Resource Trusts
resource-trusts is the cross-resource trust-boundary command for public-versus-private posture
across supported services.
Use it when the interesting question is broader than one service and becomes "where are the most permissive trust boundaries across the estate?"
- Which supported resources still trust broader public or mixed paths?
- Which resource boundary looks more permissive or surprising than expected?
- Which trust posture should change what you inspect next?
```
azurefox resource-trusts --output table
```

For saved structured output:

```
azurefox resource-trusts --output json
```

| resource | type | trust | target | exposure |
|---|---|---|---|---|
| kvlabopen01 | KeyVault | public-network | public-network | high |
| stlabpub01 | StorageAccount | anonymous-blob-access | public-network | high |
| kvlabdeny01 | KeyVault | public-network | public-network | medium |

- when you need to compare trust posture across more than one resource family
- when public-versus-private posture matters more than raw inventory counts
- when you want a routing view before dropping into a service-specific command
- publicly trusting resources before private-only paths
- mixed posture that looks more permissive than expected
- trust target and resource-family context that makes the next service command obvious
- supported services whose trust boundary changes priority immediately
Public-versus-private trust posture often changes priority more than raw counts do.
A resource that still trusts broader public paths may deserve attention before a larger number of
quieter private-only assets. resource-trusts helps you compare those boundaries directly instead
of discovering them one service table at a time.
- public trust before private-only posture
- mixed or surprising trust patterns
- supported resource families that stay more permissive than expected
- enough context to choose the next service command quickly
- If you see a storage account `trust_type=anonymous-blob-access`, go next to Storage because it shows the exact network and auth posture behind that storage finding.
- If you see a Key Vault `trust_type=public-network`, go next to Keyvault because it shows the vault-specific network and recovery posture behind that trust signal.
- Treat `resource-trusts` as a narrowing command, not the end of the investigation.
- Use it to choose the exact resource family whose trust posture deserves service-specific review next.
- Prioritize the resources whose trust story is broader, more public, or more surprising than the rest.
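
The routing rules above applied to saved JSON output, as an added example that is not part of AzureFox or this guide. The JSON key names (`resource`, `type`, `trust` or `trust_type`, `exposure`), the `low` exposure level, and the `stlabpriv01` row are assumptions; check them against your real output.

```python
import json

# Constructed sample. The three public rows copy the table on this page;
# stlabpriv01 and its values are hypothetical. Key names are assumed from the
# table columns, and both "trust" and "trust_type" are accepted.
SAMPLE = json.dumps([
    {"resource": "kvlabdeny01", "type": "KeyVault", "trust": "public-network",
     "target": "public-network", "exposure": "medium"},
    {"resource": "stlabpriv01", "type": "StorageAccount",
     "trust_type": "private-endpoint", "target": "private-network", "exposure": "low"},
    {"resource": "stlabpub01", "type": "StorageAccount",
     "trust": "anonymous-blob-access", "target": "public-network", "exposure": "high"},
    {"resource": "kvlabopen01", "type": "KeyVault", "trust": "public-network",
     "target": "public-network", "exposure": "high"},
])

# "high" and "medium" appear on this page; "low" is an assumed third level.
EXPOSURE_RANK = {"high": 0, "medium": 1, "low": 2}

# The two routing rules this page states: (type, trust) -> guide to open next.
NEXT_GUIDE = {
    ("StorageAccount", "anonymous-blob-access"): "Storage",
    ("KeyVault", "public-network"): "Keyvault",
}

def triage(raw):
    """Order rows most-exposed first and attach the next guide, if any."""
    out = []
    for row in json.loads(raw):
        trust = row.get("trust") or row.get("trust_type")
        out.append({
            "resource": row.get("resource") or "",
            "exposure": row.get("exposure"),
            "trust": trust,
            "next": NEXT_GUIDE.get((row.get("type"), trust)),
        })
    # Unknown exposure values sort after every known level.
    out.sort(key=lambda r: (EXPOSURE_RANK.get(r["exposure"], len(EXPOSURE_RANK)),
                            r["resource"]))
    return out

if __name__ == "__main__":
    for r in triage(SAMPLE):
        nxt = r["next"] or "no routing rule on this page"
        print(f"{str(r['exposure']):<8}{r['resource']:<14}{str(r['trust']):<24}-> {nxt}")
```

Rows without a stated routing rule are kept in the list rather than dropped, so a private-only or unfamiliar trust value still shows up at the bottom of the ordering.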
resource-trusts is a routing and comparison command.
It should compare trust boundaries across supported services. It is not exhaustive coverage for all Azure resource types or a replacement for deeper service-specific output.