Ensure custom role definition doesn't have excessive permissions (Wildcard)

An Azure custom role's permissions should be defined according to the principle of least privilege: grant only the specific actions the role needs, rather than the '*' wildcard.

Risk Level: High
Cloud Entity: Azure Role Definition
CloudGuard Rule ID: D9.AZU.IAM.34
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

RoleDefinition where properties.roleName != 'Contributor' and properties.roleName != 'Owner' should not have properties.permissions contain [ actions contain [ '*' ] ]
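The GSL condition above, implemented in Python over a constructed list of role definitions in the shape returned by `az role definition list` (an added example, not CloudGuard's own code; the role names and GUIDs are made up):

```python
import json

# Constructed sample data mimicking `az role definition list` output; not real roles.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"name": "11111111-0000-0000-0000-000000000001",
   "properties": {"roleName": "Owner", "type": "BuiltInRole",
                  "permissions": [{"actions": ["*"], "notActions": []}]}},
  {"name": "11111111-0000-0000-0000-000000000002",
   "properties": {"roleName": "ops-breakglass", "type": "CustomRole",
                  "permissions": [{"actions": ["*"],
                                   "notActions": ["Microsoft.Authorization/*/Delete"]}]}},
  {"name": "11111111-0000-0000-0000-000000000003",
   "properties": {"roleName": "vm-operator", "type": "CustomRole",
                  "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/start/action",
                                               "Microsoft.Compute/virtualMachines/restart/action"],
                                   "notActions": []}]}}
]
""")

# Built-in roles the rule deliberately exempts; every other roleName is evaluated.
EXEMPT_ROLES = {"Contributor", "Owner"}


def has_wildcard_actions(role):
    """True if any permissions block lists the bare '*' action.

    A notActions entry does not clear the finding: the rule only looks at actions,
    because '*' still grants everything not explicitly carved out.
    """
    props = role.get("properties", {})
    return any("*" in block.get("actions", []) for block in props.get("permissions", []))


def non_compliant_roles(role_definitions):
    """Role names that violate D9.AZU.IAM.34: not Owner/Contributor and carrying '*'."""
    return [
        r["properties"]["roleName"]
        for r in role_definitions
        if r["properties"].get("roleName") not in EXEMPT_ROLES and has_wildcard_actions(r)
    ]


if __name__ == "__main__":
    for name in non_compliant_roles(SAMPLE_ROLE_DEFINITIONS):
        print(f"non-compliant custom role: {name}")
```

Feeding the real output of `az role definition list` into `non_compliant_roles` reproduces the finding locally before the CloudGuard assessment runs.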

REMEDIATION

From Portal

  1. Go to 'Access control (IAM)' in the relevant resource
  2. Choose the 'Roles' tab in the upper menu
  3. Identify the overly permissive role and choose 'Edit'
  4. Instead of the wildcard, list the role's required permissions explicitly

From TF
List the required permissions explicitly in the 'permissions' block within the 'azurerm_role_definition' resource:

resource "azurerm_role_definition" "role_definition_example" {
	# Name and scope values are illustrative; replace them with your own
	name  = "role-definition-example"
	scope = var.role_scope

	permissions {
		# List each required action explicitly instead of the "*" wildcard
		actions     = [ PERMISSIONS ]
		not_actions = []
	}

	assignable_scopes = [ var.role_scope ]
}

From Command Line
To update an existing role definition, use:

az role definition update --role-definition ROLE-DEFINITION-JSON

References

  1. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
  3. https://docs.microsoft.com/en-us/cli/azure/role/definition?view=azure-cli-latest#az-role-definition-update

Azure Role Definition

A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. Azure role-based access control (Azure RBAC) has over 120 built-in roles or you can create your own custom roles.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset