Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Remove Custom Owner Roles

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AccessControl-001

Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of providing every user the minimal amount of access required to perform its tasks.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Typical Azure subscription administrator roles offer basic access management. A custom subscription owner role has full administrative access as its assignable scope is the entire subscription and it can perform any action (i.e. "*"). As security best practice, it is strongly recommended that the least necessary permissions are given initially. Permissions can be added later, as needed, by the account holder. This ensures that the Azure account holder cannot perform actions which were not intended.

Audit

To determine if there are any custom owner roles available in your Microsoft Azure account, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the Azure cloud subscription that you want to examine.

04 In the navigation panel, choose Access control (IAM) and select the Roles tab to access the role definitions available for the selected subscription.

05 Select CustomRole option from the Type dropdown list to return all custom roles available.

06 Click on the custom definition role that you want to examine and select the Permissions tab to view all the permissions associated with the selected role. If the role can perform all actions, i.e. it can manage everything in the permissions list, the selected Azure role definition represents a custom subscription owner role.

07 Repeat steps no. 6 for other custom roles that you want to examine, available in the current Azure subscription.

08 Repeat step no. 3 – 7 for each available Microsoft Azure cloud subscription.

Using Azure CLI

01 Run role definition list command (Windows/macOS/Linux) using built-in and custom query filters to list the names of all custom role definitions (i.e. roles) created for the current Azure subscription: 

az role definition list
	--custom-role-only true
	--query '[].{roleName:roleName}'
	--output table

02 The command output should return a table that contains the names of all the custom roles available: 

RoleName
-----------------------
Azure Manager
API Service Contributor
Cloud Data Reader

03 Run role definition list command (OSX/Linux/UNIX) using the name of the custom role that you want to examine as identifier parameter value to describe the selected role metadata: 

az role definition list
	--name Azure Manager

04 The command output should return an array with the requested information (i.e. role metadata): 

[
  {
    "assignableScopes": [
      "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd"
    ],
    "description": "Manages Azure Cloud Account Resources.",
    "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
    "name": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
        ],
        "notActions": [],
        "notDataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
        ]
      }
    ],
    "roleName": "Azure Manager",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

If the assignableScopes attribute value is set to "/" or "/subscriptions/<azure-subscription-id>" and the actions value is set to "*" (i.e. everything), as shown in the output example above, the selected Microsoft Azure role definition represents a custom owner role.

05 Repeat step no. 3 and 4 for each Azure custom role definition that you want to examine.

Remediation / Resolution

To remove all non-compliant custom owner roles from your Microsoft Azure cloud account, perform the following actions:

Note: Before deleting the non-compliant role definition, verify the usage and the impact of removing the identified role from your Azure cloud account.

Using Azure CLI

01 Sign in to Azure Management Console.

02 Navigate to Azure Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the Azure cloud subscription that you want to examine.

04 In the navigation panel, choose Access control (IAM) and select the Roles tab to access the role definitions available for the selected subscription.

05 Select CustomRole option from the Type dropdown list to return all custom roles available.

06 Select the custom subscription owner role that you want to delete (see Audit section part I to identify the right role) and click the Remove button from the blade top menu to initiate the removal process.

07 On Remove role definitions confirmation panel, click Yes to remove the selected role definition. From now on, the deleted role can no longer be assigned as part of a role assignment.

08 If required, repeat step no. 6 and 7 to remove other custom owner roles available in the current Azure subscription.

09 Repeat step no. 3 – 8 for each Microsoft Azure cloud subscription available.

Using Azure CLI

01 Run role definition delete command (Windows/macOS/Linux) using the name of the custom owner role that you want to delete as identifier parameter value (see Audit section part II to identify the right role), to remove the selected role definition from your Microsoft Azure account. The deleted role can no longer be assigned as part of a role assignment (the role definition delete command request does not produce an output): 

az role definition delete
	--name Azure Manager

02 Repeat step no. 1 for each Azure custom owner role definition that you want to delete.

References

Publication date May 21, 2019

Related AccessControl rules