Role Definition Allows Custom Role Creation

  • Query id: 3fa5900f-9aac-4982-96b2-a6143d9c99fb
  • Query name: Role Definition Allows Custom Role Creation
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_role_definition" "example2" {
  role_definition_id = "00000000-0000-0000-0000-000000000000"
  name               = "my-custom-role-definition"
  scope              = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.Authorization/roleDefinitions/write"]
    not_actions = []
  }
}
Positive test num. 2 - tf file
resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions     = ["*"]
    not_actions = []
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_role_definition" "example3" {
  role_definition_id = "00000000-0000-0000-0000-000000000000"
  name               = "my-custom-role-definition"
  scope              = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.Authorization/roleDefinitions/read"]
    not_actions = []
  }
}