Role Definitions Allow Custom Subscription Role Creation
- Query id: 8fa9ceea-881f-4ef0-b0b8-728f589699a7
- Query name: Role Definitions Allow Custom Subscription Role Creation
- Platform: AzureResourceManager
- Severity: High
- Category: Access Control
- CWE: 266
- URL: Github
Description¶
Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - bicep file
resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
name: 'roleDef'
properties: {
roleName: 'my-custom-role'
description: 'This is a custom role'
permissions: [
{
actions: ['*']
}
]
assignableScopes: [subscription().id]
}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "roleDef",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "my-custom-role",
"description": "This is a custom role",
"permissions": [
{
"actions": [
"*"
]
}
],
"assignableScopes": [
"[subscription().id]"
]
}
}
],
"outputs": {}
}
Positive test num. 3 - bicep file
resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
name: 'roleDef'
properties: {
roleName: 'my-custom-role'
description: 'This is a custom role'
permissions: [
{
actions: ['Microsoft.Authorization/roleDefinitions/write']
}
]
assignableScopes: [subscription().id]
}
}
Positive test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "roleDef",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "my-custom-role",
"description": "This is a custom role",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleDefinitions/write"
]
}
],
"assignableScopes": [
"[subscription().id]"
]
}
}
],
"outputs": {}
}
Positive test num. 5 - bicep file
Positive test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "roleDef",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "my-custom-role",
"description": "This is a custom role",
"permissions": [
{
"actions": [
"*"
]
}
],
"assignableScopes": [
"[subscription().id]"
]
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 7 - bicep file
Positive test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "roleDef",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "my-custom-role",
"description": "This is a custom role",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleDefinitions/write"
]
}
],
"assignableScopes": [
"[subscription().id]"
]
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - bicep file
resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
name: 'roleDef'
properties: {
roleName: 'my-custom-role'
description: 'This is a custom role'
permissions: [
{
actions: ['Microsoft.Authorization/roleDefinitions/read']
}
]
assignableScopes: [subscription().id]
}
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "roleDef",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "my-custom-role",
"description": "This is a custom role",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleDefinitions/read"
]
}
],
"assignableScopes": [
"[subscription().id]"
]
}
}
],
"outputs": {}
}
Negative test num. 3 - bicep file
resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
name: 'roleDef'
properties: {
roleName: 'my-custom-role'
description: 'This is a custom role'
permissions: [
{
actions: ['Microsoft.Authorization/roleDefinitions/read']
}
]
assignableScopes: [subscription().id]
}
}
Negative test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "roleDef",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "my-custom-role",
"description": "This is a custom role",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleDefinitions/read"
]
}
],
"assignableScopes": [
"[subscription().id]"
]
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}