Ensure custom role definition doesn't have excessive permissions (Wildcard)
An Azure custom role's permissions should be defined according to the principle of least privilege.
Risk Level: High
Cloud Entity: Azure Role Definition
CloudGuard Rule ID: D9.AZU.IAM.34
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
RoleDefinition where properties.roleName != 'Contributor' and properties.roleName != 'Owner' should not have properties.permissions contain [ actions contain [ '*' ] ]
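The GSL rule above, as an added example that is not part of the CloudGuard rule page: a Python check run over constructed sample role definitions in the shape returned by `az role definition list` (the ARM `properties`-wrapped form is handled as well). Like the GSL logic, it excludes the built-in Contributor and Owner roles and flags only the bare '*' action, not scoped wildcards such as 'Microsoft.Storage/*'.

```python
# Built-in roles that legitimately carry the wildcard action and are
# excluded by the GSL logic of rule D9.AZU.IAM.34.
EXCLUDED_ROLE_NAMES = {"Contributor", "Owner"}


def _properties(role_definition):
    """Return the properties dict for both the flattened CLI and ARM shapes."""
    return role_definition.get("properties", role_definition)


def has_wildcard_actions(role_definition):
    """True if any permissions block lists the exact action '*'."""
    for perm in _properties(role_definition).get("permissions", []):
        # Only the bare '*' element counts, mirroring `actions contain [ '*' ]`
        if "*" in perm.get("actions", []):
            return True
    return False


def find_overly_permissive_roles(role_definitions):
    """Return roleNames that violate the rule; Contributor/Owner are skipped."""
    flagged = []
    for rd in role_definitions:
        name = _properties(rd).get("roleName", "")
        if name in EXCLUDED_ROLE_NAMES:
            continue
        if has_wildcard_actions(rd):
            flagged.append(name)
    return flagged


# Constructed sample data (not real tenant output).
SAMPLE_ROLE_DEFINITIONS = [
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Ops Everything", "roleType": "CustomRole",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "VM Reader", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read"],
                      "notActions": []}]},
    {"properties": {"roleName": "Storage Wide", "roleType": "CustomRole",
                    "permissions": [{"actions": ["Microsoft.Storage/*"],
                                     "notActions": []}]}},
]

if __name__ == "__main__":
    for role_name in find_overly_permissive_roles(SAMPLE_ROLE_DEFINITIONS):
        print(f"FAIL: custom role '{role_name}' grants the wildcard action '*'")
```

Feed it the output of `az role definition list --custom-role-only true` to check a real subscription.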
REMEDIATION
From Portal
- Go to 'Access control (IAM)' in the relevant resource
- Choose the 'Roles' tab in the upper menu
- Identify the overly permissive role and choose 'Edit'
- Instead of the wildcard, list the specific permissions the role requires
From TF
Specify explicit permissions in the 'permissions' block within the 'azurerm_role_definition' resource:
resource "azurerm_role_definition" "role_definition_example" {
  name  = "role-definition-example"            # placeholder role name
  scope = data.azurerm_subscription.primary.id # placeholder scope

  permissions {
    # List each required action explicitly; never use the wildcard "*"
    actions = [
      "Microsoft.Compute/virtualMachines/read", # example action, adjust to the role's needs
    ]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.primary.id]
}
From Command Line
To update an existing role definition, use:
az role definition update --role-definition ROLE-DEFINITION-JSON
References
- https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
- https://docs.microsoft.com/en-us/cli/azure/role/definition?view=azure-cli-latest#az-role-definition-update
Azure Role Definition
A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. Azure role-based access control (Azure RBAC) has over 120 built-in roles or you can create your own custom roles.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago