CCSS (Common Configuration Scoring System) is a set of measures used to rate the severity of each rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
In a few clicks, we can analyze your entire application, show which of its components are vulnerable, and suggest quick fixes.
Resource locks are a powerful configuration setting for preventing modification or deletion of sensitive resources. To reduce the risk of unintentional damage, a best practice is to administer resource locks through a tightly scoped custom role rather than the broader "owner" or "contributor" role.
Set Microsoft.Authorization/locks/* in permissions.actions of the Microsoft.Authorization/roleDefinitions resource, and set roleDefinitionId in the Microsoft.Authorization/roleAssignments resource to the ID of that valid role definition.
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"example690allowed": "[guid(subscription().id, 'Microsoft.Authorization/locks/*')]",
"example690a1": "[guid(subscription().id, 'roleassignmenta1')]"
},
"resources": [
{
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"name": "[variables('example690allowed')]",
"properties": {
"roleName": "customRole-locks",
"type": "customRole",
"permissions": [
{
"actions": [
"Microsoft.Authorization/locks/*"
],
"notActions": []
}
],
"assignableScopes": [
"[subscription().id]"
]
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[variables('example690a1')]",
"scope": "[subscription().id]",
"properties": {
"roleDefinitionId": "[concat( subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', variables('example690allowed'))]",
"principalId": "4406338f-15f7-452e-8fbd-7e718edba77d"
}
}
]
}
Add Microsoft.Authorization/locks/* to the permissions.actions list of a custom role.
# Subscription that the custom roles and assignments below are scoped to.
# No arguments: the data source resolves to the provider's current subscription.
data "azurerm_subscription" "primary" {}
# Identity the azurerm provider is authenticated as; its object_id is what the
# role assignment below binds the locks-only role to.
data "azurerm_client_config" "client" {}
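# Tightly scoped custom role that can only administer resource locks.
# Granting just Microsoft.Authorization/locks/* (every lock operation,
# including deleting locks) avoids handing out the far broader
# Owner/Contributor roles for this one task.
resource "azurerm_role_definition" "role_allowed" {
  name  = "role_allowed"
  scope = data.azurerm_subscription.primary.id

  # Direct reference; the "${...}" interpolation-only form is deprecated
  # since Terraform 0.12 (the rest of this file already uses 0.12 expressions).
  assignable_scopes = [data.azurerm_subscription.primary.id]

  permissions {
    actions = ["Microsoft.Authorization/locks/*"]
    # not_actions is omitted, so nothing under locks/* is carved out.
  }
}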
# Binds the locks-only custom role to the authenticated identity at
# subscription scope. Where the locked resources live in a single resource
# group, a narrower scope would further limit the blast radius of this grant.
resource "azurerm_role_assignment" "assignment_allowed" {
  scope        = data.azurerm_subscription.primary.id
  principal_id = data.azurerm_client_config.client.object_id

  # Full Azure resource ID of the custom role defined above; this is the
  # value the rule expects to match a valid role definition ID.
  role_definition_id = azurerm_role_definition.role_allowed.role_definition_resource_id
}
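# Second locks-only custom role. Despite its name it is a custom role
# definition, not a built-in role; the name is kept so existing references
# and state stay valid.
resource "azurerm_role_definition" "builtinassignedrole1" {
  name  = "builtinassignedrole1"
  scope = data.azurerm_subscription.primary.id

  # Direct reference; the "${...}" interpolation-only form is deprecated
  # since Terraform 0.12 (the rest of this file already uses 0.12 expressions).
  assignable_scopes = [data.azurerm_subscription.primary.id]

  permissions {
    # Only lock administration is granted, matching the rule's remediation.
    actions = ["Microsoft.Authorization/locks/*"]
  }
}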