Custom Role should be assigned for administering resource locks Affecting Role service in Azure


Severity: medium
Severity Framework: Snyk CCSS
Rule category: IAM / Least Privilege

Frameworks: CIS-Azure
Snyk ID: SNYK-CC-00690
Credit: Snyk Research Team

Description

Resource locks (CanNotDelete and ReadOnly) are a powerful control for preventing the modification or deletion of sensitive resources, so the ability to create and remove them is itself sensitive. To reduce the risk of unintentional damage, create a tightly scoped custom role that grants only Microsoft.Authorization/locks/* and assign it to the people who administer locks, rather than giving them the broad built-in Owner role (or User Access Administrator, which carries Microsoft.Authorization/* and can therefore also manage locks). Note that the built-in Contributor role cannot manage locks at all: its notActions exclude Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete.

How to fix?

Create a custom role definition (Microsoft.Authorization/roleDefinitions) whose permissions.actions list contains only Microsoft.Authorization/locks/*, then assign it with a Microsoft.Authorization/roleAssignments resource whose roleDefinitionId references that definition's resource ID. In an ARM template the assignment must declare a dependsOn on the role definition; otherwise the two resources are deployed in parallel and the assignment fails because the definition does not exist yet. Lock administrators who currently hold Owner or User Access Administrator for this purpose should be moved to the custom role and have the broad role removed.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "variables": {
        "example690allowed": "[guid(subscription().id, 'Microsoft.Authorization/locks/*')]",
        "example690a1": "[guid(subscription().id, 'roleassignmenta1')]"
    },
    "resources": [
        {
            "type": "Microsoft.Authorization/roleDefinitions",
            "apiVersion": "2018-01-01-preview",
            "name": "[variables('example690allowed')]",
            "properties": {
                "roleName": "customRole-locks",
                "description": "Create, read and delete resource locks only",
                "type": "customRole",
                "permissions": [
                    {
                        "actions": [
                            "Microsoft.Authorization/locks/*"
                        ],
                        "notActions": []
                    }
                ],
                "assignableScopes": [
                    "[subscription().id]"
                ]
            }
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2018-09-01-preview",
            "name": "[variables('example690a1')]",
            "scope": "[subscription().id]",
            "dependsOn": [
                "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('example690allowed'))]"
            ],
            "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('example690allowed'))]",
                "principalId": "4406338f-15f7-452e-8fbd-7e718edba77d"
            }
        }
    ]
}
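To check an existing subscription against this rule, the following Python script, added here as an example and not part of Snyk's rule or of the template above, evaluates role definitions the way Azure RBAC does (Actions minus NotActions, with * matching across path segments) and reports every principal able to create or delete locks, flagging those who get that ability from a broad role rather than a lock-only custom role. It is written against the JSON that `az role definition list` and `az role assignment list` produce; the field names used (id, roleName, roleType, permissions[].actions/notActions, principalId, roleDefinitionId) are taken from that output, and the inline sample data is constructed for the demo, with the built-in roles abbreviated to the entries that matter here.

```python
"""Audit who can administer Azure resource locks and through which role.

Added example, not Snyk's code. Input shapes mirror `az role definition list`
and `az role assignment list`; the sample data below is constructed and the
built-in role definitions are abbreviated.
"""
import re

# Concrete operations behind the page's "Microsoft.Authorization/locks/*" wildcard.
LOCK_WRITE_OPS = ("Microsoft.Authorization/locks/write",
                  "Microsoft.Authorization/locks/delete")
LOCK_PREFIX = "microsoft.authorization/locks/"


def action_matches(pattern, operation):
    """Azure RBAC wildcard match: '*' spans any number of '/' segments, case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    """Effective permission per permissions block: Actions minus NotActions."""
    for block in role["permissions"]:
        if any(action_matches(p, operation) for p in block.get("notActions", [])):
            continue  # excluded by this block, e.g. Contributor's Microsoft.Authorization/*/Write
        if any(action_matches(p, operation) for p in block.get("actions", [])):
            return True
    return False


def can_manage_locks(role):
    """A lock administrator needs both write and delete on locks."""
    return all(role_allows(role, op) for op in LOCK_WRITE_OPS)


def is_lock_scoped(role):
    """True when every granted action pattern stays inside the locks namespace."""
    patterns = [p for block in role["permissions"] for p in block.get("actions", [])]
    return bool(patterns) and all(p.lower().startswith(LOCK_PREFIX) for p in patterns)


def classify(role):
    """Verdict for one role definition against the rule."""
    if not can_manage_locks(role):
        return "no lock admin"
    if role.get("roleType") == "CustomRole" and is_lock_scoped(role):
        return "ok: tightly scoped custom role"
    return "finding: lock admin via broad role"


def audit(role_definitions, assignments):
    """Map each principal that can administer locks to [(roleName, verdict), ...]."""
    by_id = {r["id"]: r for r in role_definitions}
    report = {}
    for a in assignments:
        role = by_id.get(a["roleDefinitionId"])
        if role is None or not can_manage_locks(role):
            continue
        report.setdefault(a["principalId"], []).append((role["roleName"], classify(role)))
    return report


# Constructed sample data (placeholder subscription id and principal ids).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RD = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"

ROLE_DEFINITIONS = [
    {"id": RD + "owner", "roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"id": RD + "contributor", "roleName": "Contributor", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/elevateAccess/Action"]}]},
    {"id": RD + "uaa", "roleName": "User Access Administrator", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
                      "notActions": []}]},
    {"id": RD + "locks", "roleName": "customRole-locks", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}]},
]

ASSIGNMENTS = [
    {"principalId": "alice", "roleDefinitionId": RD + "locks"},
    {"principalId": "bob", "roleDefinitionId": RD + "owner"},
    {"principalId": "carol", "roleDefinitionId": RD + "contributor"},
    {"principalId": "dave", "roleDefinitionId": RD + "uaa"},
]

if __name__ == "__main__":
    for principal, hits in audit(ROLE_DEFINITIONS, ASSIGNMENTS).items():
        for role_name, verdict in hits:
            print(f"{principal:8} {role_name:28} {verdict}")
```

Run against real data, replace the two sample lists with `json.load` of the CLI output; Contributor assignments drop out of the report because the role cannot write or delete locks, while Owner and User Access Administrator assignments surface as findings that should be replaced by the custom role from the template above.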