AZ_PARENT_RESOURCE_GROUP
Summary
FSProtect ACL Alias: AZ_PARENT_RESOURCE_GROUP
Azure Alias: Contains / Member of Resource Group
Affected Object Types: VMs, Key Vaults, Automation Accounts, Storage Accounts, Web Apps, Function Apps, and all other ARM resources
Exploitation Certainty: Informational
Description
AZ_PARENT_RESOURCE_GROUP represents that an Azure resource belongs to a specific Resource Group. This is a structural/containment edge that shows the organizational hierarchy of Azure resources.
Resource Groups are logical containers in Azure Resource Manager (ARM) that group related resources for management, access control, and billing. Every ARM resource exists within exactly one Resource Group.
This edge is important for attack path analysis because:
RBAC role assignments inherit downward — a role assigned at the Resource Group level applies to all resources within that group.
An attacker with Contributor or Owner at the Resource Group level gains access to all contained resources (VMs, Key Vaults, etc.).
Resource Group membership reveals the blast radius of a compromised role assignment.
The AZ_PARENT_RESOURCE_GROUP relationship itself is not directly exploitable. It indicates containment for understanding scope of permissions and access control inheritance.
Identification
PowerShell (Az Module)
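The following Az-module script is an added example (not code from the original page or from FSProtect): it lists every resource contained in a resource group, separates role assignments scoped directly at the RG from those inherited from higher scopes, flags broad built-in roles, and reports resource locks. It assumes an existing Connect-AzAccount session, and the resource group name is a placeholder.

```powershell
# Added example (not from the original page): size the blast radius that a
# set of AZ_PARENT_RESOURCE_GROUP edges implies for one resource group.
# Assumes the Az module is installed and Connect-AzAccount has been run.
# The resource group name below is a placeholder.
param(
    [string]$ResourceGroupName = 'rg-example-placeholder'
)

# 1. Every ARM resource contained in the RG (the targets of the edge).
$resources = Get-AzResource -ResourceGroupName $ResourceGroupName
Write-Host "Resources in ${ResourceGroupName}: $($resources.Count)"
$resources | Select-Object Name, ResourceType | Sort-Object ResourceType | Format-Table -AutoSize

# 2. Role assignments effective at the RG. Get-AzRoleAssignment -Scope returns
#    assignments at that scope and those inherited from above it, so split
#    them to show where the scope boundary lies. Everything here inherits
#    downward to each resource listed in step 1.
$rgScope     = (Get-AzResourceGroup -Name $ResourceGroupName).ResourceId
$assignments = Get-AzRoleAssignment -Scope $rgScope
$direct      = @($assignments | Where-Object { $_.Scope -eq $rgScope })
$inherited   = @($assignments | Where-Object { $_.Scope -ne $rgScope })

Write-Host "`nAssignments scoped directly at the RG (inherit to $($resources.Count) resources):"
$direct | Select-Object DisplayName, ObjectType, RoleDefinitionName | Format-Table -AutoSize

Write-Host "`nAssignments inherited from subscription / management group scope:"
$inherited | Select-Object DisplayName, RoleDefinitionName, Scope | Format-Table -AutoSize

# 3. Flag broad built-in roles at RG scope; these are the assignments the
#    mitigation guidance says to push down to resource scope where possible.
$broadRoles = @('Owner', 'Contributor', 'User Access Administrator')
$broad = @($direct | Where-Object { $broadRoles -contains $_.RoleDefinitionName })
if ($broad.Count -gt 0) {
    Write-Warning "$($broad.Count) broad role assignment(s) at RG scope:"
    $broad | Select-Object DisplayName, ObjectType, RoleDefinitionName | Format-Table -AutoSize
}

# 4. Resource locks applied to the RG itself (CanNotDelete / ReadOnly).
$locks = @(Get-AzResourceLock -ResourceGroupName $ResourceGroupName -AtScope)
if ($locks.Count -eq 0) {
    Write-Warning "No resource lock on ${ResourceGroupName}."
} else {
    $locks | Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } } | Format-Table -AutoSize
}
```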
Azure GUI
Open Azure Portal → Resource groups.
Select the target Resource Group.
View all contained resources in the Overview or Resources blade.
Exploitation
There is no direct exploit for this edge. It represents a containment relationship.
However, understanding resource group membership is critical for:
Compromised RG-level role: All resources in the RG are affected (e.g., Owner on RG = Owner on all VMs, Key Vaults, etc.)
Lateral movement planning: Knowing which resources are co-located helps plan lateral movement paths
Blast radius assessment: Evaluate the impact of a compromised identity by tracing its RG-scoped assignments
Related Attack Paths:
AZ_ARM_OWNER — Owner at RG scope inherits to all contained resources.
AZ_CONTRIBUTOR — Contributor at RG scope inherits to all contained resources.
AZ_PARENT_SUBSCRIPTION — Resource Groups themselves belong to Subscriptions.
Mitigation
Organize resources thoughtfully — group resources with similar security requirements and access patterns.
Minimize broad role assignments at RG level — prefer resource-level assignments where possible.
Use resource locks — apply CanNotDelete or ReadOnly locks on critical resource groups.
Review RBAC assignments at RG scope — regularly audit who has access at the resource group level.
Detection
This edge represents a static structural relationship. Monitor for:
New resources added to sensitive resource groups.
Role assignments at the resource group scope.
Resource group creation/deletion.