id: azure-custom-owner-role-unrestricted
info:
  name: Azure Custom Owner Role Available
  author: princechaddha
  severity: medium
  description: |
    Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of providing every user the minimal amount of access required to perform its tasks.
  impact: |
    Having custom owner roles can provide excessive permissions that exceed the requirements of the users, potentially leading to security vulnerabilities.
  remediation: |
    Remove any custom owner roles or modify their permissions to align with the principle of least privilege, ensuring users have only the necessary access rights to perform their duties.
  reference:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
  tags: cloud,devops,azure,microsoft,role-management,azure-cloud-config

flow: |
  code(1);
  for (let RoleData of iterate(template.roleList)) {
    set("roleName", RoleData);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az role definition list --custom-role-only true --query '[].{roleName:roleName}' --output json

    extractors:
      - type: json
        name: roleList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az role definition list --name "$roleName" --output json --query '[?(assignableScopes == `/` || assignableScopes == `/subscriptions/` && actions == `*`)].roleName'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'roleName'

    extractors:
      - type: dsl
        dsl:
          - 'roleName + " is a custom owner role with excessive permissions"'
# digest: 490a0046304402206c4f926f7b2fe3c131efd1b2da59514089e79115e21b51ac086d9c228eca1a7902201b521f5cb521c49a713980fdd7c40a3fe599042da10c1b1052b7f4bb6ab5112b:922c64590222798bb761d5b6d8e72950