Lateral movement

Azure Automation account variables expose secrets

Risk Level

Hazardous (3)

Compliance Frameworks


An Azure Automation account lets you automate Azure management tasks and orchestrate actions across external systems from within Azure. Recipes are coded in runbooks. Variables can store database URLs, user names, and other configuration values, and can be used to change a runbook's behavior without changing its code. Storing secrets such as passwords or keys in variables is not safe, since an attacker may be able to access those variables and use them for lateral movement. The Automation account {AzureAutomationAccount} was found to have the following exposed secrets: {AzureAutomationAccount.SecretEnvVars}
Recommended Mitigation

Review your Automation account configurations and verify that no secrets are stored in the variables. We recommend storing secrets in a dedicated service such as Azure Key Vault or a third-party service.
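
One way to carry out the review described above, as an added example (not code from this page or from the product that produced the finding): a check over an exported variable listing that flags unencrypted variables whose name or value looks like a secret. The JSON shape follows the Azure REST response for listing Automation variables; the sample data, the function name `find_exposed` and the regular expressions are constructed assumptions.

```python
import json
import re

# Constructed sample shaped like the ARM "list variables" response for an
# Automation account: properties.value is a JSON-serialized string and is
# null when isEncrypted is true. All names and values are made up.
SAMPLE = json.loads(r'''
{"value": [
  {"name": "DbUrl", "properties": {"isEncrypted": false, "value": "\"sql01.example.internal\""}},
  {"name": "SqlAdminPassword", "properties": {"isEncrypted": false, "value": "\"Summer2024!\""}},
  {"name": "StorageConn", "properties": {"isEncrypted": false,
     "value": "\"DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==\""}},
  {"name": "ApiToken", "properties": {"isEncrypted": true, "value": null}},
  {"name": "RetryCount", "properties": {"isEncrypted": false, "value": "3"}}
]}
''')

# Heuristics (assumptions): tune these to your own naming conventions.
NAME_RE = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|credential", re.I)
VALUE_RE = re.compile(
    r"AccountKey=|SharedAccessKey=|Password=|-----BEGIN [A-Z ]*PRIVATE KEY-----", re.I)

def find_exposed(listing):
    """Return (name, reason) for each unencrypted variable that looks like a secret."""
    findings = []
    for var in listing.get("value", []):
        props = var.get("properties", {})
        if props.get("isEncrypted"):
            continue  # encrypted variables are not returned in clear text
        raw = props.get("value")
        try:
            value = json.loads(raw) if raw is not None else None
        except json.JSONDecodeError:
            value = raw  # tolerate values that are not valid JSON
        if NAME_RE.search(var.get("name", "")):
            findings.append((var["name"], "secret-like name"))
        elif isinstance(value, str) and VALUE_RE.search(value):
            findings.append((var["name"], "secret-like value"))
    return findings

if __name__ == "__main__":
    # Report names and reasons only; never echo the value itself.
    for name, reason in find_exposed(SAMPLE):
        print(f"{name}: stored unencrypted ({reason})")
```

Variables flagged this way are candidates for moving to Azure Key Vault, with the exposed value rotated after the move.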