Active Directory custom subscription owner roles should not be created¶
Description¶
Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Remediation Steps¶
Azure Portal¶
Navigate to Roles and administrators.
Select the custom role.
Click the ellipsis (…) and click Delete.
Azure CLI¶
Get the list of Azure roles:
az role definition list
Check for entries with an assignableScope of / or a subscription, and an action of *.
Verify the usage and impact of removing the role, then delete it:
az role definition delete --name "rolename"
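The CLI, Azure Resource Manager and Terraform sections all apply the same two-part test (an action of * combined with an assignable scope of / or a whole subscription). The following added example, which is not part of this page's own content, applies that test to the JSON that az role definition list prints, so the check can be scripted instead of read by eye. The role definitions embedded in it are constructed sample data; the subscription ID is a placeholder and the role names are invented.

```python
import json

# Constructed sample shaped like `az role definition list` output, trimmed to the
# fields the check needs. The subscription ID is a placeholder, not a real tenant.
SAMPLE_ROLE_DEFINITIONS = json.dumps([
    {   # built-in Owner: grants * at / but is not a custom role, so out of scope
        "roleName": "Owner",
        "roleType": "BuiltInRole",
        "assignableScopes": ["/"],
        "permissions": [{"actions": ["*"], "notActions": []}],
    },
    {   # custom role that clones Owner at subscription scope: should be flagged
        "roleName": "Custom Owner Clone",
        "roleType": "CustomRole",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/"],
        "permissions": [{"actions": ["*"], "notActions": []}],
    },
    {   # custom role with a narrow action list: compliant
        "roleName": "Reader Plus",
        "roleType": "CustomRole",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{"actions": ["Microsoft.Resources/subscriptions/read"], "notActions": []}],
    },
    {   # * limited to one resource group: not a subscription-level owner, so not flagged
        "roleName": "RG Scoped Star",
        "roleType": "CustomRole",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"],
        "permissions": [{"actions": ["*"], "notActions": []}],
    },
])

SUBSCRIPTION_PREFIX = "/subscriptions/"


def is_root_or_subscription_scope(scope):
    """True for the root scope "/" or a bare subscription scope "/subscriptions/<id>".

    Anything below a subscription (resource group, resource) returns False.
    Scopes are compared case-insensitively and a trailing slash is tolerated.
    """
    normalized = scope.strip().lower()
    if normalized == "/":
        return True
    if not normalized.startswith(SUBSCRIPTION_PREFIX):
        return False
    remainder = normalized[len(SUBSCRIPTION_PREFIX):].strip("/")
    # exactly one path segment left means the scope is the subscription itself
    return remainder != "" and "/" not in remainder


def grants_all_actions(role):
    """True if any permissions block lists the wildcard action "*"."""
    return any("*" in block.get("actions", []) for block in role.get("permissions", []))


def find_custom_owner_roles(role_definitions_json):
    """Return (roleName, offendingScopes) for every custom role that grants * at / or a subscription."""
    findings = []
    for role in json.loads(role_definitions_json):
        if role.get("roleType") != "CustomRole":
            continue
        if not grants_all_actions(role):
            continue
        offending = [s for s in role.get("assignableScopes", []) if is_root_or_subscription_scope(s)]
        if offending:
            findings.append((role.get("roleName", "<unnamed>"), offending))
    return findings


if __name__ == "__main__":
    # Run against the embedded sample; on a real tenant pipe the CLI output in instead,
    # e.g. `az role definition list --custom-role-only true | python this_script.py`
    # after replacing SAMPLE_ROLE_DEFINITIONS with sys.stdin.read().
    for name, scopes in find_custom_owner_roles(SAMPLE_ROLE_DEFINITIONS):
        print(f"custom owner role found: {name!r} assignable at {scopes}")
```

The scope parser treats only "/" and a bare "/subscriptions/<id>" as offending, matching the criteria stated in the CLI, ARM and Terraform sections; a wildcard limited to a resource group is reported as compliant by this check, even though it still deserves its own least-privilege review.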
Azure Resource Manager¶
Ensure that a Microsoft.Authorization/roleDefinitions resource does NOT contain both of the following:
permissions.actions: ["*"]
assignableScopes: ["/"], or a subscription ID
Example Configuration¶
{
  "type": "Microsoft.Authorization/roleDefinitions",
  "apiVersion": "2021-02-01",
  "name": "TestRoleDefinition",
  "properties": {
    "assignableScopes": [ "[subscription().id]" ],
    "permissions": [
      {
        "actions": [ "Microsoft.Resources/subscriptions/read" ]
      }
    ]
  }
  # other required fields here
}
Terraform¶
Ensure that an azurerm_role_definition resource does NOT contain both of the following:
permissions.actions = ["*"]
assignable_scopes = ["/"] or a subscription ID
Example Configuration¶
resource "azurerm_role_definition" "example" {
  permissions {
    actions = ["Microsoft.Resources/subscriptions/read"]
  }
  assignable_scopes = [
    "/subscriptions/0b1f6471-1bf0-4dda-aec2-111122223333"
  ]
  # other required fields here
}