Role Definition Allows Custom Role Creation

  • Query id: 5c80db8e-03f5-43a2-b4af-1f3f87018157
  • Query name: Role Definition Allows Custom Role Creation
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Create a role definition
  azure_rm_roledefinition:
    name: myTestRole
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "Microsoft.Authorization/roleDefinitions/write"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Positive test num. 2 - yaml file
---
- name: Create a role definition2
  azure_rm_roledefinition:
    name: myTestRole2
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "*"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
---
- name: Create a role definition3
  azure_rm_roledefinition:
    name: myTestRole3
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"