":"LOW","parent":{"notes":null,"description":"Budgets allow you to monitor cloud spend by triggering alerts if spend reaches thresholds. This does not automatically cap usage."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.credits.list":{"id":"billing.credits.list","name":"Cloud Billing Credits","scope":"LOW","parent":{"notes":null,"description":"Credits include various ways to save on cloud spend, such as free-tier, committed use discounts, etc."},"risks":["discovery:finance"],"notes":"Allows viewing both the original credit and the current usage amount.","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.resourceAssociations copy.list":{"id":"billing.resourceAssociations copy.list","name":"Cloud Billing Resource Associations","scope":"MEDIUM","parent":{"notes":null,"description":"A \"resource association\" associates a project with the billing account used for it."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.resourceAssociations copy.create":{"id":"billing.resourceAssociations copy.create","name":"Cloud Billing Resource Associations","scope":"MEDIUM","parent":{"notes":null,"description":"A \"resource association\" associates a project with the billing account used for it."},"risks":["impact:spend"],"notes":"Can be used to associate the billing account with another project.","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.resourceAssociations copy.delete":{"id":"billing.resourceAssociations copy.delete","name":"Cloud Billing Resource Associations","scope":"MEDIUM","parent":{"notes":null,"description":"A \"resource association\" associates a project with the billing account used for it."},"risks":["impact:dos"],"notes":"Can render the project without a billing method, interrupting service.","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.resourceCosts.list":{"id":"billing.resourceCosts.list","name":"Cloud Billing Resource Costs","scope":"LOW","parent":{"notes":null,"description":"Resource costs include costs and usage information for Google Cloud resources."},"risks":["discovery:finance"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"cloudbuild.builds.approve":{"id":"cloudbuild.builds.approve","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["impact:dos"],"notes":"This allows the user to both approve or deny an existing build.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.builds.create":{"id":"cloudbuild.builds.create","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["impact:spend","impact:dos","escalation:lateral"],"notes":"This permission allows users to run builds as the Cloud Build service account. This can allow the user to have escalated build-time privileges. Google explicitly cautions against granting this permission for that reason.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.builds.get":{"id":"cloudbuild.builds.get","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.builds.list":{"id":"cloudbuild.builds.list","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.builds.update":{"id":"cloudbuild.builds.update","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["impact:dos"],"notes":"This allows the user to cancel a build.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.connections.create":{"id":"cloudbuild.connections.create","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":[],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.delete":{"id":"cloudbuild.connections.delete","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.fetchLinkableRepositories":{"id":"cloudbuild.connections.fetchLinkableRepositories","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["discovery:code"],"notes":"This fetches repositories from the system the connection is with.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.get":{"id":"cloudbuild.connections.get","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["discovery:infra","discovery:code"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.getIamPolicy":{"id":"cloudbuild.connections.getIamPolicy","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.list":{"id":"cloudbuild.connections.list","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["discovery:infra","discovery:code"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.setIamPolicy":{"id":"cloudbuild.connections.setIamPolicy","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.update":{"id":"cloudbuild.connections.update","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["impact:dos"],"notes":"You can change the user token secret used for the connection, effectively resulting in a DOS.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.repositories.accessReadToken":{"id":"cloudbuild.repositories.accessReadToken","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["exfiltration:code"],"notes":"Fetches the read token for the connected repository","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.accessReadWriteToken":{"id":"cloudbuild.repositories.accessReadWriteToken","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["exfiltration:code","impact:defacement","impact:dos"],"notes":"Fetches the read/write token for the connected repository","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.create":{"id":"cloudbuild.repositories.create","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":[],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.delete":{"id":"cloudbuild.repositories.delete","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.fetchGitRefs":{"id":"cloudbuild.repositories.fetchGitRefs","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":[],"notes":"Could not find any documentation on this and it is not included in any Cloud Build roles, so I think this permission is unused.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.get":{"id":"cloudbuild.repositories.get","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["discovery:infra","discovery:code"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.list":{"id":"cloudbuild.repositories.list","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["discovery:infra","discovery:code"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.workerpools.create":{"id":"cloudbuild.workerpools.create","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":[],"notes":"Build is priced per build minute, so just creating a worker pool does not add spend.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.delete":{"id":"cloudbuild.workerpools.delete","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.get":{"id":"cloudbuild.workerpools.get","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["discovery:infra","discovery:network"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.list":{"id":"cloudbuild.workerpools.list","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["discovery:infra","discovery:network"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.update":{"id":"cloudbuild.workerpools.update","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["impact:dos","impact:spend"],"notes":"Can effectively create a DOS by reducing disk size. Spend impact via increasing disk size or changing machine type.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.use":{"id":"cloudbuild.workerpools.use","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["impact:spend","escalation:network"],"notes":"This also requires builds.create. Allows a user to run a build on the worker pool. If the worker pool has access to a VPC network, provides an opportunity for network escalation.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudfunctions.functions.get":{"id":"cloudfunctions.functions.get","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"Function metadata includes the following: \n  - labels and descriptions associated with the function\n  - build config (docker registry/repository, source code location, build-time env variables)\n  - service deployment config (memory info, env variables available during execution, network traffic settings: ingress for function, egress for VPC connector, secret volume and env variable configuration)\n  - configuration for events that trigger the function (service info for the service that triggers the info, filters on event fields)\n  - encryption key name","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.list":{"id":"cloudfunctions.functions.list","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See notes for get","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.call":{"id":"cloudfunctions.functions.call","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:account","discovery:infra","discovery:data","exfiltration:data","impact:spend","impact:dos","impact:manipulation"],"notes":"Allows execution of a cloud function. Can expose a variety of risks depending on the contents of the cloud function. Also allows for DOS via spamming executions and data injection via execution with fake parameters.","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.invoke":{"id":"cloudfunctions.functions.invoke","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:account","discovery:infra","discovery:data","exfiltration:data","impact:spend","impact:dos","impact:manipulation"],"notes":"Allows execution of a cloud function.  Can expose a variety of risks depending on the contents of the cloud function.  Also allows for DOS via spamming executions and data injection via execution with fake parameters.","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.create":{"id":"cloudfunctions.functions.create","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["impact:spend","impact:hijack"],"notes":"Creating a cloud function requires permissions on the cloud functions runtime service account. Includes a vulnerability where the user can export service account credentials, but exploiting this  vulnerability requires the user to already have iam.serviceAccounts.actAs on the target service account.","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/","https://cloud.google.com/functions/docs/calling","https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration"],"seeAlso":[]},"cloudfunctions.functions.delete":{"id":"cloudfunctions.functions.delete","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["destruction:infra","destruction:data"],"notes":null,"links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.sourceCodeGet":{"id":"cloudfunctions.functions.sourceCodeGet","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["exfiltration:code"],"notes":null,"links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.update":{"id":"cloudfunctions.functions.update","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["impact:encryption","impact:dos","impact:spend"],"notes":"Allows for updating ingress and egress network traffic settings as well as updating encryption keys","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.sourceCodeSet":{"id":"cloudfunctions.functions.sourceCodeSet","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["impact:dos","impact:manipulation","impact:spend","impact:hijack"],"notes":"Includes DOS, data manipulation, spend, and hijack risks.","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.getIamPolicy":{"id":"cloudfunctions.functions.getIamPolicy","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.setIamPolicy":{"id":"cloudfunctions.functions.setIamPolicy","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.locations.list":{"id":"cloudfunctions.locations.list","name":"Cloud Functions Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud Functions.","description":"Infrastructure regions available for Google Cloud functions."},"risks":[],"notes":null,"links":["https://cloud.google.com/functions/docs/locations","https://cloud.google.com/functions/docs/reference/iam/permissions"],"seeAlso":[]},"cloudfunctions.operations.get":{"id":"cloudfunctions.operations.get","name":"Cloud functions operations","scope":"CRITICAL","parent":{"notes":"The operation includes the data returned from the API call the operation is associated with. This means that viewing an operation includes access to view function metadata, and contains the same risks as get and list operations directly on functions.","description":"Operations represent long-running cloud functions API calls. They are used for create, delete, and update operations on cloud functions."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See notes for functions.get","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.operations"],"seeAlso":[]},"cloudfunctions.operations.list":{"id":"cloudfunctions.operations.list","name":"Cloud functions operations","scope":"CRITICAL","parent":{"notes":"The operation includes the data returned from the API call the operation is associated with. This means that viewing an operation includes access to view function metadata, and contains the same risks as get and list operations directly on functions.","description":"Operations represent long-running cloud functions API calls. They are used for create, delete, and update operations on cloud functions."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See notes for functions.get","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.operations"],"seeAlso":[]},"cloudfunctions.runtimes.list":{"id":"cloudfunctions.runtimes.list","name":"Cloud Functions runtimes","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's runtime offerings for Cloud Functions.","description":"Runtimes available for Google Cloud functions."},"risks":[],"notes":null,"links":["https://cloud.google.com/functions/docs/runtime-support","https://cloud.google.com/functions/docs/reference/iam/permissions"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.create":{"id":"cloudkms.cryptoKeyVersions.create","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.destroy":{"id":"cloudkms.cryptoKeyVersions.destroy","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["destruction:crypto","impact:encryption"],"notes":"Destroyed key versions cannot be recovered. Any data encrypted with the key version will no longer be able to be decrypted.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.get":{"id":"cloudkms.cryptoKeyVersions.get","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["discovery:infra"],"notes":"This includes infra discovery because key metadata such as the algorithm are exposed. Does not give access to keys.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.list":{"id":"cloudkms.cryptoKeyVersions.list","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["discovery:infra"],"notes":"See get.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.manageRawAesCbcKeys":{"id":"cloudkms.cryptoKeyVersions.manageRawAesCbcKeys","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":[],"notes":"This permission is required to manage AES CBC keys.  It has no risks because it provides no access on its own: the user still needs permissions on the keys.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.manageRawAesCtrKeys":{"id":"cloudkms.cryptoKeyVersions.manageRawAesCtrKeys","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":[],"notes":"This permission is required to manage AES CTR keys.  It has no risks because it provides no access on its own: the user still needs permissions on the keys.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.manageRawPKCS1Keys":{"id":"cloudkms.cryptoKeyVersions.manageRawPKCS1Keys","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":[],"notes":"This permission is required to manage AES CTR keys.  It has no risks because it provides no access on its own: the user still needs permissions on the keys.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.restore":{"id":"cloudkms.cryptoKeyVersions.restore","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":"Restores a key that was scheduled for destruction.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.update":{"id":"cloudkms.cryptoKeyVersions.update","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:dos","destruction:metadata"],"notes":"Can be used to disable a key version. While a key version is disabled, data encrypted with it cannot be accessed. The secret content of the key cannot be edited or destroyed via this method.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToDecrypt":{"id":"cloudkms.cryptoKeyVersions.useToDecrypt","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend","exfiltration:data"],"notes":"Can be used to decrypt data encrypted with the key version.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToDecryptViaDelegation":{"id":"cloudkms.cryptoKeyVersions.useToDecryptViaDelegation","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend","exfiltration:data"],"notes":"Can be used to decrypt data encrypted with the key version through other Google Services.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToEncrypt":{"id":"cloudkms.cryptoKeyVersions.useToEncrypt","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":"Can be used to encrypt data with the key version.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToEncryptViaDelegation":{"id":"cloudkms.cryptoKeyVersions.useToEncryptViaDelegation","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":"Can be used to encrypt data with the key version through other Google Services.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToSign":{"id":"cloudkms.cryptoKeyVersions.useToSign","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend","impact:manipulation"],"notes":"Can be used to sign data with the key version.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToVerify":{"id":"cloudkms.cryptoKeyVersions.useToVerify","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":"Can be used to verify data signed with the key version.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.viewPublicKey":{"id":"cloudkms.cryptoKeyVersions.viewPublicKey","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":[],"notes":"This only shows public keys","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeys.create":{"id":"cloudkms.cryptoKeys.create","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":[],"notes":"Billing is based on key versions, so keys do not incur billing.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeys.get":{"id":"cloudkms.cryptoKeys.get","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":["discovery:infra"],"notes":"Does not provide access to keys: raw key material can never be viewed.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions#CryptoKeyVersion"],"seeAlso":[]},"cloudkms.cryptoKeys.getIamPolicy":{"id":"cloudkms.cryptoKeys.getIamPolicy","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeys.list":{"id":"cloudkms.cryptoKeys.list","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":["discovery:infra"],"notes":"Does not provide access to keys: raw key material can never be viewed.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions#CryptoKeyVersion"],"seeAlso":[]},"cloudkms.cryptoKeys.setIamPolicy":{"id":"cloudkms.cryptoKeys.setIamPolicy","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeys.update":{"id":"cloudkms.cryptoKeys.update","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":["destruction:defense","destruction:metadata"],"notes":"Can be used to change key rotation settings, impairing defense.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.ekmConfigs.get":{"id":"cloudkms.ekmConfigs.get","name":"Cloud KMS EKM Configs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project or location. These are keys managed by and stored in an external key management system and accessed by Cloud KMS over VPC."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/EkmConfig"],"seeAlso":[]},"cloudkms.ekmConfigs.getIamPolicy":{"id":"cloudkms.ekmConfigs.getIamPolicy","name":"Cloud KMS EKM Configs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project or location. These are keys managed by and stored in an external key management system and accessed by Cloud KMS over VPC."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/EkmConfig"],"seeAlso":[]},"cloudkms.ekmConfigs.setIamPolicy":{"id":"cloudkms.ekmConfigs.setIamPolicy","name":"Cloud KMS EKM Configs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project or location. These are keys managed by and stored in an external key management system and accessed by Cloud KMS over VPC."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/EkmConfig"],"seeAlso":[]},"cloudkms.ekmConfigs.update":{"id":"cloudkms.ekmConfigs.update","name":"Cloud KMS EKM Configs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project or location. These are keys managed by and stored in an external key management system and accessed by Cloud KMS over VPC."},"risks":["impact:dos"],"notes":"Allows changing or removing the default EKM connection for this project and location. This may cause keys to be inaccessible, creating a DOS.","links":["https://cloud.google.com/kms/docs/reference/rest/v1/EkmConfig"],"seeAlso":[]},"cloudkms.ekmConnections.create":{"id":"cloudkms.ekmConnections.create","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":[],"notes":"EKM connections do not incur storage costs.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.get":{"id":"cloudkms.ekmConnections.get","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.getIamPolicy":{"id":"cloudkms.ekmConnections.getIamPolicy","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.list":{"id":"cloudkms.ekmConnections.list","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.setIamPolicy":{"id":"cloudkms.ekmConnections.setIamPolicy","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.update":{"id":"cloudkms.ekmConnections.update","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":["impact:dos"],"notes":"Can update the settings used connect to the external key management instance, such as the EKM hostname and the server hostname. Changing these settings can render keys inaccessible.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.use":{"id":"cloudkms.ekmConnections.use","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.verifyConnectivity":{"id":"cloudkms.ekmConnections.verifyConnectivity","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":[],"notes":"Returns only a success or failure indicating whether Cloud KMS can connect to the external key manager.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.importJobs.create":{"id":"cloudkms.importJobs.create","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.get":{"id":"cloudkms.importJobs.get","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.getIamPolicy":{"id":"cloudkms.importJobs.getIamPolicy","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.list":{"id":"cloudkms.importJobs.list","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.setIamPolicy":{"id":"cloudkms.importJobs.setIamPolicy","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.useToImport":{"id":"cloudkms.importJobs.useToImport","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.keyRings.create":{"id":"cloudkms.keyRings.create","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":[],"notes":"Billing is based on key versions, so key rings do not incur billing.","links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.createTagBinding":{"id":"cloudkms.keyRings.createTagBinding","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.deleteTagBinding":{"id":"cloudkms.keyRings.deleteTagBinding","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.get":{"id":"cloudkms.keyRings.get","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.getIamPolicy":{"id":"cloudkms.keyRings.getIamPolicy","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.list":{"id":"cloudkms.keyRings.list","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.listEffectiveTags":{"id":"cloudkms.keyRings.listEffectiveTags","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.listTagBindings":{"id":"cloudkms.keyRings.listTagBindings","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.setIamPolicy":{"id":"cloudkms.keyRings.setIamPolicy","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.locations.list":{"id":"cloudkms.locations.list","name":"Cloud KMS Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud KMS","description":"Infrastructure regions available for Cloud KMS resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"cloudkms.locations.get":{"id":"cloudkms.locations.get","name":"Cloud KMS Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud KMS","description":"Infrastructure regions available for Cloud KMS resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"cloudkms.locations.generateRandomBytes":{"id":"cloudkms.locations.generateRandomBytes","name":"Cloud KMS Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud KMS","description":"Infrastructure regions available for Cloud KMS resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"cloudkms.locations.optOutKeyDeletionMsa":{"id":"cloudkms.locations.optOutKeyDeletionMsa","name":"Cloud KMS Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud KMS","description":"Infrastructure regions available for Cloud KMS resources"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"cloudkms.protectedResources.search":{"id":"cloudkms.protectedResources.search","name":"Cloud KMS Protected Resources","scope":"MEDIUM","parent":{"notes":"This resource may contain information about a broad range of Google Cloud resources.","description":"Cloud KMS Protected Resources are Google Cloud resources secured with Cloud KMS keys."},"risks":["discovery:infra"],"notes":"Allows searching resources secured by Cloud KMS keys.","links":["https://cloud.google.com/kms/docs/reference/inventory/rest/v1/organizations.protectedResources"],"seeAlso":[]},"cloudsql.backupRuns.create":{"id":"cloudsql.backupRuns.create","name":"Google Cloud SQL","scope":"LOW","parent":{"notes":null,"description":"Cloud SQL backups contain the data stored in your Cloud SQL instance, to be used for recovery and rollback purposes."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.backupRuns.delete":{"id":"cloudsql.backupRuns.delete","name":"Google Cloud SQL","scope":"LOW","parent":{"notes":null,"description":"Cloud SQL backups contain the data stored in your Cloud SQL instance, to be used for recovery and rollback purposes."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.backupRuns.get":{"id":"cloudsql.backupRuns.get","name":"Google Cloud SQL","scope":"LOW","parent":{"notes":null,"description":"Cloud SQL backups contain the data stored in your Cloud SQL instance, to be used for recovery and rollback purposes."},"risks":["discovery:infra"],"notes":"Access to backup metadata.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.backupRuns.list":{"id":"cloudsql.backupRuns.list","name":"Google Cloud SQL","scope":"LOW","parent":{"notes":null,"description":"Cloud SQL backups contain the data stored in your Cloud SQL instance, to be used for recovery and rollback purposes."},"risks":["discovery:infra"],"notes":"Access to backup metadata.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.create":{"id":"cloudsql.databases.create","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":["impact:spend","impact:consumption"],"notes":"This privilege enables users to create databases within a Cloud SQL instance. Adding databases can increase spend.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.delete":{"id":"cloudsql.databases.delete","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":["destruction:data","destruction:infra","destruction:logs"],"notes":"With this privilege, users can delete databases within a Cloud SQL instance.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.get":{"id":"cloudsql.databases.get","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":["discovery:infra"],"notes":"Access to database metadata.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.list":{"id":"cloudsql.databases.list","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":["discovery:infra"],"notes":"Access to database metadata.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.update":{"id":"cloudsql.databases.update","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":[],"notes":"Allows updating database charset and collation settings.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.addServerCa":{"id":"cloudsql.instances.addServerCa","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"Adds a new trusted Certificate Authority version for the specified instance. It does not actually update the existing CA,  that requires a separate permission (rotateServerCa), so this poses no risks.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances/addServerCa"],"seeAlso":[]},"cloudsql.instances.clone":{"id":"cloudsql.instances.clone","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:spend"],"notes":"Cloning an instance also requires the create privilege.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.connect":{"id":"cloudsql.instances.connect","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["escalation:network"],"notes":"This command temporarily changes the authorized networks for this instance to allow connections from your IP address. Note that authentication into the database is still separate, so this does not provide access to data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sdk/gcloud/reference/sql/connect"],"seeAlso":[]},"cloudsql.instances.create":{"id":"cloudsql.instances.create","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:spend"],"notes":"This privilege allows users to create new Cloud SQL instances, potentially incurring cost due to resource usage.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.createTagBinding":{"id":"cloudsql.instances.createTagBinding","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. If the user has any policies that use tag bindings to enforce conditions, creating a tag on a resource allows them to escalate their access to that resource. Also requires getIamPolicy or knowledge of the IAM policy from some other means.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.delete":{"id":"cloudsql.instances.delete","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["destruction:data","destruction:infra"],"notes":"With this privilege, users can delete Cloud SQL instances. It poses risks of service disruption, permanent data loss, and infrastructure damage.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.deleteTagBinding":{"id":"cloudsql.instances.deleteTagBinding","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The \"destruction:policy\" and \"impact:access\" risks apply if the tag is used in any policies.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.demoteMaster":{"id":"cloudsql.instances.demoteMaster","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"This permission allows converting an instance to a read replica. Since read replicas do not allow write requests, this can cause a denial of service if the instance is handling write requests.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/replication"],"seeAlso":[]},"cloudsql.instances.export":{"id":"cloudsql.instances.export","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["exfiltration:data"],"notes":"This permission allows exporting the results of a SQL query run on the instance database as a CSV, or exporting the entire database as a SQL dump.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.failover":{"id":"cloudsql.instances.failover","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"This causes Cloud SQL to switch to serving data from a secondary instance instead of the primary. Google expects the failover operation to render the instance inaccessible for about 60 seconds, so this could  produce a DOS if executed repeatedly.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.get":{"id":"cloudsql.instances.get","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["discovery:infra","discovery:policy"],"notes":"Allows access to instance metadata and settings, including IP addresses, authorized networks, and backup settings.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.getDiskShrinkConfig":{"id":"cloudsql.instances.getDiskShrinkConfig","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.import":{"id":"cloudsql.instances.import","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:consumption","impact:dos","impact:manipulation"],"notes":"Allows importing data to an instance. If enough data is imported to exceed the disk space of the instance,  will cause a DOS until the instance is manually resized.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.list":{"id":"cloudsql.instances.list","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["discovery:infra","discovery:policy"],"notes":"Allows access to instance metadata and settings, including IP addresses, authorized networks, and backup settings.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.listEffectiveTags":{"id":"cloudsql.instances.listEffectiveTags","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.listServerCas":{"id":"cloudsql.instances.listServerCas","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.listTagBindings":{"id":"cloudsql.instances.listTagBindings","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.login":{"id":"cloudsql.instances.login","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.migrate":{"id":"cloudsql.instances.migrate","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.performDiskShrink":{"id":"cloudsql.instances.performDiskShrink","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.promoteReplica":{"id":"cloudsql.instances.promoteReplica","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:spend"],"notes":"This permission allows converting a read replica to a primary instance.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/replication"],"seeAlso":[]},"cloudsql.instances.reencrypt":{"id":"cloudsql.instances.reencrypt","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"This permission re-encrypts the instance with the existing primary key.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.resetReplicaSize":{"id":"cloudsql.instances.resetReplicaSize","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.resetSslConfig":{"id":"cloudsql.instances.resetSslConfig","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"Deletes all client certificates and generates a new server SSL certificate for the instance. This can cause a denial of service since clients will not be updated to use the new certificate.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances/resetSslConfig"],"seeAlso":[]},"cloudsql.instances.restart":{"id":"cloudsql.instances.restart","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"Restarts the instance. This can cause a denial of service since it closes all existing connections.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.restoreBackup":{"id":"cloudsql.instances.restoreBackup","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["destruction:data","destruction:logs"],"notes":"The restore process overwrites all the current data on the instance and it cannot be recovered.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/backup-recovery/restoring"],"seeAlso":[]},"cloudsql.instances.rotateServerCa":{"id":"cloudsql.instances.rotateServerCa","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"Rotates the server certificate to one signed by the certificate authority version previously added.  Can cause a denial of service if clients have not been updated to use the new certificate. There must be another certificate authority already added to exploit this.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances/addServerCa"],"seeAlso":[]},"cloudsql.instances.startReplica":{"id":"cloudsql.instances.startReplica","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"Starts replication from the primary instance on a read replica.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/postgres/replication/manage-replicas"],"seeAlso":[]},"cloudsql.instances.stopReplica":{"id":"cloudsql.instances.stopReplica","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["destruction:defense"],"notes":"Stops replication from the primary instance on a read replica. Requests are made directly to a replica,  so any subsequent requests to that read replica will get outdated data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/postgres/replication/manage-replicas"],"seeAlso":[]},"cloudsql.instances.truncateLog":{"id":"cloudsql.instances.truncateLog","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["destruction:logs"],"notes":"This allows truncating log entries from the instance. Will only pose a risk to logs that are stored as tables in the database, which is configured in database settings.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.update":{"id":"cloudsql.instances.update","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos","destruction:defense","impact:spend","impact:encryption"],"notes":"Allows updating various instance metadata and settings, including authorized networks, backup settings,  and encryption keys.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.create":{"id":"cloudsql.sslCerts.create","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":["impact:consumption","escalation:network"],"notes":"This permission allows creating a client SSL certificate for the instance, which allows the user to establish a connection to the instance. Note that authentication into the database is still separate, so this does not provide access to data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.createEphemeral":{"id":"cloudsql.sslCerts.createEphemeral","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":["escalation:network"],"notes":"This permission allows creating an ephemeral client SSL certificate for the instance, which allows the user to establish a connection to the instance. Note that authentication into the database is still separate, so this does not provide access to data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.delete":{"id":"cloudsql.sslCerts.delete","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.get":{"id":"cloudsql.sslCerts.get","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":[],"notes":"Does not include private keys.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.list":{"id":"cloudsql.sslCerts.list","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":[],"notes":"Does not include private keys.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.users.create":{"id":"cloudsql.users.create","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["destruction:data","destruction:logs","exfiltration:data","exfiltration:logs","impact:manipulation"],"notes":"This permission allows creating a new user with a provided username/password.  It grants the created user super user privileges on the database.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/postgres/create-manage-users"],"seeAlso":[]},"cloudsql.users.get":{"id":"cloudsql.users.get","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["discovery:account"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.users.list":{"id":"cloudsql.users.list","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["discovery:account"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.users.update":{"id":"cloudsql.users.update","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["impact:access","destruction:data","destruction:logs","exfiltration:data","exfiltration:logs","impact:manipulation"],"notes":"Allows updating the password of an existing user.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.users.delete":{"id":"cloudsql.users.delete","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["destruction:account"],"notes":"Users with this privilege can delete database users within a Cloud SQL instance.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"compute.acceleratorTypes.get":{"id":"compute.acceleratorTypes.get","name":"Compute Engine accelerator-optimized machines","scope":"PUBLIC","parent":{"notes":"Reads publicly available data from Google Cloud","description":"Read accelerator-optimized machine types"},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/accelerator-optimized-machines"],"seeAlso":[]},"compute.acceleratorTypes.list":{"id":"compute.acceleratorTypes.list","name":"Compute Engine accelerator-optimized machines","scope":"PUBLIC","parent":{"notes":"Reads publicly available data from Google Cloud","description":"Read accelerator-optimized machine types"},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/accelerator-optimized-machines"],"seeAlso":[]},"compute.addresses.create":{"id":"compute.addresses.create","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.createInternal":{"id":"compute.addresses.createInternal","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.delete":{"id":"compute.addresses.delete","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["destruction:infra"],"notes":"Can not delete an address that is in use by an instance.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.deleteInternal":{"id":"compute.addresses.deleteInternal","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["destruction:infra"],"notes":"Can not delete an address that is in use by an instance.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.get":{"id":"compute.addresses.get","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["discovery:network"],"notes":"May allow an attacker to identify network resources to target.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.list":{"id":"compute.addresses.list","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["discovery:network"],"notes":"May allow an attacker to identify network resources to target.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.setLabels":{"id":"compute.addresses.setLabels","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.use":{"id":"compute.addresses.use","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["escalation:lateral"],"notes":"If used to attach a network address to an already compromised access, can allow lateral movement across a network.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.useInternal":{"id":"compute.addresses.useInternal","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["escalation:lateral"],"notes":"If used to attach a network address to an already compromised access, can allow lateral movement across a network.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.autoscalers.create":{"id":"compute.autoscalers.create","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["impact:spend","impact:hijack"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.autoscalers.delete":{"id":"compute.autoscalers.delete","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.autoscalers.get":{"id":"compute.autoscalers.get","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.autoscalers.list":{"id":"compute.autoscalers.list","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.autoscalers.update":{"id":"compute.autoscalers.update","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["impact:spend","impact:hijack","destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.backendBuckets.addSignedUrlKey":{"id":"compute.backendBuckets.addSignedUrlKey","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege"],"notes":"Allows an attacker to forge signed URLs, potentially gaining access to additional data.","links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.create":{"id":"compute.backendBuckets.create","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":[],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.delete":{"id":"compute.backendBuckets.delete","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra","destruction:data"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.deleteSignedUrlKey":{"id":"compute.backendBuckets.deleteSignedUrlKey","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.get":{"id":"compute.backendBuckets.get","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.getIamPolicy":{"id":"compute.backendBuckets.getIamPolicy","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.list":{"id":"compute.backendBuckets.list","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.setIamPolicy":{"id":"compute.backendBuckets.setIamPolicy","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.setSecurityPolicy":{"id":"compute.backendBuckets.setSecurityPolicy","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege"],"notes":"Allows an attacker to defeat content security, gaining access to bucket contents.","links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets","https://cloud.google.com/armor/docs/security-policy-overview"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.update":{"id":"compute.backendBuckets.update","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra","destruction:data"],"notes":"Does not allow modification to edge security policies. Allows modifying some CDN policies, but not anything that impacts access control.","links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets/update"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.use":{"id":"compute.backendBuckets.use","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:lateral"],"notes":"When combined with the ability to edit URL maps, allows an attacker to point a load-balancer URL to a backend bucket.","links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets","https://cloud.google.com/compute/docs/reference/rest/v1/urlMaps/insert"],"seeAlso":["compute.backendServices"]},"compute.backendServices.addSignedUrlKey":{"id":"compute.backendServices.addSignedUrlKey","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege"],"notes":"Allows an attacker to forge signed URLs, potentially gaining access to additional data.","links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.create":{"id":"compute.backendServices.create","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":[],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.delete":{"id":"compute.backendServices.delete","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.deleteSignedUrlKey":{"id":"compute.backendServices.deleteSignedUrlKey","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.get":{"id":"compute.backendServices.get","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.getIamPolicy":{"id":"compute.backendServices.getIamPolicy","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.list":{"id":"compute.backendServices.list","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.setIamPolicy":{"id":"compute.backendServices.setIamPolicy","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.setSecurityPolicy":{"id":"compute.backendServices.setSecurityPolicy","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege"],"notes":"Allows an attacker to defeat content security, potentially gaining layer-7 access to the service.","links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices","https://cloud.google.com/armor/docs/security-policy-overview"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.update":{"id":"compute.backendServices.update","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra","destruction:data"],"notes":"Does not allow modification of security policies. Allows CDN policy modification but  nothing that affects access control.","links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices/update"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.use":{"id":"compute.backendServices.use","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:lateral"],"notes":"When combined with the ability to edit URL maps, allows an attacker to point a load-balancer URL to a backend service.","links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices","https://cloud.google.com/compute/docs/reference/rest/v1/urlMaps/insert"],"seeAlso":["compute.backendBuckets"]},"compute.commitments.create":{"id":"compute.commitments.create","name":"Compute Engine commitments","scope":"MEDIUM","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.commitments.get":{"id":"compute.commitments.get","name":"Compute Engine commitments","scope":"LOW","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.commitments.list":{"id":"compute.commitments.list","name":"Compute Engine commitments","scope":"LOW","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.commitments.update":{"id":"compute.commitments.update","name":"Compute Engine commitments","scope":"MEDIUM","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.commitments.updateReservations":{"id":"compute.commitments.updateReservations","name":"Compute Engine commitments","scope":"MEDIUM","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.diskTypes.get":{"id":"compute.diskTypes.get","name":"Compute Engine disk types","scope":"PUBLIC","parent":{"notes":"Reads publicly available data from Google Cloud","description":"Read available disk types"},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/disks","https://cloud.google.com/compute/docs/reference/rest/v1/diskTypes"],"seeAlso":[]},"compute.diskTypes.list":{"id":"compute.diskTypes.list","name":"Compute Engine disk types","scope":"PUBLIC","parent":{"notes":"Reads publicly available data from Google Cloud","description":"Read available disk types"},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/disks","https://cloud.google.com/compute/docs/reference/rest/v1/diskTypes"],"seeAlso":[]},"compute.disks.addResourcePolicies":{"id":"compute.disks.addResourcePolicies","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["impact:spend","collection:data"],"notes":"Requires a useful resource policy to otherwise exist.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/reference/rest/v1/resourcePolicies","https://cloud.google.com/compute/docs/disks/scheduled-snapshots"],"seeAlso":[]},"compute.disks.create":{"id":"compute.disks.create","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.createSnapshot":{"id":"compute.disks.createSnapshot","name":"Compute Engine disks","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["collection:data"],"notes":"When combined with the ability to read disk images, can allow access to disk data.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.createTagBinding":{"id":"compute.disks.createTagBinding","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["impact:access","escalation:privilege"],"notes":"Tag bindings are used to dynamically modify IAM policies.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.delete":{"id":"compute.disks.delete","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["destruction:infra","destruction:data"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.deleteTagBinding":{"id":"compute.disks.deleteTagBinding","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"Tag bindings are used to dynamically modify IAM policies.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.get":{"id":"compute.disks.get","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.getIamPolicy":{"id":"compute.disks.getIamPolicy","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.list":{"id":"compute.disks.list","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.listEffectiveTags":{"id":"compute.disks.listEffectiveTags","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.listTagBindings":{"id":"compute.disks.listTagBindings","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.removeResourceBindings":{"id":"compute.disks.removeResourceBindings","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/reference/rest/v1/resourcePolicies","https://cloud.google.com/compute/docs/disks/scheduled-snapshots"],"seeAlso":[]},"compute.disks.resize":{"id":"compute.disks.resize","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["impact:spend"],"notes":"Disks can only be increased in size.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/reference/rest/v1/disks/resize"],"seeAlso":[]},"compute.disks.setIamPolicy":{"id":"compute.disks.setIamPolicy","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.setLabels":{"id":"compute.disks.setLabels","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.startAsyncReplication":{"id":"compute.disks.startAsyncReplication","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/disks/async-pd/about"],"seeAlso":[]},"compute.disks.stopAsyncReplication":{"id":"compute.disks.stopAsyncReplication","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["destruction:infra"],"notes":"Can effectively turn off disk replication if applied repeatedly.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/disks/async-pd/about"],"seeAlso":[]},"compute.disks.stopGroupAsyncReplication":{"id":"compute.disks.stopGroupAsyncReplication","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["destruction:infra"],"notes":"Can effectively turn off disk replication if applied repeatedly.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/disks/async-pd/about"],"seeAlso":[]},"compute.disks.update":{"id":"compute.disks.update","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["escalation:data","destruction:infra"],"notes":"Can allow data access via modifying disk or snapshot encryption keys.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.use":{"id":"compute.disks.use","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["collection:data","destruction:data"],"notes":"Can allow data access if the attacker can attach the disk to an additionally compromised instance.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.useReadOnly":{"id":"compute.disks.useReadOnly","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["collection:data"],"notes":"Can allow data access if the attacker can attach the disk to an additionally compromised instance.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.externalVpnGateways.create":{"id":"compute.externalVpnGateways.create","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":[],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.delete":{"id":"compute.externalVpnGateways.delete","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.get":{"id":"compute.externalVpnGateways.get","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.list":{"id":"compute.externalVpnGateways.list","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.setLabels":{"id":"compute.externalVpnGateways.setLabels","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.use":{"id":"compute.externalVpnGateways.use","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["escalation:lateral"],"notes":"Can be used to gain network access when the attacker has access to both the gateway in question, and the ability to modify the VPN settings.","links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.firewallPolicies.addAssociation":{"id":"compute.firewallPolicies.addAssociation","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["escalation:lateral"],"notes":"Appears to be an alias for compute.firewallPolicies.use.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies","https://cloud.google.com/vpc/docs/use-network-firewall-policies#associate"],"seeAlso":[]},"compute.firewallPolicies.cloneRules":{"id":"compute.firewallPolicies.cloneRules","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["destruction:policy","escalation:lateral"],"notes":"Simultaneously deletes a firewall policy and creates a new policy. Allows escalation when the new policy is overly permissive, or the attacker additionally can alter the copied policy.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.copyRules":{"id":"compute.firewallPolicies.copyRules","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":[],"notes":"Unknown or undocumented functionality. Likely unused.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.create":{"id":"compute.firewallPolicies.create","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":[],"notes":"No direct risks, but may increase the severity of attacks using other privileges (see addAssociation, cloneRules, and move).","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.delete":{"id":"compute.firewallPolicies.delete","name":"Compute Engine firewall policies","scope":"LOW","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["destruction:policy"],"notes":"All associations must be removed prior to deletion.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.get":{"id":"compute.firewallPolicies.get","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["discovery:network","discovery:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.getIamPolicy":{"id":"compute.firewallPolicies.getIamPolicy","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.list":{"id":"compute.firewallPolicies.list","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["discovery:network","discovery:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.move":{"id":"compute.firewallPolicies.move","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":[],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.removeAssociation":{"id":"compute.firewallPolicies.removeAssociation","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["destruction:policy","escalation:lateral"],"notes":"Allows removal of a policy from a VPC.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.setIamPolicy":{"id":"compute.firewallPolicies.setIamPolicy","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.update":{"id":"compute.firewallPolicies.update","name":"Compute Engine firewall policies","scope":"LOW","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["destruction:infra"],"notes":"Only allows for modification of a policy's description.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.use":{"id":"compute.firewallPolicies.use","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["escalation:lateral"],"notes":"Allows application of a firewall policy to a VPC.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies/addAssociation"],"seeAlso":[]},"compute.forwardingRules.create":{"id":"compute.forwardingRules.create","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"Can be used to directly create a load balancer.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.delete":{"id":"compute.forwardingRules.delete","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["destruction:network"],"notes":"Also can terminate a load balancer.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.get":{"id":"compute.forwardingRules.get","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.list":{"id":"compute.forwardingRules.list","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscCreate":{"id":"compute.forwardingRules.pscCreate","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"Can be used to access Google managed services when a VM is already compromised.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscDelete":{"id":"compute.forwardingRules.pscDelete","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscSetLabels":{"id":"compute.forwardingRules.pscSetLabels","name":"Compute Engine forwarding rules","scope":"MEDIUM","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["destruction:infra"],"notes":"Labels are generally low-sensitivity infrastructure.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscSetTarget":{"id":"compute.forwardingRules.pscSetTarget","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"Can be used to access Google managed services when a VM is already compromised.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscUpdate":{"id":"compute.forwardingRules.pscUpdate","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral","destruction:network"],"notes":"Can not be used to change targets. Can be used to access Google managed services when the rule already directs traffic to a target service and the attacker has access to a particular source VM.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.setLabels":{"id":"compute.forwardingRules.setLabels","name":"Compute Engine forwarding rules","scope":"MEDIUM","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["destruction:infra"],"notes":"Labels are generally low-sensitivity infrastructure.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.setTargets":{"id":"compute.forwardingRules.setTargets","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"Can be used to escalate access when an attacker can reach the loadbalancer source endpoint.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.update":{"id":"compute.forwardingRules.update","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral","destruction:network"],"notes":"Can not be used to change targets. Can be used to escalate access when the rule already directs traffic to a target system and the attacker has access to a particular source endpoint.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.use":{"id":"compute.forwardingRules.use","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"This privilege is undocumented by Google. In analogy to other .use privileges, this *may* allow connection of an existing forwarding rule to an (existing) load balancer, thereby potentially allowing access to a service. This has not been tested by the catalog maintainers.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.globalAddresses.create":{"id":"compute.globalAddresses.create","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["impact:consumption"],"notes":"Reserves a global IP address, but does not assign it to any infrastructure.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.createInternal":{"id":"compute.globalAddresses.createInternal","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["impact:consumption"],"notes":"Reserves a global IP address, but does not assign it to any infrastructure. Requires access to the internal network for exploitation.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.delete":{"id":"compute.globalAddresses.delete","name":"Compute Engine global addresses","scope":"LOW","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["destruction:network"],"notes":"An address can only be released if it is not in use.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.deleteInternal":{"id":"compute.globalAddresses.deleteInternal","name":"Compute Engine global addresses","scope":"LOW","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["destruction:network"],"notes":"An address can only be released if it is not in use.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.get":{"id":"compute.globalAddresses.get","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.list":{"id":"compute.globalAddresses.list","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.setLabels":{"id":"compute.globalAddresses.setLabels","name":"Compute Engine global addresses","scope":"LOW","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.use":{"id":"compute.globalAddresses.use","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["escalation:lateral"],"notes":"Requires an attacker to also be able to manipulate load-balancer routing rules to gain access to any network resource.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalForwardingRules.create":{"id":"compute.globalForwardingRules.create","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"Can be used to directly create a load balancer.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.delete":{"id":"compute.globalForwardingRules.delete","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["destruction:network"],"notes":"Also can terminate a load balancer.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.get":{"id":"compute.globalForwardingRules.get","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.list":{"id":"compute.globalForwardingRules.list","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscCreate":{"id":"compute.globalForwardingRules.pscCreate","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"Can be used to access Google managed services when a VM is already compromised.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscGet":{"id":"compute.globalForwardingRules.pscGet","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscDelete":{"id":"compute.globalForwardingRules.pscDelete","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscSetLabels":{"id":"compute.globalForwardingRules.pscSetLabels","name":"Compute Engine forwarding rules","scope":"MEDIUM","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["destruction:infra"],"notes":"Labels are generally low-sensitivity infrastructure.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscSetTarget":{"id":"compute.globalForwardingRules.pscSetTarget","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"Can be used to access Google managed services when a VM is already compromised.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscUpdate":{"id":"compute.globalForwardingRules.pscUpdate","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral","destruction:network"],"notes":"Can not be used to change targets. Can be used to access Google managed services when the rule already directs traffic to a target service and the attacker has access to a particular source VM.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.setLabels":{"id":"compute.globalForwardingRules.setLabels","name":"Compute Engine forwarding rules","scope":"MEDIUM","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["destruction:infra"],"notes":"Labels are generally low-sensitivity infrastructure.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.setTargets":{"id":"compute.globalForwardingRules.setTargets","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"Can be used to escalate access when an attacker can reach the loadbalancer source endpoint.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.update":{"id":"compute.globalForwardingRules.update","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral","destruction:network"],"notes":"Can not be used to change targets. Can be used to escalate access when the rule already directs traffic to a target system and the attacker has access to a particular source endpoint.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.use":{"id":"compute.globalForwardingRules.use","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"This privilege is undocumented by Google. In analogy to other .use privileges, this *may* allow connection of an existing forwarding rule to an (existing) load balancer, thereby potentially allowing access to a service. This has not been tested by the catalog maintainers.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalNetworkEndpointGroups.attachNetworkEndpoints":{"id":"compute.globalNetworkEndpointGroups.attachNetworkEndpoints","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:lateral"],"notes":"With a NEG on an already accessible network, can be used to connect to sensitive backend services. Can be combined with `create` to broaden attack surface.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.create":{"id":"compute.globalNetworkEndpointGroups.create","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:lateral"],"notes":"When combined with attachNetworkEndpoints, can be used to connect to sensitive backend services.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.delete":{"id":"compute.globalNetworkEndpointGroups.delete","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.detachNetworkEndpoints":{"id":"compute.globalNetworkEndpointGroups.detachNetworkEndpoints","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.get":{"id":"compute.globalNetworkEndpointGroups.get","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.getIamPolicy":{"id":"compute.globalNetworkEndpointGroups.getIamPolicy","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.list":{"id":"compute.globalNetworkEndpointGroups.list","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.setIamPolicy":{"id":"compute.globalNetworkEndpointGroups.setIamPolicy","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.use":{"id":"compute.globalNetworkEndpointGroups.use","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["impact:dos"],"notes":"In combination with the ability to alter health checks, slows creation of health checks based on NEGs. Could lead to DOS if health checks are sufficiently frequent, and the referenced endpoints sufficiently expensive.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups","https://cloud.google.com/compute/docs/reference/rest/v1/regionHealthCheckServices/insert"],"seeAlso":["compute.networkEndpointGroups"]},"compute.healthChecks.create":{"id":"compute.healthChecks.create","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.delete":{"id":"compute.healthChecks.delete","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["destruction:network"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.get":{"id":"compute.healthChecks.get","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.list":{"id":"compute.healthChecks.list","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.update":{"id":"compute.healthChecks.update","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["destruction:infra","destruction:network","impact:dos"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.use":{"id":"compute.healthChecks.use","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.useReadOnly":{"id":"compute.healthChecks.useReadOnly","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.create":{"id":"compute.httpHealthChecks.create","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.delete":{"id":"compute.httpHealthChecks.delete","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["destruction:network"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.get":{"id":"compute.httpHealthChecks.get","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.list":{"id":"compute.httpHealthChecks.list","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.update":{"id":"compute.httpHealthChecks.update","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["destruction:infra","destruction:network","impact:dos"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.use":{"id":"compute.httpHealthChecks.use","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.useReadOnly":{"id":"compute.httpHealthChecks.useReadOnly","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.create":{"id":"compute.httpsHealthChecks.create","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.delete":{"id":"compute.httpsHealthChecks.delete","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["destruction:network"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.get":{"id":"compute.httpsHealthChecks.get","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.list":{"id":"compute.httpsHealthChecks.list","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.update":{"id":"compute.httpsHealthChecks.update","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["destruction:infra","destruction:network","impact:dos"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.use":{"id":"compute.httpsHealthChecks.use","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.useReadOnly":{"id":"compute.httpsHealthChecks.useReadOnly","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.images.create":{"id":"compute.images.create","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["exfiltration:data"],"notes":"When combined with a compromised source, a compromised storage bucket, and a known encryption key, can allow an attacker to exfiltrate a disk image.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.createTagBinding":{"id":"compute.images.createTagBinding","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["impact:access","escalation:privilege"],"notes":"An attacker can exploit tag-based IAM policies to gain access to image data.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.delete":{"id":"compute.images.delete","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.deleteTagBinding":{"id":"compute.images.deleteTagBinding","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"An attacker can exploit tag-based IAM policies to gain access to image data.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.deprecate":{"id":"compute.images.deprecate","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":[],"notes":"No particular impact.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.get":{"id":"compute.images.get","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:metadata"],"notes":"The customer managed key ids, configured for the image, are be returned in the api. No raw encryption keys are exposed.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.getFromFamily":{"id":"compute.images.getFromFamily","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.getIamPolicy":{"id":"compute.images.getIamPolicy","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.list":{"id":"compute.images.list","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.listEffectiveTags":{"id":"compute.images.listEffectiveTags","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.listTagBindings":{"id":"compute.images.listTagBindings","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.setIamPolicy":{"id":"compute.images.setIamPolicy","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.setLabels":{"id":"compute.images.setLabels","name":"Compute Engine images","scope":"LOW","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.update":{"id":"compute.images.update","name":"Compute Engine images","scope":"LOW","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.useReadOnly":{"id":"compute.images.useReadOnly","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["escalation:data"],"notes":"When combined with compute.instances.create, can allow access to image data.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.instanceGroupManagers.create":{"id":"compute.instanceGroupManagers.create","name":"Compute Engine managed instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["impact:spend","impact:hijack"],"notes":"Can be exploited for cryptojacking purposes, but additionally requires creation of corresponding instance templates. Instances may be accessible via addition to target groups.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.delete":{"id":"compute.instanceGroupManagers.delete","name":"Compute Engine managed instance groups","scope":"HIGH","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["destruction:infra","destruction:network"],"notes":"Does not delete instances themselves, but can effectively remove network access to instances.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.get":{"id":"compute.instanceGroupManagers.get","name":"Compute Engine managed instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.list":{"id":"compute.instanceGroupManagers.list","name":"Compute Engine managed instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.update":{"id":"compute.instanceGroupManagers.update","name":"Compute Engine managed instance groups","scope":"CRITICAL","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["impact:spend","destruction:infra","destruction:data","destruction:network","escalation:lateral"],"notes":"Groups can be resized, either increasing spend or destroying infrastructure. Groups can be added to target pools, granting access via unsecured network endpoints.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.use":{"id":"compute.instanceGroupManagers.use","name":"Compute Engine managed instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["escalation:lateral"],"notes":"No known or documented application; may be necessary to assign the group to a load balancer.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroups.create":{"id":"compute.instanceGroups.create","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":[],"notes":"Instances must be manually added to the group; therefore no directly impactful risks.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.delete":{"id":"compute.instanceGroups.delete","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.get":{"id":"compute.instanceGroups.get","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.list":{"id":"compute.instanceGroups.list","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.update":{"id":"compute.instanceGroups.update","name":"Compute Engine instance groups","scope":"HIGH","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["escalation:lateral","destruction:network"],"notes":"Can provide access to a VM by connecting instances to a compromised load-balancing rule; or, remove necessary infrastructure from network access.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.use":{"id":"compute.instanceGroups.use","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["escalation:lateral"],"notes":"No known or documented application; may be necessary to assign the group to a load balancer.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instances.addAccessConfig":{"id":"compute.instances.addAccessConfig","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:privilege"],"notes":"Allows a public IP address to be assigned to the instance. Further access depends on the instance's firewall rules.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.addMaintenancePolicies":{"id":"compute.instances.addMaintenancePolicies","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":[],"notes":"Appears to be unused, or replaced with `setScheduling`.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.addResourcePolicies":{"id":"compute.instances.addResourcePolicies","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos","impact:spend"],"notes":"Requires an existing resource policy and `compute.resourcePolicies.use` or `compute.resourcePolicies.useReadOnly` on the policy. Resource policies can automatically start or stop instances.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/schedule-instance-start-stop"],"seeAlso":[]},"compute.instances.attachDisk":{"id":"compute.instances.attachDisk","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:lateral"],"notes":"When combined with `compute.disks.use`, can escalate access to disk data.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.create":{"id":"compute.instances.create","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:network","discovery:policy","escalation:network","impact:spend","impact:hijack"],"notes":"Creating an instance can export the instance's service account credentials to an external server using the VM's local access to the instance metadata, including disk encryption keys and short-lived service account tokens. Allows access to network instances to which the VM is connected (e.g. VPCs). Created instances can be used to hijack resources, or create extra spend. Creating an instance with an attached service account requires permissions to impersonate the service account, so access to the service-account token does not present a privilege escalation.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/","https://cloud.google.com/compute/docs/metadata/default-metadata-values"],"seeAlso":[]},"compute.instances.createTagBinding":{"id":"compute.instances.createTagBinding","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:access","escalation:privilege"],"notes":"Depending on IAM policy configuration, can gain access to, or remove access from, the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.delete":{"id":"compute.instances.delete","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.deleteAccessConfig":{"id":"compute.instances.deleteAccessConfig","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:network"],"notes":"Can remove public IP addresses from the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.deleteTagBinding":{"id":"compute.instances.deleteTagBinding","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"Depending on IAM policy configuration, can gain access to, or remove access from, the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.detachDisk":{"id":"compute.instances.detachDisk","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.get":{"id":"compute.instances.get","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account","discovery:network","discovery:policy"],"notes":"Allows access to a wide array of metadata including account public keys, network configuration, and service account permissions. Note that, although the Google API documentation suggests that access is also granted to secret material such as disk encryption keys or service-account tokens, these are not included in the API response returned by the API.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/metadata/default-metadata-values"],"seeAlso":[]},"compute.instances.getEffectiveFirewalls":{"id":"compute.instances.getEffectiveFirewalls","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.getGuestAttributes":{"id":"compute.instances.getGuestAttributes","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["exfiltration:data"],"notes":"Guest attributes may be used by applications to store small quantities of quasi-static data.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/metadata/overview"],"seeAlso":[]},"compute.instances.getIamPolicy":{"id":"compute.instances.getIamPolicy","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.getScreenshot":{"id":"compute.instances.getScreenshot","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["exfiltration:data"],"notes":"Requires sensitive data to appear in the VM's screen output.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/troubleshooting/capturing-vm-screenshots"],"seeAlso":[]},"compute.instances.getSerialPortOutput":{"id":"compute.instances.getSerialPortOutput","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["exfiltration:data"],"notes":"Allows reading data from an instance even if exfiltration is otherwise prevented via firewall rules / limited console access. Requires an additional exploit to write data to the serial port.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/troubleshooting/viewing-serial-port-output","https://www.mitiga.io/blog/misconfiguration-hidden-dangers-cloud-control-plane"],"seeAlso":[]},"compute.instances.getShieldedInstanceIdentity":{"id":"compute.instances.getShieldedInstanceIdentity","name":"Compute Engine managed instances","scope":"LOW","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account"],"notes":"Provides access to the public components of the instance's virtual trusted platform module (vTPM). While labeled \"public\", these components may not be intended for consumption by the broader public.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"],"seeAlso":[]},"compute.instances.getShieldedVmIdentity":{"id":"compute.instances.getShieldedVmIdentity","name":"Compute Engine managed instances","scope":"LOW","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account"],"notes":"Provides access to the public components of the VM's virtual trusted platform module (vTPM). While labeled \"public\", these components may not be intended for consumption by the broader public.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"],"seeAlso":[]},"compute.instances.list":{"id":"compute.instances.list","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account","discovery:network","discovery:policy"],"notes":"Per compute.instances.get.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/metadata/default-metadata-values"],"seeAlso":[]},"compute.instances.listEffectiveTags":{"id":"compute.instances.listEffectiveTags","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.listReferrers":{"id":"compute.instances.listReferrers","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.listTagBindings":{"id":"compute.instances.listTagBindings","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.osAdminLogin":{"id":"compute.instances.osAdminLogin","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["collection:data","destruction:data","destruction:logs","destruction:network","discovery:network","discovery:policy","escalation:lateral","exfiltration:data","impact:defacement","impact:hijack"],"notes":"Allows root-level access to the instance, effectively allowing full control of all services hosted on the instance. Allows full access to instance metadata, similar to risks of `get`. Allows access to all data stored on the instance. Allows access to bound service accounts, granting access to all resources accessible by the service account (potentially including data repositories). Allows access to any networks to which the instance is bound. Allows alteration of logs, potentially allowing the attacker to conceal their presence. If the instance has a service account, additionally requires permission to act as that service account.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.osLogin":{"id":"compute.instances.osLogin","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["collection:data","destruction:data","discovery:network","discovery:policy","escalation:lateral","exfiltration:data","impact:defacement","impact:hijack"],"notes":"Specific risks depend on the instance configuration, but can include most of the risks of `osAdminLogin`, subject to privileges granted within the instance OS and file systems. If the instance has a service account, additionally requires permission to act as that service account. Assuming traditionally root-level permissions are unavailable to users that log in via this privilege, alteration of services, logs, and networks, as well as metadata exfiltration, may be prevented. Compute resources may still be consumed assuming relatively liberal instance user limits. Backend services that serve or store data in accessible locations may be altered, or their data collected.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.removeMaintenancePolicies":{"id":"compute.instances.removeMaintenancePolicies","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":[],"notes":"Appears to be unused, or replaced with `setScheduling`.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.removeResourcePolicies":{"id":"compute.instances.removeResourcePolicies","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos","impact:spend"],"notes":"Resource policies can automatically start or stop instances, leading to denial-of-service (if instances are no longer started), or additional spend (if instances are no longer stopped).","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/schedule-instance-start-stop"],"seeAlso":[]},"compute.instances.reset":{"id":"compute.instances.reset","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","impact:dos"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.resume":{"id":"compute.instances.resume","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.sendDiagnosticInterrupt":{"id":"compute.instances.sendDiagnosticInterrupt","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["collection:data"],"notes":"Requires additional privileges to exploit: for Linux systems, the ability to configure NMI response behavior and to read crash logs; for Windows systems, the ability to read the console.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/troubleshooting/collecting-core-dumps"],"seeAlso":[]},"compute.instances.setDeletionProtection":{"id":"compute.instances.setDeletionProtection","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":"Additionally requires the ability to delete the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setDiskAutoDelete":{"id":"compute.instances.setDiskAutoDelete","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":"Leads to destruction when the instance is deleted.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setIamPolicy":{"id":"compute.instances.setIamPolicy","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setLabels":{"id":"compute.instances.setLabels","name":"Compute Engine managed instances","scope":"LOW","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra"],"notes":"Used generally for filtering instance lists.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setMachineResources":{"id":"compute.instances.setMachineResources","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos"],"notes":"Allows the replacement of attached GPUs. The machine must be stopped. Could potentially lead to a denial-of-service if the instance is restarted and is undersized for its workload.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setMachineType":{"id":"compute.instances.setMachineType","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos"],"notes":"Allows reconfiguration of the instance machine type. The machine must be stopped. Could potentially lead to a denial-of-service if the instance is restarted and is undersized for its workload.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setMetadata":{"id":"compute.instances.setMetadata","name":"Compute Engine managed instances","scope":"LOW","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data"],"notes":"Only allows setting of custom metadata.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setMinCpuPlatform":{"id":"compute.instances.setMinCpuPlatform","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos"],"notes":"Allows reconfiguration of the minimum CPU platform (microarchitecture) the instance can use. The machine must be stopped. Could potentially interrupt services that require features from a specific CPU platform (e.g. a specific number of available threads, vCPUs, or instructions).","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setName":{"id":"compute.instances.setName","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra"],"notes":"Can break instance references when instances are referred to by name rather than resource ID.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setScheduling":{"id":"compute.instances.setScheduling","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","destruction:logs"],"notes":"Can lead to data or log destruction when the instance is configured to terminate on host maintenance. May be used to prevent crashed hosts from automatically restarting. Requires the ability to crash the instance to exploit. Can only be applied to a stopped instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/setting-vm-host-options"],"seeAlso":[]},"compute.instances.setServiceAccount":{"id":"compute.instances.setServiceAccount","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","escalation:lateral"],"notes":"Set a service account removes any existing service account access from the machine, preventing any requests to other resources that rely on that account. When the newly attached service account is already compromised, can allow lateral escalation to the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances"],"seeAlso":[]},"compute.instances.setShieldedInstanceIntegrityPolicy":{"id":"compute.instances.setShieldedInstanceIntegrityPolicy","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:defense"],"notes":"Resets the baseline for monitoring instance integrity, allowing an attacker to evade detection. The instance must be running.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/shielded-vm/docs/integrity-monitoring"],"seeAlso":[]},"compute.instances.setShieldedVmIntegrityPolicy":{"id":"compute.instances.setShieldedVmIntegrityPolicy","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:defense"],"notes":"Can be used to disable integrity monitoring on a shielded instance. The instance must be stopped.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/shielded-vm/docs/modifying-shielded-vm"],"seeAlso":[]},"compute.instances.setTags":{"id":"compute.instances.setTags","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:policy","escalation:lateral"],"notes":"Tags are used to control access.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.simulateMaintenanceEvent":{"id":"compute.instances.simulateMaintenanceEvent","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","destruction:network","impact:dos"],"notes":"Executes maintenance events, which can move instances between hosts, preempt jobs, or stop or restart instances. Inherits the risks of those actions.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/simulating-host-maintenance"],"seeAlso":[]},"compute.instances.start":{"id":"compute.instances.start","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:spend"],"notes":"Can induce spend with arbitrary instances.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.startWithEncryptionKey":{"id":"compute.instances.startWithEncryptionKey","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:spend"],"notes":"The specified disk encryption key must be already known.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.stop":{"id":"compute.instances.stop","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","impact:dos"],"notes":"Stopping instances with local SSD will delete the disk and result in data loss if the command is issued without the `discard-local-ssd=false`. Instances with persistent storage are not impacted.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances/stop","https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_performance"],"seeAlso":[]},"compute.instances.suspend":{"id":"compute.instances.suspend","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos"],"notes":"Ephemeral machine state is saved on suspend.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.update":{"id":"compute.instances.update","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","destruction:infra","destruction:network","impact:spend"],"notes":"Certain updates can reset the machine. Most sensitive update methods (e.g. adding disks) require `.use` permissions on any added resources. However, resources (e.g. disks, network interfaces, service accounts) can generally be removed without additional permissions. However, instance scheduling and shielded-instance config can be altered without additional permissions.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/update-instance-properties#updatable-properties","https://cloud.google.com/compute/docs/reference/rest/v1/instances/update"],"seeAlso":[]},"compute.instances.updateAccessConfig":{"id":"compute.instances.updateAccessConfig","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:network","escalation:privilege"],"notes":"Allows a public IP address to be assigned to or removed from the instance. Further access depends on the instance's firewall rules.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateDisplayDevice":{"id":"compute.instances.updateDisplayDevice","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":[],"notes":"No known risks.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateNetworkInterface":{"id":"compute.instances.updateNetworkInterface","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:network","escalation:lateral","escalation:privilege"],"notes":"Allows alteration of the instance's joined network (for example, the instance can be moved to a different VPC), external IP addresses, and DNS records. May allow access to infrastructure on new networks. Further access depends on this and other instance's firewall rules.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateSecurity":{"id":"compute.instances.updateSecurity","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":[],"notes":"No known usage of this privilege.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateShieldedInstanceConfig":{"id":"compute.instances.updateShieldedInstanceConfig","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:defense"],"notes":"Can be used to disable secure boot, remove the vTPM from the instance, or disable integrity monitoring. Requires the instance to be stopped.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateShieldedVmConfig":{"id":"compute.instances.updateShieldedVmConfig","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:defense"],"notes":"Can be used to disable secure boot, remove the vTPM from the instance, or disable integrity monitoring. Requires the instance to be stopped.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.use":{"id":"compute.instances.use","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:network"],"notes":"Can be used to connect the instance to other components, potentially allowing additional access. For example, adding the instance to an instance group can allow the instance's network to be accessible.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.useReadOnly":{"id":"compute.instances.useReadOnly","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:network"],"notes":"Can be used to connect the instance to other components, potentially allowing additional access. For example, adding the instance to an instance group can allow the instance's network to be accessible.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.interconnectLocations.get":{"id":"compute.interconnectLocations.get","name":"Compute Engine interconnect locations","scope":"PUBLIC","parent":{"notes":"Access to public data only.","description":"View and list interconnect colocation facilities."},"risks":[],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/how-to/dedicated/listing-locations"],"seeAlso":[]},"compute.interconnectLocations.list":{"id":"compute.interconnectLocations.list","name":"Compute Engine interconnect locations","scope":"PUBLIC","parent":{"notes":"Access to public data only.","description":"View and list interconnect colocation facilities."},"risks":[],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/how-to/dedicated/listing-locations"],"seeAlso":[]},"compute.interconnectRemoteLocations.get":{"id":"compute.interconnectRemoteLocations.get","name":"Compute Engine interconnect locations","scope":"PUBLIC","parent":{"notes":null,"description":"No known use. The privilege set implies public use analogous to interconnectLocations."},"risks":[],"notes":null,"links":[],"seeAlso":[]},"compute.interconnectRemoteLocations.list":{"id":"compute.interconnectRemoteLocations.list","name":"Compute Engine interconnect locations","scope":"PUBLIC","parent":{"notes":null,"description":"No known use. The privilege set implies public use analogous to interconnectLocations."},"risks":[],"notes":null,"links":[],"seeAlso":[]},"compute.interconnects.create":{"id":"compute.interconnects.create","name":"Compute Engine interconnects","scope":"MEDIUM","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.delete":{"id":"compute.interconnects.delete","name":"Compute Engine interconnects","scope":"MEDIUM","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["destruction:infra"],"notes":"Interconnects can only be deleted when no attachments use them.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.get":{"id":"compute.interconnects.get","name":"Compute Engine interconnects","scope":"MEDIUM","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["discovery:network"],"notes":"Exposes interconnect IP and MAC address.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.list":{"id":"compute.interconnects.list","name":"Compute Engine interconnects","scope":"MEDIUM","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["discovery:network"],"notes":"Per get.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.setLabels":{"id":"compute.interconnects.setLabels","name":"Compute Engine interconnects","scope":"LOW","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.update":{"id":"compute.interconnects.update","name":"Compute Engine interconnects","scope":"HIGH","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["impact:dos","escalation:network"],"notes":"Can be used to enable, disable, or resize attached interconnects. Requires the interconnect to be attached.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.use":{"id":"compute.interconnects.use","name":"Compute Engine interconnects","scope":"HIGH","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["escalation:network"],"notes":"When combined with the ability to attach the interconnect, allows network escalation. When further combined with the ability to create an interconnect, may allow for arbitrary connection of the compute VPC to any network.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.create":{"id":"compute.interconnectsAttachments.create","name":"Compute Engine interconnect attachments","scope":"MEDIUM","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects require access to a valid target on-premise facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. The full set of privileges necessary to connect to a VLAN are: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["escalation:network","impact:spend"],"notes":"Additionally requires the privileges described in this component's notes.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.delete":{"id":"compute.interconnectsAttachments.delete","name":"Compute Engine interconnect attachments","scope":"HIGH","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects require access to a valid target on-premise facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. The full set of privileges necessary to connect to a VLAN are: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.get":{"id":"compute.interconnectsAttachments.get","name":"Compute Engine interconnect attachments","scope":"HIGH","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects require access to a valid target on-premise facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. The full set of privileges necessary to connect to a VLAN are: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["discovery:network"],"notes":"Exposes router IP addresses and VLAN tags.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.list":{"id":"compute.interconnectsAttachments.list","name":"Compute Engine interconnect attachments","scope":"HIGH","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects require access to a valid target on-premise facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. The full set of privileges necessary to connect to a VLAN are: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["discovery:network"],"notes":"Per get.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.setLabels":{"id":"compute.interconnectsAttachments.setLabels","name":"Compute Engine interconnect attachments","scope":"LOW","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects require access to a valid target on-premise facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. The full set of privileges necessary to connect to a VLAN are: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.update":{"id":"compute.interconnectsAttachments.update","name":"Compute Engine interconnect attachments","scope":"HIGH","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects require access to a valid target on-premise facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. The full set of privileges necessary to connect to a VLAN are: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["impact:dos","escalation:network"],"notes":"Can be used to resize or reroute the interconnect.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.use":{"id":"compute.interconnectsAttachments.use","name":"Compute Engine interconnect attachments","scope":"MEDIUM","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects require access to a valid target on-premise facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. The full set of privileges necessary to connect to a VLAN are: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["escalation:network"],"notes":"May allow an attachment to be used by an already compromised cloud router.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.networkEndpointGroups.attachNetworkEndpoints":{"id":"compute.networkEndpointGroups.attachNetworkEndpoints","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:lateral"],"notes":"With a NEG on an already accessible network, can be used to connect to sensitive backend services. Can be combined with `create` to broaden attack surface.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.create":{"id":"compute.networkEndpointGroups.create","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:lateral"],"notes":"When combined with attachNetworkEndpoints, can be used to connect to sensitive backend services.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.delete":{"id":"compute.networkEndpointGroups.delete","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.detachNetworkEndpoints":{"id":"compute.networkEndpointGroups.detachNetworkEndpoints","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.get":{"id":"compute.networkEndpointGroups.get","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.getIamPolicy":{"id":"compute.networkEndpointGroups.getIamPolicy","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.list":{"id":"compute.networkEndpointGroups.list","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.setIamPolicy":{"id":"compute.networkEndpointGroups.setIamPolicy","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.use":{"id":"compute.networkEndpointGroups.use","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["impact:dos"],"notes":"In combination with the ability to alter health checks, allows creation of health checks based on NEGs. Could lead to DOS if health checks are sufficiently frequent, and the referenced endpoints sufficiently expensive.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups","https://cloud.google.com/compute/docs/reference/rest/v1/regionHealthCheckServices/insert"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networks.access":{"id":"compute.networks.access","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"The use of this permission within Google Cloud is unknown, although may be related to VPC access connectors (see the `vpcaccess` service).","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.addPeering":{"id":"compute.networks.addPeering","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["escalation:network"],"notes":"Connects two VPCs into one effective network. Allows access to one network when the other is already compromised.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.create":{"id":"compute.networks.create","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"Newly created networks must be connected to resources to be exploitable. A network generally incurs cost only when it serves traffic.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.delete":{"id":"compute.networks.delete","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.get":{"id":"compute.networks.get","name":"Compute Engine virtual-private-cloud networks","scope":"MEDIUM","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:network"],"notes":"Only allows discovery of peered VPC identifiers.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.getEffectiveFirewalls":{"id":"compute.networks.getEffectiveFirewalls","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.getRegionEffectiveFirewalls":{"id":"compute.networks.getRegionEffectiveFirewalls","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:policy"],"notes":"No documented use, but may reasonably be assumed to yield similar information as the `getEffectiveFirewalls` privilege.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.list":{"id":"compute.networks.list","name":"Compute Engine virtual-private-cloud networks","scope":"MEDIUM","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:network"],"notes":"See `get`.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.listPeeringRoutes":{"id":"compute.networks.listPeeringRoutes","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.mirror":{"id":"compute.networks.mirror","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["collection:data","impact:spend"],"notes":"Packet mirroring duplicates packets sent over the VPC and forwards them to another instance. If that instance is compromised, can allow direct read access on all network traffic. Since networks are billed by network traffic, can also significantly increase cloud spend. Exploitation requires additional compute.packetMirrorings permissions.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings"],"seeAlso":[]},"compute.networks.removePeering":{"id":"compute.networks.removePeering","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["destruction:network"],"notes":"Disconnects two VPCs from each other. Prevents communication between network resources split between the disconnected VPCs.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.setFirewallPolicy":{"id":"compute.networks.setFirewallPolicy","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["destruction:policy","escalation:network","impact:access","impact:dos"],"notes":"When used to allow additional access, can either allow access to compute network endpoints, or allow outbound exfiltration of data from otherwise compromised instances. When used to remove access, can prevent service operation or account access.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.switchToCustomMode":{"id":"compute.networks.switchToCustomMode","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"Custom mode VPCs are not automatically created with subnets.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.update":{"id":"compute.networks.update","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"Can be used to change firewall application order, modify BGP routing mode, or put the VPC in custom mode.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.updatePeering":{"id":"compute.networks.updatePeering","name":"Compute Engine virtual-private-cloud networks","scope":"MEDIUM","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["impact:access"],"notes":"Can be used to alter how routes are shared between VPCs, or prevent IPv6 traffic between VPCs.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.updatePolicy":{"id":"compute.networks.updatePolicy","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"No documented use.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.use":{"id":"compute.networks.use","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["escalation:network"],"notes":"Likely necessary to add an instance to a VPC. Can gain access to an instance from a compromised network or vice-versa.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.useExternalIp":{"id":"compute.networks.useExternalIp","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"No documented use (external IPs are generally attached directly to instances).","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.packetMirrorings.create":{"id":"compute.packetMirrorings.create","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["collection:data","impact:consumption","impact:spend"],"notes":"Consumes mirroring quota and incurs spend proportional to the amount of mirrored network data. When combined with a compromised instance (used as the packet collector), allows collection of network data.","links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"compute.packetMirrorings.delete":{"id":"compute.packetMirrorings.delete","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["destruction:defense"],"notes":"Primary packet-mirroring use cases include intrusion-detection systems (IDS) and deep-packet inspection (DPI) tools. Disabling packet-mirroring prevents these systems from functioning.","links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"compute.packetMirrorings.get":{"id":"compute.packetMirrorings.get","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"compute.packetMirrorings.list":{"id":"compute.packetMirrorings.list","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"compute.packetMirrorings.update":{"id":"compute.packetMirrorings.update","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["collection:data","destruction:defense","impact:consumption","impact:spend"],"notes":"Can be used to modify which network components are mirrored and how they are filtered, leading to either increased network collection or defeated security monitoring.","links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"container.apiServices.create":{"id":"container.apiServices.create","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["escalation:network"],"notes":"Together with the ability to deploy a new Kubernetes service in the cluster an attacker can configure an APIService to expose that new service with custom authentication settings which opens a backdoor to the cluster.","links":[],"seeAlso":[]},"container.apiServices.delete":{"id":"container.apiServices.delete","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["destruction:infra"],"notes":"Only API Services that expose custom CRDs can be deleted. API Services automanaged by Kubernetes, such as core v1, apps/v1, batch/v1, extensions/v1beta1 APIs cannot be deleted or modified.","links":[],"seeAlso":[]},"container.apiServices.get":{"id":"container.apiServices.get","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.apiServices.getStatus":{"id":"container.apiServices.getStatus","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.apiServices.list":{"id":"container.apiServices.list","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.apiServices.update":{"id":"container.apiServices.update","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["escalation:network"],"notes":null,"links":[],"seeAlso":[]},"container.apiServices.updateStatus":{"id":"container.apiServices.updateStatus","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":[],"notes":"While this permission is exposed, updating the status of a custom APIService is not allowed. Status is managed by Kubernetes.","links":[],"seeAlso":[]},"container.backendConfigs.create":{"id":"container.backendConfigs.create","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"MEDIUM","parent":{"notes":"Backend Config is a piece of reusable configuration for an Ingress object.  A BackendConfig does not take effect unless it is associated with an Ingress object.","description":"BackendConfig objects are reusable configurations for Kubernetes Service objects. BackendConfigs set the destination Service for incoming requests, thus they pertain to external-to-internal communications.  Other ingress parameters of a BackendConfig include service response timeout, Cloud CDN,  HTTP access logging, Session Affinity."},"risks":["destruction:network"],"notes":"An attacker may manipulate Ingress settings if they are also allowed to associate BackendConfig objects with Ingress objects using container.ingresses.update or container.ingresses.create permissions.","links":[],"seeAlso":[]},"container.backendConfigs.delete":{"id":"container.backendConfigs.delete","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Backend Config is a piece of reusable configuration for an Ingress object.  A BackendConfig does not take effect unless it is associated with an Ingress object.","description":"BackendConfig objects are reusable configurations for Kubernetes Service objects. BackendConfigs set the destination Service for incoming requests, thus they pertain to external-to-internal communications.  Other ingress parameters of a BackendConfig include service response timeout, Cloud CDN,  HTTP access logging, Session Affinity."},"risks":["destruction:network"],"notes":"BackendConfigs that are associated with a Service can be deleted without first removing the reference to them. Access to a Service can be disrupted by deleting a BackendConfig that is associated with a Service.","links":[],"seeAlso":[]},"container.backendConfigs.get":{"id":"container.backendConfigs.get","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"LOW","parent":{"notes":"Backend Config is a piece of reusable configuration for an Ingress object.  A BackendConfig does not take effect unless it is associated with an Ingress object.","description":"BackendConfig objects are reusable configurations for Kubernetes Service objects. BackendConfigs set the destination Service for incoming requests, thus they pertain to external-to-internal communications.  Other ingress parameters of a BackendConfig include service response timeout, Cloud CDN,  HTTP access logging, Session Affinity."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.backendConfigs.list":{"id":"container.backendConfigs.list","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"LOW","parent":{"notes":"Backend Config is a piece of reusable configuration for an Ingress object.  A BackendConfig does not take effect unless it is associated with an Ingress object.","description":"BackendConfig objects are reusable configurations for Kubernetes Service objects. BackendConfigs set the destination Service for incoming requests, thus they pertain to external-to-internal communications.  Other ingress parameters of a BackendConfig include service response timeout, Cloud CDN,  HTTP access logging, Session Affinity."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.backendConfigs.update":{"id":"container.backendConfigs.update","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Backend Config is a piece of reusable configuration for an Ingress object.  A BackendConfig does not take effect unless it is associated with an Ingress object.","description":"BackendConfig objects are reusable configurations for Kubernetes Service objects. BackendConfigs set the destination Service for incoming requests, thus they pertain to external-to-internal communications.  Other ingress parameters of a BackendConfig include service response timeout, Cloud CDN,  HTTP access logging, Session Affinity."},"risks":["destruction:defense","destruction:network"],"notes":"For BackendConfigs that are associated with Service, an update may remove a Cloud Armor Security Policy or route requests to a non-existent or malicious service.","links":[],"seeAlso":[]},"container.clusterRoleBindings.create":{"id":"container.clusterRoleBindings.create","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRoleBinding unless at least one of the following two conditions is met: 1) the caller has the permission it is granting 2) the caller has the `clusterRoles.bind` permission","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"container.clusterRoleBindings.delete":{"id":"container.clusterRoleBindings.delete","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["destruction:policy"],"notes":"Deleting a ClusterRoleBinding removes the permissions of the ClusterRole from a list of principals","links":[],"seeAlso":[]},"container.clusterRoleBindings.get":{"id":"container.clusterRoleBindings.get","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["discovery:policy"],"notes":"Retrieves the list of principals and the role in a specific ClusterRoleBinding","links":[],"seeAlso":[]},"container.clusterRoleBindings.list":{"id":"container.clusterRoleBindings.list","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["discovery:policy"],"notes":"List all ClusterRoleBindings within a namespace","links":[],"seeAlso":[]},"container.clusterRoleBindings.update":{"id":"container.clusterRoleBindings.update","name":"ClusterRoleBindings","scope":"MEDIUM","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRoleBinding unless one of the following two conditions are met: 1) the caller has the permission it is granting 2) the caller has the `clusterRoles.bind` permission","links":[],"seeAlso":[]},"container.clusterRoles.bind":{"id":"container.clusterRoles.bind","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by binding a ClusterRole to them.  Also requires the `clusterRoleBindings.create` or `clusterRoleBindings.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"container.clusterRoles.create":{"id":"container.clusterRoles.create","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":[],"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding. Kubernetes does not allow the creation or update of a ClusterRole unless one of the following two conditions are met: 1) the caller already has the permissions contained in the role 2) the caller has the `clusterRoles.escalate` permission","links":[],"seeAlso":[]},"container.clusterRoles.delete":{"id":"container.clusterRoles.delete","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["destruction:policy"],"notes":"ClusterRoles that are attached to principals via a ClusterRoleBinding can be deleted in Kubernetes.","links":[],"seeAlso":[]},"container.clusterRoles.escalate":{"id":"container.clusterRoles.escalate","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by creating a new ClusterRole or updating an existing ClusterRole. Also requires the `clusterRoles.create` or `clusterRoles.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update"],"seeAlso":[]},"container.clusterRoles.get":{"id":"container.clusterRoles.get","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["discovery:policy"],"notes":"Retrieves the permissions contained in a specific ClusterRole.","links":[],"seeAlso":[]},"container.clusterRoles.list":{"id":"container.clusterRoles.list","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["discovery:policy"],"notes":"List all ClusterRoles","links":[],"seeAlso":[]},"container.clusterRoles.update":{"id":"container.clusterRoles.update","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRole unless one of the following two conditions are met: 1) the caller already has the permissions contained in the role 2) the caller has the `clusterRoles.escalate` permission","links":[],"seeAlso":[]},"container.clusters.create":{"id":"container.clusters.create","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["impact:spend","impact:hijack"],"notes":"Allows creating a new Kubernetes cluster. Also requires access to a Compute Engine service account. By default, GKE uses the Compute Engine default service account, and cluster creation fails unless the user has the `iam.serviceAccounts.actAs` permission to the service account.","links":[],"seeAlso":[]},"container.clusters.createTagBinding":{"id":"container.clusters.createTagBinding","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["impact:access","escalation:privilege"],"notes":"Attach a tag to a cluster as a key-value pair. Tags can conditionally allow or deny policies.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/tags#overview"],"seeAlso":[]},"container.clusters.delete":{"id":"container.clusters.delete","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["destruction:data","destruction:infra","destruction:network"],"notes":"Deletes a cluster and related resources: control plane resources, nodes, pods, firewalls, routes, ephemeral volumes. It will also attempt to delete external and internal load balancers created by the cluster, as well as persistent disk volumes.","links":["https://cloud.google.com/sdk/gcloud/reference/container/clusters/delete"],"seeAlso":[]},"container.clusters.deleteTagBinding":{"id":"container.clusters.deleteTagBinding","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"Tags can conditionally allow or deny IAM policies. Privilege escalation is possible since removing tags may lead to additional IAM bindings matching the principal.","links":[],"seeAlso":[]},"container.clusters.get":{"id":"container.clusters.get","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:infra"],"notes":"Retrieves cluster information including public and private endpoint IP address, and cluster certificate. The information contained allows configuring Kubernetes API access to the cluster, similar to the `container.clusters.getCredentials` permission.","links":[],"seeAlso":[]},"container.clusters.getCredentials":{"id":"container.clusters.getCredentials","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:infra"],"notes":"Allows configuring Kubernetes API access to the cluster. To actually execute any API calls, other `container` permissions are also required.","links":[],"seeAlso":[]},"container.clusters.impersonate":{"id":"container.clusters.impersonate","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["escalation:lateral"],"notes":"This permission is used by the Kubernetes Engine Service Agent role (among others) to impersonate a Workload Identity. Thus, it is meant to be used by machine identities, workloads running on the Kubernetes cluster that need to access other Google Cloud services. Access to this permission leads to lateral movement by allowing human principals to  act as Kubernetes workloads.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity"],"seeAlso":[]},"container.clusters.list":{"id":"container.clusters.list","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:infra","discovery:network"],"notes":"Reveals the master IP, and additional limited metadata about clusters.","links":[],"seeAlso":[]},"container.clusters.listEffectiveTags":{"id":"container.clusters.listEffectiveTags","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:policy"],"notes":null,"links":[],"seeAlso":[]},"container.clusters.listTagBindings":{"id":"container.clusters.listTagBindings","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:policy"],"notes":null,"links":[],"seeAlso":[]},"container.clusters.update":{"id":"container.clusters.update","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represents workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["destruction:data","destruction:defense","destruction:infra","destruction:network","impact:spend"],"notes":"Allows modifying various parameters of the cluster that are critical for the healthy functioning and protection of the cluster. In addition, it allows resizing the cluster node pool, and upgrading the Kubernetes version.","links":["https://cloud.google.com/sdk/gcloud/reference/container/clusters/update","https://cloud.google.com/sdk/gcloud/reference/container/clusters/resize","https://cloud.google.com/sdk/gcloud/reference/container/clusters/upgrade"],"seeAlso":[]},"container.daemonSets.create":{"id":"container.daemonSets.create","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network"],"notes":"Creation of DaemonSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services.  Secondly, creating DaemonSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.daemonSets.delete":{"id":"container.daemonSets.delete","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a DaemonSets deletes its pods and ephemeral volumes. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"container.daemonSets.get":{"id":"container.daemonSets.get","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the DaemonSet, and Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"container.daemonSets.getStatus":{"id":"container.daemonSets.getStatus","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `daemonSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}` resource.","links":[],"seeAlso":[]},"container.daemonSets.list":{"id":"container.daemonSets.list","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all ReplicaSets in a namespace.","links":[],"seeAlso":[]},"container.daemonSets.update":{"id":"container.daemonSets.update","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","impact:hijack","impact:spend"],"notes":"An update may let an attacker change the container image that is running inside pods. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services. Since DaemonSet runs a pod on multiple nodes, DaemonSets are especially great for a complete cluster takeover. Secondly, DaemonSet pods drain the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.daemonSets.updateStatus":{"id":"container.daemonSets.updateStatus","name":"DaemonSets","scope":"LOW","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":[],"notes":"This subresource has no effect on the actual DaemonSets.","links":[],"seeAlso":[]},"container.deployments.create":{"id":"container.deployments.create","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Deployments tie up compute resources in Kubernetes that cannot be allocated to another Kubernetes workload while the deployment is present. Deployments run a user-specified container image, which may allow an attacker to escalate their privileges by running arbitrary code inside the Kubernetes workload. Secondly, creating Deployments drains the limited resources available to other Kubernetes workloads.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.delete":{"id":"container.deployments.delete","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Deployment deletes its pods and ephemeral volumes. Persistent Volumes attached to the Deployment are left intact. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.get":{"id":"container.deployments.get","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Deployment, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.getScale":{"id":"container.deployments.getScale","name":"Deployments","scope":"LOW","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale` subresource which returns the number of desired replicas in the Deployment. The `deployments.get` permission already includes the ability to read this subresource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/","https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"],"seeAlso":[]},"container.deployments.getStatus":{"id":"container.deployments.getStatus","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `deployments.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}` resource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.list":{"id":"container.deployments.list","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all Deployments in a namespace.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.rollback":{"id":"container.deployments.rollback","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra"],"notes":"Allows reverting to a previous version of the Deployment spec from the rollout history.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#checking-rollout-history-of-a-deployment"],"seeAlso":[]},"container.deployments.update":{"id":"container.deployments.update","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in Deployments drains the limited resources available to  other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.updateScale":{"id":"container.deployments.updateScale","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"Allows updating the replica count, including setting replicas to 0. If properties other than replicas are updated in the PATCH request, those are quietly ignored. Secondly, increasing the replica count in Deployments drains the limited resources available to  other Kubernetes workloads.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.updateStatus":{"id":"container.deployments.updateStatus","name":"Deployments","scope":"LOW","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":[],"notes":"Allows updating the status object of the Deployment with different \"replicas\", \"updatedReplicas\", \"readyReplicas\", and \"availableReplicas\" counts than the actual counts in the Deployment's current ReplicaSet. However, these values don't take effect, despite a successful API call.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.endpointSlices.create":{"id":"container.endpointSlices.create","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["escalation:network"],"notes":"Creating an endpoint may open up access to Pods from the public Internet.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpointSlices.delete":{"id":"container.endpointSlices.delete","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network"],"notes":"Deleting an endpoint may partially or completely disrupt public access to Kubernetes Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpointSlices.get":{"id":"container.endpointSlices.get","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about a specific endpoint: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpointSlices.list":{"id":"container.endpointSlices.list","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve  about all endpoints: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpointSlices.update":{"id":"container.endpointSlices.update","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network","escalation:network"],"notes":"An endpoint update allows remapping IP addresses and ports to different Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpoints.create":{"id":"container.endpoints.create","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["escalation:network"],"notes":"Creating an endpoint slice may open up access to Pods from the public Internet.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.endpoints.delete":{"id":"container.endpoints.delete","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network"],"notes":"Deleting an endpoint slice may partially or completely disrupt public access to Kubernetes Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.endpoints.get":{"id":"container.endpoints.get","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about a specific endpoint slice: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.endpoints.list":{"id":"container.endpoints.list","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve  about all endpoint slices: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.endpoints.update":{"id":"container.endpoints.update","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network","escalation:network"],"notes":"An endpoint update allows remapping IP addresses and ports to different Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.frontendConfigs.create":{"id":"container.frontendConfigs.create","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":["destruction:network"],"notes":"An attacker may manipulate Ingress settings if they are also allowed to associate BackendConfig objects with Ingress objects using container.ingresses.update or container.ingresses.create permissions.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.frontendConfigs.delete":{"id":"container.frontendConfigs.delete","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":["destruction:network"],"notes":"FrontendConfigs that are associated with an Ingress can be deleted without first removing the reference to them. Access to a Service can be disrupted by deleting a BackendConfig that is associated with an Ingress.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.frontendConfigs.get":{"id":"container.frontendConfigs.get","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":[],"notes":"Retrieve metadata about a specific FrontendConfig.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.frontendConfigs.list":{"id":"container.frontendConfigs.list","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":[],"notes":"Retrieve metadata about all FrontendConfigs.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.frontendConfigs.update":{"id":"container.frontendConfigs.update","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":["destruction:network"],"notes":"For FrontendConfigs that are associated with an Ingress, an update may remove SSL proxy or HTTPS redirect configuration.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.ingresses.create":{"id":"container.ingresses.create","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["escalation:network"],"notes":"Ingress configures public access to a Kubernetes backend service.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.delete":{"id":"container.ingresses.delete","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["destruction:network"],"notes":"Deleting an Ingress removes public access to potentially business-critical Kubernetes services.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.get":{"id":"container.ingresses.get","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["discovery:network"],"notes":"Retrieve metadata about Ingress configuration, such as references to FrontendConfig, BackendConfig, and routing rules.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.getStatus":{"id":"container.ingresses.getStatus","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["discovery:network"],"notes":"Retrieve metadata about Ingress configuration, such as references to FrontendConfig, BackendConfig, and routing rules. This endpoint returns the same data as `","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.list":{"id":"container.ingresses.list","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["discovery:network"],"notes":"Retrieve metadata about Ingress configuration, such as references to FrontendConfig, BackendConfig, and routing rules.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.update":{"id":"container.ingresses.update","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["destruction:network","escalation:network"],"notes":"Ingress updates may take down public internet connection to Kubernetes services, or establish new connections, potentially opening up services for further exploitation by an attacker.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.updateStatus":{"id":"container.ingresses.updateStatus","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":[],"notes":"While this permission is exposed, updating the status of an Ingress does not take effect. Status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.jobs.create":{"id":"container.jobs.create","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Jobs tie up compute resources in Kubernetes that cannot be allocated to another Kubernetes workload while the Job is present. Jobs run a user-specified container image, which may allow an attacker to escalate their privileges by running arbitrary code inside the Kubernetes workload with service account privileges. Persistent Volumes may be  attached to jobs, meaning data can be exposed to the Kubernetes workload.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.delete":{"id":"container.jobs.delete","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Job deletes its pods and ephemeral volumes. Persistent Volumes attached to the Job are left intact. Logs of the deleted pods disappear permanently when the job completes and the pods shut down, unless they are exported to an external system for persistence.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.get":{"id":"container.jobs.get","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Job, Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.getStatus":{"id":"container.jobs.getStatus","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `jobs.get`. Allows reading the `/apis/batch/v1/namespaces/{namespace}/deployments/{name}/status` subresource which returns the same payload as the `/apis/batch/v1/namespaces/{namespace}/deployments/{name}` resource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.list":{"id":"container.jobs.list","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all Jobs in a namespace.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.update":{"id":"container.jobs.update","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["destruction:infra","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may suspend the job which prevents the controller from creating Pods, effectively disabling the Job.  An update may also let an attacker change the container image that is running inside pods, potentially leading to a arbitrary code execution. Secondly, increasing the parallelism in Jobs or the amount of resources dedicated to Pods drains the  limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods,  which may provide access to sensitive data.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.updateStatus":{"id":"container.jobs.updateStatus","name":"Jobs","scope":"LOW","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":[],"notes":"Allows updating the status object of the Jobs with different \"active\", \"failed\", \"ready\", and \"succeeded\" counts. However, these values don't take effect, despite a successful API call. The status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.namespaces.create":{"id":"container.namespaces.create","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":[],"notes":"Namespace is a logical resource, and creating one does not carry risks by itself.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.delete":{"id":"container.namespaces.delete","name":"Namespaces","scope":"CRITICAL","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:data","destruction:infra","destruction:logs","destruction:network","destruction:policy"],"notes":"Deleting a namespace also deletes all other Kubernetes resources inside it.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.finalize":{"id":"container.namespaces.finalize","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:defense"],"notes":"Allows updating the list of finalizers. Finalizers check if a certain condition is met before deleting a  namespace. They may either implement garbage-collection, and are responsible for cleaning up all resources inside  a namespace when that namespace is deleted. Or, they may implement a protective measure and prevent the deletion of a namespace, for instance the `kubernetes.io/pvc-protection` finalizer prevents accidental deletion of data. As such, the edit and removal of finalizers may remove protection measures.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/"],"seeAlso":[]},"container.namespaces.get":{"id":"container.namespaces.get","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Retrieve metadata about a namespace.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.getStatus":{"id":"container.namespaces.getStatus","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Allows see the same namespace metadata as `namespaces.get`.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.list":{"id":"container.namespaces.list","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Allows listing namespaces.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.update":{"id":"container.namespaces.update","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:defense"],"notes":"Allows editing the finalizers array. See `namespaces.finalize` permission.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.updateStatus":{"id":"container.namespaces.updateStatus","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":[],"notes":"Status is managed by the Kubernetes control plane, updating it does not take effect.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.nodes.create":{"id":"container.nodes.create","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":[],"notes":"There are two ways to create a node: self-registration from the kubelet running on the node using a kubeconfig file or by manually registering the node via the Kubernetes API. The `node.create`  permission allows the latter. Creating a node object manually only creates an internal node representation. The control plane then ensures that a node object described is valid: is available and healthy. Only then does it become eligible to run a Pod. This permission alone is not enough to add a new Node to a cluster.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/concepts/architecture/nodes/#management","https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"],"seeAlso":[]},"container.nodes.delete":{"id":"container.nodes.delete","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":"Deleting a node immediately destroys all workloads running on it. This is an unsafe action and is likely to disrupt normal operations. Instead, a node can be cordoned to prevent new pods from being scheduled on it. Cordoning requires the `nodes.update` permission. To safely move workloads to other nodes, the node must be drained. The `kubectl drain` command uses listing commands (list pods, replicasets, daemonsets, etc.), and the `pods.evict` permission.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/concepts/architecture/nodes/#manual-node-administration","https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/"],"seeAlso":[]},"container.nodes.get":{"id":"container.nodes.get","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"The response payload contains container image IDs stored on the nodes, as well as IP addresses, Pod CIDR ranges, health check statuses, and other metadata.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"container.nodes.getStatus":{"id":"container.nodes.getStatus","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"Allows access to the same information as `nodes.get`.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"container.nodes.list":{"id":"container.nodes.list","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"List all nodes.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"container.nodes.proxy":{"id":"container.nodes.proxy","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["escalation:privilege","escalation:lateral"],"notes":"This permission allows calling the `api/v1/nodes/{node}/proxy/{path?}` endpoint with any HTTP method, which executes the request directly against the kubelet API on the kubelet running on the node, without further authorization checks. It is theoretically possible to call other endpoints of the kubelet API, such as `/exec` `/portForward`, that allow reading the node service account token to act as the service account, or executing code on the node.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://www.deepnetwork.com/blog/2020/01/13/kubelet-api.html","https://blog.aquasec.com/privilege-escalation-kubernetes-rbac"],"seeAlso":[]},"container.nodes.update":{"id":"container.nodes.update","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["impact:manipulation","destruction:metadata"],"notes":"The things that you can typically update are the metadata labels and annotations, and fields in the `spec` section of the node manifest: taints, which prevent certain pods to be scheduled on the node, and the  `unschedulable` property, which effectively cordons the node.  With enough nodes cordoned or tainted the  cluster may become \"paralyzed\" because workloads cannot be scheduled efficiently or not at all.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#nodespec-v1-core"],"seeAlso":[]},"container.nodes.updateStatus":{"id":"container.nodes.updateStatus","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":[],"notes":"Allows updating only the status component of a node. Does not have any real effect since status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"container.pods.attach":{"id":"container.pods.attach","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["destruction:infra","impact:access"],"notes":"Allows attaching to a process that is already running inside an existing container. An attacker accesses the stdout output, and is able to send stdin input to the running process, for instance ctrl+c to stop the process.","links":[],"seeAlso":[]},"container.pods.create":{"id":"container.pods.create","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"It is possible to create standalone pods not managed by a Deployment or other controller in Kubernetes. This action bears the risk of pulling in an arbitrary image (if the cluster is open to the internet) to hijack resources, or to move laterally by assuming the privileges of the pod's or node's service account. It also drains the cluster's limited resource pool.","links":[],"seeAlso":[]},"container.pods.delete":{"id":"container.pods.delete","name":"Pods","scope":"MEDIUM","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a pod deletes its pods and ephemeral volumes. PersistentVolumes attached to the pod are left intact. Logs of the deleted pod disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"container.pods.evict":{"id":"container.pods.evict","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["impact:consumption"],"notes":"Eviction moves the pod to another node. An attacker may disrupt normal operations with many evictions, draining cluster resources.","links":[],"seeAlso":[]},"container.pods.exec":{"id":"container.pods.exec","name":"Pods","scope":"CRITICAL","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:privilege","escalation:lateral"],"notes":"The exec operation is similar to the `attach` operation, but instead of attaching to an existing process inside the container, it allows launching a new process from a command and attaching to it. Most often this command is opening the shell, dropping an attacker in a terminal inside the container. The risks arising are container and  application-specific. However, process run inside the container are authenticated as the service account, leading to privilege escalation, and potentially lateral movement into other cloud services.","links":[],"seeAlso":[]},"container.pods.get":{"id":"container.pods.get","name":"Pods","scope":"MEDIUM","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Deployment, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"container.pods.getLogs":{"id":"container.pods.getLogs","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"Logs of the application running on any of the pod's containers can be read with the `getLogs` permission.","links":[],"seeAlso":[]},"container.pods.getStatus":{"id":"container.pods.getStatus","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"Allows reading the same Pod metadata as `pods.get`.","links":[],"seeAlso":[]},"container.pods.initialize":{"id":"container.pods.initialize","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"Documentation is lacking on this permission. It may be related to init-containers, or the initialization process of a Pod.","links":[],"seeAlso":[]},"container.pods.list":{"id":"container.pods.list","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"List metadata about all pods.","links":[],"seeAlso":[]},"container.pods.portForward":{"id":"container.pods.portForward","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:network","impact:access"],"notes":"Forwards a local port to a port on the Pod. This allows interaction with the application, if the application listens on any ports. An attacker may exploit application risks with the ability to port-forward.","links":[],"seeAlso":[]},"container.pods.proxy":{"id":"container.pods.proxy","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:network","impact:access"],"notes":"The proxy action forwards the HTTP request to a specific port and request path inside the container. If a process is listening on that port and path, this is similar in effect to port forwarding, and may allow an attacker to exploit application-level risks.","links":[],"seeAlso":[]},"container.pods.update":{"id":"container.pods.update","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"An update is limited to a few fields in the Pod spec: may not change fields other than  spec.containers[*].image, spec.initContainers[*].image, spec.activeDeadlineSeconds, spec.tolerations (only additions to existing tolerations) or `spec.terminationGracePeriodSeconds` (allow it to be set to 1 if it was previously negative).  In practice even the image update is not possible since pods are typically run via a controller. In those cases an update to the `image` field has no effect.","links":["https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#pod-v1-core"],"seeAlso":[]},"container.pods.updateStatus":{"id":"container.pods.updateStatus","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"Has no effect on the actual status, as it is managed by Kubernetes.","links":[],"seeAlso":[]},"container.replicaSets.create":{"id":"container.replicaSets.create","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Creation of standalone ReplicaSet allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. Secondly, creating ReplicaSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.replicaSets.delete":{"id":"container.replicaSets.delete","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a ReplicaSet deletes its pods and ephemeral volumes. PersistentVolumes attached to the ReplicaSet are left intact. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"container.replicaSets.get":{"id":"container.replicaSets.get","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the ReplicaSet, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"container.replicaSets.getScale":{"id":"container.replicaSets.getScale","name":"ReplicaSets","scope":"LOW","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale` subresource which returns the number of desired replicas in the ReplicaSet. The `replicaSets.get` permission already includes the ability to read this subresource.","links":[],"seeAlso":[]},"container.replicaSets.getStatus":{"id":"container.replicaSets.getStatus","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `replicaSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}` resource.","links":[],"seeAlso":[]},"container.replicaSets.list":{"id":"container.replicaSets.list","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all ReplicaSets in a namespace.","links":[],"seeAlso":[]},"container.replicaSets.update":{"id":"container.replicaSets.update","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in ReplicaSets drains the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"container.replicaSets.updateScale":{"id":"container.replicaSets.updateScale","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. Allows updating the replica count, including setting replicas to 0. If properties other than replicas are updated in the PATCH request, those are quietly ignored. Secondly, increasing the replica count in ReplicaSets drains the limited resources available to  other Kubernetes workloads.","links":[],"seeAlso":[]},"container.replicaSets.updateStatus":{"id":"container.replicaSets.updateStatus","name":"ReplicaSets","scope":"LOW","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":[],"notes":"Allows updating the status object of the ReplicaSet with different \"replicas\", \"updatedReplicas\", \"readyReplicas\", and \"availableReplicas\" counts than the actual counts in the Replicasets's current ReplicaSet. However, these values don't take effect, despite a successful API call.","links":[],"seeAlso":[]},"container.roleBindings.create":{"id":"container.roleBindings.create","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a RoleBinding unless at least one of the following two conditions is met: 1) the caller has the permission it is granting 2) the caller has the `roles.bind` permission","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"container.roleBindings.delete":{"id":"container.roleBindings.delete","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["destruction:policy"],"notes":"Deleting a RoleBinding removes the permissions of the Role from a list of principals","links":[],"seeAlso":[]},"container.roleBindings.get":{"id":"container.roleBindings.get","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"Retrieves the list of principals and the role in a specific RoleBinding","links":[],"seeAlso":[]},"container.roleBindings.list":{"id":"container.roleBindings.list","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"List all RoleBindings within a namespace","links":[],"seeAlso":[]},"container.roleBindings.update":{"id":"container.roleBindings.update","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a RoleBinding unless one of the following two conditions are met: 1) the caller has the permission it is granting 2) the caller has the `roles.bind` permission","links":[],"seeAlso":[]},"container.roles.bind":{"id":"container.roles.bind","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by binding a Role to them.  Also requires the `roleBindings.create` or `roleBindings.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"container.roles.create":{"id":"container.roles.create","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding. Kubernetes does not allow the creation or update of a Role unless one of the following two conditions are met: 1) the caller already has the permissions contained in the role 2) the caller has the `roles.escalate` permission","links":[],"seeAlso":[]},"container.roles.delete":{"id":"container.roles.delete","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["destruction:policy"],"notes":"Roles that are attached to principals via a RoleBinding can be deleted in Kubernetes.","links":[],"seeAlso":[]},"container.roles.escalate":{"id":"container.roles.escalate","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by creating a new Role or updating an existing Role. Also requires the `roles.create` or `roles.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update"],"seeAlso":[]},"container.roles.get":{"id":"container.roles.get","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"Retrieves the permissions contained in a specific role.","links":[],"seeAlso":[]},"container.roles.list":{"id":"container.roles.list","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"List all roles within a namespace","links":[],"seeAlso":[]},"container.roles.update":{"id":"container.roles.update","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a Role unless one of the following two conditions are met: 1) the caller already has the permissions contained in the role 2) the caller has the `roles.escalate` permission","links":[],"seeAlso":[]},"container.secrets.create":{"id":"container.secrets.create","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":[],"notes":"Creating a secret does not represent a security risk by itself.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.secrets.delete":{"id":"container.secrets.delete","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["destruction:infra"],"notes":"Deleting a secret may disrupt communication of workloads with the Kubernetes API server, or other services.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.secrets.get":{"id":"container.secrets.get","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["discovery:data","discovery:infra","exfiltration:crypto","exfiltration:data"],"notes":"By default, secrets are stored unencrypted in Kubernetes, and anyone who can read the secret has access to its contents.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.secrets.list":{"id":"container.secrets.list","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["discovery:data","discovery:infra","exfiltration:crypto","exfiltration:data"],"notes":"List all secrets in a specific namespace. Listing also allows reading the data field of each secret.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.secrets.update":{"id":"container.secrets.update","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["destruction:infra"],"notes":"Allows updating the contents of the secret (the `data` field) unless `immutable` property was set to true.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.serviceAccounts.create":{"id":"container.serviceAccounts.create","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":[],"notes":"Creating a service account by itself does not represent a security risk. Service accounts need to be granted permissions via Roles.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.serviceAccounts.createToken":{"id":"container.serviceAccounts.createToken","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["escalation:lateral"],"notes":"Allows sending a TokenRequest to the API server. This request issues a new token and binds the token to a service account. The token is also returned to the caller, allowing it to act as  the service account bound to that token.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#tokenrequestspec-v1-authentication-k8s-io","https://securitylabs.datadoghq.com/articles/kubernetes-tokenrequest-api/"],"seeAlso":[]},"container.serviceAccounts.delete":{"id":"container.serviceAccounts.delete","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["destruction:infra"],"notes":"Deleting a service account may disrupt communication of workloads with the Kubernetes API server.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.serviceAccounts.get":{"id":"container.serviceAccounts.get","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["discovery:infra"],"notes":"Read which secrets are associated with a specific service account. The secret contents cannot be read with this permission.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.serviceAccounts.list":{"id":"container.serviceAccounts.list","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["discovery:infra"],"notes":"Read all service accounts in a namespace.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.serviceAccounts.update":{"id":"container.serviceAccounts.update","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["destruction:infra"],"notes":"An update may remove or add more secrets. In particular, a removal may remove the imagePullSecret of service account or the Kubernetes API secret.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.services.create":{"id":"container.services.create","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["escalation:network"],"notes":"Services open up communication to your pods from other Kubernetes workloads. Depending on other settings in the Kubernetes cluster and the presence of ingress controllers, it may allow public exposure as well.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.delete":{"id":"container.services.delete","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["destruction:network"],"notes":"Deleting a service may disrupt communication to Pods, taking down an application completely.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.get":{"id":"container.services.get","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"Retrieve status information such as Pod selector, IP (virtual), port. Additionally, load-balancer information is returned, if any: public IP, port, host name.","links":["https://kubernetes.io/docs/concepts/services-networking/service","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#loadbalancerstatus-v1-core"],"seeAlso":[]},"container.services.getStatus":{"id":"container.services.getStatus","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"While this is a different permission from `services.get`, calling the `GET api/v1/namespaces/default/services/{{service-name}}/status` endpoint retrieves the same information as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.list":{"id":"container.services.list","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"List all services and their description to the same detail as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.proxy":{"id":"container.services.proxy","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["escalation:lateral","escalation:network","exfiltration:data","impact:manipulation"],"notes":"Allows an attacker to interact with your application as if they were inside the Kubernetes cluster. Creates a proxy server or between localhost and a specified service running on Kubernetes. This service can be a kube-system service started by Kubernetes and retrieved by the `kubectl cluster-info` command or a user-defined Service object. The resulting proxy allows sending payloads to the targeted Service which otherwise would be unreachable. This is different from the `kubectl proxy` command which creates a proxy for  the Kubernetes API server - this endpoint acts like a bastion and exposes the user-defined application endpoints  of a Service.","links":["https://kubernetes.io/docs/concepts/services-networking/service","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#create-connect-proxy-service-v1-core","https://kubernetes.io/docs/concepts/cluster-administration/proxies/"],"seeAlso":[]},"container.services.update":{"id":"container.services.update","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["destruction:network","escalation:network"],"notes":"Modifying a Service may render Pods unreachable to other Kubernetes workloads or establish new connections to Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.updateStatus":{"id":"container.services.updateStatus","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"Updating the status metadata has no effect on the actual status of the Service. Services are managed by controllers. However, the response returns the entire Service object, with the same information as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint, allowing discovery of Service parameters.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.statefulSets.create":{"id":"container.statefulSets.create","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Creation of StatefulSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. Secondly, creating StatefulSets drains the limited  resources available to other Kubernetes workloads. Persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"container.statefulSets.delete":{"id":"container.statefulSets.delete","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a DaemonSets deletes its pods and ephemeral volumes. Persistent Volumes are retained. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"container.statefulSets.get":{"id":"container.statefulSets.get","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the StatefulSet, and Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"container.statefulSets.getScale":{"id":"container.statefulSets.getScale","name":"StatefulSets","scope":"LOW","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/scale` subresource which returns the number of desired replicas in the StatefulSet. The `statefulSets.get` permission already includes the ability to read this subresource.","links":[],"seeAlso":[]},"container.statefulSets.getStatus":{"id":"container.statefulSets.getStatus","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `statefulSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}` resource.","links":[],"seeAlso":[]},"container.statefulSets.list":{"id":"container.statefulSets.list","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all StatefulSets in a namespace.","links":[],"seeAlso":[]},"container.statefulSets.update":{"id":"container.statefulSets.update","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in StatefulSets may cause disruption to stateful services, depending on the behavior of the stateful service in a scaling event. Scaling may drain the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"container.statefulSets.updateScale":{"id":"container.statefulSets.updateScale","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"If properties other than replicas are updated in the PATCH request, those are quietly ignored.  Secondly, increasing the replica count in StatefulSets may disrupt stateful service and/or drain the limited resources  available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.statefulSets.updateStatus":{"id":"container.statefulSets.updateStatus","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":[],"notes":"This subresource has no effect on the actual StatefulSets.","links":[],"seeAlso":[]},"dataproc.clusters.create":{"id":"dataproc.clusters.create","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["impact:spend"],"notes":"Creating a Dataproc cluster provides access to the cluster's short-lived service account token. `serviceAccount.actAs` permission is necessary to create a cluster with this account.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters","https://www.youtube.com/watch?v=kyqeBGNSEIc","https://www.blackhat.com/us-20/briefings/schedule/#lateral-movement-and-privilege-escalation-in-gcp-compromise-any-organization-without-dropping-an-implant-19435"],"seeAlso":[]},"dataproc.clusters.delete":{"id":"dataproc.clusters.delete","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.get":{"id":"dataproc.clusters.get","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":[],"notes":"Allows retrieval of the cluster's configuration and status only.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.getIamPolicy":{"id":"dataproc.clusters.getIamPolicy","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.list":{"id":"dataproc.clusters.list","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["discovery:infra"],"notes":"See `get`.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.setIamPolicy":{"id":"dataproc.clusters.setIamPolicy","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["destruction:policy","escalation:privilege","impact:access"],"notes":null,"links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.start":{"id":"dataproc.clusters.start","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.stop":{"id":"dataproc.clusters.stop","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":[],"notes":"Job state will be lost, but in general jobs will be idempotent.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.update":{"id":"dataproc.clusters.update","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["impact:spend"],"notes":"Allows the caller to update the number of instances the job uses.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.use":{"id":"dataproc.clusters.use","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["impact:spend"],"notes":"Allows the caller to submit a job to the cluster. Jobs may gain access to the cluster's short-lived service-account credentials.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters","https://www.youtube.com/watch?v=kyqeBGNSEIc","https://www.blackhat.com/us-20/briefings/schedule/#lateral-movement-and-privilege-escalation-in-gcp-compromise-any-organization-without-dropping-an-implant-19435"],"seeAlso":[]},"datastore.entities.allocateIds":{"id":"datastore.entities.allocateIds","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":[],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.create":{"id":"datastore.entities.create","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":["impact:consumption","impact:spend"],"notes":"Creating an entity also uses storage quota, which is billed per gigabyte per month along with write to the datastore.","links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.delete":{"id":"datastore.entities.delete","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":["destruction:data","impact:spend"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.get":{"id":"datastore.entities.get","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":["discovery:data","collection:data","exfiltration:data","impact:spend"],"notes":"Getting an entity also uses read quota from the datastore.","links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.list":{"id":"datastore.entities.list","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":["discovery:data","impact:spend"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.update":{"id":"datastore.entities.update","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":["destruction:data","impact:spend"],"notes":"Entity fields can be deleted by updating the document without fields. this will delete all fields in the entity.","links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.indexes.list":{"id":"datastore.indexes.list","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["discovery:infra","discovery:data"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.indexes.create":{"id":"datastore.indexes.create","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["impact:consumption","impact:spend"],"notes":"An attacker can create too many indexes and hit the index limits.","links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.indexes.delete":{"id":"datastore.indexes.delete","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["impact:dos","destruction:infra"],"notes":"An attacker can delete indexes and cause queries to execute slowly or to fail.","links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.indexes.get":{"id":"datastore.indexes.get","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.indexes.update":{"id":"datastore.indexes.update","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["impact:dos","impact:spend"],"notes":"An attacker can update indexes, which can consume time, or cause queries to execute slowly or to fail. Indexes also incur spend.","links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.namespaces.get":{"id":"datastore.namespaces.get","name":"namespaces","scope":"LOW","parent":{"notes":"Information of namespaces has minimal impact without access to the data in the namespace,  although in a misconfigured system using client names as namespaces leads to client enumeration.","description":"Datastore mode enables multi-tenancy using namespaces. Namespaces are only for organizing data and are not security boundaries."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/multitenancy"],"seeAlso":[]},"datastore.namespaces.list":{"id":"datastore.namespaces.list","name":"namespaces","scope":"LOW","parent":{"notes":"Information of namespaces has minimal impact without access to the data in the namespace,  although in a misconfigured system using client names as namespaces leads to client enumeration.","description":"Datastore mode enables multi-tenancy using namespaces. Namespaces are only for organizing data and are not security boundaries."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/multitenancy"],"seeAlso":[]},"datastore.operations.cancel":{"id":"datastore.operations.cancel","name":"Operations","scope":"MEDIUM","parent":{"notes":"Long running operations incur costs and infrastructure, having cancel privileges results in spend.","description":"Manages Cloud Datastore admin operations that include importing and exporting large amounts of data, running complex queries analyze data and generate reports."},"risks":["impact:spend"],"notes":"Cancel a currently-running Cloud Datastore admin operation. Cancelling a long running operation might result in the operation being re-run thereby incurring spend.","links":["https://cloud.google.com/datastore/docs/export-import-entities#listing_all_long-running_operations","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.operations"],"seeAlso":[]},"datastore.operations.delete":{"id":"datastore.operations.delete","name":"Operations","scope":"MEDIUM","parent":{"notes":"Long running operations incur costs and infrastructure, having cancel privileges results in spend.","description":"Manages Cloud Datastore admin operations that include importing and exporting large amounts of data, running complex queries analyze data and generate reports."},"risks":["destruction:logs"],"notes":"Deletes a completed Cloud Datastore admin operation. This results in loss of history of operations that are performed in the system.","links":["https://cloud.google.com/datastore/docs/export-import-entities#listing_all_long-running_operations","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.operations"],"seeAlso":[]},"datastore.operations.get":{"id":"datastore.operations.get","name":"Operations","scope":"MEDIUM","parent":{"notes":"Long running operations incur costs and infrastructure, having cancel privileges results in spend.","description":"Manages Cloud Datastore admin operations that include importing and exporting large amounts of data, running complex queries analyze data and generate reports."},"risks":["discovery:metadata"],"notes":"Gets the latest state of a long-running operation.","links":["https://cloud.google.com/datastore/docs/export-import-entities#listing_all_long-running_operations","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.operations"],"seeAlso":[]},"datastore.operations.list":{"id":"datastore.operations.list","name":"Operations","scope":"MEDIUM","parent":{"notes":"Long running operations incur costs and infrastructure, having cancel privileges results in spend.","description":"Manages Cloud Datastore admin operations that include importing and exporting large amounts of data, running complex queries analyze data and generate reports."},"risks":[],"notes":"\tLists operations that match the specified filter in the request.","links":["https://cloud.google.com/datastore/docs/export-import-entities#listing_all_long-running_operations","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.operations"],"seeAlso":[]},"datastore.statistics.get":{"id":"datastore.statistics.get","name":"Statistics","scope":"LOW","parent":{"notes":null,"description":"Firestore in Datastore mode maintains statistics about the data stored in an application.  An attacker could use the statistics to gain information about the application's data,  such as the number of entities in each kind, the total size of the data, and  the most recent time the data was updated."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/stats","https://cloud.google.com/datastore/docs/console/datastore-statistics"],"seeAlso":[]},"datastore.statistics.list":{"id":"datastore.statistics.list","name":"Statistics","scope":"LOW","parent":{"notes":null,"description":"Firestore in Datastore mode maintains statistics about the data stored in an application.  An attacker could use the statistics to gain information about the application's data,  such as the number of entities in each kind, the total size of the data, and  the most recent time the data was updated."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/stats","https://cloud.google.com/datastore/docs/console/datastore-statistics"],"seeAlso":[]},"dns.changes.create":{"id":"dns.changes.create","name":"Cloud DNS Changes","scope":"LOW","parent":{"notes":null,"description":"A Cloud DNS Change contains a set of additions and deletions atomically applied to a record managed by Cloud DNS."},"risks":[],"notes":"In order to actually update or delete DNS records, you need permissions on the appropriate ResourceRecordSet, so changes.create on its own has no risks.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/changes#resource","https://cloud.google.com/dns/docs/records"],"seeAlso":[]},"dns.changes.get":{"id":"dns.changes.get","name":"Cloud DNS Changes","scope":"LOW","parent":{"notes":null,"description":"A Cloud DNS Change contains a set of additions and deletions atomically applied to a record managed by Cloud DNS."},"risks":["discovery:network"],"notes":"Allows viewing DNS record changelogs. This includes private DNS records.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/changes#resource","https://cloud.google.com/dns/docs/records"],"seeAlso":[]},"dns.changes.list":{"id":"dns.changes.list","name":"Cloud DNS Changes","scope":"LOW","parent":{"notes":null,"description":"A Cloud DNS Change contains a set of additions and deletions atomically applied to a record managed by Cloud DNS."},"risks":["discovery:network"],"notes":"Allows viewing DNS record changelogs. This includes private DNS records.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/changes#resource","https://cloud.google.com/dns/docs/records"],"seeAlso":[]},"dns.dnsKeys.get":{"id":"dns.dnsKeys.get","name":"DNS Keys","scope":"PUBLIC","parent":{"notes":"Private keys are automatically managed by Google. Only public keys and metadata are viewable.","description":"Automatically managed DNS keys for Cloud DNS records."},"risks":[],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/dnskeys","https://cloud.google.com/dns/docs/reference/v1/dnsKeys"],"seeAlso":[]},"dns.dnsKeys.list":{"id":"dns.dnsKeys.list","name":"DNS Keys","scope":"PUBLIC","parent":{"notes":"Private keys are automatically managed by Google. Only public keys and metadata are viewable.","description":"Automatically managed DNS keys for Cloud DNS records."},"risks":[],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/dnskeys","https://cloud.google.com/dns/docs/reference/v1/dnsKeys"],"seeAlso":[]},"dns.gkeClusters.bindDNSResponsePolicy":{"id":"dns.gkeClusters.bindDNSResponsePolicy","name":"Cloud DNS GKE Clusters","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind a private DNS zone or a DNS response policy with a GKE cluster."},"risks":["impact:dos","takeover:domain"],"notes":"If the cluster is in a private DNS zone, an attacker can change DNS  resolution behavior by binding a response policy. This can create a DOS. If the attacker additionally has permissions to create or update response policy rules, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/configure-scopes"],"seeAlso":[]},"dns.gkeClusters.bindPrivateDNSZone":{"id":"dns.gkeClusters.bindPrivateDNSZone","name":"Cloud DNS GKE Clusters","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind a private DNS zone or a DNS response policy with a GKE cluster."},"risks":["impact:dos"],"notes":"If Cloud DNS is enabled on the cluster already,  binding a new private DNS zone can change DNS resolution behavior, potentially creating a DOS. If the attacker additionally has permissions to create or update records in any zone, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/configure-scopes"],"seeAlso":[]},"dns.managedZoneOperations.get":{"id":"dns.managedZoneOperations.get","name":"Cloud DNS Managed Zone Operations","scope":"LOW","parent":{"notes":null,"description":"An operation represents a successful mutation performed on a Cloud DNS resource."},"risks":["discovery:network"],"notes":"May expose information about private Cloud DNS zones.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZoneOperations"],"seeAlso":[]},"dns.managedZoneOperations.list":{"id":"dns.managedZoneOperations.list","name":"Cloud DNS Managed Zone Operations","scope":"LOW","parent":{"notes":null,"description":"An operation represents a successful mutation performed on a Cloud DNS resource."},"risks":["discovery:network"],"notes":"May expose information about private Cloud DNS zones.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZoneOperations"],"seeAlso":[]},"dns.managedZones.create":{"id":"dns.managedZones.create","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.delete":{"id":"dns.managedZones.delete","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["impact:dos","destruction:network","takeover:domain"],"notes":"Deleting the managed zone without deleting the records inside it leave those domains  open for takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource","https://xebia.com/blog/how-to-take-over-a-subdomain-in-google-cloud-dns/"],"seeAlso":[]},"dns.managedZones.get":{"id":"dns.managedZones.get","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["discovery:network"],"notes":"Can expose information about private DNS zones.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.getIamPolicy":{"id":"dns.managedZones.getIamPolicy","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.list":{"id":"dns.managedZones.list","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["discovery:network"],"notes":"Can expose information about private DNS zones.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.setIamPolicy":{"id":"dns.managedZones.setIamPolicy","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.update":{"id":"dns.managedZones.update","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["impact:dos","discovery:network","destruction:defense","destruction:metadata"],"notes":"Can change the forwarding config, peering config, or visibility in order to create a DOS.  Can change the visibility of the zone to public. Can update metadata.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.networks.bindDNSResponsePolicy":{"id":"dns.networks.bindDNSResponsePolicy","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":["impact:dos","takeover:domain"],"notes":"If the network is in a private DNS zone, an attacker can change DNS  resolution behavior by binding a response policy. This can create a DOS. If the attacker additionally has permissions to create or update response policy rules, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.networks.bindPrivateDNSZone":{"id":"dns.networks.bindPrivateDNSZone","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":["impact:dos","takeover:domain"],"notes":"Binding a new private DNS zone can change DNS resolution behavior, potentially creating a DOS. If the attacker additionally has permissions to create or update records in any zone, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.networks.bindPrivateDNSPolicy":{"id":"dns.networks.bindPrivateDNSPolicy","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":["impact:dos"],"notes":"Allows binding a server policy to a VPC network. This can create a DOS because it can disable  resolution with any name servers other than the ones specified in the policy.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.networks.targetWithPeeringZone":{"id":"dns.networks.targetWithPeeringZone","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":["impact:dos","takeover:domain"],"notes":"This permission allows you to configure a network with DNS peering, so that DNS requests in the network \"forwarded\" to the peer network. This can change DNS resolution behavior, which can potentially create a DOS. If the attacker additionally has permissions to create or update records in any zone, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.networks.useHealthSignals":{"id":"dns.networks.useHealthSignals","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":[],"notes":"Allows using Cloud DNS health checking on the network.  This is used to create routing policies that will automatically failover to healthy endpoints in the case of health check failures.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.policies.create":{"id":"dns.policies.create","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":[],"notes":"Creation does nothing without permission to bind the policy to a network.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.delete":{"id":"dns.policies.delete","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["impact:dos","destruction:policy"],"notes":"Removing the correct DNS forwarding rules may cause a DOS.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.get":{"id":"dns.policies.get","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.getIamPolicy":{"id":"dns.policies.getIamPolicy","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.list":{"id":"dns.policies.list","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.setIamPolicy":{"id":"dns.policies.setIamPolicy","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.update":{"id":"dns.policies.update","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["impact:dos"],"notes":"Update allows enabling or disabling both inbound or outbound forwarding, which can impact proper name resolution.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.projects.get":{"id":"dns.projects.get","name":"Cloud DNS Projects","scope":"LOW","parent":{"notes":null,"description":"A DNS project is the top-level resource that contains all Cloud DNS resources within the Google project."},"risks":["discovery:network"],"notes":"Allows viewing statistics about the total number of DNS records, zones, policies of each type in the project.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/projects"],"seeAlso":[]},"dns.resourceRecordSets.create":{"id":"dns.resourceRecordSets.create","name":"Resource Record Set","scope":"CRITICAL","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  This includes both public and private DNS records."},"risks":["takeover:domain"],"notes":"By creating DNS records in an active managed zone, an attacker can cause some of the traffic to your  domains to be directed to them.","links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.resourceRecordSets.delete":{"id":"dns.resourceRecordSets.delete","name":"Resource Record Set","scope":"MEDIUM","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  This includes both public and private DNS records."},"risks":["impact:dos","destruction:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.resourceRecordSets.get":{"id":"dns.resourceRecordSets.get","name":"Resource Record Set","scope":"MEDIUM","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  This includes both public and private DNS records."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.resourceRecordSets.list":{"id":"dns.resourceRecordSets.list","name":"Resource Record Set","scope":"MEDIUM","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  This includes both public and private DNS records."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.resourceRecordSets.update":{"id":"dns.resourceRecordSets.update","name":"Resource Record Set","scope":"CRITICAL","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  This includes both public and private DNS records."},"risks":["impact:dos","takeover:domain"],"notes":"Edit access to DNS records.","links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.responsePolicies.create":{"id":"dns.responsePolicies.create","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":[],"notes":"A created response policy cannot be used on a VPC networks without permissions on the network. Creating a response policy just attaches it to the network, adding any rules requires separate permissions on rules.","links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicies.delete":{"id":"dns.responsePolicies.delete","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":["impact:dos","destruction:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicies.get":{"id":"dns.responsePolicies.get","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicies.list":{"id":"dns.responsePolicies.list","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicies.update":{"id":"dns.responsePolicies.update","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":["impact:dos"],"notes":"Updating an existing response policy can create a DOS by removing it from the attached network. Updating any rules requires permissions on rules.","links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.create":{"id":"dns.responsePolicyRules.create","name":"Response Policy Rule","scope":"HIGH","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["impact:dos","takeover:domain"],"notes":"A response policy rule can effectively be used by an attacker to redirect traffic on a domain  within the VPC network the policy is attached to.","links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.delete":{"id":"dns.responsePolicyRules.delete","name":"Response Policy Rule","scope":"MEDIUM","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["impact:dos","destruction:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.get":{"id":"dns.responsePolicyRules.get","name":"Response Policy Rule","scope":"MEDIUM","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.list":{"id":"dns.responsePolicyRules.list","name":"Response Policy Rule","scope":"MEDIUM","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.update":{"id":"dns.responsePolicyRules.update","name":"Response Policy Rule","scope":"HIGH","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["impact:dos","takeover:domain"],"notes":"A response policy rule can effectively be used by an attacker to redirect traffic on a domain  within the VPC network the policy is attached to.","links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"domains.locations.list":{"id":"domains.locations.list","name":"Cloud Domains Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud Domains.","description":"Infrastructure regions available for Google Cloud Domains."},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control"],"seeAlso":[]},"domains.operations.get":{"id":"domains.operations.get","name":"Cloud domains operations","scope":"PUBLIC","parent":{"notes":"Domain registrations are public, so though operations expose registration info, it is not sensitive.","description":"Operations represent long-running cloud domain API calls.  They are used for create, delete, update, and configuration operations on domain registrations."},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.operations"],"seeAlso":[]},"domains.operations.list":{"id":"domains.operations.list","name":"Cloud domains operations","scope":"PUBLIC","parent":{"notes":"Domain registrations are public, so though operations expose registration info, it is not sensitive.","description":"Operations represent long-running cloud domain API calls.  They are used for create, delete, update, and configuration operations on domain registrations."},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.operations"],"seeAlso":[]},"domains.operations.cancel":{"id":"domains.operations.cancel","name":"Cloud domains operations","scope":"MEDIUM","parent":{"notes":"Domain registrations are public, so though operations expose registration info, it is not sensitive.","description":"Operations represent long-running cloud domain API calls.  They are used for create, delete, update, and configuration operations on domain registrations."},"risks":["impact:dos"],"notes":"Can cancel running operations on registrations, such as configuration changes.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.operations"],"seeAlso":[]},"domains.registrations.configureContact":{"id":"domains.registrations.configureContact","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":[],"notes":"Only allows updating a registration's contact settings.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.configureDns":{"id":"domains.registrations.configureDns","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["impact:dos","takeover:domain"],"notes":"Allows updating DNS settings, including specifying custom name servers.  Allows an attacker to route traffic on the domain.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.configureManagement":{"id":"domains.registrations.configureManagement","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["destruction:infra","takeover:domain"],"notes":"Allows updating domain settings, such as  renewal settings and whether the domain is locked from being transferred to another registrar. Also allows exporting the domain so that it is no longer managed by Cloud Domains (it is still accessible through Google Domains). Additionally allows retrieving the authorization code for transferring the domain to another registrar. These permissions combined can allow an attacker to gain control over the domain by transferring it  to another registrar.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.create":{"id":"domains.registrations.create","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.createTagBinding":{"id":"domains.registrations.createTagBinding","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.delete":{"id":"domains.registrations.delete","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["destruction:infra"],"notes":"If an active domain registration is deleted, the domain can still be managed through Google Domains until its expiry. This just deletes the domain's managed registration in Cloud Domains.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview","https://cloud.google.com/domains/docs/delete-domain"],"seeAlso":[]},"domains.registrations.deleteTagBinding":{"id":"domains.registrations.deleteTagBinding","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.get":{"id":"domains.registrations.get","name":"Cloud domains registration","scope":"PUBLIC","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.getIamPolicy":{"id":"domains.registrations.getIamPolicy","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.list":{"id":"domains.registrations.list","name":"Cloud domains registration","scope":"PUBLIC","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.listEffectiveTags":{"id":"domains.registrations.listEffectiveTags","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.listTagBindings":{"id":"domains.registrations.listTagBindings","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.setIamPolicy":{"id":"domains.registrations.setIamPolicy","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.update":{"id":"domains.registrations.update","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["destruction:metadata"],"notes":"Only allows updating labels on the registration.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"firebase.projects.create":{"id":"firebase.projects.create","name":"Firebase project admin","scope":"HIGH","parent":{"notes":null,"description":"Manage Firebase projects programmatically: metadata, create, and delete."},"risks":["impact:consumption"],"notes":"Firebase has a soft limit on number of projects per Google Cloud account, and an attacker could theoretically exhaust this limit.","links":[],"seeAlso":[]},"firebase.projects.delete":{"id":"firebase.projects.delete","name":"Firebase project admin","scope":"CRITICAL","parent":{"notes":null,"description":"Manage Firebase projects programmatically: metadata, create, and delete."},"risks":["destruction:data","destruction:infra"],"notes":null,"links":[],"seeAlso":[]},"firebase.projects.update":{"id":"firebase.projects.update","name":"Firebase project admin","scope":"CRITICAL","parent":{"notes":null,"description":"Manage Firebase projects programmatically: metadata, create, and delete."},"risks":[],"notes":null,"links":[],"seeAlso":[]},"firebaserules.releases.create":{"id":"firebaserules.releases.create","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":[],"notes":"You can technically create new releases for additional services that use security rules, but if one didn't already exist for that service, that means that the service is not in use and therefore does not represent a risk.","links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.releases.delete":{"id":"firebaserules.releases.delete","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":["destruction:policy","impact:access"],"notes":"If an attacker deletes a project's firestore security rules, it will reset the rules to a default which denies all requests, therefore making the app unusable.","links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.releases.get":{"id":"firebaserules.releases.get","name":"Firebase security rules publishing","scope":"LOW","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":[],"notes":"Allows reading metadata about the release and a pointer to the ruleset, but not the rules themselves","links":["https://firebase.google.com/docs/rules","https://firebase.google.com/docs/reference/rules/rest/v1/projects.releases#Release"],"seeAlso":[]},"firebaserules.releases.getExecutable":{"id":"firebaserules.releases.getExecutable","name":"Firebase security rules publishing","scope":"LOW","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":[],"notes":"Gets an encoded executable string, not useful for an attacker.","links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.releases.list":{"id":"firebaserules.releases.list","name":"Firebase security rules publishing","scope":"LOW","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":[],"notes":null,"links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.releases.update":{"id":"firebaserules.releases.update","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":["destruction:policy","escalation:data","impact:access"],"notes":"When combined with the ability to create arbitrary ruleset context, can allow data escalation. Used alone, an attacker could revert your environment to a known old, insecure ruleset.","links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.rulesets.create":{"id":"firebaserules.rulesets.create","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":["destruction:policy","escalation:data","impact:access"],"notes":"While creating a ruleset by itself doesn't do anything, when combined with access to update security rules releases, an attacker can hijack your security rules.","links":[],"seeAlso":[]},"firebaserules.rulesets.delete":{"id":"firebaserules.rulesets.delete","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":["destruction:logs"],"notes":"While an attacker cannot delete the currently used ruleset, they can delete older rulesets which may cause a loss of historical rules information.","links":[],"seeAlso":[]},"firebaserules.rulesets.get":{"id":"firebaserules.rulesets.get","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":["discovery:policy"],"notes":null,"links":[],"seeAlso":[]},"firebaserules.rulesets.list":{"id":"firebaserules.rulesets.list","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":[],"notes":"Lists metadata only.","links":[],"seeAlso":[]},"firebaserules.rulesets.test":{"id":"firebaserules.rulesets.test","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":[],"notes":"Test validity of security rules source code (basically syntax/error checking).","links":[],"seeAlso":[]},"iam.roles.create":{"id":"iam.roles.create","name":"IAM Roles","scope":"LOW","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.undelete":{"id":"iam.roles.undelete","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["persistence:account"],"notes":"Undeleting a custom role will restore any bindings the role was part of at the time of deletion.","links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.delete":{"id":"iam.roles.delete","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["impact:access","destruction:policy"],"notes":"Deleting a custom role is possible even when it's present in bindings. The bindings remain, but are ineffectual.","links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.update":{"id":"iam.roles.update","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["escalation:privilege","impact:access"],"notes":"Only custom roles can be updated. An update automatically grants additional access for principals to resources  that the role is bound to. An attacker is able to grant additional permissions to a role they already have. Note that permissions are inherited by child resources. For example, updating role bound to a project can grant permissions on new services and new resources.","links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.get":{"id":"iam.roles.get","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.list":{"id":"iam.roles.list","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.serviceAccountKeys.create":{"id":"iam.serviceAccountKeys.create","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as result may have  access to many Google services."},"risks":["takeover:account","persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.delete":{"id":"iam.serviceAccountKeys.delete","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as result may have  access to many Google services."},"risks":["impact:dos","impact:access","destruction:crypto"],"notes":"This leads to a DOS in any application that is using the service account key for authentication.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.disable":{"id":"iam.serviceAccountKeys.disable","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as result may have  access to many Google services."},"risks":["impact:dos","impact:access"],"notes":"This leads to a DOS in any application that is using the service account key for authentication.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.enable":{"id":"iam.serviceAccountKeys.enable","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as result may have  access to many Google services."},"risks":["escalation:lateral","persistence:account"],"notes":"This can allow a privilege escalation if the attacker is able to gain access to a disabled service account key.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.get":{"id":"iam.serviceAccountKeys.get","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as result may have  access to many Google services."},"risks":[],"notes":"This only shows public keys.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.list":{"id":"iam.serviceAccountKeys.list","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as result may have  access to many Google services."},"risks":[],"notes":"This only shows public keys.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccounts.actAs":{"id":"iam.serviceAccounts.actAs","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.create":{"id":"iam.serviceAccounts.create","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["impact:spend","persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.delete":{"id":"iam.serviceAccounts.delete","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["impact:dos","destruction:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.disable":{"id":"iam.serviceAccounts.disable","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.enable":{"id":"iam.serviceAccounts.enable","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["impact:spend","persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.get":{"id":"iam.serviceAccounts.get","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.getAccessToken":{"id":"iam.serviceAccounts.getAccessToken","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":"By default, the generated access token only persists for an hour. Longer access times (up to 12 hours) can be configured via the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.getIamPolicy":{"id":"iam.serviceAccounts.getIamPolicy","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.getOpenIdToken":{"id":"iam.serviceAccounts.getOpenIdToken","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.implicitDelegation":{"id":"iam.serviceAccounts.implicitDelegation","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":"Implicit delegation allows you to chain service account access token requests. This permission on a service account gives the user access to creating access tokens on any service accounts that service account has access to.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.setIamPolicy":{"id":"iam.serviceAccounts.setIamPolicy","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.signBlob":{"id":"iam.serviceAccounts.signBlob","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral","impact:manipulation"],"notes":"Allows for signing of arbitrarily payloads. Can be used for escalation by signing an access token request.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.signJwt":{"id":"iam.serviceAccounts.signJwt","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":"Can be used for escalation by signing an access token request.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.list":{"id":"iam.serviceAccounts.list","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.undelete":{"id":"iam.serviceAccounts.undelete","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["impact:spend","persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.update":{"id":"iam.serviceAccounts.update","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":[],"notes":"Only allows updating description and display name.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iap.projects.getSettings":{"id":"iap.projects.getSettings","name":"Identity Aware Proxy project.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured resources in the project."},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.projects.updateSettings":{"id":"iap.projects.updateSettings","name":"Identity Aware Proxy project.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured resources in the project."},"risks":["impact:dos","impact:defacement","impact:hijack","destruction:network"],"notes":"Allows an attacker to update settings related to IAP.  There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed access the app.   There is another setting that allows for creation of a custom Access Denied page.  This creates a risk of hijack or defacement where an attacker could put up a page of their own.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings","https://cloud.google.com/iap/docs/configuring-reauth"],"seeAlso":[]},"iap.tunnel.getIamPolicy":{"id":"iap.tunnel.getIamPolicy","name":"Identity Aware Proxy tunnel resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to every IAP secured VM in the project."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnel.setIamPolicy":{"id":"iap.tunnel.setIamPolicy","name":"Identity Aware Proxy tunnel resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to every IAP secured VM in the project."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.accessViaIAP":{"id":"iap.tunnelDestGroups.accessViaIAP","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":[],"notes":"Gives a principal access to a particular IAP secured destination group.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/managing-access"],"seeAlso":[]},"iap.tunnelDestGroups.create":{"id":"iap.tunnelDestGroups.create","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":[],"notes":"Creates a new destination group.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.delete":{"id":"iap.tunnelDestGroups.delete","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["impact:dos","destruction:network"],"notes":"Deletes an existing tunnel destination group.  This could create a dos if the deleted item is used by other services since they would no longer have access.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.get":{"id":"iap.tunnelDestGroups.get","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["discovery:network","discovery:infra"],"notes":"Retrieves an existing tunnel destination group.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.getIamPolicy":{"id":"iap.tunnelDestGroups.getIamPolicy","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.list":{"id":"iap.tunnelDestGroups.list","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["discovery:network","discovery:infra"],"notes":"Lists the existing tunnel destination groups.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.remediate":{"id":"iap.tunnelDestGroups.remediate","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":[],"notes":"If granted this permission, a principal will be allowed to remediate a failed authentication attempt.  The steps to remediate can be customized per resource and consist of steps like asking users to update their operating system or to use the application from a  company run network.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","-","h","t","t","p","s",":","/","/","c","l","o","u","d",".","g","o","o","g","l","e",".","c","o","m","/","b","e","y","o","n","d","c","o","r","p","-","e","n","t","e","r","p","r","i","s","e","/","d","o","c","s","/","p","o","l","i","c","y","-","r","e","m","e","d","i","a","t","o","r"],"seeAlso":[]},"iap.tunnelDestGroups.setIamPolicy":{"id":"iap.tunnelDestGroups.setIamPolicy","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.update":{"id":"iap.tunnelDestGroups.update","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in you project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["impact:dos","destruction:network","escalation:network"],"notes":"Updates an existing tunnel destination group.  This could create a dos if an attacker deletes items from the group.   It could also allow an attacker to gain access to machines by adding them to a group they have permission for.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelInstances.accessViaIAP":{"id":"iap.tunnelInstances.accessViaIAP","name":"Identity Aware Proxy tunnel instances resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular VM instance"},"risks":[],"notes":"Gives a principal access to a particular IAP secured VM.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelInstances.getIamPolicy":{"id":"iap.tunnelInstances.getIamPolicy","name":"Identity Aware Proxy tunnel instances resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular VM instance"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelInstances.setIamPolicy":{"id":"iap.tunnelInstances.setIamPolicy","name":"Identity Aware Proxy tunnel instances resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular VM instance"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelLocations.getIamPolicy":{"id":"iap.tunnelLocations.getIamPolicy","name":"Identity Aware Proxy tunnel locations resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured VMs in a particular region"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelLocations.setIamPolicy":{"id":"iap.tunnelLocations.setIamPolicy","name":"Identity Aware Proxy tunnel locations resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured VMs in a particular region"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelZones.getIamPolicy":{"id":"iap.tunnelZones.getIamPolicy","name":"Identity Aware Proxy tunnel zones resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured VMs in a particular zone"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelZones.setIamPolicy":{"id":"iap.tunnelZones.setIamPolicy","name":"Identity Aware Proxy tunnel zones resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured VMs in a particular zone"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.web.getIamPolicy":{"id":"iap.web.getIamPolicy","name":"Identity Aware Proxy web resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to every IAP secured web app in your project."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.web.getSettings":{"id":"iap.web.getSettings","name":"Identity Aware Proxy web resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to every IAP secured web app in your project."},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServiceVersions.accessViaIAP":{"id":"iap.webServiceVersions.accessViaIAP","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":[],"notes":"Grants access to App Engine and Compute Engine resources secured by IAP.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/managing-access"],"seeAlso":[]},"iap.webServiceVersions.getIamPolicy":{"id":"iap.webServiceVersions.getIamPolicy","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServiceVersions.getSettings":{"id":"iap.webServiceVersions.getSettings","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServiceVersions.remediate":{"id":"iap.webServiceVersions.remediate","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":[],"notes":"If granted this permission, a principal will be allowed to remediate a failed authentication attempt.  The steps to remediate can be customized per resource and consist of steps like asking users to update their operating system or to use the application from a  company run network.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","-","h","t","t","p","s",":","/","/","c","l","o","u","d",".","g","o","o","g","l","e",".","c","o","m","/","b","e","y","o","n","d","c","o","r","p","-","e","n","t","e","r","p","r","i","s","e","/","d","o","c","s","/","p","o","l","i","c","y","-","r","e","m","e","d","i","a","t","o","r"],"seeAlso":[]},"iap.webServiceVersions.setIamPolicy":{"id":"iap.webServiceVersions.setIamPolicy","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServiceVersions.updateSettings":{"id":"iap.webServiceVersions.updateSettings","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":["impact:dos","impact:defacement","impact:hijack","destruction:network"],"notes":"Allows an attacker to update settings related to IAP.  There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed access the app.   There is another setting that allows for creation of a custom Access Denied page.  This creates a risk of hijack or defacement where an attacker could put up a page of their own.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings","https://cloud.google.com/iap/docs/configuring-reauth"],"seeAlso":[]},"iap.webServices.getIamPolicy":{"id":"iap.webServices.getIamPolicy","name":"Identity Aware Proxy web services resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular IAP secured web service."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServices.getSettings":{"id":"iap.webServices.getSettings","name":"Identity Aware Proxy web services resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular IAP secured web service."},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServices.setIamPolicy":{"id":"iap.webServices.setIamPolicy","name":"Identity Aware Proxy web services resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular IAP secured web service."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServices.updateSettings":{"id":"iap.webServices.updateSettings","name":"Identity Aware Proxy web services resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular IAP secured web service."},"risks":["impact:dos","impact:defacement","impact:hijack","destruction:network"],"notes":"Allows an attacker to update settings related to IAP.  There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed access the app.   There is another setting that allows for creation of a custom Access Denied page.  This creates a risk of hijack or defacement where an attacker could put up a page of their own.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings","https://cloud.google.com/iap/docs/configuring-reauth"],"seeAlso":[]},"iap.webTypes.getIamPolicy":{"id":"iap.webTypes.getIamPolicy","name":"Identity Aware Proxy web types resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured web apps in the project of a particular type.   The specified type can either be App Engine or Compute engine."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webTypes.getSettings":{"id":"iap.webTypes.getSettings","name":"Identity Aware Proxy web types resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured web apps in the project of a particular type.   The specified type can either be App Engine or Compute engine."},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webTypes.setIamPolicy":{"id":"iap.webTypes.setIamPolicy","name":"Identity Aware Proxy web types resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured web apps in the project of a particular type.   The specified type can either be App Engine or Compute engine."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webTypes.updateSettings":{"id":"iap.webTypes.updateSettings","name":"Identity Aware Proxy web types resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured web apps in the project of a particular type.   The specified type can either be App Engine or Compute engine."},"risks":["impact:dos","impact:defacement","impact:hijack","destruction:network"],"notes":"Allows an attacker to update settings related to IAP.  There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed access the app.   There is another setting that allows for creation of a custom Access Denied page.  This creates a risk of hijack or defacement where an attacker could put up a page of their own.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings","https://cloud.google.com/iap/docs/configuring-reauth"],"seeAlso":[]},"logging.buckets.copyLogEntries":{"id":"logging.buckets.copyLogEntries","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.create":{"id":"logging.buckets.create","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.delete":{"id":"logging.buckets.delete","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["destruction:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.undelete":{"id":"logging.buckets.undelete","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.update":{"id":"logging.buckets.update","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["impact:encryption"],"notes":"Allows updating or adding a customer-managed encryption key  used to encrypt the bucket.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.write":{"id":"logging.buckets.write","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["impact:spend"],"notes":"Allows routing logs to the bucket","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.get":{"id":"logging.buckets.get","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["discovery:infra"],"notes":"Does not allow viewing logs in the bucket.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.list":{"id":"logging.buckets.list","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["discovery:infra"],"notes":"Does not allow viewing logs in the bucket.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.exclusions.create":{"id":"logging.exclusions.create","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.exclusions.get":{"id":"logging.exclusions.get","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.exclusions.delete":{"id":"logging.exclusions.delete","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.exclusions.list":{"id":"logging.exclusions.list","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.exclusions.update":{"id":"logging.exclusions.update","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.fields.access":{"id":"logging.fields.access","name":"Cloud Logging Fields","scope":"MEDIUM","parent":{"notes":"Cloud logging supports field-level access control. This resource is used to restrict access to sensitive fields.","description":"Individual fields in Cloud Logging entries"},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/field-level-acl"],"seeAlso":[]},"logging.links.create":{"id":"logging.links.create","name":"Cloud Logging Links","scope":null,"parent":{"notes":null,"description":"A Cloud Logging link is a link between a logs bucket and a BigQuery dataset  so that logs can be read from BigQuery."},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/folders.locations.buckets.links"],"seeAlso":[]},"logging.links.delete":{"id":"logging.links.delete","name":"Cloud Logging Links","scope":null,"parent":{"notes":null,"description":"A Cloud Logging link is a link between a logs bucket and a BigQuery dataset  so that logs can be read from BigQuery."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/folders.locations.buckets.links"],"seeAlso":[]},"logging.links.get":{"id":"logging.links.get","name":"Cloud Logging Links","scope":null,"parent":{"notes":null,"description":"A Cloud Logging link is a link between a logs bucket and a BigQuery dataset  so that logs can be read from BigQuery."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/folders.locations.buckets.links"],"seeAlso":[]},"logging.links.list":{"id":"logging.links.list","name":"Cloud Logging Links","scope":null,"parent":{"notes":null,"description":"A Cloud Logging link is a link between a logs bucket and a BigQuery dataset  so that logs can be read from BigQuery."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/folders.locations.buckets.links"],"seeAlso":[]},"logging.locations.list":{"id":"logging.locations.list","name":"Cloud Logging Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud logging.","description":"Infrastructure regions available for Google Cloud logging."},"risks":[],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.locations.get":{"id":"logging.locations.get","name":"Cloud Logging Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud logging.","description":"Infrastructure regions available for Google Cloud logging."},"risks":[],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.logEntries.create":{"id":"logging.logEntries.create","name":"Cloud Logging Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Log entries ingested and stored by Cloud Logging"},"risks":["impact:spend"],"notes":"Create and route together allow writing log entries via the Logging API","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/list"],"seeAlso":[]},"logging.logEntries.download":{"id":"logging.logEntries.download","name":"Cloud Logging Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Log entries ingested and stored by Cloud Logging"},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/list"],"seeAlso":[]},"logging.logEntries.list":{"id":"logging.logEntries.list","name":"Cloud Logging Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Log entries ingested and stored by Cloud Logging"},"risks":["exfiltration:logs"],"notes":"This provides access to log entries.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/list"],"seeAlso":[]},"logging.logEntries.route":{"id":"logging.logEntries.route","name":"Cloud Logging Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Log entries ingested and stored by Cloud Logging"},"risks":["impact:spend"],"notes":"Create and route together allow writing log entries via the Logging API","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/list"],"seeAlso":[]},"logging.logMetrics.create":{"id":"logging.logMetrics.create","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logMetrics.delete":{"id":"logging.logMetrics.delete","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logMetrics.get":{"id":"logging.logMetrics.get","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra","exfiltration:metadata"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logMetrics.list":{"id":"logging.logMetrics.list","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra","exfiltration:metadata"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logMetrics.update":{"id":"logging.logMetrics.update","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logs.delete":{"id":"logging.logs.delete","name":"Cloud Logging Logs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud Logging log contains log entries."},"risks":["destruction:logs"],"notes":"Destroys all log entries.","links":["https://cloud.google.com/logging/docs/reference/v2/rest/v2/organizations.logs","https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.logs.list":{"id":"logging.logs.list","name":"Cloud Logging Logs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud Logging log contains log entries."},"risks":[],"notes":"Does not allow viewing log entries.","links":["https://cloud.google.com/logging/docs/reference/v2/rest/v2/organizations.logs","https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.notificationRules.create":{"id":"logging.notificationRules.create","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":[],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.notificationRules.delete":{"id":"logging.notificationRules.delete","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.notificationRules.get":{"id":"logging.notificationRules.get","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.notificationRules.list":{"id":"logging.notificationRules.list","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.notificationRules.update":{"id":"logging.notificationRules.update","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.privateLogEntries.list":{"id":"logging.privateLogEntries.list","name":"Cloud Logging Private Log Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Private log entries contain Google's Data Access Audit logs."},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.queries.create":{"id":"logging.queries.create","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.list":{"id":"logging.queries.list","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.get":{"id":"logging.queries.get","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.share":{"id":"logging.queries.share","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":[],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.listShared":{"id":"logging.queries.listShared","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.update":{"id":"logging.queries.update","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.updateShared":{"id":"logging.queries.updateShared","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.delete":{"id":"logging.queries.delete","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.settings.get":{"id":"logging.settings.get","name":"Cloud Logging Settings","scope":"MEDIUM","parent":{"notes":null,"description":"Settings for cloud logging, including locations for log storage, disabled _Default sinks,  and encryption keys."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/default-settings"],"seeAlso":[]},"logging.settings.update":{"id":"logging.settings.update","name":"Cloud Logging Settings","scope":"MEDIUM","parent":{"notes":null,"description":"Settings for cloud logging, including locations for log storage, disabled _Default sinks,  and encryption keys."},"risks":["destruction:logs","impact:encryption"],"notes":"Disabling the _Default log sink can cause loss of log entry data.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/default-settings"],"seeAlso":[]},"logging.sinks.create":{"id":"logging.sinks.create","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.sinks.delete":{"id":"logging.sinks.delete","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.sinks.get":{"id":"logging.sinks.get","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.sinks.list":{"id":"logging.sinks.list","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.sinks.update":{"id":"logging.sinks.update","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["destruction:defense"],"notes":"Updating a log sink can update the filter used to exclude logs from being routed by the sink. This can impair defenses by allowing an attacker to filter  out their activity in the system.","links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.views.access":{"id":"logging.views.access","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.create":{"id":"logging.views.create","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["impact:spend","impact:consumption"],"notes":"You can only have 30 log views on a bucket.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.delete":{"id":"logging.views.delete","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["destruction:infra","impact:access"],"notes":"Does not delete the log entries..  Because the primary use case of a view is to provide limited access to logs, deleting a view can result in users losing access to logs.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.get":{"id":"logging.views.get","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["discovery:logs"],"notes":"Does not provide access to log entries.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.list":{"id":"logging.views.list","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["discovery:logs"],"notes":"Does not provide access to log entries.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.listLogs":{"id":"logging.views.listLogs","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.listResourceKeys":{"id":"logging.views.listResourceKeys","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.listResourceValues":{"id":"logging.views.listResourceValues","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.update":{"id":"logging.views.update","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["exfiltration:logs"],"notes":"Allows updating the log filter on a view. If combined with listLogs access on any view, can allow arbitrary logs access.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"pubsub.schemas.attach":{"id":"pubsub.schemas.attach","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["impact:dos"],"notes":"Can cause service interruptions by attaching an invalid schema.","links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.commit":{"id":"pubsub.schemas.commit","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["impact:dos"],"notes":"Can cause service interruptions by updating an existing schema to be invalid.","links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.create":{"id":"pubsub.schemas.create","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":[],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.delete":{"id":"pubsub.schemas.delete","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["destruction:infra","impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.get":{"id":"pubsub.schemas.get","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["discovery:data","discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.getIamPolicy":{"id":"pubsub.schemas.getIamPolicy","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.list":{"id":"pubsub.schemas.list","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.listRevisions":{"id":"pubsub.schemas.listRevisions","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.rollback":{"id":"pubsub.schemas.rollback","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["impact:dos"],"notes":"Can cause service interruptions by rolling back to an incompatible schema.","links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.setIamPolicy":{"id":"pubsub.schemas.setIamPolicy","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.validate":{"id":"pubsub.schemas.validate","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":[],"notes":"Validating lets you validate messages against a schema.","links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.snapshots.create":{"id":"pubsub.snapshots.create","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.delete":{"id":"pubsub.snapshots.delete","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["impact:dos","destruction:data"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.get":{"id":"pubsub.snapshots.get","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.getIamPolicy":{"id":"pubsub.snapshots.getIamPolicy","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.list":{"id":"pubsub.snapshots.list","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.seek":{"id":"pubsub.snapshots.seek","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["exfiltration:data"],"notes":"The seek functionality allows for replay/redelivery of the messages in the snapshot. This can allow an attacker to read Pub/Sub messages, which may be sensitive.","links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.setIamPolicy":{"id":"pubsub.snapshots.setIamPolicy","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.update":{"id":"pubsub.snapshots.update","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["impact:dos","destruction:data"],"notes":"This allows updating snapshot metadata. Potential DOS and data destruction risks if the expiration time is updated.","links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.subscriptions.consume":{"id":"pubsub.subscriptions.consume","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.create":{"id":"pubsub.subscriptions.create","name":"Pub/Sub subscription","scope":"LOW","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["impact:spend"],"notes":"Creating a subscription does not provide access to Pub/Sub data on its own, since you cannot consume messages or attach the subscription to a topic.","links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.delete":{"id":"pubsub.subscriptions.delete","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.get":{"id":"pubsub.subscriptions.get","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.getIamPolicy":{"id":"pubsub.subscriptions.getIamPolicy","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.list":{"id":"pubsub.subscriptions.list","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.setIamPolicy":{"id":"pubsub.subscriptions.setIamPolicy","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.update":{"id":"pubsub.subscriptions.update","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.attachSubscription":{"id":"pubsub.topics.attachSubscription","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.create":{"id":"pubsub.topics.create","name":"Pub/Sub topic","scope":"LOW","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.delete":{"id":"pubsub.topics.delete","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["impact:dos","destruction:data"],"notes":"This will delete any messages retained in the Pub/Sub topic. Depending on the configuration, this could be  up to 31 days of messages.","links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.detachSubscription":{"id":"pubsub.topics.detachSubscription","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.get":{"id":"pubsub.topics.get","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.getIamPolicy":{"id":"pubsub.topics.getIamPolicy","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.list":{"id":"pubsub.topics.list","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.publish":{"id":"pubsub.topics.publish","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["impact:dos","impact:manipulation"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.setIamPolicy":{"id":"pubsub.topics.setIamPolicy","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.update":{"id":"pubsub.topics.update","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.updateTag":{"id":"pubsub.topics.updateTag","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":[],"notes":"This IAM permission doesn't have a corresponding API method. It's unclear what this permission is for.","links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"recommender.cloudAssetInsights.get":{"id":"recommender.cloudAssetInsights.get","name":"Cloud Asset Insights","scope":"HIGH","parent":{"notes":"These insights include sensitive information about your Google Cloud resources and their IAM policies, as well as exposing information about users, groups, and service accounts.","description":"Cloud Asset Insights include changes to the IAM policies of your resources suggested by Google in order to improve your security posture"},"risks":["discovery:policy","discovery:account","discovery:infra"],"notes":null,"links":["https://cloud.google.com/asset-inventory/docs/using-asset-insights"],"seeAlso":[]},"recommender.cloudAssetInsights.list":{"id":"recommender.cloudAssetInsights.list","name":"Cloud Asset Insights","scope":"HIGH","parent":{"notes":"These insights include sensitive information about your Google Cloud resources and their IAM policies, as well as exposing information about users, groups, and service accounts.","description":"Cloud Asset Insights include changes to the IAM policies of your resources suggested by Google in order to improve your security posture"},"risks":["discovery:policy","discovery:account","discovery:infra"],"notes":null,"links":["https://cloud.google.com/asset-inventory/docs/using-asset-insights"],"seeAlso":[]},"recommender.iamPolicyInsights.get":{"id":"recommender.iamPolicyInsights.get","name":"IAM Policy Insights","scope":"HIGH","parent":{"notes":"These insights include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM policy insights include information on exercised permissions from project-level IAM policy bindings."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview"],"seeAlso":[]},"recommender.iamPolicyInsights.list":{"id":"recommender.iamPolicyInsights.list","name":"IAM Policy Insights","scope":"HIGH","parent":{"notes":"These insights include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM policy insights include information on exercised permissions from project-level IAM policy bindings."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview"],"seeAlso":[]},"recommender.iamPolicyInsights.update":{"id":"recommender.iamPolicyInsights.update","name":"IAM Policy Insights","scope":"LOW","parent":{"notes":"These insights include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM policy insights include information on exercised permissions from project-level IAM policy bindings."},"risks":[],"notes":"Updating an insight is extremely low impact since it only updates the insight metadata, for purposes such as marking the insight as accepted.","links":["https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview"],"seeAlso":[]},"recommender.iamPolicyRecommendations.get":{"id":"recommender.iamPolicyRecommendations.get","name":"IAM Policy Recommendations","scope":"HIGH","parent":{"notes":"These recommendations include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM Policy Recommendations include changes to the IAM policies of your projects suggested by Google in order to improve your security posture."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/policy-intelligence/docs/review-apply-role-recommendations"],"seeAlso":[]},"recommender.iamPolicyRecommendations.list":{"id":"recommender.iamPolicyRecommendations.list","name":"IAM Policy Recommendations","scope":"HIGH","parent":{"notes":"These recommendations include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM Policy Recommendations include changes to the IAM policies of your projects suggested by Google in order to improve your security posture."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/policy-intelligence/docs/review-apply-role-recommendations"],"seeAlso":[]},"recommender.iamPolicyRecommendations.update":{"id":"recommender.iamPolicyRecommendations.update","name":"IAM Policy Recommendations","scope":"LOW","parent":{"notes":"These recommendations include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM Policy Recommendations include changes to the IAM policies of your projects suggested by Google in order to improve your security posture."},"risks":[],"notes":"Updating a recommendation is only updates the recommendation metadata, for purposes such as marking the recommendation as accepted.","links":["https://cloud.google.com/policy-intelligence/docs/review-apply-role-recommendations"],"seeAlso":[]},"resourcemanager.projects.create":{"id":"resourcemanager.projects.create","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:spend","impact:consumption"],"notes":"Each organization has a limited quota of active projects they can create.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.createBillingAssignment":{"id":"resourcemanager.projects.createBillingAssignment","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:dos"],"notes":"Allows updating the billing assignment to remove the billing account.  This can cause an interruption of services.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.delete":{"id":"resourcemanager.projects.delete","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["destruction:infra","destruction:crypto","destruction:data","destruction:logs","destruction:metadata","destruction:policy"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.deleteBillingAssignment":{"id":"resourcemanager.projects.deleteBillingAssignment","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:dos"],"notes":"Removing a billing assignment can cause an interruption of services.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.get":{"id":"resourcemanager.projects.get","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.getIamPolicy":{"id":"resourcemanager.projects.getIamPolicy","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.list":{"id":"resourcemanager.projects.list","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.move":{"id":"resourcemanager.projects.move","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:dos","impact:access","destruction:defense"],"notes":"Moving a project can impact both user and system access that was inherited from the old parent. This can cause a DOS if service account accesses are impaired. Moving a project also removes any  security policies that were inherited from the parent.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.setIamPolicy":{"id":"resourcemanager.projects.setIamPolicy","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.undelete":{"id":"resourcemanager.projects.undelete","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.update":{"id":"resourcemanager.projects.update","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["destruction:metadata"],"notes":"Can only update project display name and labels.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.updateLiens":{"id":"resourcemanager.projects.updateLiens","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["destruction:defense"],"notes":"Liens are used to prevention deletion of projects. This permission allows removing a lien from a project.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.tagholds.create":{"id":"resourcemanager.tagholds.create","name":"Google Cloud Tag Holds","scope":"LOW","parent":{"notes":null,"description":"A tag hold prevents the deletion of a tag value."},"risks":[],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagholds.delete":{"id":"resourcemanager.tagholds.delete","name":"Google Cloud Tag Holds","scope":"LOW","parent":{"notes":null,"description":"A tag hold prevents the deletion of a tag value."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagholds.list":{"id":"resourcemanager.tagholds.list","name":"Google Cloud Tag Holds","scope":"LOW","parent":{"notes":null,"description":"A tag hold prevents the deletion of a tag value."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.create":{"id":"resourcemanager.tagkeys.create","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.delete":{"id":"resourcemanager.tagkeys.delete","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":[],"notes":"Tag keys in use by any tag bindings cannot be deleted.","links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.get":{"id":"resourcemanager.tagkeys.get","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.getIamPolicy":{"id":"resourcemanager.tagkeys.getIamPolicy","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.list":{"id":"resourcemanager.tagkeys.list","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.setIamPolicy":{"id":"resourcemanager.tagkeys.setIamPolicy","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.update":{"id":"resourcemanager.tagkeys.update","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":[],"notes":"Only allows updating the tag description.\n","links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.create":{"id":"resourcemanager.tagvalues.create","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.delete":{"id":"resourcemanager.tagvalues.delete","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":[],"notes":"Tag values in use by any tag bindings cannot be deleted.","links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.get":{"id":"resourcemanager.tagvalues.get","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.getIamPolicy":{"id":"resourcemanager.tagvalues.getIamPolicy","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.list":{"id":"resourcemanager.tagvalues.list","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.setIamPolicy":{"id":"resourcemanager.tagvalues.setIamPolicy","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.update":{"id":"resourcemanager.tagvalues.update","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":[],"notes":"Only allows updating the tag description.\n","links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"run.configurations.get":{"id":"run.configurations.get","name":"Cloud Run Configurations","scope":"MEDIUM","parent":{"notes":null,"description":"A cloud run configuration contains basic metadata and  information about the latest revision for a service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.configurations","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions"],"seeAlso":[]},"run.configurations.list":{"id":"run.configurations.list","name":"Cloud Run Configurations","scope":"MEDIUM","parent":{"notes":null,"description":"A cloud run configuration contains basic metadata and  information about the latest revision for a service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.configurations","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions"],"seeAlso":[]},"run.executions.delete":{"id":"run.executions.delete","name":"Cloud Run Executions","scope":"HIGH","parent":{"notes":"Cloud Run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run execution is a resource created when a cloud run job is executed in order to track the execution."},"risks":["impact:dos"],"notes":"A currently running execution can be deleted. This will halt execution of the job.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.executions","https://cloud.google.com/run/docs/managing/job-executions"],"seeAlso":[]},"run.executions.get":{"id":"run.executions.get","name":"Cloud Run Executions","scope":"HIGH","parent":{"notes":"Cloud Run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run execution is a resource created when a cloud run job is executed in order to track the execution."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.executions","https://cloud.google.com/run/docs/managing/job-executions"],"seeAlso":[]},"run.executions.list":{"id":"run.executions.list","name":"Cloud Run Executions","scope":"HIGH","parent":{"notes":"Cloud Run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run execution is a resource created when a cloud run job is executed in order to track the execution."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.executions","https://cloud.google.com/run/docs/managing/job-executions"],"seeAlso":[]},"run.jobs.create":{"id":"run.jobs.create","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":[],"notes":"Executing a job requires the run permission, so create on its own does not allow execution of the newly created job. Cloud Run billing is based on execution of jobs and services, so creation does not incur spend.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.createTagBinding":{"id":"run.jobs.createTagBinding","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.delete":{"id":"run.jobs.delete","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:dos","destruction:infra"],"notes":"You can only delete a job if there are no executions in progress. However, certain services may rely on a job that runs on a schedule, so  deleting a job can create a DOS even if at deletion time there are no executions in progress.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.deleteTagBinding":{"id":"run.jobs.deleteTagBinding","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.get":{"id":"run.jobs.get","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.getIamPolicy":{"id":"run.jobs.getIamPolicy","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.list":{"id":"run.jobs.list","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.listEffectiveTags":{"id":"run.jobs.listEffectiveTags","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.listTagBindings":{"id":"run.jobs.listTagBindings","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.run":{"id":"run.jobs.run","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:spend","impact:hijack","escalation:lateral"],"notes":"If combined with create permission and iam.serviceAccounts.actAs on the Cloud Run service account, includes a resource hijacking risk. Additionally, the environment variables may be abused to allow a reverse shell and dump the contents of the container, including the service account credentials.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs","https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.html#runjobsrun-runjobsrunwithoverrides-runjobsget"],"seeAlso":[]},"run.jobs.runWithOverrides":{"id":"run.jobs.runWithOverrides","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:spend","impact:hijack","impact:manipulation","exfiltration:data","escalation:lateral"],"notes":"Allows an attacker to run a job with overrides for the environment variables and arguments. Depending on the job and the contents of environment variables and arguments, this may  allow the attacker to hijack the job for their own purposes, manipulate organizational data,  or store output data in a location accessible to the attacker. Also includes a resource hijacking risk if combined with the create permission and iam.serviceAccounts.actAs on the Cloud Run service account.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs","https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.html#runjobsrun-runjobsrunwithoverrides-runjobsget"],"seeAlso":[]},"run.jobs.setIamPolicy":{"id":"run.jobs.setIamPolicy","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.update":{"id":"run.jobs.update","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:spend","impact:dos","impact:hijack","impact:manipulation","exfiltration:data"],"notes":"Allows an attacker to update settings for a job, including CPU/memory limits, timeouts, retries,  the values of environment variables, and the container entrypoint command and arguments. Depending on the job and the contents of environment variables and arguments, this may  allow the attacker to hijack the job for their own purposes, manipulate organizational data,  or store output data in a location accessible to the attacker. Changing CPU/memory limits or increasing retries can incur spend, and changing timeouts, reducing  retries, or manipulating arguments/environment variables can create a DOS.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.locations.list":{"id":"run.locations.list","name":"Cloud Run Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud Run","description":"Infrastructure regions available for Cloud Run resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"run.locations.get":{"id":"run.locations.get","name":"Cloud Run Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud Run","description":"Infrastructure regions available for Cloud Run resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"run.revisions.delete":{"id":"run.revisions.delete","name":"Cloud Run Revisions","scope":"MEDIUM","parent":{"notes":null,"description":"A revision is a deployment to a Cloud Run service.  It consists of a container image along with environment settings. Revisions are immutable."},"risks":["destruction:infra"],"notes":"Revisions that can receive traffic, are the only revision of the service, or are the latest revision of the service cannot be deleted.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions","https://cloud.google.com/run/docs/managing/revisions"],"seeAlso":[]},"run.revisions.get":{"id":"run.revisions.get","name":"Cloud Run Revisions","scope":"MEDIUM","parent":{"notes":null,"description":"A revision is a deployment to a Cloud Run service.  It consists of a container image along with environment settings. Revisions are immutable."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions","https://cloud.google.com/run/docs/managing/revisions"],"seeAlso":[]},"run.revisions.list":{"id":"run.revisions.list","name":"Cloud Run Revisions","scope":"MEDIUM","parent":{"notes":null,"description":"A revision is a deployment to a Cloud Run service.  It consists of a container image along with environment settings. Revisions are immutable."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions","https://cloud.google.com/run/docs/managing/revisions"],"seeAlso":[]},"run.routes.get":{"id":"run.routes.get","name":"Cloud run routes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud run routes contain rules for routing ingress traffic to specific revisions of a service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.routes","https://cloud.google.com/run/docs/authenticating/developers"],"seeAlso":[]},"run.routes.invoke":{"id":"run.routes.invoke","name":"Cloud run routes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud run routes contain rules for routing ingress traffic to specific revisions of a service."},"risks":["escalation:network"],"notes":"Allows a user to make curl requests to the service that the route is associated with.","links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.routes","https://cloud.google.com/run/docs/authenticating/developers"],"seeAlso":[]},"run.routes.list":{"id":"run.routes.list","name":"Cloud run routes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud run routes contain rules for routing ingress traffic to specific revisions of a service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.routes","https://cloud.google.com/run/docs/authenticating/developers"],"seeAlso":[]},"run.services.create":{"id":"run.services.create","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["impact:spend","impact:hijack"],"notes":"Allows creating and deploying a new service on Cloud Run. Also requires iam.serviceAccounts.actAs on the Cloud Run service account","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.createTagBinding":{"id":"run.services.createTagBinding","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.delete":{"id":"run.services.delete","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["impact:dos","destruction:infra"],"notes":"Deleting a service is permanent: it cannot be undone or restored.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.deleteTagBinding":{"id":"run.services.deleteTagBinding","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.get":{"id":"run.services.get","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:infra","discovery:policy"],"notes":"Includes ingress and egress network policies for the service.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.getIamPolicy":{"id":"run.services.getIamPolicy","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.list":{"id":"run.services.list","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:infra","discovery:policy"],"notes":"Includes ingress and egress network policies for the service.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.listEffectiveTags":{"id":"run.services.listEffectiveTags","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.listTagBindings":{"id":"run.services.listTagBindings","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.setIamPolicy":{"id":"run.services.setIamPolicy","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.update":{"id":"run.services.update","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure,  such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["impact:spend","impact:dos","impact:hijack","impact:manipulation","exfiltration:data","escalation:network","destruction:defense"],"notes":"Allows an attacker to update settings for a service, including CPU/memory limits, autoscaling settings,  the values of environment variables, the container entrypoint command and arguments, and egress/ingress network policy settings. Depending on the job and the contents of environment variables and arguments, this may  allow the attacker to hijack the job for their own purposes, manipulate organizational data,  or store output data in a location accessible to the attacker. Changing ingress/egress network policies can allow an attacker to make private services public or vice versa. Changing CPU/memory limits or autoscaling settings can incur spend,  and changing autoscaling settings, network settings, or manipulating arguments/environment variables can create a DOS.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.tasks.list":{"id":"run.tasks.list","name":"Cloud Run tasks","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud Run task represents a single run of a container to completion.  A Cloud Run job contains some number of tasks."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.tasks","https://cloud.google.com/run/docs/resource-model"],"seeAlso":[]},"run.tasks.get":{"id":"run.tasks.get","name":"Cloud Run tasks","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud Run task represents a single run of a container to completion.  A Cloud Run job contains some number of tasks."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.tasks","https://cloud.google.com/run/docs/resource-model"],"seeAlso":[]},"secretmanager.locations.list":{"id":"secretmanager.locations.list","name":"Secret Manager Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Secret Manager","description":"Infrastructure regions available for Secret Manager resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"secretmanager.locations.get":{"id":"secretmanager.locations.get","name":"Secret Manager Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Secret Manager","description":"Infrastructure regions available for Secret Manager resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"secretmanager.secrets.create":{"id":"secretmanager.secrets.create","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":[],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.delete":{"id":"secretmanager.secrets.delete","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["impact:dos","destruction:crypto"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.get":{"id":"secretmanager.secrets.get","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["discovery:infra","discovery:account"],"notes":"This includes account discovery because the names of secrets may expose accounts that the secrets are associated with. Does not give access to secrets.","links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.getIamPolicy":{"id":"secretmanager.secrets.getIamPolicy","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.list":{"id":"secretmanager.secrets.list","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["discovery:infra","discovery:account"],"notes":"See get.","links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.setIamPolicy":{"id":"secretmanager.secrets.setIamPolicy","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.update":{"id":"secretmanager.secrets.update","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["impact:dos","destruction:data","impact:encryption"],"notes":"Can destroy the secret by updating it to expire. Can also add/change a customer-managed encryption key.","links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.versions.access":{"id":"secretmanager.versions.access","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Gives direct read access to secrets data (which often include keys and tokens).","links":[],"seeAlso":[]},"secretmanager.versions.add":{"id":"secretmanager.versions.add","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["impact:dos"],"notes":"Adding a new version of a secret can break services that rely on reading the latest version of the secret.","links":[],"seeAlso":[]},"secretmanager.versions.destroy":{"id":"secretmanager.versions.destroy","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["impact:dos","destruction:crypto"],"notes":null,"links":[],"seeAlso":[]},"secretmanager.versions.disable":{"id":"secretmanager.versions.disable","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["impact:dos"],"notes":null,"links":[],"seeAlso":[]},"secretmanager.versions.enable":{"id":"secretmanager.versions.enable","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["impact:dos"],"notes":"This can be used for a DOS by enabling a out-of-date or otherwise incorrect version of the secret.","links":[],"seeAlso":[]},"secretmanager.versions.get":{"id":"secretmanager.versions.get","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["discovery:infra","discovery:account"],"notes":"This includes account discovery because the names of secrets may expose accounts that the secrets are associated with.","links":[],"seeAlso":[]},"secretmanager.versions.list":{"id":"secretmanager.versions.list","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["discovery:infra","discovery:account"],"notes":null,"links":[],"seeAlso":[]},"serviceusage.quotas.get":{"id":"serviceusage.quotas.get","name":"Service Usage Quotas","scope":"LOW","parent":{"notes":null,"description":"Includes quota limitations for service usage for all Google Services."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.quotas.update":{"id":"serviceusage.quotas.update","name":"Service Usage Quotas","scope":"LOW","parent":{"notes":null,"description":"Includes quota limitations for service usage for all Google Services."},"risks":["impact:dos","impact:spend"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.disable":{"id":"serviceusage.services.disable","name":"Google Cloud Service","scope":"CRITICAL","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["impact:dos"],"notes":"Depends on the service: disabling a service the organization relies on is a critical impact.","links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.enable":{"id":"serviceusage.services.enable","name":"Google Cloud Service","scope":"CRITICAL","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["escalation:lateral"],"notes":"Depends on the service. The attacker could enable a service that contains risks (such as an overprovisioned default service account) that allows themselves to escalate permissions.","links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.get":{"id":"serviceusage.services.get","name":"Google Cloud Service","scope":"LOW","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.list":{"id":"serviceusage.services.list","name":"Google Cloud Service","scope":"LOW","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.use":{"id":"serviceusage.services.use","name":"Google Cloud Service","scope":"LOW","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"storage.buckets.create":{"id":"storage.buckets.create","name":"Cloud Storage buckets","scope":"LOW","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.createTagBinding":{"id":"storage.buckets.createTagBinding","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. If the user has any policies that use tag bindings to enforce conditions, creating a tag on a resource allows them to escalate their access to that resource. Also requires getIamPolicy or knowledge of the IAM policy from some other means.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.delete":{"id":"storage.buckets.delete","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["impact:dos","destruction:data","destruction:infra"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.deleteTagBinding":{"id":"storage.buckets.deleteTagBinding","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The \"destruction:policy\" and \"impact:access\" risks apply if the tag is used in any policies.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.get":{"id":"storage.buckets.get","name":"Cloud Storage buckets","scope":"LOW","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.list":{"id":"storage.buckets.list","name":"Cloud Storage buckets","scope":"MEDIUM","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.getIamPolicy":{"id":"storage.buckets.getIamPolicy","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.listEffectiveTags":{"id":"storage.buckets.listEffectiveTags","name":"Cloud Storage buckets","scope":"LOW","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.listTagBindings":{"id":"storage.buckets.listTagBindings","name":"Cloud Storage buckets","scope":"LOW","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.setIamPolicy":{"id":"storage.buckets.setIamPolicy","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.update":{"id":"storage.buckets.update","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["impact:encryption","destruction:metadata"],"notes":"Even though certain access-related controls are part of the bucket metadata (ACLs, public access settings), those cannot be updated without setIamPolicy. However, the encryption key can be updated with just this permission. An attacker could use their own key (in their own project) to encrypt the data, then disable or delete it, rendering the data unusable until the user can recover the key.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.getObjectInsights":{"id":"storage.buckets.getObjectInsights","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:data"],"notes":"This includes access to object metadata, but not objects themselves.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.hmacKeys.create":{"id":"storage.hmacKeys.create","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["escalation:data"],"notes":"Allows you to sign requests to cloud storage as a service account, allowing for escalation.","links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys","https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/"],"seeAlso":[]},"storage.hmacKeys.delete":{"id":"storage.hmacKeys.delete","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["impact:dos","destruction:crypto"],"notes":null,"links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys"],"seeAlso":[]},"storage.hmacKeys.get":{"id":"storage.hmacKeys.get","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["discovery:infra"],"notes":"This does not include the secret.","links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys"],"seeAlso":[]},"storage.hmacKeys.list":{"id":"storage.hmacKeys.list","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["discovery:infra"],"notes":"This does not include the secret.","links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys"],"seeAlso":[]},"storage.hmacKeys.update":{"id":"storage.hmacKeys.update","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["impact:dos"],"notes":"Allows updating the key to be inactive.","links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys"],"seeAlso":[]},"storage.multipartUploads.create":{"id":"storage.multipartUploads.create","name":"Cloud Storage Multi-part uploads","scope":"LOW","parent":{"notes":null,"description":"Allows users to upload an object to a Cloud Storage bucket in multiple parts."},"risks":["impact:spend"],"notes":"Also requires storage.objects.create permission.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.multipartUploads.abort":{"id":"storage.multipartUploads.abort","name":"Cloud Storage Multi-part uploads","scope":"LOW","parent":{"notes":null,"description":"Allows users to upload an object to a Cloud Storage bucket in multiple parts."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.multipartUploads.list":{"id":"storage.multipartUploads.list","name":"Cloud Storage Multi-part uploads","scope":"LOW","parent":{"notes":null,"description":"Allows users to upload an object to a Cloud Storage bucket in multiple parts."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.multipartUploads.listParts":{"id":"storage.multipartUploads.listParts","name":"Cloud Storage Multi-part uploads","scope":"LOW","parent":{"notes":null,"description":"Allows users to upload an object to a Cloud Storage bucket in multiple parts."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.create":{"id":"storage.objects.create","name":"Cloud Storage Objects","scope":"LOW","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.delete":{"id":"storage.objects.delete","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["impact:dos","destruction:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.get":{"id":"storage.objects.get","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["exfiltration:data","discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.list":{"id":"storage.objects.list","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.getIamPolicy":{"id":"storage.objects.getIamPolicy","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.setIamPolicy":{"id":"storage.objects.setIamPolicy","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.update":{"id":"storage.objects.update","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["destruction:metadata"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]}},"k8s":{"apiregistration.k8s.io/apiservices.create":{"id":"apiregistration.k8s.io/apiservices.create","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["escalation:network"],"notes":"Together with the ability to deploy a new Kubernetes service in the cluster an attacker can configure an APIService to expose that new service with custom authentication settings which opens a backdoor to the cluster.","links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.delete":{"id":"apiregistration.k8s.io/apiservices.delete","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["destruction:infra"],"notes":"Only API Services that expose custom CRDs can be deleted. API Services automanaged by Kubernetes, such as core v1, apps/v1, batch/v1, extensions/v1beta1 APIs cannot be deleted or modified.","links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.get":{"id":"apiregistration.k8s.io/apiservices.get","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.getStatus":{"id":"apiregistration.k8s.io/apiservices.getStatus","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.list":{"id":"apiregistration.k8s.io/apiservices.list","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.update":{"id":"apiregistration.k8s.io/apiservices.update","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":["escalation:network"],"notes":null,"links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.updateStatus":{"id":"apiregistration.k8s.io/apiservices.updateStatus","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions  in the cluster. For custom resources can set the insecureSkipTLSVerify to true which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across  multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes  extensions and custom resources. It also provides a way to specify the resource schema  for a custom resource, which enables client-side validation and discovery of resources."},"risks":[],"notes":"While this permission is exposed, updating the status of a custom APIService is not allowed. Status is managed by Kubernetes.","links":[],"seeAlso":[]},"apps/daemonsets.create":{"id":"apps/daemonsets.create","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network"],"notes":"Creation of DaemonSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services.  Secondly, creating DaemonSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/daemonsets.delete":{"id":"apps/daemonsets.delete","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a DaemonSets deletes its pods and ephemeral volumes. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"apps/daemonsets.get":{"id":"apps/daemonsets.get","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the DaemonSet, and Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"apps/daemonsets.getStatus":{"id":"apps/daemonsets.getStatus","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `daemonSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}` resource.","links":[],"seeAlso":[]},"apps/daemonsets.list":{"id":"apps/daemonsets.list","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all ReplicaSets in a namespace.","links":[],"seeAlso":[]},"apps/daemonsets.update":{"id":"apps/daemonsets.update","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","impact:hijack","impact:spend"],"notes":"An update may let an attacker change the container image that is running inside pods. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services. Since DaemonSet runs a pod on multiple nodes, DaemonSets are especially great for a complete cluster takeover. Secondly, DaemonSet pods drain the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/daemonsets.updateStatus":{"id":"apps/daemonsets.updateStatus","name":"DaemonSets","scope":"LOW","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":[],"notes":"This subresource has no effect on the actual DaemonSets.","links":[],"seeAlso":[]},"apps/deployments.create":{"id":"apps/deployments.create","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Deployments tie up compute resources in Kubernetes that cannot be allocated to another Kubernetes workload while the deployment is present. Deployments run a user-specified container image, which may allow an attacker to escalate their privileges by running arbitrary code inside the Kubernetes workload. Secondly, creating Deployments drains the limited resources available to other Kubernetes workloads.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.delete":{"id":"apps/deployments.delete","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Deployment deletes its pods and ephemeral volumes. Persistent Volumes attached to the Deployment are left intact. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.get":{"id":"apps/deployments.get","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Deployment, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.getScale":{"id":"apps/deployments.getScale","name":"Deployments","scope":"LOW","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale` subresource which returns the number of desired replicas in the Deployment. The `deployments.get` permission already includes the ability to read this subresource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/","https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"],"seeAlso":[]},"apps/deployments.getStatus":{"id":"apps/deployments.getStatus","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `deployments.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}` resource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.list":{"id":"apps/deployments.list","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all Deployments in a namespace.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.rollback":{"id":"apps/deployments.rollback","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra"],"notes":"Allows reverting to a previous version of the Deployment spec from the rollout history.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#checking-rollout-history-of-a-deployment"],"seeAlso":[]},"apps/deployments.update":{"id":"apps/deployments.update","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in Deployments drains the limited resources available to  other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.updateScale":{"id":"apps/deployments.updateScale","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"Allows updating the replica count, including setting replicas to 0. If properties other than replicas are updated in the PATCH request, those are quietly ignored. Secondly, increasing the replica count in Deployments drains the limited resources available to  other Kubernetes workloads.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.updateStatus":{"id":"apps/deployments.updateStatus","name":"Deployments","scope":"LOW","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":[],"notes":"Allows updating the status object of the Deployment with different \"replicas\", \"updatedReplicas\", \"readyReplicas\", and \"availableReplicas\" counts than the actual counts in the Deployment's current ReplicaSet. However, these values don't take effect, despite a successful API call.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/replicasets.create":{"id":"apps/replicasets.create","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Creation of standalone ReplicaSet allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. Secondly, creating ReplicaSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/replicasets.delete":{"id":"apps/replicasets.delete","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a ReplicaSet deletes its pods and ephemeral volumes. PersistentVolumes attached to the ReplicaSet are left intact. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"apps/replicasets.get":{"id":"apps/replicasets.get","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the ReplicaSet, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"apps/replicasets.getScale":{"id":"apps/replicasets.getScale","name":"ReplicaSets","scope":"LOW","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale` subresource which returns the number of desired replicas in the ReplicaSet. The `replicaSets.get` permission already includes the ability to read this subresource.","links":[],"seeAlso":[]},"apps/replicasets.getStatus":{"id":"apps/replicasets.getStatus","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `replicaSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}` resource.","links":[],"seeAlso":[]},"apps/replicasets.list":{"id":"apps/replicasets.list","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all ReplicaSets in a namespace.","links":[],"seeAlso":[]},"apps/replicasets.update":{"id":"apps/replicasets.update","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in ReplicaSets drains the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"apps/replicasets.updateScale":{"id":"apps/replicasets.updateScale","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. Allows updating the replica count, including setting replicas to 0. If properties other than replicas are updated in the PATCH request, those are quietly ignored. Secondly, increasing the replica count in ReplicaSets drains the limited resources available to  other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/replicasets.updateStatus":{"id":"apps/replicasets.updateStatus","name":"ReplicaSets","scope":"LOW","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":[],"notes":"Allows updating the status object of the ReplicaSet with different \"replicas\", \"updatedReplicas\", \"readyReplicas\", and \"availableReplicas\" counts than the actual counts in the Replicasets's current ReplicaSet. However, these values don't take effect, despite a successful API call.","links":[],"seeAlso":[]},"apps/statefulsets.create":{"id":"apps/statefulsets.create","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Creation of StatefulSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. Secondly, creating StatefulSets drains the limited  resources available to other Kubernetes workloads. Persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"apps/statefulsets.delete":{"id":"apps/statefulsets.delete","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a DaemonSets deletes its pods and ephemeral volumes. Persistent Volumes are retained. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"apps/statefulsets.get":{"id":"apps/statefulsets.get","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the StatefulSet, and Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"apps/statefulsets.getScale":{"id":"apps/statefulsets.getScale","name":"StatefulSets","scope":"LOW","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/scale` subresource which returns the number of desired replicas in the StatefulSet. The `statefulSets.get` permission already includes the ability to read this subresource.","links":[],"seeAlso":[]},"apps/statefulsets.getStatus":{"id":"apps/statefulsets.getStatus","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `statefulSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}` resource.","links":[],"seeAlso":[]},"apps/statefulsets.list":{"id":"apps/statefulsets.list","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all StatefulSets in a namespace.","links":[],"seeAlso":[]},"apps/statefulsets.update":{"id":"apps/statefulsets.update","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in StatefulSets may cause disruption to stateful services, depending on the behavior of the stateful service in a scaling event. Scaling may drain the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"apps/statefulsets.updateScale":{"id":"apps/statefulsets.updateScale","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"If properties other than replicas are updated in the PATCH request, those are quietly ignored.  Secondly, increasing the replica count in StatefulSets may disrupt stateful service and/or drain the limited resources  available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/statefulsets.updateStatus":{"id":"apps/statefulsets.updateStatus","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":[],"notes":"This subresource has no effect on the actual StatefulSets.","links":[],"seeAlso":[]},"batch/jobs.create":{"id":"batch/jobs.create","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Jobs tie up compute resources in Kubernetes that cannot be allocated to another Kubernetes workload while the Job is present. Jobs run a user-specified container image, which may allow an attacker to escalate their privileges by running arbitrary code inside the Kubernetes workload with service account privileges. Persistent Volumes may be  attached to jobs, meaning data can be exposed to the Kubernetes workload.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.delete":{"id":"batch/jobs.delete","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Job deletes its pods and ephemeral volumes. Persistent Volumes attached to the Job are left intact. Logs of the deleted pods disappear permanently when the job completes and the pods shut down, unless they are exported to an external system for persistence.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.get":{"id":"batch/jobs.get","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Job, Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.getStatus":{"id":"batch/jobs.getStatus","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `jobs.get`. Allows reading the `/apis/batch/v1/namespaces/{namespace}/deployments/{name}/status` subresource which returns the same payload as the `/apis/batch/v1/namespaces/{namespace}/deployments/{name}` resource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.list":{"id":"batch/jobs.list","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all Jobs in a namespace.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.update":{"id":"batch/jobs.update","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["destruction:infra","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may suspend the job which prevents the controller from creating Pods, effectively disabling the Job.  An update may also let an attacker change the container image that is running inside pods, potentially leading to a arbitrary code execution. Secondly, increasing the parallelism in Jobs or the amount of resources dedicated to Pods drains the  limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods,  which may provide access to sensitive data.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.updateStatus":{"id":"batch/jobs.updateStatus","name":"Jobs","scope":"LOW","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":[],"notes":"Allows updating the status object of the Jobs with different \"active\", \"failed\", \"ready\", and \"succeeded\" counts. However, these values don't take effect, despite a successful API call. The status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"core/endpoints.create":{"id":"core/endpoints.create","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["escalation:network"],"notes":"Creating an endpoint slice may open up access to Pods from the public Internet.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/endpoints.delete":{"id":"core/endpoints.delete","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network"],"notes":"Deleting an endpoint slice may partially or completely disrupt public access to Kubernetes Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/endpoints.get":{"id":"core/endpoints.get","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about a specific endpoint slice: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/endpoints.list":{"id":"core/endpoints.list","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve  about all endpoint slices: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/endpoints.update":{"id":"core/endpoints.update","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network","escalation:network"],"notes":"An endpoint update allows remapping IP addresses and ports to different Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/namespaces.create":{"id":"core/namespaces.create","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":[],"notes":"Namespace is a logical resource, and creating one does not carry risks by itself.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.delete":{"id":"core/namespaces.delete","name":"Namespaces","scope":"CRITICAL","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:data","destruction:infra","destruction:logs","destruction:network","destruction:policy"],"notes":"Deleting a namespace also deletes all other Kubernetes resources inside it.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.finalize":{"id":"core/namespaces.finalize","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:defense"],"notes":"Allows updating the list of finalizers. Finalizers check if a certain condition is met before deleting a  namespace. They may either implement garbage-collection, and are responsible for cleaning up all resources inside  a namespace when that namespace is deleted. Or, they may implement a protective measure and prevent the deletion of a namespace, for instance the `kubernetes.io/pvc-protection` finalizer prevents accidental deletion of data. As such, the edit and removal of finalizers may remove protection measures.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/"],"seeAlso":[]},"core/namespaces.get":{"id":"core/namespaces.get","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Retrieve metadata about a namespace.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.getStatus":{"id":"core/namespaces.getStatus","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Allows see the same namespace metadata as `namespaces.get`.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.list":{"id":"core/namespaces.list","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Allows listing namespaces.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.update":{"id":"core/namespaces.update","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:defense"],"notes":"Allows editing the finalizers array. See `namespaces.finalize` permission.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.updateStatus":{"id":"core/namespaces.updateStatus","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespaces, meaning Roles only grant permissions within the scope of one namespace."},"risks":[],"notes":"Status is managed by the Kubernetes control plane, updating it does not take effect.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/nodes.create":{"id":"core/nodes.create","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":[],"notes":"There are two ways to create a node: self-registration from the kubelet running on the node using a kubeconfig file or by manually registering the node via the Kubernetes API. The `node.create`  permission allows the latter. Creating a node object manually only creates an internal node representation. The control plane then ensures that a node object described is valid: is available and healthy. Only then does it become eligible to run a Pod. This permission alone is not enough to add a new Node to a cluster.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/concepts/architecture/nodes/#management","https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"],"seeAlso":[]},"core/nodes.delete":{"id":"core/nodes.delete","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":"Deleting a node immediately destroys all workloads running on it. This is an unsafe action and is likely to disrupt normal operations. Instead, a node can be cordoned to prevent new pods from being scheduled on it. Cordoning requires the `nodes.update` permission. To safely move workloads to other nodes, the node must be drained. The `kubectl drain` command uses listing commands (list pods, replicasets, daemonsets, etc.), and the `pods.evict` permission.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/concepts/architecture/nodes/#manual-node-administration","https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/"],"seeAlso":[]},"core/nodes.get":{"id":"core/nodes.get","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"The response payload contains container image IDs stored on the nodes, as well as IP addresses, Pod CIDR ranges, health check statuses, and other metadata.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"core/nodes.getStatus":{"id":"core/nodes.getStatus","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"Allows access to the same information as `nodes.get`.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"core/nodes.list":{"id":"core/nodes.list","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"List all nodes.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"core/nodes.proxy":{"id":"core/nodes.proxy","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["escalation:privilege","escalation:lateral"],"notes":"This permission allows calling the `api/v1/nodes/{node}/proxy/{path?}` endpoint with any HTTP method, which executes the request directly against the kubelet API on the kubelet running on the node, without further authorization checks. It is theoretically possible to call other endpoints of the kubelet API, such as `/exec` `/portForward`, that allow reading the node service account token to act as the service account, or executing code on the node.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://www.deepnetwork.com/blog/2020/01/13/kubelet-api.html","https://blog.aquasec.com/privilege-escalation-kubernetes-rbac"],"seeAlso":[]},"core/nodes.update":{"id":"core/nodes.update","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":["impact:manipulation","destruction:metadata"],"notes":"The things that you can typically update are the metadata labels and annotations, and fields in the `spec` section of the node manifest: taints, which prevent certain pods to be scheduled on the node, and the  `unschedulable` property, which effectively cordons the node.  With enough nodes cordoned or tainted the  cluster may become \"paralyzed\" because workloads cannot be scheduled efficiently or not at all.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#nodespec-v1-core"],"seeAlso":[]},"core/nodes.updateStatus":{"id":"core/nodes.updateStatus","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible, block ssh access if possible (already enforced in AutoPilot mode), isolation between containers running on the  same node, isolation between the host operating system on the node and the workload running inside a container, performing timely upgrades of the node OS, Kubernetes, and the container runtime.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity  resources for running containers and other tasks assigned by the control plane."},"risks":[],"notes":"Allows updating only the status component of a node. Does not have any real effect since status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"core/pods.attach":{"id":"core/pods.attach","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["destruction:infra","impact:access"],"notes":"Allows attaching to a process that is already running inside an existing container. An attacker accesses the stdout output, and is able to send stdin input to the running process, for instance ctrl+c to stop the process.","links":[],"seeAlso":[]},"core/pods.create":{"id":"core/pods.create","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"It is possible to create standalone pods not managed by a Deployment or other controller in Kubernetes. This action bears the risk of pulling in an arbitrary image (if the cluster is open to the internet) to hijack resources, or to move laterally by assuming the privileges of the pod's or node's service account. It also drains the cluster's limited resource pool.","links":[],"seeAlso":[]},"core/pods.delete":{"id":"core/pods.delete","name":"Pods","scope":"MEDIUM","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a pod deletes its pods and ephemeral volumes. PersistentVolumes attached to the pod are left intact. Logs of the deleted pod disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"core/pods.evict":{"id":"core/pods.evict","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["impact:consumption"],"notes":"Eviction moves the pod to another node. An attacker may disrupt normal operations with many evictions, draining cluster resources.","links":[],"seeAlso":[]},"core/pods.exec":{"id":"core/pods.exec","name":"Pods","scope":"CRITICAL","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:privilege","escalation:lateral"],"notes":"The exec operation is similar to the `attach` operation, but instead of attaching to an existing process inside the container, it allows launching a new process from a command and attaching to it. Most often this command is opening the shell, dropping an attacker in a terminal inside the container. The risks arising are container and  application-specific. However, process run inside the container are authenticated as the service account, leading to privilege escalation, and potentially lateral movement into other cloud services.","links":[],"seeAlso":[]},"core/pods.get":{"id":"core/pods.get","name":"Pods","scope":"MEDIUM","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Deployment, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"core/pods.getLogs":{"id":"core/pods.getLogs","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"Logs of the application running on any of the pod's containers can be read with the `getLogs` permission.","links":[],"seeAlso":[]},"core/pods.getStatus":{"id":"core/pods.getStatus","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"Allows reading the same Pod metadata as `pods.get`.","links":[],"seeAlso":[]},"core/pods.initialize":{"id":"core/pods.initialize","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"Documentation is lacking on this permission. It may be related to init-containers, or the initialization process of a Pod.","links":[],"seeAlso":[]},"core/pods.list":{"id":"core/pods.list","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"List metadata about all pods.","links":[],"seeAlso":[]},"core/pods.portForward":{"id":"core/pods.portForward","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:network","impact:access"],"notes":"Forwards a local port to a port on the Pod. This allows interaction with the application, if the application listens on any ports. An attacker may exploit application risks with the ability to port-forward.","links":[],"seeAlso":[]},"core/pods.proxy":{"id":"core/pods.proxy","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:network","impact:access"],"notes":"The proxy action forwards the HTTP request to a specific port and request path inside the container. If a process is listening on that port and path, this is similar in effect to port forwarding, and may allow an attacker to exploit application-level risks.","links":[],"seeAlso":[]},"core/pods.update":{"id":"core/pods.update","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"An update is limited to a few fields in the Pod spec: may not change fields other than  spec.containers[*].image, spec.initContainers[*].image, spec.activeDeadlineSeconds, spec.tolerations (only additions to existing tolerations) or `spec.terminationGracePeriodSeconds` (allow it to be set to 1 if it was previously negative).  In practice even the image update is not possible since pods are typically run via a controller. In those cases an update to the `image` field has no effect.","links":["https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#pod-v1-core"],"seeAlso":[]},"core/pods.updateStatus":{"id":"core/pods.updateStatus","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"Has no effect on the actual status, as it is managed by Kubernetes.","links":[],"seeAlso":[]},"core/secrets.create":{"id":"core/secrets.create","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":[],"notes":"Creating a secret does not represent a security risk by itself.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/secrets.delete":{"id":"core/secrets.delete","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["destruction:infra"],"notes":"Deleting a secret may disrupt communication of workloads with the Kubernetes API server, or other services.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/secrets.get":{"id":"core/secrets.get","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["discovery:data","discovery:infra","exfiltration:crypto","exfiltration:data"],"notes":"By default, secrets are stored unencrypted in Kubernetes, and anyone who can read the secret has access to its contents.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/secrets.list":{"id":"core/secrets.list","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["discovery:data","discovery:infra","exfiltration:crypto","exfiltration:data"],"notes":"List all secrets in a specific namespace. Listing also allows reading the data field of each secret.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/secrets.update":{"id":"core/secrets.update","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["destruction:infra"],"notes":"Allows updating the contents of the secret (the `data` field) unless `immutable` property was set to true.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/serviceaccounts.create":{"id":"core/serviceaccounts.create","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":[],"notes":"Creating a service account by itself does not represent a security risk. Service accounts need to be granted permissions via Roles.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/serviceaccounts.createToken":{"id":"core/serviceaccounts.createToken","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["escalation:lateral"],"notes":"Allows sending a TokenRequest to the API server. This request issues a new token and binds the token to a service account. The token is also returned to the caller, allowing it to act as  the service account bound to that token.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#tokenrequestspec-v1-authentication-k8s-io","https://securitylabs.datadoghq.com/articles/kubernetes-tokenrequest-api/"],"seeAlso":[]},"core/serviceaccounts.delete":{"id":"core/serviceaccounts.delete","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["destruction:infra"],"notes":"Deleting a service account may disrupt communication of workloads with the Kubernetes API server.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/serviceaccounts.get":{"id":"core/serviceaccounts.get","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["discovery:infra"],"notes":"Read which secrets are associated with a specific service account. The secret contents cannot be read with this permission.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/serviceaccounts.list":{"id":"core/serviceaccounts.list","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["discovery:infra"],"notes":"Read all service accounts in a namespace.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/serviceaccounts.update":{"id":"core/serviceaccounts.update","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["destruction:infra"],"notes":"An update may remove or add more secrets. In particular, a removal may remove the imagePullSecret of service account or the Kubernetes API secret.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/services.create":{"id":"core/services.create","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["escalation:network"],"notes":"Services open up communication to your pods from other Kubernetes workloads. Depending on other settings in the Kubernetes cluster and the presence of ingress controllers, it may allow public exposure as well.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.delete":{"id":"core/services.delete","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["destruction:network"],"notes":"Deleting a service may disrupt communication to Pods, taking down an application completely.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.get":{"id":"core/services.get","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"Retrieve status information such as Pod selector, IP (virtual), port. Additionally, load-balancer information is returned, if any: public IP, port, host name.","links":["https://kubernetes.io/docs/concepts/services-networking/service","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#loadbalancerstatus-v1-core"],"seeAlso":[]},"core/services.getStatus":{"id":"core/services.getStatus","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"While this is a different permission from `services.get`, calling the `GET api/v1/namespaces/default/services/{{service-name}}/status` endpoint retrieves the same information as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.list":{"id":"core/services.list","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"List all services and their description to the same detail as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.proxy":{"id":"core/services.proxy","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["escalation:lateral","escalation:network","exfiltration:data","impact:manipulation"],"notes":"Allows an attacker to interact with your application as if they were inside the Kubernetes cluster. Creates a proxy server or between localhost and a specified service running on Kubernetes. This service can be a kube-system service started by Kubernetes and retrieved by the `kubectl cluster-info` command or a user-defined Service object. The resulting proxy allows sending payloads to the targeted Service which otherwise would be unreachable. This is different from the `kubectl proxy` command which creates a proxy for  the Kubernetes API server - this endpoint acts like a bastion and exposes the user-defined application endpoints  of a Service.","links":["https://kubernetes.io/docs/concepts/services-networking/service","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#create-connect-proxy-service-v1-core","https://kubernetes.io/docs/concepts/cluster-administration/proxies/"],"seeAlso":[]},"core/services.update":{"id":"core/services.update","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["destruction:network","escalation:network"],"notes":"Modifying a Service may render Pods unreachable to other Kubernetes workloads or establish new connections to Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.updateStatus":{"id":"core/services.updateStatus","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"Updating the status metadata has no effect on the actual status of the Service. Services are managed by controllers. However, the response returns the entire Service object, with the same information as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint, allowing discovery of Service parameters.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"discovery.k8s.io/endpointslices.create":{"id":"discovery.k8s.io/endpointslices.create","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["escalation:network"],"notes":"Creating an endpoint may open up access to Pods from the public Internet.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"discovery.k8s.io/endpointslices.delete":{"id":"discovery.k8s.io/endpointslices.delete","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network"],"notes":"Deleting an endpoint may partially or completely disrupt public access to Kubernetes Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"discovery.k8s.io/endpointslices.get":{"id":"discovery.k8s.io/endpointslices.get","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about a specific endpoint: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"discovery.k8s.io/endpointslices.list":{"id":"discovery.k8s.io/endpointslices.list","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve  about all endpoints: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"discovery.k8s.io/endpointslices.update":{"id":"discovery.k8s.io/endpointslices.update","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network","escalation:network"],"notes":"An endpoint update allows remapping IP addresses and ports to different Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.create":{"id":"rbac.authorization.k8s.io/clusterrolebindings.create","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRoleBinding unless at least one of the following two conditions is met: 1) the caller has the permission it is granting 2) the caller has the `clusterRoles.bind` permission","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.delete":{"id":"rbac.authorization.k8s.io/clusterrolebindings.delete","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["destruction:policy"],"notes":"Deleting a ClusterRoleBinding removes the permissions of the ClusterRole from a list of principals","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.get":{"id":"rbac.authorization.k8s.io/clusterrolebindings.get","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["discovery:policy"],"notes":"Retrieves the list of principals and the role in a specific ClusterRoleBinding","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.list":{"id":"rbac.authorization.k8s.io/clusterrolebindings.list","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["discovery:policy"],"notes":"List all ClusterRoleBindings within a namespace","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.update":{"id":"rbac.authorization.k8s.io/clusterrolebindings.update","name":"ClusterRoleBindings","scope":"MEDIUM","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRoleBinding unless one of the following two conditions are met: 1) the caller has the permission it is granting 2) the caller has the `clusterRoles.bind` permission","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.bind":{"id":"rbac.authorization.k8s.io/clusterroles.bind","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by binding a ClusterRole to them.  Also requires the `clusterRoleBindings.create` or `clusterRoleBindings.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.create":{"id":"rbac.authorization.k8s.io/clusterroles.create","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":[],"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding. Kubernetes does not allow the creation or update of a ClusterRole unless one of the following two conditions are met: 1) the caller already has the permissions contained in the role 2) the caller has the `clusterRoles.escalate` permission","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.delete":{"id":"rbac.authorization.k8s.io/clusterroles.delete","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["destruction:policy"],"notes":"ClusterRoles that are attached to principals via a ClusterRoleBinding can be deleted in Kubernetes.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.escalate":{"id":"rbac.authorization.k8s.io/clusterroles.escalate","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by creating a new ClusterRole or updating an existing ClusterRole. Also requires the `clusterRoles.create` or `clusterRoles.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.get":{"id":"rbac.authorization.k8s.io/clusterroles.get","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["discovery:policy"],"notes":"Retrieves the permissions contained in a specific ClusterRole.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.list":{"id":"rbac.authorization.k8s.io/clusterroles.list","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["discovery:policy"],"notes":"List all ClusterRoles","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.update":{"id":"rbac.authorization.k8s.io/clusterroles.update","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRole unless one of the following two conditions are met: 1) the caller already has the permissions contained in the role 2) the caller has the `clusterRoles.escalate` permission","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.create":{"id":"rbac.authorization.k8s.io/rolebindings.create","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a RoleBinding unless at least one of the following two conditions is met: 1) the caller has the permission it is granting 2) the caller has the `roles.bind` permission","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.delete":{"id":"rbac.authorization.k8s.io/rolebindings.delete","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["destruction:policy"],"notes":"Deleting a RoleBinding removes the permissions of the Role from a list of principals","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.get":{"id":"rbac.authorization.k8s.io/rolebindings.get","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"Retrieves the list of principals and the role in a specific RoleBinding","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.list":{"id":"rbac.authorization.k8s.io/rolebindings.list","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"List all RoleBindings within a namespace","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.update":{"id":"rbac.authorization.k8s.io/rolebindings.update","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts).  It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a RoleBinding unless one of the following two conditions are met: 1) the caller has the permission it is granting 2) the caller has the `roles.bind` permission","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.bind":{"id":"rbac.authorization.k8s.io/roles.bind","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by binding a Role to them.  Also requires the `roleBindings.create` or `roleBindings.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/roles.create":{"id":"rbac.authorization.k8s.io/roles.create","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding. Kubernetes does not allow the creation or update of a Role unless one of the following two conditions are met: 1) the caller already has the permissions contained in the role 2) the caller has the `roles.escalate` permission","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.delete":{"id":"rbac.authorization.k8s.io/roles.delete","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["destruction:policy"],"notes":"Roles that are attached to principals via a RoleBinding can be deleted in Kubernetes.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.escalate":{"id":"rbac.authorization.k8s.io/roles.escalate","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by creating a new Role or updating an existing Role. Also requires the `roles.create` or `roles.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/roles.get":{"id":"rbac.authorization.k8s.io/roles.get","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"Retrieves the permissions contained in a specific role.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.list":{"id":"rbac.authorization.k8s.io/roles.list","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"List all roles within a namespace","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.update":{"id":"rbac.authorization.k8s.io/roles.update","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a Role unless one of the following two conditions are met: 1) the caller already has the permissions contained in the role 2) the caller has the `roles.escalate` permission","links":[],"seeAlso":[]}},"workspace":{"ADMIN_DASHBOARD":{"id":"ADMIN_DASHBOARD","name":"Admin","scope":"CRITICAL","parent":{"notes":"","description":"The Admin console and API allow control over the Google Workspace, including its users, groups, organizational units, schemata, licenses, domains, and security settings."},"risks":[],"notes":"The exact use of this privilege is not well documented. Naming suggests that this allows access to the Admin console.","links":[],"seeAlso":[]},"GROUPS_ALL":{"id":"GROUPS_ALL","name":"Groups","scope":"CRITICAL","parent":{"notes":"Groups are identities that may be granted to users or other groups within Workspace. Groups may be granted privileges within other systems, notably Google Cloud. This catalog treats groups as system accounts for the purposes of risk assignment.","description":"Privileges for viewing and managing groups."},"risks":["discovery:account","destruction:account","destruction:policy","escalation:lateral","impact:manipulation"],"notes":"Create / read / update / delete on groups. Allows modification of the group's aliases, email address, name, and description. Allows updating group settings, which can alter who can join groups, and who can approve group join requests.\nLateral movement in this context indicates movement from one user or group account to the managed group account.","links":["https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group","https://developers.google.com/admin-sdk/groups-settings/manage"],"seeAlso":[]},"GROUPS_MANAGE_LOCKED_LABEL":{"id":"GROUPS_MANAGE_LOCKED_LABEL","name":"Groups","scope":"CRITICAL","parent":{"notes":"Groups are identities that may be granted to users or other groups within Workspace. Groups may be granted privileges within other systems, notably Google Cloud. This catalog treats groups as system accounts for the purposes of risk assignment.","description":"Privileges for viewing and managing groups."},"risks":["destruction:policy","escalation:privilege"],"notes":"Locked labels are labels that are used in application policies. Altering these labels allows destruction or escalation of privileges to these policies.","links":["https://support.google.com/a/answer/13127870"],"seeAlso":[]},"GROUPS_MANAGE_SECURITY_LABEL":{"id":"GROUPS_MANAGE_SECURITY_LABEL","name":"Groups","scope":"CRITICAL","parent":{"notes":"Groups are identities that may be granted to users or other groups within Workspace. Groups may be granted privileges within other systems, notably Google Cloud. This catalog treats groups as system accounts for the purposes of risk assignment.","description":"Privileges for viewing and managing groups."},"risks":["impact:access"],"notes":"Converting a group to a security group is a one-time irreversible operation. Security groups can not be automatically joined by your organization's members, nor joined by non-security groups or users external to your organization.\nSince this is a non-reversible operation, converting a group to a security group can impact group access.","links":["https://support.google.com/a/answer/10607394"],"seeAlso":[]},"USERS_RETRIEVE":{"id":"USERS_RETRIEVE","name":"Groups","scope":"CRITICAL","parent":{"notes":"Users are accounts with static usernames, passwords, and email addresses. Typically used for human accounts.","description":"Privileges for viewing and managing users."},"risks":["discovery:account","exfiltration:data"],"notes":"Gives access to the account's user name, email address, and profile fields. Many profile fields are personally identifying or otherwise sensitive, including addresses, telephone numbers, and gender.","links":["https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User"],"seeAlso":[]},"ORGANIZATION_UNITS_RETRIEVE":{"id":"ORGANIZATION_UNITS_RETRIEVE","name":"Organizational Units","scope":"CRITICAL","parent":{"notes":"Organizational units provide a mechanism for organizing users within a Workspace, as well as for applying settings and access policies to those users.","description":"Privileges for viewing and managing organizational units."},"risks":["discovery:infra"],"notes":"Allows the caller to retrieve organizational unit paths.","links":["https://developers.google.com/admin-sdk/directory/reference/rest/v1/orgunits#OrgUnit"],"seeAlso":[]},"SUPER_ADMIN":{"id":"SUPER_ADMIN","name":"Super Admin","scope":null,"parent":{"notes":null,"description":"Google super admins have access to all features in Google Admin, can alter any organizational settings, and have full access to all users' calendars.\nSome actions can only be taken by super admins, including: creating and assigning administrator roles, managing other super admins, inviting unmanaged user accounts, restoring deleted user accounts, installing Google Marketplace apps, granting domain-wide delegation, and modifying SAML apps."},"risks":["destruction:account","destruction:crypto","destruction:defense","destruction:metadata","destruction:policy","destruction:infra","discovery:account","discovery:policy","escalation:privilege","persistence:account","takeover:account"],"notes":"Super admins have the highest level of privilege in a Workspace account.\nHolding this privilege allows creation and deletion of accounts, as well as account takeover via password reset. It allows modification of administrator roles and role assignments. It also can allow disabling (or enabling) of two- factor security settings.","links":["https://support.google.com/a/answer/2405986"],"seeAlso":[]}}}}