id: azure-custom-admin-role-unrestricted info: name: Azure Subscription Administrator Custom Role Unrestricted Access author: princechaddha severity: high description: | To provide optimal access security and adhere to the Principle of Least Privilege (POLP), ensure there are no custom administrator roles created for your Microsoft Azure cloud subscriptions. POLP involves assigning only the necessary privileges instead of granting full administrative access. impact: | Having custom administrator roles that provide full administrative privileges can lead to overprivileged accounts, increasing the risk of security breaches or accidental changes. remediation: | Review and restrict the permissions of custom roles in Azure cloud subscriptions. Ensure that custom roles do not grant more privileges than necessary by conforming to the Principle of Least Privilege. reference: - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles tags: cloud,devops,azure,microsoft,role-based-access,azure-cloud-config flow: | code(1); for (let RoleData of iterate(template.roleList)) { set("roleName", RoleData); code(2); } self-contained: true code: - engine: - sh - bash source: | az role definition list --custom-role-only true --output json --query '[].{roleName:roleName}' extractors: - type: json name: roleList internal: true json: - '.[]' - engine: - sh - bash source: | az role definition list --name "$roleName" --query '[*].{"assignableScopes":assignableScopes,"actions":permissions[].actions[]}' --output json matchers-condition: and matchers: - type: word words: - '"assignableScopes": "/' - type: word words: - '"actions": "*"' extractors: - type: dsl dsl: - 'roleName + " grants full administrative access and should not exist under POLP guidelines"' # digest: 4b0a00483046022100f859874a74575d8c022f812d59ff22fff83055a0402f0d38b7362cb3e4b12396022100e1f277b14129504389f98bebac7d6f684e4bfb766cde31b93527496cd45f1932:922c64590222798bb761d5b6d8e72950