Ensure custom role definition doesn't have excessive permissions (Wildcard)

Risk Level: High
Azure Role Definition
Rule ID: D9.AZU.IAM.34
Category: Security, Identity, & Compliance
Azure custom role permissions should be defined according to the principle of least privilege.

gsl logic

RoleDefinition where properties.roleName != 'Contributor' and properties.roleName != 'Owner' should not have properties.permissions contain [ actions contain [ '*' ] ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read
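The following added example (not part of the Dome9 page or the CloudGuard product) evaluates the GSL logic above offline in Python: it walks a list of role definitions, skips the exempted Contributor and Owner roles, and reports any role whose permissions list the bare '*' action. It assumes role definitions in either the ARM REST shape the rule references (attributes nested under 'properties') or the flattened shape returned by 'az role definition list'; the sample input and role ids are constructed.

```python
import json
from typing import Dict, Iterable, List

# Built-in roles the GSL rule explicitly exempts; every other role that
# carries a bare '*' action is reported.
EXEMPT_ROLE_NAMES = {"Contributor", "Owner"}


def _props(role: Dict) -> Dict:
    """Return the role attributes for either JSON shape (assumption).

    The ARM REST / GSL shape nests them under 'properties'; the output of
    'az role definition list' puts them at the top level.
    """
    return role.get("properties", role)


def has_wildcard_actions(role: Dict) -> bool:
    """True if any permissions block lists the bare wildcard action '*'.

    notActions are ignored on purpose: as the rule is written, a '*' action
    narrowed by notActions is still a wildcard grant.
    """
    return any("*" in block.get("actions", [])
               for block in _props(role).get("permissions", []))


def find_violations(role_definitions: Iterable[Dict]) -> List[str]:
    """Names of roles that fail D9.AZU.IAM.34 (the rule logic above)."""
    return [
        _props(role).get("roleName", "<unnamed>")
        for role in role_definitions
        if _props(role).get("roleName") not in EXEMPT_ROLE_NAMES
        and has_wildcard_actions(role)
    ]


# Constructed sample input: one built-in role (exempt), one custom role
# granting '*', and one custom role with explicit actions (compliant).
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"properties": {"roleName": "Owner", "type": "BuiltInRole",
                  "permissions": [{"actions": ["*"], "notActions": []}]}},
  {"properties": {"roleName": "Ops Helpdesk", "type": "CustomRole",
                  "permissions": [{"actions": ["*"],
                                   "notActions": ["Microsoft.Authorization/*/Write"]}]}},
  {"roleName": "VM Restarter", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/restart/action",
                                "Microsoft.Compute/virtualMachines/read"],
                    "notActions": []}]}
]
""")

if __name__ == "__main__":
    for name in find_violations(SAMPLE_ROLE_DEFINITIONS):
        print(f"non-compliant: {name}")
```

Like the rule itself, the check matches only the bare '*' element, so provider-scoped wildcards such as 'Microsoft.Compute/*' pass; extend the match if your policy treats those as excessive too.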

Learn more:
Compliance Engine
GSL Language

Remediation

From Portal:
1. Go to 'Access control (IAM)' in the relevant resource
2. Choose the 'Roles' tab in the upper menu
3. Identify the overly permissive role and choose 'Edit'
4. Instead of the wildcard, specify explicit permissions for the role

From TF:
Specify explicit permissions in the 'permissions' block within the 'azurerm_role_definition' resource, replacing the '*' wildcard with the individual actions the role needs:

resource "azurerm_role_definition" "role_definition_example" {
  ..
  permissions {
    ..
    # Replace PERMISSIONS with the explicit actions the role requires;
    # do not use "*".
    actions = [ PERMISSIONS ]
    ..
  }
  ..
}

From Command Line:
To update an existing role definition, use:

az role definition update --role-definition ROLE-DEFINITION-JSON

References:
1. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
3. https://docs.microsoft.com/en-us/cli/azure/role/definition?view=azure-cli-latest#az-role-definition-update

Azure Role Definition

A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. Azure role-based access control (Azure RBAC) has over 120 built-in roles or you can create your own custom roles.

Compliance Frameworks

BP_0318