Subscription Administrator Custom Role

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: AccessControl-003

To provide optimal access security and adhere to the Principle of Least Privilege (POLP), ensure there are no custom administrator roles created for your Microsoft Azure cloud subscriptions. POLP involves assigning only the necessary privileges instead of granting full administrative access.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Administrators with appropriate permissions are responsible for managing Azure account subscriptions. Classic subscription admin roles, such as Account Administrator, Service Administrator, and Co-Administrator, provide sufficient access management capabilities and should not require custom administrator privileges. Misconfigured custom IAM roles with subscription administrator privileges can provide broad and unrestricted access to your Azure subscriptions. By removing custom IAM roles that grant subscription administrator privileges in Azure cloud, you can enhance security, reduce the risk of unauthorized access, comply with regulatory requirements, mitigate insider threats, and enforce the Principle of Least Privilege.


Audit

To determine if there are any custom subscription administrator roles in your Azure cloud account, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Azure Subscriptions blade at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name (link) of the Azure subscription that you want to examine.

04 In the blade navigation panel, choose Access control (IAM) and select the Roles tab to access the role definitions available for the selected subscription.

05 Select the CustomRole option from the Type dropdown list to return only the custom roles available within the subscription.

06 Select the custom role that you want to examine and choose View in the Details column.

07 Select the JSON tab and check the "assignableScopes" and "actions" values to determine the permissions defined for the assignable scope of the role. If the "assignableScopes" value is set to "/" or "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd", where abcdabcd-1234-abcd-1234-abcdabcdabcd is the ID of your Azure subscription, and the "actions" value is set to "*", the selected IAM role allows full administrative access to your Azure subscription; therefore, this custom IAM role should not exist in your Azure cloud account.

08 Repeat steps no. 6 and 7 for each custom role available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Microsoft Azure subscription created within your cloud account.

Using Azure CLI

01 Run role definition list command (Windows/macOS/Linux) using custom query filters to list the names of all custom role definitions (i.e. custom IAM roles) created for the selected Azure subscription:

az role definition list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --custom-role-only true \
  --query '[].{roleName:roleName}' \
  --output table

02 The command output should return the name of each custom role available in the selected subscription:

RoleName
-----------------------
Subscription Admin
API Service Manager
Cloud Data Reader

03 Run role definition list command (OSX/Linux/UNIX) using the name of the custom role that you want to examine as the identifier parameter, to describe the permissions defined for the selected role:

az role definition list \
  --name "Subscription Admin" \
  --query '[*].{"assignableScopes":assignableScopes,"actions":permissions[].actions[]}'

04 The command output should return the requested IAM role permissions:

[
	{
		"assignableScopes": [
			"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
		],
		"actions": [
			"*"
		]
	}
]

Check the "assignableScopes" and "actions" values to determine the permissions defined for the assignable scope of the role. If the "assignableScopes" value is set to "/" or "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd", where abcdabcd-1234-abcd-1234-abcdabcdabcd is the ID of your Azure subscription, and the "actions" value is set to "*", as shown in the example above, the selected custom IAM role allows full administrative access to your Azure subscription; therefore, this role should not exist in your Azure cloud account.

05 Repeat steps no. 3 and 4 for each custom role available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each Microsoft Azure subscription created in your cloud account.
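As an added example (not part of the Conformity page or tooling), the audit check from steps 1 through 4 applied in bulk to the JSON that `az role definition list --custom-role-only true --output json` returns for a subscription. The role definitions below are constructed sample output with placeholder IDs; the "Root Admin" role is a hypothetical addition to show a wildcard hidden in a second permissions block.

```python
import json

# Constructed sample of `az role definition list --custom-role-only true --output json`
# for one subscription (placeholder IDs, not real data). The trailing space in the first
# scope mirrors what exported JSON can contain and must not hide a finding.
SUBSCRIPTION_ID = "abcdabcd-1234-abcd-1234-abcdabcdabcd"
SAMPLE_ROLE_DEFINITIONS = json.dumps([
    {"roleName": "Subscription Admin", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd "],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "API Service Manager", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"],
     "permissions": [{"actions": ["Microsoft.ApiManagement/service/*"], "notActions": []}]},
    {"roleName": "Cloud Data Reader", "roleType": "CustomRole",
     "assignableScopes": ["/"],
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Root Admin", "roleType": "CustomRole",   # hypothetical
     "assignableScopes": ["/"],
     "permissions": [{"actions": ["Microsoft.Compute/*"]}, {"actions": ["*"]}]},
])


def grants_subscription_admin(role, subscription_id):
    """AccessControl-003 condition: assignable at root ("/") or at the subscription
    scope, and any permissions block grants the full wildcard action "*"."""
    broad_scopes = {"/", f"/subscriptions/{subscription_id}".lower()}
    # Normalise whitespace and case so a stray space or upper-case ID cannot mask a match.
    scopes = {s.strip().lower() for s in role.get("assignableScopes", [])}
    if not scopes & broad_scopes:
        return False
    # "*/read" or "Microsoft.X/*" are not full admin; only a bare "*" action is.
    actions = [a.strip() for p in role.get("permissions", []) for a in p.get("actions", [])]
    return "*" in actions


def find_admin_roles(role_definitions_json, subscription_id):
    """Return the sorted names of non-compliant custom roles in the CLI output."""
    roles = json.loads(role_definitions_json)
    return sorted(r["roleName"] for r in roles
                  if r.get("roleType") == "CustomRole"
                  and grants_subscription_admin(r, subscription_id))


if __name__ == "__main__":
    for name in find_admin_roles(SAMPLE_ROLE_DEFINITIONS, SUBSCRIPTION_ID):
        print(f"NON-COMPLIANT: custom role '{name}' grants full administrative access")
```

Pipe the real CLI output into `find_admin_roles` with each subscription ID from step 1 to cover step 6 without clicking through every role.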

Remediation / Resolution

To remove custom IAM roles that grant subscription administrator privileges, perform the following actions:

Ensure that any role assignments are removed from your non-compliant IAM role before the role can be deleted.

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Azure Subscriptions blade at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name (link) of the Azure subscription that you want to access.

04 In the blade navigation panel, choose Access control (IAM) and select the Roles tab to access the role definitions available for the selected subscription.

05 Select the CustomRole option from the Type dropdown list to return only the custom roles available within the subscription.

06 Select the non-compliant IAM role that you want to delete and choose Remove from the top menu.

07 In the Remove role definitions confirmation box, choose Yes to confirm the role removal.

08 Repeat steps no. 6 and 7 for each custom role that you want to remove, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Microsoft Azure subscription created within your cloud account.

Using Azure CLI

01 Run role definition delete command (Windows/macOS/Linux) to remove the non-compliant IAM role that grants subscription administrator privileges from your Azure cloud account (the command does not produce an output):

az role definition delete \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --name "cc-subscription-role"

02 Repeat step no. 1 for each custom role that you want to remove, available within the selected Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription created in your cloud account.

Publication date Apr 6, 2020