Pipeline: 2.23 Ensure That No Custom Subscription Administrator Roles Exist
Description
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Custom roles in Azure with administrative access can obfuscate the permissions granted and introduce complexity and blind spots to the management of privileged identities. For less mature security programs without regular identity audits, the creation of Custom roles should be avoided entirely. For more mature security programs with regular identity audits, Custom Roles should be audited for use and assignment, used minimally, and the principle of least privilege should be observed when granting permissions
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Subscriptions
. - Select a subscription.
- Select
Access control (IAM)
. - Select
Roles
. - Click
Type
and selectCustom role
from the drop-down menu. - Check the box next to each role which grants subscription administrator privileges.
- Select
Delete
. - Select
Yes
.
From Azure CLI
List custom roles:
az role definition list --custom-role-only True
Check for entries with assignableScope
of the subscription
, and an action of *
.
To remove a violating role:
az role definition delete --name <role name>
Note that any role assignments must be removed before a custom role can be deleted. Ensure impact is assessed before deleting a custom role granting subscription administrator privileges.
Default Value
By default, no custom owner roles are created.
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run azure_cis.pipeline.cis_v300_2_23
Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = azure_cis.pipeline.cis_v300_2_23 }
Params
Name | Type | Required | Description | Default |
---|---|---|---|---|
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
approvers | list(notifier) | Yes | List of notifiers to be used for obtaining action/approval decisions. | notifier.default |
Outputs
This pipeline has no outputs.