Ensure custom role definition doesn't have excessive permissions (Wildcard)

GSL logic
Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read
Learn more:
Compliance Engine
GSL Language
Remediation
From Portal:
1. Go to 'Access control (IAM)' in the relevant resource
2. Choose the 'Roles' tab in the upper menu
3. Identify the overly permissive role and choose 'Edit'
4. Instead of the wildcard, specify explicit permissions for the role
From TF:
Specify explicit permissions in the 'permissions' block within the 'azurerm_role_definition' resource:
resource "azurerm_role_definition" "role_definition_example" {
  ..
  permissions {
    ..
    actions = [ PERMISSIONS ]
    ..
  }
  ..
}
From Command Line:
To update an existing role definition, use:
az role definition update --role-definition ROLE-DEFINITION-JSON
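The following added example (not Dome9's own code and not part of this rule) shows the check behind the rule and how to prepare the remediation payload for the command above. It works on JSON shaped like the output of `az role definition list --custom-role-only true -o json`; the three role definitions, the subscription and role GUIDs, and the replacement action list are all constructed placeholders. Only the `actions` and `dataActions` grant lists are inspected, since a wildcard in `notActions` narrows rather than widens the role. The explicit list that `hardened_definition` accepts is the same list that belongs in the Terraform `actions` attribute shown in the previous section. Whether the update command accepts the full list-output shape (with `roleName`, `id`, `permissions`) is an assumption to confirm against the CLI reference linked below.

```python
import json
import copy

# Constructed sample in the shape of `az role definition list --custom-role-only true -o json`
# output. Subscription and role GUIDs are placeholders, not real identifiers.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {
    "roleName": "vm-operator-broad",
    "roleType": "CustomRole",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [
      {"actions": ["*"], "notActions": [], "dataActions": [], "notDataActions": []}
    ]
  },
  {
    "roleName": "storage-prefix-wildcard",
    "roleType": "CustomRole",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [
      {"actions": ["Microsoft.Storage/*"], "notActions": [],
       "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
       "notDataActions": []}
    ]
  },
  {
    "roleName": "vm-operator-scoped",
    "roleType": "CustomRole",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/33333333-3333-3333-3333-333333333333",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [
      {"actions": ["Microsoft.Compute/virtualMachines/read",
                   "Microsoft.Compute/virtualMachines/start/action"],
       "notActions": [], "dataActions": [], "notDataActions": []}
    ]
  }
]
""")


def wildcard_actions(role):
    """Return [(field, action)] for every granted action that contains '*'.
    Only the grant lists matter: a '*' in notActions/notDataActions narrows the role."""
    hits = []
    for perm in role.get("permissions", []):
        for field in ("actions", "dataActions"):
            for action in perm.get(field, []):
                if "*" in action:
                    hits.append((field, action))
    return hits


def classify(role):
    """'compliant' when no granted action contains a wildcard; otherwise say whether the
    role grants everything ('*') or a whole provider/namespace prefix."""
    hits = wildcard_actions(role)
    if not hits:
        return "compliant"
    if any(action == "*" for _, action in hits):
        return "fail: full wildcard"
    return "fail: prefix wildcard"


def audit(roles):
    """Map roleName -> verdict, restricted to custom roles (built-in roles are Microsoft's)."""
    return {r["roleName"]: classify(r) for r in roles if r.get("roleType") == "CustomRole"}


def hardened_definition(role, actions, data_actions=()):
    """Build the JSON body for `az role definition update --role-definition`, keeping the
    role's id and scopes but replacing every permissions block with the explicit lists the
    caller supplies. Refuses wildcards so the fix cannot reintroduce the finding."""
    for action in list(actions) + list(data_actions):
        if "*" in action:
            raise ValueError(f"explicit action list still contains a wildcard: {action}")
    fixed = copy.deepcopy(role)
    fixed["permissions"] = [{
        "actions": list(actions),
        "notActions": [],
        "dataActions": list(data_actions),
        "notDataActions": [],
    }]
    return fixed


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ROLE_DEFINITIONS).items():
        print(f"{name:28s} {verdict}")
    # Assumed least-privilege replacement for the broad VM operator role (constructed list).
    fixed = hardened_definition(SAMPLE_ROLE_DEFINITIONS[0], [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ])
    # Save this output as fixed-role.json, then run:
    #   az role definition update --role-definition @fixed-role.json
    print(json.dumps(fixed, indent=2))
```

Run the script as-is to see the verdicts for the three constructed roles and the remediation payload for the first one; in practice replace `SAMPLE_ROLE_DEFINITIONS` with the real CLI output and derive the explicit action list from what the role's principals actually need.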
References:
1. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
3. https://docs.microsoft.com/en-us/cli/azure/role/definition?view=azure-cli-latest#az-role-definition-update
Related Links:
Azure Role Definitions docs
Azure Role Definition
A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. Azure role-based access control (Azure RBAC) has over 120 built-in roles or you can create your own custom roles.
Compliance Frameworks
