
# AZ\_GET\_KEYS

## Summary

|                            |                                                                                                                                                                       |
| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_GET\_KEYS                                                                                                                                                         |
| **Azure Alias**            | Get Keys (Key Vault Data Plane)                                                                                                                                       |
| **Affected Object Types**  | Key Vaults                                                                                                                                                            |
| **Exploitation Certainty** | Certain                                                                                                                                                               |
| **Permission**             | Key Vault data-plane permission `keys/get` — either via Key Vault access policy or Azure RBAC role **Key Vault Crypto User** (`12338af0-0e69-4776-bea7-57ae8d297424`) |

## Description

`AZ_GET_KEYS` represents the ability to **read keys** from an Azure Key Vault. This is a data-plane permission that allows retrieval of cryptographic keys stored in the vault.

Key Vault keys are used for:

* **Data encryption/decryption** (Azure Disk Encryption, Storage Service Encryption, SQL TDE).
* **Signing and verification** of tokens, documents, and code.
* **Wrapping and unwrapping** other keys (key encryption keys).
* **Authentication** via certificate-backed keys.

A principal with this permission can read key material, which depending on the key type and configuration may enable:

* Decryption of protected data.
* Forging signed tokens or documents.
* Impersonation of services that use the key for authentication.

> **Note:** For HSM-protected keys, the private key material cannot be exported; in fact `keys/get` returns only the public key and key attributes for software-protected keys as well. Sign and decrypt operations can still be performed inside the vault if the principal also holds `keys/sign` or `keys/decrypt`.

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# Check access policies on a vault (vault access policy model)
$vault = Get-AzKeyVault -VaultName "<VaultName>"
$vault.AccessPolicies | Where-Object { $_.PermissionsToKeys -match "get|list|all" } |
    Select-Object DisplayName, ObjectId, PermissionsToKeys |
    Format-Table -AutoSize

# Check RBAC assignments (RBAC access model)
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Where-Object { $_.RoleDefinitionName -in "Key Vault Crypto User", "Key Vault Crypto Officer", "Key Vault Administrator" } |
    Select-Object DisplayName, RoleDefinitionName, ObjectType |
    Format-Table -AutoSize
```
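The snippet above checks a single vault. The following script, added here as an example and not part of FSProtect's own tooling, generalizes it to every Key Vault in the current subscription and selects the check by each vault's permission model (`EnableRbacAuthorization`), since access policies are ignored once a vault is switched to Azure RBAC. It assumes the Az.Accounts, Az.KeyVault and Az.Resources modules are installed and that `Connect-AzAccount` has already been run.

```powershell
# Added example (not FSProtect's own code): inventory every Key Vault in the
# current subscription and report which principals can read keys, choosing the
# check by the vault's permission model.
$readRoles = @('Key Vault Crypto User', 'Key Vault Crypto Officer', 'Key Vault Administrator')

$findings = foreach ($v in Get-AzKeyVault) {
    # The list view is a summary object; fetch the full vault to get
    # AccessPolicies and EnableRbacAuthorization
    $vault = Get-AzKeyVault -VaultName $v.VaultName -ResourceGroupName $v.ResourceGroupName

    if ($vault.EnableRbacAuthorization) {
        # RBAC model: access policies are ignored, so only role assignments matter.
        # Assignments inherited from resource group / subscription scope are returned too.
        Get-AzRoleAssignment -Scope $vault.ResourceId |
            Where-Object { $_.RoleDefinitionName -in $readRoles } |
            ForEach-Object {
                [PSCustomObject]@{
                    VaultName = $vault.VaultName
                    Model     = 'RBAC'
                    Principal = $_.DisplayName
                    ObjectId  = $_.ObjectId
                    Grant     = $_.RoleDefinitionName
                    Scope     = $_.Scope
                }
            }
    }
    else {
        # Access-policy model: 'get', 'list' or 'all' in PermissionsToKeys grants key reads
        $vault.AccessPolicies |
            Where-Object { $_.PermissionsToKeys -match '^(get|list|all)$' } |
            ForEach-Object {
                [PSCustomObject]@{
                    VaultName = $vault.VaultName
                    Model     = 'AccessPolicy'
                    Principal = $_.DisplayName
                    ObjectId  = $_.ObjectId
                    Grant     = ($_.PermissionsToKeys -join ',')
                    Scope     = $vault.ResourceId
                }
            }
    }
}

$findings | Sort-Object VaultName, Principal | Format-Table -AutoSize
```

The `Scope` column matters on the RBAC side: a principal listed with a subscription or resource-group scope can read keys in every vault beneath that scope, not just the one being inspected.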

### Azure GUI

1. Open **Azure Portal** → navigate to the target **Key Vault**.
2. Go to **Access policies** → review policies that include **Get** under **Key permissions**.
3. Alternatively, go to **Access control (IAM)** → review assignments for **Key Vault Crypto User** or higher roles.

## Exploitation

### Step 1 — Grant Yourself Key Access (as Key Vault Contributor)

```powershell
Connect-AzAccount

# Grant yourself key get/list permissions via access policy
Set-AzKeyVaultAccessPolicy -VaultName "<VaultName>" `
    -ObjectId "<YourObjectId>" `
    -PermissionsToKeys get,list
```

### Step 2 — Read All Keys

```powershell
Connect-AzAccount

# List all keys in the vault
$keys = Get-AzKeyVaultKey -VaultName "<VaultName>"

# Read each key
$keys | ForEach-Object {
    $key = Get-AzKeyVaultKey -VaultName "<VaultName>" -Name $_.Name
    [PSCustomObject]@{
        Name    = $_.Name
        KeyType = $key.KeyType
        KeySize = $key.KeySize
        Created = $key.Created
        Updated = $key.Updated
        Enabled = $key.Enabled
    }
} | Format-Table -AutoSize
```

![Read All Keys](/files/a6uRiNUvR2FQP5p09iHp)

### Via PowerZure

* `Get-AzureKeyVaultContent`
* `Export-AzureKeyVaultContent`

## Mitigation

1. **Restrict key access policies**
   * Go to **Azure Portal** → target Key Vault → **Access policies**.
   * Remove `get` permission from any principal that does not need to read keys.
   * Use the principle of least privilege.
2. **Use HSM-protected keys**
   * For the most sensitive keys, use HSM-backed keys that prevent key material export.
3. **Switch to Azure RBAC model**
   * Use granular RBAC roles like **Key Vault Crypto User** instead of broad access policies.
4. **Enable diagnostic logging**
   * Go to Key Vault → **Diagnostic settings** → enable **AuditEvent** logging.
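Mitigations 1, 3 and 4 above can be applied from PowerShell as well as the portal. The script below is an added example, not FSProtect's own tooling; `<VaultName>`, `<ResourceGroupName>`, `<WorkspaceResourceId>` and the object IDs in `$approvedKeyReaders` are placeholders to fill in. It assumes the Az.KeyVault, Az.Resources and Az.Monitor modules (`New-AzDiagnosticSetting` requires Az.Monitor 3.0 or later) and that `Connect-AzAccount` has already been run.

```powershell
# Added example (not FSProtect's own code): apply mitigations 1, 3 and 4 to one vault.
$vaultName = '<VaultName>'
$rgName    = '<ResourceGroupName>'
$vault     = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName

# Object IDs of the principals that genuinely need to read keys (constructed list)
$approvedKeyReaders = @('<ObjectIdOfApprovedWorkload>')

# --- 1. Least privilege on access policies (only meaningful in the policy model) ---
if (-not $vault.EnableRbacAuthorization) {
    foreach ($policy in $vault.AccessPolicies) {
        if ($policy.ObjectId -in $approvedKeyReaders) { continue }

        # Key permissions that grant reads are dropped; every other key permission is kept
        $keep = @($policy.PermissionsToKeys | Where-Object { $_ -notmatch '^(get|list|all)$' })
        if ($keep.Count -eq @($policy.PermissionsToKeys).Count) { continue }   # nothing to remove

        $hasOtherCategories = @($policy.PermissionsToSecrets).Count -gt 0 -or
                              @($policy.PermissionsToCertificates).Count -gt 0 -or
                              @($policy.PermissionsToStorage).Count -gt 0

        if ($keep.Count -gt 0) {
            # Replaces only the key permission set; secret/certificate/storage permissions are untouched
            Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $policy.ObjectId -PermissionsToKeys $keep
        }
        elseif (-not $hasOtherCategories) {
            # The entry granted nothing but key reads: remove the whole policy
            Remove-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $policy.ObjectId
        }
        else {
            Write-Warning "Policy for $($policy.ObjectId) grants only key reads on keys but also holds secret/certificate/storage permissions; review it manually."
        }
    }
}

# --- 3. Move to Azure RBAC ---
# Assign the narrow data-plane role to approved readers first: once EnableRbacAuthorization
# is true, every access policy on the vault is ignored.
foreach ($oid in $approvedKeyReaders) {
    New-AzRoleAssignment -ObjectId $oid -RoleDefinitionName 'Key Vault Crypto User' -Scope $vault.ResourceId
}
Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -EnableRbacAuthorization $true

# --- 4. AuditEvent diagnostics to a Log Analytics workspace ---
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Category 'AuditEvent' -Enabled $true
New-AzDiagnosticSetting -Name 'kv-audit' -ResourceId $vault.ResourceId `
    -WorkspaceId '<WorkspaceResourceId>' -Log $auditLog
```

Run the access-policy loop with `-WhatIf` appended to the `Set-`/`Remove-` calls on a first pass to confirm which entries would change; the RBAC switch is the step most likely to break a workload that was relying on an access policy, so do it only after every approved reader has its role assignment.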

## Detection

Monitor key access in **Key Vault diagnostic logs**.

* Enable **AuditEvent** logging on the Key Vault.
* Alert on:
  * Bulk `KeyGet` or `KeyList` operations.
  * Key access from unusual identities or IP addresses.
  * Key operations (sign, decrypt) outside of expected patterns.
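The three alert conditions above can be expressed as one KQL query over the `AzureDiagnostics` table and run from PowerShell. This is an added example, not FSProtect's own detection content; it assumes Az.OperationalInsights is installed, `Connect-AzAccount` has run, and `<WorkspaceId>` is the workspace's customer ID (GUID). The `identity_claim_*` column names and the `$bulkThreshold` value are assumptions: verify the columns against your workspace schema (they depend on the claims in the caller's token, and a workspace using the resource-specific `AZKVAuditLogs` table needs adapting), and tune the threshold to your environment.

```powershell
# Added example (not FSProtect's own code): query Key Vault AuditEvent logs for
# bulk key reads, previously unseen caller/IP pairs, and in-vault crypto operations.
$workspaceId   = '<WorkspaceId>'
$bulkThreshold = 50   # constructed: KeyGet/KeyList calls per caller per hour worth alerting on

$kql = @"
let lookback = 24h;
let kv = AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
    | extend Caller = coalesce(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,
                               identity_claim_appid_g, "unknown");
// 1. Bulk key reads: many KeyGet/KeyList calls from one caller within an hour
let bulk = kv
    | where OperationName in ("KeyGet", "KeyList")
    | summarize Reads = count(), DistinctKeys = dcount(id_s)
        by Caller, CallerIPAddress, Resource, bin(TimeGenerated, 1h)
    | where Reads > $bulkThreshold
    | extend Pattern = "BulkKeyRead";
// 2. Key access from a caller/IP pair not seen in the preceding 30-day baseline
let baseline = AzureDiagnostics
    | where TimeGenerated between (ago(30d) .. ago(lookback))
    | where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
    | extend Caller = coalesce(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,
                               identity_claim_appid_g, "unknown")
    | distinct Caller, CallerIPAddress;
let novel = kv
    | where OperationName startswith "Key"
    | join kind=leftanti baseline on Caller, CallerIPAddress
    | summarize Reads = count(), Ops = make_set(OperationName)
        by Caller, CallerIPAddress, Resource, bin(TimeGenerated, 1h)
    | extend Pattern = "NewCallerOrIP";
// 3. Sign/decrypt/unwrap: the operations that use key material inside the vault
let crypto = kv
    | where OperationName in ("KeySign", "KeyDecrypt", "KeyUnwrap")
    | summarize Reads = count(), Ops = make_set(OperationName)
        by Caller, CallerIPAddress, Resource, bin(TimeGenerated, 1h)
    | extend Pattern = "CryptoOperation";
union bulk, novel, crypto
| project TimeGenerated, Pattern, Caller, CallerIPAddress, Resource, Reads, Ops
| order by TimeGenerated desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$result.Results | Format-Table -AutoSize
```

The same `$kql` text can be pasted into a scheduled analytics rule in Microsoft Sentinel or a Log Alert on the workspace; the PowerShell wrapper is only for ad-hoc review. Pattern 3 will fire on legitimate workloads that sign or decrypt routinely, so it is best paired with the baseline logic of pattern 2 rather than alerted on alone.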

## References

* <https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys>
* <https://blog.netspi.com/azure-automation-accounts-key-stores/>
* <https://powerzure.readthedocs.io/en/latest/Functions/operational.html#get-azurekeyvaultcontent>

