Active Directory custom subscription owner roles should not be created

Description

Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.

Remediation Steps

Azure Portal

Azure CLI

  • Get the list of Azure roles:

az role definition list
  • Check for custom role entries whose assignableScopes contains / or a subscription ID and whose actions contains *.

  • Verify the usage and impact of the role, then remove it:

az role definition delete --name "rolename"
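The check in the two bullets above, as an added example that is not part of the original page: it parses the JSON that `az role definition list -o json` emits and flags custom roles that combine the action * with an assignable scope of / or a subscription. The field names (roleName, roleType, assignableScopes, permissions.actions) are those of the CLI output; the sample role list is constructed, and the built-in Owner role is skipped because the control concerns custom roles only.

```python
import json
import re

# "/" or a bare subscription scope ("/subscriptions/<id>", optional trailing slash).
# Narrower scopes such as a resource group do not match.
OWNER_LIKE_SCOPE = re.compile(r"^/(subscriptions/[^/]+/?)?$", re.IGNORECASE)


def is_custom_owner_role(role: dict) -> bool:
    """True when one role definition from `az role definition list -o json`
    is a custom role granting the action "*" at "/" or a subscription."""
    if role.get("roleType") != "CustomRole":
        return False  # built-in Owner has "*" at "/"; this control covers custom roles only
    # Exact "*" only: narrower wildcards such as "*/read" are not owner-equivalent.
    grants_all = any("*" in (p.get("actions") or []) for p in role.get("permissions") or [])
    broad_scope = any(OWNER_LIKE_SCOPE.match(s) for s in role.get("assignableScopes") or [])
    return grants_all and broad_scope


def find_custom_owner_roles(role_defs_json: str) -> list[str]:
    """Parse the CLI JSON output and return the roleName of every violating role."""
    return [r["roleName"] for r in json.loads(role_defs_json) if is_custom_owner_role(r)]


# Constructed sample shaped like the CLI output; the names and IDs are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = json.dumps([
    {"roleName": "Owner", "roleType": "BuiltInRole", "assignableScopes": ["/"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Custom Sub Owner", "roleType": "CustomRole", "assignableScopes": [SUB],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "RG Admin", "roleType": "CustomRole",
     "assignableScopes": [SUB + "/resourceGroups/rg1"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Subscription Reader", "roleType": "CustomRole", "assignableScopes": ["/"],
     "permissions": [{"actions": ["Microsoft.Resources/subscriptions/read"], "notActions": []}]},
])

if __name__ == "__main__":
    # In practice: az role definition list -o json > roles.json, then pass that text in.
    for name in find_custom_owner_roles(SAMPLE):
        print(f"custom owner-equivalent role: {name}")
```

Only "Custom Sub Owner" is reported: the built-in Owner is skipped by role type, "RG Admin" is scoped to a resource group, and "Subscription Reader" grants no wildcard action.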

Azure Resource Manager

Example Configuration

{
  "type": "Microsoft.Authorization/roleDefinitions",
  "apiVersion": "2021-02-01",
  "name": "TestRoleDefinition",
  "properties": {
    "roleName": "TestRoleDefinition",
    "type": "CustomRole",
    "assignableScopes": [ "[subscription().id]" ],
    "permissions": [
      {
        "actions": [ "Microsoft.Resources/subscriptions/read" ]
      }
    ]
  }
  // other required fields here (ARM templates accept // comments; actions must be an array)
}

Terraform

  • Ensure that an azurerm_role_definition resource does NOT contain both of the following:

    • permissions.actions = ["*"]

    • assignable_scopes = ["/"] or a subscription ID

Example Configuration

resource "azurerm_role_definition" "example" {
  # name and scope are required by the provider; the values here are example placeholders
  name  = "example-subscription-reader"
  scope = "/subscriptions/0b1f6471-1bf0-4dda-aec2-111122223333"

  permissions {
    actions = ["Microsoft.Resources/subscriptions/read"]
  }

  assignable_scopes = [
    "/subscriptions/0b1f6471-1bf0-4dda-aec2-111122223333"
  ]

  # other optional fields (for example description) here
}