ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6385/description.adoc

7 lines
644 B
Plaintext
Raw Normal View History

Create rule S6385[terraform]: Azure custom roles should not grant subscription Owner capabilities (#603) * Create rule S6385 * Add rule description * Apply suggestions from code review Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update rules/S6385/see.adoc Fix CWE link * Update rules/S6385/see.adoc Fix CWE link * Add missing azure tag Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-03 15:07:46 +00:00
Azure Resource Manager allows creating custom roles that can be assigned to users, groups, or service principals.
A custom role that grants access to all resources of a subscription will have the same capabilities as the built-in Owner role.
It's recommended to limit the number of subscription owners in order to mitigate the risk of being breached by a compromised owner.
Having a custom role that grants subscription Owner capabilities makes it way more difficult to enforce this limitation.
This rule raises an issue when a custom role has an assignable scope set to a Subscription or a Management Group and allows all actions (``++*++``)
Reference in New Issue Copy Permalink