Ensure to audit role assignments that have implicit managed identity permissions

Azure role assignments should be defined by the principle of least privilege.

Risk Level: High
Cloud Entity: Azure role-based access control
CloudGuard Rule ID: D9.AZU.IAM.36
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

RoleAssignment should not have getResources('RoleDefinition', properties.roleDefinitionId, 'id' ) getValues('properties.permissions') contain [ actions regexMatch /ManagedIdentity/ ]

REMEDIATION

From Portal

  1. Go to 'Access control (IAM)' in the relevant resource
  2. Choose the 'Role assignments' tab in the upper menu
  3. Audit the relevant role assignment according to the principle of least privilege

From TF
Audit the relevant role definition, according to the 'azurerm_role_assignment' resource:

resource "azurerm_role_definition" "example" {
	...
}

resource "azurerm_role_assignment" "role_assignment_example" {
	..
	role_definition_id = azurerm_role_definition.example.role_definition_resource_id
	..
}

From Command Line
To list current subscription and below role assignments by query, use:

az role assignment list --all --query QUERY

References

  1. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
  3. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-cli

Azure role-based access control

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset