Unexpected Azure API calls indicating Key Vault access policy modification
Description
AlphaSOC detected modification of an Azure Key Vault access policy via Microsoft.KeyVault/vaults/accessPolicies/write. Access policies define which identities can access secrets, keys, and certificates stored in the vault.
Access policy modifications can grant or revoke permissions to sensitive credentials. Adversaries who have compromised administrative credentials may add themselves to access policies to steal secrets or establish persistent access to credential stores.
Impact
Unauthorized access policy changes can expose sensitive secrets, encryption keys, and certificates to attackers. Threat actors may use stolen credentials to access other systems, decrypt protected data, or impersonate services. Unauthorized access to Key Vault secrets can lead to widespread compromise of applications and infrastructure.
Severity
| Severity | Condition |
|---|---|
| Low | Access policy modification detected |
| Medium | Anomalous access policy modification |
Investigation and Remediation
Review Azure Activity logs for Microsoft.KeyVault/vaults/accessPolicies/write events. Identify what permissions were granted or revoked and to which identities. Verify that the changes align with authorized change management processes.
If unauthorized, immediately revoke the added permissions and investigate what secrets may have been accessed. Review Key Vault diagnostic logs for secret retrieval operations. Rotate any secrets that may have been exposed and implement Azure RBAC instead of access policies for more granular control.
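The triage steps above (find the accessPolicies/write events, extract caller, vault and the permissions being granted, and decide whether the change is routine or anomalous) as an added example script. This is illustrative code written for this page, not AlphaSOC's detection logic or a Microsoft tool. The records are a constructed, simplified subset of the Azure Activity Log schema; in particular the `requestBody` field carrying the written policy, the `approved_callers` list and the business-hours window are assumptions for the example, and the subscription id and identities are placeholders.

```python
# Added example (not AlphaSOC's or Microsoft's code): triage Azure Activity Log
# records for Key Vault access policy writes, reporting who changed which vault,
# what permissions the new policy carries, and whether the change looks anomalous.
# The record layout is a simplified, constructed subset of the Activity Log
# schema; the "requestBody" field carrying the written policy is an assumption.
from datetime import datetime

OPERATION = "Microsoft.KeyVault/vaults/accessPolicies/write"
# Permissions that let the grantee change or destroy vault contents, not just read them.
WRITE_PERMS = {"all", "set", "delete", "purge", "update", "create", "import", "restore"}

# Constructed sample records (subscription id and identities are placeholders).
SAMPLE_EVENTS = [
    {   # routine change by the deployment identity during the day
        "eventTimestamp": "2024-05-01T09:15:00Z",
        "operationName": {"value": OPERATION},
        "caller": "deploy-pipeline@example.com",
        "status": {"value": "Succeeded"},
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app-prod",
        "requestBody": {"properties": {"accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"secrets": ["get"], "keys": [], "certificates": []}},
        ]}},
    },
    {   # unexpected caller, at night, granting write-capable secret permissions
        "eventTimestamp": "2024-05-01T02:40:00Z",
        "operationName": {"value": OPERATION},
        "caller": "contractor@example.com",
        "status": {"value": "Succeeded"},
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app-prod",
        "requestBody": {"properties": {"accessPolicies": [
            {"objectId": "22222222-2222-2222-2222-222222222222",
             "permissions": {"secrets": ["get", "list", "set", "delete"], "keys": ["get"], "certificates": []}},
        ]}},
    },
    {   # unrelated operation, must be ignored by the triage
        "eventTimestamp": "2024-05-01T09:16:00Z",
        "operationName": {"value": "Microsoft.KeyVault/vaults/read"},
        "caller": "deploy-pipeline@example.com",
        "status": {"value": "Succeeded"},
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app-prod",
    },
]


def vault_name(resource_id):
    """The last path segment of a Key Vault resource id is the vault name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def granted_permissions(event):
    """Flatten the access policies in the request body to 'kind:permission' strings."""
    policies = event.get("requestBody", {}).get("properties", {}).get("accessPolicies", [])
    out = []
    for policy in policies:
        perms = policy.get("permissions", {})
        for kind in ("secrets", "keys", "certificates"):
            out.extend(f"{kind}:{p.lower()}" for p in perms.get(kind, []))
    return sorted(out)


def triage(events, approved_callers, business_hours=(8, 18)):
    """Return one finding per successful access policy write.

    A finding is rated Medium (anomalous) when the caller is not on the approved
    change list, the change lands outside business hours (UTC), or the policy
    grants write-capable permissions; otherwise Low, mirroring the severity table.
    """
    findings = []
    for ev in events:
        if ev.get("operationName", {}).get("value") != OPERATION:
            continue
        if ev.get("status", {}).get("value") != "Succeeded":
            continue
        ts = datetime.fromisoformat(ev["eventTimestamp"].replace("Z", "+00:00"))
        caller = ev.get("caller", "<unknown>")
        granted = granted_permissions(ev)
        reasons = []
        if caller not in approved_callers:
            reasons.append("caller not on approved change list")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append("outside business hours")
        if any(g.split(":", 1)[1] in WRITE_PERMS for g in granted):
            reasons.append("write-capable permission granted")
        findings.append({
            "time": ev["eventTimestamp"],
            "caller": caller,
            "vault": vault_name(ev["resourceId"]),
            "granted": granted,
            "severity": "Medium" if reasons else "Low",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, {"deploy-pipeline@example.com"}):
        print(f["severity"], f["time"], f["caller"], f["vault"], f["granted"], f["reasons"])
```

Feed it an export of the relevant Activity Log records and an allow-list of identities that are expected to change vault policies; the Medium findings are the ones to take through the revoke-and-rotate path described above, and the `granted` list tells you which secret, key or certificate permissions the grantee would have had, which scopes the search of the diagnostic logs for retrieval operations.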