Role definition has enabled custom role creation
ID | azure_role_with_custom_role_permission
Severity | high
Vendor | Azure
Resource | IAM
Tags | reachable
Description
The role definition grants the ability to create custom roles. Users assigned this role can define new roles carrying any other permissions, and so grant themselves rights the original role never included. To avoid this, do not allow the Microsoft.Authorization/roleDefinitions/write action in the role's permissions.
Learn more about this topic at Azure role definition actions.
Examples
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create a role definition
      azure_rm_roledefinition:
        name: myTestRole
        scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
        permissions:
          - actions:
              - "Microsoft.Authorization/roleDefinitions/write"
            data_actions:
              - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
        assignable_scopes:
          - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Mitigation / Fix
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create a role definition
      azure_rm_roledefinition:
        name: myTestRole
        scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
        permissions:
          - actions:
              - "Microsoft.Compute/virtualMachines/read"
            data_actions:
              - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
        assignable_scopes:
          - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
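The following checker is an added example, not code from this rule page or from the Ansible Azure collection. It walks a parsed playbook (embedded here as Python structures that mirror the two playbooks above, plus a constructed wildcard variant) and flags every azure_rm_roledefinition task whose effective permissions include Microsoft.Authorization/roleDefinitions/write. It goes slightly beyond the literal string match the rule describes: Azure action names accept "*" as a wildcard and effective rights are actions minus not_actions, so a role granting "Microsoft.Authorization/*" or "*" without a matching not_actions entry is reported as well. The module key names, the playbook structure and the sample values are the assumptions this example relies on.

```python
"""Flag Ansible azure_rm_roledefinition tasks that allow custom role creation.

Added example (not the rule page's or the Ansible collection's own code).
Assumptions: playbook is the parsed YAML list of plays; the task key is
'azure_rm_roledefinition' or its FQCN; Azure action patterns use '*' as a
wildcard and effective rights are actions minus not_actions.
"""
import fnmatch

# The action the rule forbids: anyone holding it can author new role definitions.
FLAGGED_ACTION = "Microsoft.Authorization/roleDefinitions/write"
MODULE_KEYS = ("azure_rm_roledefinition", "azure.azcollection.azure_rm_roledefinition")


def action_matches(pattern: str, action: str) -> bool:
    """True if an Azure action pattern (with '*' wildcards) covers `action`.

    Azure compares action strings case-insensitively and '*' may span
    several '/'-separated segments; fnmatch's '*' behaves the same way.
    """
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_action(permission: dict, action: str) -> bool:
    """Effective grant: some `actions` pattern matches and no `not_actions` pattern excludes it."""
    allowed = any(action_matches(p, action) for p in permission.get("actions") or [])
    denied = any(action_matches(p, action) for p in permission.get("not_actions") or [])
    return allowed and not denied


def find_custom_role_creators(playbook: list) -> list:
    """Return (play name, task name, role name) for each role definition granting FLAGGED_ACTION."""
    findings = []
    for play in playbook:
        for task in play.get("tasks") or []:
            module = next((task[k] for k in MODULE_KEYS if k in task), None)
            if module is None:
                continue
            if any(grants_action(p, FLAGGED_ACTION) for p in module.get("permissions") or []):
                findings.append((play.get("name"), task.get("name"), module.get("name")))
    return findings


def _playbook(actions, not_actions=None):
    """Build a constructed playbook shaped like the page's examples (sample data)."""
    permission = {"actions": actions,
                  "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"]}
    if not_actions:
        permission["not_actions"] = not_actions
    return [{
        "name": "Example playbook",
        "hosts": "localhost",
        "tasks": [{
            "name": "Create a role definition",
            "azure_rm_roledefinition": {
                "name": "myTestRole",
                "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup",
                "permissions": [permission],
                "assignable_scopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"],
            },
        }],
    }]


# Constructed inputs: the page's vulnerable example, its fix, and two wildcard cases.
VULNERABLE_PLAYBOOK = _playbook([FLAGGED_ACTION])
FIXED_PLAYBOOK = _playbook(["Microsoft.Compute/virtualMachines/read"])
WILDCARD_PLAYBOOK = _playbook(["Microsoft.Authorization/*"])
EXCLUDED_PLAYBOOK = _playbook(["*"], not_actions=["Microsoft.Authorization/*"])

if __name__ == "__main__":
    for label, pb in [("vulnerable", VULNERABLE_PLAYBOOK), ("fixed", FIXED_PLAYBOOK),
                      ("wildcard", WILDCARD_PLAYBOOK), ("excluded", EXCLUDED_PLAYBOOK)]:
        print(f"{label}: {find_custom_role_creators(pb)}")
```

Only the vulnerable and wildcard playbooks are reported; the fixed playbook and the one that grants "*" but excludes Microsoft.Authorization/* via not_actions pass. Parsing a real playbook file with a YAML loader and handing the resulting list to find_custom_role_creators is the only step left out here.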