* Create rule S6385
* Add rule description
* Apply suggestions from code review
  Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
* Update rules/S6385/see.adoc Fix CWE link
* Update rules/S6385/see.adoc Fix CWE link
* Add missing azure tag

Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com>
Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com>
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
7 lines
644 B
Plaintext
Azure Resource Manager allows creating custom roles that can be assigned to users, groups, or service principals.

A custom role that grants access to all resources of a subscription has the same capabilities as the built-in Owner role.

It is recommended to limit the number of subscription owners in order to mitigate the risk of being breached through a compromised owner account.

Having a custom role that grants subscription Owner capabilities makes it much more difficult to enforce this limitation.

This rule raises an issue when a custom role has an assignable scope set to a Subscription or a Management Group and allows all actions (``++*++``).
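The condition described above, written out as an added Python check over an ARM template; this is example code, not the rule's actual implementation. The template is constructed, and treating the literal `/subscriptions/<id>` and `/providers/Microsoft.Management/managementGroups/<id>` paths plus the `[subscription().id]` and `[managementGroup().id]` expressions as broad scopes is an assumption about how templates express scope.

```python
import json
import re

# Assignable scopes at which a "*" role is equivalent to the built-in Owner role.
_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
_MANAGEMENT_GROUP = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+/?$", re.IGNORECASE)
# ARM template expressions assumed to resolve to those scopes at deployment time.
_BROAD_EXPRESSIONS = {"[subscription().id]", "[managementGroup().id]"}


def is_broad_scope(scope: str) -> bool:
    """True for a subscription or management-group scope (literal path or expression)."""
    s = scope.strip()
    return s in _BROAD_EXPRESSIONS or bool(_SUBSCRIPTION.match(s)) or bool(_MANAGEMENT_GROUP.match(s))


def grants_all_actions(permissions: list) -> bool:
    """True if any permission block lists the wildcard action "*" (notActions are ignored)."""
    return any("*" in (block.get("actions") or []) for block in permissions)


def find_owner_equivalent_roles(template: dict) -> list:
    """Names of roleDefinitions granting "*" at subscription or management-group scope."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.authorization/roledefinitions":
            continue
        props = res.get("properties", {})
        if grants_all_actions(props.get("permissions", [])) and any(
                is_broad_scope(s) for s in props.get("assignableScopes", [])):
            findings.append(res.get("name", "<unnamed>"))
    return findings


# Constructed sample template: an Owner-equivalent role, a "*" role limited to one
# resource group (not flagged), and a subscription-wide read-only role (not flagged).
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [
    {"type": "Microsoft.Authorization/roleDefinitions", "name": "owner-clone",
     "properties": {"assignableScopes": ["[subscription().id]"],
                    "permissions": [{"actions": ["*"], "notActions": []}]}},
    {"type": "Microsoft.Authorization/roleDefinitions", "name": "rg-admin",
     "properties": {"assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"],
                    "permissions": [{"actions": ["*"], "notActions": []}]}},
    {"type": "Microsoft.Authorization/roleDefinitions", "name": "vm-reader",
     "properties": {"assignableScopes": ["[subscription().id]"],
                    "permissions": [{"actions": ["Microsoft.Compute/*/read"], "notActions": []}]}}
  ]
}""")

if __name__ == "__main__":
    print(find_owner_equivalent_roles(SAMPLE_TEMPLATE))  # ['owner-clone']
```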