Best practices

Azure User with Top-Level Assigned Permission of listKeys to Storage Accounts

Platform(s)

Description

Azure users with the "Microsoft.Storage/storageAccounts/listkeys/action" permission assigned at a top-level resource scope, such as a subscription or resource group, pose a security threat and violate the principle of least privilege. If compromised, these users can list the keys of a wide range of storage accounts, granting them full access and enabling lateral movement within the environment to reach critical business assets.
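An added audit example (not part of this page or any vendor tooling) that finds the assignments described above: it assumes role assignment and role definition records in the JSON field shape returned by `az role assignment list` and `az role definition list`, treats management group, subscription and resource group scopes as broad, and goes beyond the literal action name by resolving RBAC wildcards (`*`, `Microsoft.Storage/*`) and `notActions`, so roles such as Contributor are caught while a custom role that explicitly excludes listKeys is not. All sample records are constructed.

```python
"""Audit Azure role assignments that grant listKeys at broad scope (added example).
Records mirror the JSON shape of `az role assignment list` / `az role definition list`."""
import re

LISTKEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
# Management group, subscription or resource group scope (not a single resource).
BROAD_SCOPE = re.compile(
    r"^(/|/providers/Microsoft\.Management/managementGroups/[^/]+"
    r"|/subscriptions/[^/]+(/resourceGroups/[^/]+)?)$", re.IGNORECASE)

def action_matches(pattern, action):
    """Azure RBAC action strings are case-insensitive; '*' matches any run."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role_def, action=LISTKEYS):
    """True if a permissions block allows the action and does not exclude it."""
    for perm in role_def.get("permissions", []):
        allowed = any(action_matches(a, action) for a in perm.get("actions", []))
        denied = any(action_matches(n, action) for n in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def find_broad_listkeys(assignments, role_defs):
    """Return (principal, role, scope) for every assignment that needs review."""
    by_name = {r["roleName"]: r for r in role_defs}
    return [(a["principalName"], a["roleDefinitionName"], a["scope"])
            for a in assignments
            if a["roleDefinitionName"] in by_name
            and BROAD_SCOPE.match(a["scope"])
            and role_grants(by_name[a["roleDefinitionName"]])]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id
ROLE_DEFS = [  # constructed, simplified built-in and custom roles
    {"roleName": "Contributor", "permissions": [
        {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Key Operator", "permissions": [{"actions": [LISTKEYS], "notActions": []}]},
    {"roleName": "Storage Admin No Keys", "permissions": [
        {"actions": ["Microsoft.Storage/*"], "notActions": [LISTKEYS]}]},
]
ASSIGNMENTS = [  # constructed; carol's scope is one storage account, so it is not flagged
    {"principalName": "alice", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob", "roleDefinitionName": "Key Operator", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "carol", "roleDefinitionName": "Key Operator",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stprod01"},
    {"principalName": "dave", "roleDefinitionName": "Storage Admin No Keys", "scope": SUB},
]
```

Running `find_broad_listkeys(ASSIGNMENTS, ROLE_DEFS)` on the sample flags alice (Contributor at subscription scope) and bob (listKeys at resource group scope) only.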