Role Definitions Allow Custom Subscription Role Creation

  • Query id: 8fa9ceea-881f-4ef0-b0b8-728f589699a7
  • Query name: Role Definitions Allow Custom Subscription Role Creation
  • Platform: AzureResourceManager
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "roleDef",
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2018-01-01-preview",
      "properties": {
        "roleName": "my-custom-role",
        "description": "This is a custom role",
        "permissions": [
          {
            "actions": [
              "*"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    }
  ],
  "outputs": {}
}
Postitive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "roleDef",
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2018-01-01-preview",
      "properties": {
        "roleName": "my-custom-role",
        "description": "This is a custom role",
        "permissions": [
          {
            "actions": [
              "Microsoft.Authorization/roleDefinitions/write"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    }
  ],
  "outputs": {}
}
Postitive test num. 3 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "roleDef",
          "type": "Microsoft.Authorization/roleDefinitions",
          "apiVersion": "2018-01-01-preview",
          "properties": {
            "roleName": "my-custom-role",
            "description": "This is a custom role",
            "permissions": [
              {
                "actions": [
                  "*"
                ]
              }
            ],
            "assignableScopes": [
              "[subscription().id]"
            ]
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}

Postitive test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "roleDef",
          "type": "Microsoft.Authorization/roleDefinitions",
          "apiVersion": "2018-01-01-preview",
          "properties": {
            "roleName": "my-custom-role",
            "description": "This is a custom role",
            "permissions": [
              {
                "actions": [
                  "Microsoft.Authorization/roleDefinitions/write"
                ]
              }
            ],
            "assignableScopes": [
              "[subscription().id]"
            ]
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "roleDef",
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2018-01-01-preview",
      "properties": {
        "roleName": "my-custom-role",
        "description": "This is a custom role",
        "permissions": [
          {
            "actions": [
              "Microsoft.Authorization/roleDefinitions/read"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    }
  ],
  "outputs": {}
}
Negative test num. 2 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "roleDef",
          "type": "Microsoft.Authorization/roleDefinitions",
          "apiVersion": "2018-01-01-preview",
          "properties": {
            "roleName": "my-custom-role",
            "description": "This is a custom role",
            "permissions": [
              {
                "actions": [
                  "Microsoft.Authorization/roleDefinitions/read"
                ]
              }
            ],
            "assignableScopes": [
              "[subscription().id]"
            ]
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}