rspec/rules/S6387/description.adoc

Azure RBAC roles can be assigned to users, groups, or service principals. A role assignment grants permissions on a predefined set of resources called "scope".

The widest scopes a role can be assigned to are:

* Subscription: a role assigned with this scope grants access to all resources of this Subscription. 
* Management Group: a scope assigned with this scope grants access to all resources of all the Subscriptions in this Management Group.

In case of security incidents involving a compromised identity (user, group, or service principal), limiting its role assignment to the narrowest scope possible helps separate duties and limits what resources are at risk.
Create rule S6387[terraform]: Azure role assignments that grant access to all resources of a subscription are security-sensitive (#622) * Create rule S6387 * Add rule description * Apply suggestions from code review Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Fix typo in highlighting.adoc filename Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-01-04 11:02:05 +00:00			`Azure RBAC roles can be assigned to users, groups, or service principals. A role assignment grants permissions on a predefined set of resources called "scope".`

			`The widest scopes a role can be assigned to are:`
Modify rule S6387: Add newline (#678) 2022-01-07 10:50:42 +01:00
Create rule S6387[terraform]: Azure role assignments that grant access to all resources of a subscription are security-sensitive (#622) * Create rule S6387 * Add rule description * Apply suggestions from code review Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Fix typo in highlighting.adoc filename Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-01-04 11:02:05 +00:00			`* Subscription: a role assigned with this scope grants access to all resources of this Subscription.`
			`* Management Group: a scope assigned with this scope grants access to all resources of all the Subscriptions in this Management Group.`

			`In case of security incidents involving a compromised identity (user, group, or service principal), limiting its role assignment to the narrowest scope possible helps separate duties and limits what resources are at risk.`