Azure Automation Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Azure Automation “RunAs account” runbooks for users with contributor role. This vulnerability could potentially allow members of an organization to access Key Vault secrets through a runbook, even if these members would personally not have access to that Key Vault.

To exploit this vulnerability, an attacker must be a member of an organization who can run runbooks, with only global admins/co-admins who can create the “run as” account.

Microsoft is addressing the vulnerability by providing the following scripts for existing RunAsAutomation accounts that modify existing roles by excluding access to KeyVault within Azure Automation account.

• <https://www.powershellgallery.com/packages/Check-AutomationRunAsAccountRoleAssignments&gt;
• <https://www.powershellgallery.com/packages/Update-AutomationRunAsAccountRoleAssignments&gt;
• <https://www.powershellgallery.com/packages/Extend-AutomationRunAsAccountRoleAssignmentToKeyVault&gt;