Role Definitions Allow Custom Subscription Role Creation

Query id: 8fa9ceea-881f-4ef0-b0b8-728f589699a7
Query name: Role Definitions Allow Custom Subscription Role Creation
Platform: AzureResourceManager
Severity: High
Category: Access Control
URL: Github

Description¶

Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - json file

Positive test num. 2 - json file

Positive test num. 3 - json file

/span>

{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", "apiProfile": "2019-03-01-hybrid", "parameters": {}, "variables": {}, "functions": [], "resources": [ { "name": "roleDef", "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2018-01-01-preview", "properties": { "roleName": "my-custom-role", "description": "This is a custom role", "permissions": [ { class="w">            "actions": [ "*" ] } ], "assignableScopes": [ "[subscription().id]" ] } } ], "outputs": {} } /span>{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", "apiProfile": "2019-03-01-hybrid", "parameters": {}, "variables": {}, "functions": [], "resources": [ { "name": "roleDef", "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2018-01-01-preview", "properties": { "roleName": "my-custom-role", "description": "This is a custom role", "permissions": [ { class="w">            "actions": [ "Microsoft.Authorization/roleDefinitions/write" ] } ], "assignableScopes": [ "[subscription().id]" ] } } ], "outputs": {} } /span>{ "properties": { "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "2.0.0.0", "apiProfile": "2019-03-01-hybrid", "parameters": {}, "variables": {}, "functions": [], "resources": [ { "name": "roleDef", "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2018-01-01-preview", "properties": { "roleName": "my-custom-role", "description": "This is a custom role", "permissions": [ { class="w">                "actions": [ "*" ] } ], "assignableScopes": [ "[subscription().id]" ] } } ], "outputs": {} }, "parameters": {} }, "kind": "template", "type": "Microsoft.Blueprint/blueprints/artifacts", "name": "myTemplate" }
Positive test num. 4 - json file

{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "roleDef",
          "type": "Microsoft.Authorization/roleDefinitions",
          "apiVersion": "2018-01-01-preview",
          "properties": {
            "roleName": "my-custom-role",
            "description": "This is a custom role",
            "permissions": [
              {
                "actions": [
                  "Microsoft.Authorization/roleDefinitions/write"
                ]
              }
            ],
            "assignableScopes": [
              "[subscription().id]"
            ]
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}



Code samples without security vulnerabilities¶
Negative test num. 1 - json file{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "roleDef",
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2018-01-01-preview",
      "properties": {
        "roleName": "my-custom-role",
        "description": "This is a custom role",
        "permissions": [
          {
            "actions": [
              "Microsoft.Authorization/roleDefinitions/read"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    }
  ],
  "outputs": {}
}

Negative test num. 2 - json file{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "roleDef",
          "type": "Microsoft.Authorization/roleDefinitions",
          "apiVersion": "2018-01-01-preview",
          "properties": {
            "roleName": "my-custom-role",
            "description": "This is a custom role",
            "permissions": [
              {
                "actions": [
                  "Microsoft.Authorization/roleDefinitions/read"
                ]
              }
            ],
            "assignableScopes": [
              "[subscription().id]"
            ]
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}