Beta - Use Of User Access Administrator Role Is Not Restricted
- Query id: 41d7989b-3be2-4081-8c79-cf903dd174c5
- Query name: Beta - Use Of User Access Administrator Role Is Not Restricted
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 250
- Risk score: 3.0
- URL: Github
Description¶
Unnecessary assignments of the User Access Administrator role increase the likelihood of privilege escalation and unauthorized access. User Access Administrator lets a principal create and manage Azure role assignments for others; when it is granted at management group scope, every subscription and resource beneath that management group inherits it, so a single compromised or misconfigured service principal can grant itself or others any role anywhere in the hierarchy. This query flags `azurerm_role_assignment` resources that grant User Access Administrator (by name, or by its built-in role definition ID `18d7d88d-d35e-4fb5-a5c3-7773c20a72d9`) at a management group scope; the same role scoped to a single subscription, or any other role at management group scope, is not reported. Grant the role at the narrowest scope that actually needs it.
Documentation
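The check described above, as an added example that is not part of the KICS query or the original page: a small Python scan that extracts `azurerm_role_assignment` blocks from Terraform source with a regex and reports the ones that grant User Access Administrator at management group scope. The sample HCL is constructed for this example (it mirrors the page's positive and negative cases and adds a full `/providers/Microsoft.Authorization/roleDefinitions/<guid>` form of the role ID, which the provider also accepts). Treating a `data.azurerm_management_group.*` or `azurerm_management_group.*` reference as management group scope is an assumption of this example; a scope passed in through a variable or module output would not be recognised, which is exactly the kind of gap a plan-based scan closes.

```python
import re

# Built-in role definition GUIDs are the same in every Azure tenant.
USER_ACCESS_ADMIN_ROLE_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
USER_ACCESS_ADMIN_ROLE_NAME = "user access administrator"

# Constructed sample for this example (not the page's test files verbatim):
# two assignments the query should flag and two it should accept.
SAMPLE_TF = r'''
resource "azurerm_role_assignment" "mg_by_name" {
  role_definition_name = "User Access Administrator"
  scope                = data.azurerm_management_group.primary.id
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "mg_by_id" {
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
  scope              = "/providers/Microsoft.Management/managementGroups/contoso-root"
  principal_id       = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "sub_scoped" {
  role_definition_name = "User Access Administrator"
  scope                = "/subscriptions/12345678-1234-1234-1234-123456789abc"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "contributor_mg" {
  role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
  scope              = data.azurerm_management_group.primary.id
  principal_id       = data.azurerm_client_config.current.object_id
}
'''

# One top-level resource block with a flat body of `key = value` lines.
BLOCK_RE = re.compile(
    r'resource\s+"azurerm_role_assignment"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
ATTR_RE = re.compile(r'^\s*(?P<key>[A-Za-z_]+)\s*=\s*(?P<value>.+?)\s*$', re.MULTILINE)


def parse_role_assignments(hcl_text):
    """Return {resource_name: {attribute: raw_value}} for each azurerm_role_assignment.

    Minimal regex scan for flat attribute blocks; a production scanner would use
    a real HCL parser or `terraform show -json` output instead.
    """
    assignments = {}
    for block in BLOCK_RE.finditer(hcl_text):
        attrs = {}
        for attr in ATTR_RE.finditer(block.group("body")):
            # Strip surrounding quotes; references such as data.x.y.id stay as-is.
            attrs[attr.group("key")] = attr.group("value").strip().strip('"')
        assignments[block.group("name")] = attrs
    return assignments


def is_user_access_admin(attrs):
    """True if the assignment grants User Access Administrator by name or by ID."""
    name = attrs.get("role_definition_name", "").lower()
    role_id = attrs.get("role_definition_id", "").lower()
    # role_definition_id may be a bare GUID or a full ".../roleDefinitions/<guid>" path.
    return name == USER_ACCESS_ADMIN_ROLE_NAME or role_id.endswith(USER_ACCESS_ADMIN_ROLE_ID)


def is_management_group_scope(scope):
    """True for a literal management group ID or a management group reference (assumed forms)."""
    s = scope.lower()
    return (
        "/providers/microsoft.management/managementgroups/" in s
        or s.startswith("data.azurerm_management_group.")
        or s.startswith("azurerm_management_group.")
    )


def find_unrestricted_uaa(hcl_text):
    """Names of assignments granting User Access Administrator at management group scope."""
    return sorted(
        name
        for name, attrs in parse_role_assignments(hcl_text).items()
        if is_user_access_admin(attrs) and is_management_group_scope(attrs.get("scope", ""))
    )


if __name__ == "__main__":
    for name in find_unrestricted_uaa(SAMPLE_TF):
        print(f"FLAGGED: azurerm_role_assignment.{name} grants User Access Administrator at management group scope")
```

Running it reports `mg_by_name` and `mg_by_id` and accepts `sub_scoped` (same role, subscription scope) and `contributor_mg` (different role, management group scope), matching the split between the positive and negative samples on this page. Matching the GUID as a suffix rather than by equality is what makes the full role definition path form count as a hit.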
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "azurerm_role_assignment" "positive1" {
  role_definition_name = "User Access Administrator"
  scope                = data.azurerm_management_group.primary.id
  principal_id         = data.azurerm_client_config.current.object_id
  principal_type       = "ServicePrincipal"
  condition_version    = "2.0"
}
Positive test num. 2 - tf file
resource "azurerm_role_assignment" "positive2" {
  role_definition_id = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
  scope              = data.azurerm_management_group.primary.id
  principal_id       = data.azurerm_client_config.current.object_id
  principal_type     = "ServicePrincipal"
  condition_version  = "2.0"
}
Positive test num. 3 - tf file
resource "azurerm_role_assignment" "positive3" {
  role_definition_name = "User Access Administrator"
  scope                = "/providers/Microsoft.Management/managementGroups/contoso-root"
  principal_id         = data.azurerm_client_config.current.object_id
  principal_type       = "ServicePrincipal"
  condition_version    = "2.0"
}
Positive test num. 4 - tf file
resource "azurerm_role_assignment" "positive4" {
  role_definition_id = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
  scope              = "/providers/Microsoft.Management/managementGroups/contoso-root"
  principal_id       = data.azurerm_client_config.current.object_id
  principal_type     = "ServicePrincipal"
  condition_version  = "2.0"
}
Positive test num. 5 - tf file
Positive test num. 6 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "azurerm_role_assignment" "negative1" {
  role_definition_name = "Contributor"
  scope                = data.azurerm_management_group.primary.id
  principal_id         = data.azurerm_client_config.current.object_id
  principal_type       = "ServicePrincipal"
  condition_version    = "2.0"
}
Negative test num. 2 - tf file
resource "azurerm_role_assignment" "negative10" {
  role_definition_name = "Contributor"
  scope                = data.azurerm_subscription.primary.id
  principal_id         = data.azurerm_client_config.current.object_id
  principal_type       = "ServicePrincipal"
  condition_version    = "2.0"
}
Negative test num. 3 - tf file
resource "azurerm_role_assignment" "negative11" {
  role_definition_id = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
  scope              = "/subscriptions/12345678-1234-1234-1234-123456789abc"
  principal_id       = data.azurerm_client_config.current.object_id
  principal_type     = "ServicePrincipal"
  condition_version  = "2.0"
}
Negative test num. 4 - tf file
Negative test num. 5 - tf file
Negative test num. 6 - tf file
Negative test num. 7 - tf file
resource "azurerm_role_assignment" "negative4" {
  role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
  scope              = "/providers/Microsoft.Management/managementGroups/contoso-root"
  principal_id       = data.azurerm_client_config.current.object_id
  principal_type     = "ServicePrincipal"
  condition_version  = "2.0"
}