Role Assignment Not Limit Guest User Permissions
- Query id: 8e75e431-449f-49e9-b56a-c8f1378025cf
- Query name: Role Assignment Not Limit Guest User Permissions
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description
A role assignment whose role_definition_name is "Guest" should not point at a custom role definition that grants every action (actions = ["*"]) without an equivalent entry in not_actions. Guest principals are external identities; binding one to a wildcard role hands an outside account full control over the assignment scope, which in the samples below is the whole subscription. Restrict the custom role to the specific actions the guest needs, or assign a built-in least-privilege role (for example Reader) instead.
Note that the azurerm provider treats role_definition_name and role_definition_id on azurerm_role_assignment as mutually exclusive; the samples set both only to show the pattern the query matches on (a "Guest" assignment whose role_definition_id references an azurerm_role_definition in the same configuration).
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
    resource "azurerm_role_definition" "example" {
      name        = "my-custom-role"
      scope       = data.azurerm_subscription.primary.id
      description = "This is a custom role created via Terraform"

      permissions {
        actions     = ["*"]
        not_actions = []
      }

      assignable_scopes = [
        data.azurerm_subscription.primary.id,
      ]
    }

    resource "azurerm_role_assignment" "example" {
      name                 = "00000000-0000-0000-0000-000000000000"
      scope                = data.azurerm_subscription.primary.id
      role_definition_name = "Guest"
      role_definition_id   = azurerm_role_definition.example.role_definition_resource_id
      principal_id         = data.azurerm_client_config.example.object_id
    }
Code samples without security vulnerabilities
Negative test num. 1 - tf file
    resource "azurerm_role_definition" "example2" {
      name        = "my-custom-role"
      scope       = data.azurerm_subscription.primary.id
      description = "This is a custom role created via Terraform"

      permissions {
        actions     = []
        not_actions = ["*"]
      }

      assignable_scopes = [
        data.azurerm_subscription.primary.id,
      ]
    }

    resource "azurerm_role_assignment" "example2" {
      name                 = "00000000-0000-0000-0000-000000000000"
      scope                = data.azurerm_subscription.primary.id
      role_definition_name = "Guest"
      role_definition_id   = azurerm_role_definition.example2.role_definition_resource_id
      principal_id         = data.azurerm_client_config.example.object_id
    }
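The following is an added example, not KICS's own query code, that re-implements the check described above and runs it over the page's two samples encoded in Terraform JSON syntax (.tf.json). The matching rule it uses (a "Guest" assignment whose role_definition_id references a local azurerm_role_definition with "*" in actions and no "*" in not_actions) is this example's reading of the positive and negative samples; the sample input, the helper names (referenced_role_definition, grants_everything, find_unrestricted_guest_assignments, scan) and the handling of permissions written either as a single object or as a list of objects are assumptions of the example, not something the page specifies.

```python
"""Added example (not KICS code): flag azurerm_role_assignment resources that bind
the "Guest" role to a custom role definition granting every action.

Input is Terraform JSON syntax (.tf.json), so no HCL parser is needed.
"""
import json
import re
from typing import Any, Dict, List, Optional

# Constructed input mirroring the page's positive (example) and negative
# (example2) samples. References use the .tf.json form "${...}".
SAMPLE_TF_JSON = r'''
{
  "resource": {
    "azurerm_role_definition": {
      "example": {
        "name": "my-custom-role",
        "scope": "${data.azurerm_subscription.primary.id}",
        "permissions": {"actions": ["*"], "not_actions": []},
        "assignable_scopes": ["${data.azurerm_subscription.primary.id}"]
      },
      "example2": {
        "name": "my-custom-role",
        "scope": "${data.azurerm_subscription.primary.id}",
        "permissions": {"actions": [], "not_actions": ["*"]},
        "assignable_scopes": ["${data.azurerm_subscription.primary.id}"]
      }
    },
    "azurerm_role_assignment": {
      "example": {
        "scope": "${data.azurerm_subscription.primary.id}",
        "role_definition_name": "Guest",
        "role_definition_id": "${azurerm_role_definition.example.role_definition_resource_id}",
        "principal_id": "${data.azurerm_client_config.example.object_id}"
      },
      "example2": {
        "scope": "${data.azurerm_subscription.primary.id}",
        "role_definition_name": "Guest",
        "role_definition_id": "${azurerm_role_definition.example2.role_definition_resource_id}",
        "principal_id": "${data.azurerm_client_config.example.object_id}"
      }
    }
  }
}
'''

# Matches the local name in "azurerm_role_definition.<name>.<attribute>".
_REF = re.compile(r"azurerm_role_definition\.([A-Za-z0-9_-]+)\.")


def referenced_role_definition(expr: str) -> Optional[str]:
    """Return the local name of the azurerm_role_definition referenced by a
    role_definition_id expression, or None if it is not such a reference
    (for example a literal ARM resource ID of a built-in role)."""
    m = _REF.search(expr or "")
    return m.group(1) if m else None


def grants_everything(role_def: Dict[str, Any]) -> bool:
    """True if any permissions block allows every action ("*") and does not
    also exclude every action via not_actions. A repeated block in Terraform
    JSON may be a single object or a list of objects; both are handled."""
    blocks = role_def.get("permissions", [])
    if isinstance(blocks, dict):
        blocks = [blocks]
    for block in blocks:
        if "*" in block.get("actions", []) and "*" not in block.get("not_actions", []):
            return True
    return False


def find_unrestricted_guest_assignments(config: Dict[str, Any]) -> List[str]:
    """Return the local names of azurerm_role_assignment resources that assign
    "Guest" to a custom role definition granting "*"."""
    resources = config.get("resource", {})
    role_defs = resources.get("azurerm_role_definition", {})
    findings: List[str] = []
    for name, body in resources.get("azurerm_role_assignment", {}).items():
        if body.get("role_definition_name") != "Guest":
            continue
        def_name = referenced_role_definition(body.get("role_definition_id", ""))
        if def_name is None or def_name not in role_defs:
            continue  # not a local custom role; nothing to inspect statically
        if grants_everything(role_defs[def_name]):
            findings.append(name)
    return findings


def scan(tf_json: str) -> List[str]:
    """Parse a .tf.json document and return the offending assignment names."""
    return find_unrestricted_guest_assignments(json.loads(tf_json))


if __name__ == "__main__":
    for name in scan(SAMPLE_TF_JSON):
        print(f"azurerm_role_assignment.{name}: Guest assignment grants '*' at its scope")
```

Running the block reports only azurerm_role_assignment.example, matching the page's positive and negative tests. An assignment whose role_definition_id is a literal ARM ID (a built-in role) is skipped rather than flagged, because its permissions are not visible in the configuration; a static check can only reason about role definitions declared alongside the assignment.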