rspec/rules/S6381/description.adoc

Azure Resource Manager offers built-in roles that can be assigned to users, groups, or service principals.
Some of these roles should be carefully assigned as they grant sensitive permissions like the ability to reset passwords for all users.

An Azure account that fails to limit the use of such roles has a higher risk of being breached by a compromised owner.

This rule raises an issue when one of the following roles is assigned:

* Contributor
* Owner
* User Access Administrator
Create rule S6381[terraform]: Assigning high privileges Azure Resource Manager built-in roles is security-sensitive (#583) * Create rule S6381 * Add rule description * Apply suggestions from code review Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-12-29 08:22:27 +00:00			`Azure Resource Manager offers built-in roles that can be assigned to users, groups, or service principals.`
			`Some of these roles should be carefully assigned as they grant sensitive permissions like the ability to reset passwords for all users.`

			`An Azure account that fails to limit the use of such roles has a higher risk of being breached by a compromised owner.`

			`This rule raises an issue when one of the following roles is assigned:`

			`* Contributor`
			`* Owner`
			`* User Access Administrator`