Ensure to audit role assignments that have implicit managed identity permissions

Risk Level: High
Azure role-based access control
Rule ID: D9.AZU.IAM.36
Category: Security, Identity, & Compliance
Azure role assignments should be defined by the principle of least privilege.

gsl logic

RoleAssignment should not have getResources('RoleDefinition', properties.roleDefinitionId, 'id' ) getValues('properties.permissions') contain [ actions regexMatch /ManagedIdentity/ ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language

Remediation


From Portal:
1. Go to 'Access control (IAM)' in the relevant resource
2. Choose the 'Role assignments' tab in the upper menu
3. Audit the relevant role assignment according to the principle of least privilege

From TF:
Audit the relevant role definition, according to the 'azurerm_role_assignment' resource:


resource "azurerm_role_definition" "example" {
 ...
 }

resource "azurerm_role_assignment" "role_assignment_example" {
 ..
 role_definition_id = azurerm_role_definition.example.role_definition_resource_id
 ..
 }



From Command Line:
To list current subscription and below role assignments by query, use:


az role assignment list --all --query QUERY



References:
1. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal
2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
3. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-cli

Related Links:
Azure Assign roles docs

Azure role-based access control

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

Compliance Frameworks

BP_0318