Role Definition Allows Custom Role Creation
- Query id: 3fa5900f-9aac-4982-96b2-a6143d9c99fb
- Query name: Role Definition Allows Custom Role Creation
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description
A role definition should not grant `Microsoft.Authorization/roleDefinitions/write`, the permission that allows custom roles to be created and updated: a principal holding it can define or alter custom roles, including ones already assigned to it, and so widen its own permissions. The action should be excluded from `actions` (including through wildcards such as `*`) unless the role is explicitly meant to manage RBAC.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```terraform
resource "azurerm_role_definition" "example2" {
  role_definition_id = "00000000-0000-0000-0000-000000000000"
  name               = "my-custom-role-definition"
  scope              = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["Microsoft.Authorization/roleDefinitions/write"]
    not_actions = []
  }
}
```
Positive test num. 2 - tf file
```terraform
resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"
  permissions {
    actions     = ["*"]
    not_actions = []
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```terraform
resource "azurerm_role_definition" "example3" {
  role_definition_id = "00000000-0000-0000-0000-000000000000"
  name               = "my-custom-role-definition"
  scope              = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["Microsoft.Authorization/roleDefinitions/read"]
    not_actions = []
  }
}
```
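The check behind this query, written out as an added example: this is not the KICS query itself (KICS queries are Rego) and not code from the page, but a standalone Python checker over Terraform text. It goes beyond the three samples above by applying Azure RBAC wildcard semantics, so a role whose `actions` contain `*`, `Microsoft.Authorization/*` or `*/write` is reported as well, unless `not_actions` carves the write action back out. The regex-based block parser, the helper names, and the `example4`/`example5` blocks in the sample input are assumptions made for this example.

```python
"""
Added example (not KICS code): find azurerm_role_definition blocks whose
effective permissions (actions minus not_actions, with Azure RBAC '*'
wildcards) cover Microsoft.Authorization/roleDefinitions/write.
"""
import re

TARGET_ACTION = "Microsoft.Authorization/roleDefinitions/write"

# Constructed input: the three samples from the page plus two assumed blocks
# (example4, example5) that exercise wildcard and not_actions handling.
SAMPLE_TF = r'''
resource "azurerm_role_definition" "example2" {
  role_definition_id = "00000000-0000-0000-0000-000000000000"
  name               = "my-custom-role-definition"
  scope              = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["Microsoft.Authorization/roleDefinitions/write"]
    not_actions = []
  }
}

resource "azurerm_role_definition" "example" {
  name  = "my-custom-role"
  scope = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["*"]
    not_actions = []
  }
}

resource "azurerm_role_definition" "example3" {
  name  = "my-custom-role-definition"
  scope = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["Microsoft.Authorization/roleDefinitions/read"]
    not_actions = []
  }
}

# assumed: provider-wide wildcard, but the write action is carved out again
resource "azurerm_role_definition" "example4" {
  name  = "authorization-reader"
  scope = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["Microsoft.Authorization/*"]
    not_actions = ["Microsoft.Authorization/roleDefinitions/write"]
  }
}

# assumed: a suffix wildcard still covers roleDefinitions/write
resource "azurerm_role_definition" "example5" {
  name  = "all-writers"
  scope = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["*/write"]
    not_actions = []
  }
}
'''

def _wildcard_to_regex(pattern: str) -> re.Pattern:
    """Azure RBAC action pattern -> regex; '*' matches any text, '/' included."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.IGNORECASE)

def covered(action: str, patterns) -> bool:
    """True if any pattern in the list matches the action string."""
    return any(_wildcard_to_regex(p).match(action) for p in patterns)

def grants(action: str, actions, not_actions) -> bool:
    """Effective permission: not_actions only subtracts from actions; it is not a deny."""
    return covered(action, actions) and not covered(action, not_actions)

def _string_list(block: str, key: str):
    """Read a `key = ["...", ...]` attribute from an HCL block body (\\b keeps 'actions' from matching 'not_actions')."""
    m = re.search(r"\b" + key + r"\s*=\s*\[(.*?)\]", block, re.DOTALL)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def parse_role_definitions(tf_text: str):
    """Return (resource_name, actions, not_actions) for each azurerm_role_definition block."""
    found = []
    header = re.compile(r'resource\s+"azurerm_role_definition"\s+"([^"]+)"\s*\{')
    for m in header.finditer(tf_text):
        depth, i = 1, m.end()
        while depth and i < len(tf_text):  # walk forward to the matching closing brace
            depth += {"{": 1, "}": -1}.get(tf_text[i], 0)
            i += 1
        body = tf_text[m.end():i - 1]
        found.append((m.group(1), _string_list(body, "actions"), _string_list(body, "not_actions")))
    return found

def find_custom_role_creators(tf_text: str, target: str = TARGET_ACTION):
    """Names of role definitions whose effective permissions include `target`."""
    return [name for name, acts, nacts in parse_role_definitions(tf_text) if grants(target, acts, nacts)]

if __name__ == "__main__":
    for name in find_custom_role_creators(SAMPLE_TF):
        print(f"azurerm_role_definition.{name}: grants {TARGET_ACTION}")
```

Run as a script, it reports `example2`, `example` and `example5`; `example3` only reads role definitions, and `example4` shows why `not_actions` must be evaluated rather than matching on `actions` alone. Note that `not_actions` only narrows what `actions` grants; it is not a deny, so the checker treats it purely as a subtraction.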