AZ_PARENT_SUBSCRIPTION

Summary

FSProtect ACL Alias: AZ_PARENT_SUBSCRIPTION

Azure Alias: Contains / Member of Subscription

Affected Object Types: Resource Groups, VMs, Key Vaults, and all other ARM resources

Exploitation Certainty: Informational

Description

AZ_PARENT_SUBSCRIPTION represents that an Azure entity (Resource Group or resource) belongs to a specific Azure Subscription. This is a structural/containment edge that shows the top-level organizational hierarchy of Azure resources.

Subscriptions are the primary billing and access control boundary in Azure. Every Resource Group (and therefore every resource) exists within exactly one Subscription.

This edge is important for attack path analysis because:

  • RBAC role assignments inherit downward — a role assigned at the Subscription level applies to all Resource Groups and resources within that subscription.

  • An attacker with Contributor or Owner at the Subscription level gains access to everything in the subscription.

  • Subscription-level access is the broadest ARM scope (below Management Groups) and represents maximum blast radius.

The AZ_PARENT_SUBSCRIPTION relationship itself is not directly exploitable. It indicates containment and is used to understand the scope of permissions and how access control is inherited.

Identification

PowerShell (Az Module)
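As an added example (not code from this FSProtect page or from the product itself), the following Az PowerShell script lists the Resource Groups and resources whose AZ_PARENT_SUBSCRIPTION edge points at one subscription, then lists the broad role assignments at subscription scope or above that inherit onto every one of them. It assumes the Az.Accounts and Az.Resources modules are installed and that Connect-AzAccount has already been run; $SubscriptionId is a placeholder you supply.

```powershell
# Added example: enumerate the AZ_PARENT_SUBSCRIPTION containment for one
# subscription and audit the role assignments that inherit down to every
# contained Resource Group and resource. Assumes Az.Accounts and Az.Resources
# are installed and Connect-AzAccount has run. $SubscriptionId is a placeholder.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId
)

$ctx      = Set-AzContext -SubscriptionId $SubscriptionId
$subScope = "/subscriptions/$SubscriptionId"

# 1. Containment: every Resource Group, and every resource inside it,
#    has this subscription as its parent.
$edges = foreach ($rg in Get-AzResourceGroup) {
    [pscustomobject]@{
        Child              = $rg.ResourceId
        ChildType          = 'ResourceGroup'
        ParentSubscription = $SubscriptionId
    }
    foreach ($res in Get-AzResource -ResourceGroupName $rg.ResourceGroupName) {
        [pscustomobject]@{
            Child              = $res.ResourceId
            ChildType          = $res.ResourceType
            ParentSubscription = $SubscriptionId
        }
    }
}
"{0} objects are contained in subscription '{1}'" -f $edges.Count, $ctx.Subscription.Name

# 2. Inheritance: assignments scoped at the subscription or above it (management
#    group or root) apply to every child listed above. Flag the broad built-in
#    roles, since each such principal controls the whole subscription.
$broadRoles = 'Owner', 'Contributor', 'User Access Administrator'
Get-AzRoleAssignment -Scope $subScope |
    Where-Object { $_.Scope -notlike "$subScope/*" } |          # drop child-scoped assignments
    Where-Object { $broadRoles -contains $_.RoleDefinitionName } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Any principal in the second listing holds effective rights over all objects in the first, which is the blast radius this edge is meant to make visible.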

Azure GUI

  1. Open the Azure Portal and go to Subscriptions.

  2. Select the target Subscription.

  3. Go to Resources or Resource groups to view all contained entities.

Exploitation

There is no direct exploit for this edge. It represents a containment relationship.

However, understanding subscription membership is critical for:

Scenario | Impact
Compromised subscription-level role | All resources in the subscription are affected
Blast radius assessment | A single compromised identity with subscription Owner/Contributor controls everything
Privilege escalation planning | Subscription-level access is the most impactful ARM scope

Related Attack Paths:

References
