nuclei-templates/cloud/azure/accesscontrol/azure-custom-admin-role-unrestricted.yaml

id: azure-custom-admin-role-unrestricted
info:
  name: Azure Subscription Administrator Custom Role Unrestricted Access
  author: princechaddha
  severity: high
  description: |
    To provide optimal access security and adhere to the Principle of Least Privilege (POLP), ensure there are no custom administrator roles created for your Microsoft Azure cloud subscriptions. POLP involves assigning only the necessary privileges instead of granting full administrative access.    
  impact: |
    Having custom administrator roles that provide full administrative privileges can lead to overprivileged accounts, increasing the risk of security breaches or accidental changes.    
  remediation: |
    Review and restrict the permissions of custom roles in Azure cloud subscriptions. Ensure that custom roles do not grant more privileges than necessary by conforming to the Principle of Least Privilege.    
  reference:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
  tags: cloud,devops,azure,microsoft,role-based-access,azure-cloud-config

flow: |
  code(1);
  for (let RoleData of iterate(template.roleList)) {
    set("roleName", RoleData);
    code(2);
  }  

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az role definition list --custom-role-only true --output json --query '[].{roleName:roleName}'      
    extractors:
      - type: json
        name: roleList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az role definition list --name "$roleName" --query '[*].{"assignableScopes":assignableScopes,"actions":permissions[].actions[]}' --output json      

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"assignableScopes": "/'

      - type: word
        words:
          - '"actions": "*"'

    extractors:
      - type: dsl
        dsl:
          - 'roleName + " grants full administrative access and should not exist under POLP guidelines"'
# digest: 4b0a00483046022100f859874a74575d8c022f812d59ff22fff83055a0402f0d38b7362cb3e4b12396022100e1f277b14129504389f98bebac7d6f684e4bfb766cde31b93527496cd45f1932:922c64590222798bb761d5b6d8e72950