Azure Custom Owner Role Available
ID: azure-custom-owner-role-unrestricted
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,role-management,azure-cloud-config
Description
Section titled “Description”Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of providing every user the minimal amount of access required to perform its tasks.
YAML Source
Section titled “YAML Source”id: azure-custom-owner-role-unrestrictedinfo: name: Azure Custom Owner Role Available author: princechaddha severity: medium description: | Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of providing every user the minimal amount of access required to perform its tasks. impact: | Having custom owner roles can provide excessive permissions that exceed the requirements of the users, potentially leading to security vulnerabilities. remediation: | Remove any custom owner roles or modify their permissions to align with the principle of least privilege, ensuring users have only the necessary access rights to perform their duties. reference: - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles tags: cloud,devops,azure,microsoft,role-management,azure-cloud-config
flow: | code(1); for (let RoleData of iterate(template.roleList)) { set("roleName", RoleData); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az role definition list --custom-role-only true --query '[].{roleName:roleName}' --output json
extractors: - type: json name: roleList internal: true json: - '.[]'
- engine: - sh - bash source: | az role definition list --name "$roleName" --output json --query '[?(assignableScopes == `/` || assignableScopes == `/subscriptions/` && actions == `*`)].roleName'
matchers-condition: and matchers: - type: word words: - 'roleName'
extractors: - type: dsl dsl: - 'roleName + " is a custom owner role with excessive permissions"'# digest: 4b0a00483046022100883f4fde301ddae0afd388468a91c59ae8e08040397301bb796c36aa83a81fb2022100c53059b69e1e2e9ff9c9a3b76a8ea69ba5ccec02fdcea8f3a2908a56f05718d6:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/accesscontrol/azure-custom-owner-role-unrestricted.yaml"