Role Assignment Not Limit Guest User Permissions

• Query id: 8e75e431-449f-49e9-b56a-c8f1378025cf
• Query name: Role Assignment Not Limit Guest User Permissions
• Platform: Terraform
• Severity: High
• Category: Access Control
• URL: Github

Description

Role Assignment should limit guest user permissions
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id, 
  ]
}

resource "azurerm_role_assignment" "example" {
  name               = "00000000-0000-0000-0000-000000000000"
  scope              = data.azurerm_subscription.primary.id
  role_definition_name = "Guest"
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = data.azurerm_client_config.example.object_id
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "azurerm_role_definition" "example2" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions     = []
    not_actions = ["*"]
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id, 
  ]
}

resource "azurerm_role_assignment" "example2" {
  name               = "00000000-0000-0000-0000-000000000000"
  scope              = data.azurerm_subscription.primary.id
  role_definition_name = "Guest"
  role_definition_id = azurerm_role_definition.example2.role_definition_resource_id
  principal_id       = data.azurerm_client_config.example.object_id
}