Role Definition Allows Custom Role Creation
- Query id: 5c80db8e-03f5-43a2-b4af-1f3f87018157
- Query name: Role Definition Allows Custom Role Creation
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- URL: Github
Description
A role definition should not grant the action that creates or modifies custom roles (Microsoft.Authorization/roleDefinitions/write), either explicitly or through a wildcard such as "*". A principal holding such a role can define new roles and thereby widen its own permissions.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
---
- name: Create a role definition
  azure_rm_roledefinition:
    name: myTestRole
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "Microsoft.Authorization/roleDefinitions/write"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
```
Positive test num. 2 - yaml file
```yaml
---
- name: Create a role definition2
  azure_rm_roledefinition:
    name: myTestRole2
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "*"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
---
- name: Create a role definition3
  azure_rm_roledefinition:
    name: myTestRole3
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
```
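As an added example (not the KICS query's own logic), the following Python check applies this rule to already-parsed Ansible tasks. It goes beyond the two positive samples above by matching Azure's `*` wildcard prefixes (such as `Microsoft.Authorization/*`) and by honouring `not_actions` exclusions, following Azure RBAC's actions-minus-notActions evaluation; the task dicts are constructed to mirror the page's samples, and loading real playbooks with a YAML parser is left out.

```python
import fnmatch
from typing import Dict, Iterable, List

# The action the query flags: it lets a principal create or modify custom roles.
ROLE_DEF_WRITE = "Microsoft.Authorization/roleDefinitions/write"


def pattern_matches(pattern: str, action: str) -> bool:
    """Azure RBAC actions are case-insensitive; '*' matches any run of characters,
    including '/', so 'Microsoft.Authorization/*' covers the write action."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_action(permission: Dict, action: str = ROLE_DEF_WRITE) -> bool:
    """A permissions entry grants `action` if something in `actions` matches it and
    nothing in `not_actions` subtracts it again (Azure evaluates actions minus notActions)."""
    allowed = any(pattern_matches(p, action) for p in permission.get("actions") or [])
    denied = any(pattern_matches(p, action) for p in permission.get("not_actions") or [])
    return allowed and not denied


def find_custom_role_creators(tasks: Iterable[Dict]) -> List[str]:
    """Names of azure_rm_roledefinition tasks whose definition would grant ROLE_DEF_WRITE."""
    findings = []
    for task in tasks:
        module = task.get("azure_rm_roledefinition")
        if not isinstance(module, dict):
            continue  # not a role definition task
        if any(grants_action(p) for p in module.get("permissions") or []):
            findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed sample tasks (as a YAML parser would return them): the page's three
# samples plus a wildcard prefix, a not_actions exclusion and an unrelated task.
SCOPE = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
SAMPLE_TASKS = [
    {"name": "Create a role definition", "azure_rm_roledefinition": {"name": "myTestRole", "scope": SCOPE,
        "permissions": [{"actions": [ROLE_DEF_WRITE]}], "assignable_scopes": [SCOPE]}},
    {"name": "Create a role definition2", "azure_rm_roledefinition": {"name": "myTestRole2", "scope": SCOPE,
        "permissions": [{"actions": ["*"]}], "assignable_scopes": [SCOPE]}},
    {"name": "Create a role definition3", "azure_rm_roledefinition": {"name": "myTestRole3", "scope": SCOPE,
        "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read"],
                         "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"]}],
        "assignable_scopes": [SCOPE]}},
    {"name": "Wildcard prefix", "azure_rm_roledefinition": {"name": "prefixRole", "scope": SCOPE,
        "permissions": [{"actions": ["Microsoft.Authorization/*"]}]}},
    {"name": "Wildcard with exclusion", "azure_rm_roledefinition": {"name": "excludedRole", "scope": SCOPE,
        "permissions": [{"actions": ["*"], "not_actions": ["Microsoft.Authorization/roleDefinitions/write"]}]}},
    {"name": "Unrelated task", "debug": {"msg": "hello"}},
]
```

Running `find_custom_role_creators(SAMPLE_TASKS)` flags the two positive samples and the wildcard-prefix role, while the negative sample and the role that excludes the write action via `not_actions` pass.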