Ensure Azure subscriptions with custom roles have minimum permissions

ID

custom_role_definition_subscription_owner

Severity

critical

Vendor

Azure

Resource

IAM

Tags

reachable

Description

Custom roles in Azure subscriptions are overly permissive when they grant every action.

Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators.

According to the principle of least privilege, subscription owner accounts should initially be given only the minimum necessary permissions rather than full administrative access.

We therefore recommend not using the wildcard (*) character as the role's actions.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2021-04-01",
      "name": "bad", (1)
      "properties": {
        "roleName": "my_role",
        "type": "customRole",
        "isCustom": true,
        "permissions": [
          {
            "actions": ["*"]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    }
  ]
}
1 This role definition grants every action (*) at subscription scope, so it amounts to an unrestricted custom owner role.

Terraform

resource "azurerm_role_definition" "bad" {
  name        = "overly-permissive-role"
  scope       = data.azurerm_subscription.primary.id

  permissions {
    actions = [ "*" ] (1)
    not_actions = []
  }

  assignable_scopes = [
    "/"
  ]
}
1 This custom role places no restriction on actions.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2021-04-01",
      "name": "good", (1)
      "properties": {
        "roleName": "my_role",
        "type": "customRole",
        "isCustom": true,
        "permissions": [
          {
            "actions": ["Microsoft.Authorization/*/read"]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    }
  ]
}
1 This role definition restricts actions to reads and does not carry the permissions of a custom owner role.

Terraform

resource "azurerm_role_definition" "ok" {
  name        = "restricted-role"
  scope       = data.azurerm_subscription.primary.id

  permissions {
    actions = [ (1)
      "Microsoft.Storage/*/read",
      "Microsoft.Network/*/read",
      "Microsoft.Compute/*/read",
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/restart/action",
      "Microsoft.Authorization/*/read",
      "Microsoft.ResourceHealth/availabilityStatuses/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.Insights/diagnosticSettings/*",
      "Microsoft.Support/*"
    ]
    not_actions = []
  }

  assignable_scopes = [
    "/"
  ]
}
1 Allowed actions are restricted to an explicit list.

Runtime

CLI Command

  • Use the following command to check for entries with an assignableScope of / or a subscription, and an action of *:

$ az role definition list
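The command above lists every role definition; the script below, an added example that is not part of this page, applies the runtime check to that output. It assumes the JSON shape `az role definition list` prints (top-level `roleName`, `roleType`, `assignableScopes`, `permissions`) and ships with a constructed sample instead of real data.

```python
import json
import re

# Scope is "/" (root) or exactly one subscription; resource-group scopes are narrower.
_SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)


def is_broad_scope(scope: str) -> bool:
    return scope == "/" or bool(_SUBSCRIPTION_SCOPE.match(scope))


def has_wildcard_actions(permissions) -> bool:
    # A notActions list does not change the verdict: the role still starts from "*".
    return any("*" in (perm.get("actions") or []) for perm in permissions)


def find_overly_permissive(definitions):
    """Return (roleName, broad scopes) for custom roles granting "*" at root or subscription scope."""
    findings = []
    for d in definitions:
        if d.get("roleType") != "CustomRole":  # built-in roles such as Owner are out of scope here
            continue
        broad = [s for s in d.get("assignableScopes", []) if is_broad_scope(s)]
        if broad and has_wildcard_actions(d.get("permissions", [])):
            findings.append((d["roleName"], broad))
    return findings


def check_json(text: str):
    """Parse `az role definition list` JSON output and return the findings."""
    return find_overly_permissive(json.loads(text))


# Constructed sample in the shape of `az role definition list` output (not real data).
SAMPLE = json.dumps([
    {"roleName": "my_role", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "restricted-role", "roleType": "CustomRole", "assignableScopes": ["/"],
     "permissions": [{"actions": ["Microsoft.Storage/*/read", "Microsoft.Authorization/*/read"],
                      "notActions": []}]},
    {"roleName": "rg-admin", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Owner", "roleType": "BuiltInRole", "assignableScopes": ["/"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
])

if __name__ == "__main__":
    for name, scopes in check_json(SAMPLE):
        print(f"{name}: wildcard actions assignable at {', '.join(scopes)}")
```

To run it against a real subscription, replace SAMPLE with the text captured from `az role definition list`; only `my_role` is reported from the sample, since the resource-group-scoped role and the built-in Owner role fall outside this check.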