turbot/steampipe-mod-azure-compliance

Control: Audit usage of custom RBAC roles

Description

Prefer built-in roles such as Owner, Contributor and Reader over custom RBAC roles, which are error prone: a hand-written set of actions is easy to over-scope and hard to keep current as resource providers add operations. Treat every custom role as an exception that requires a rigorous review and threat modeling of the actions, data actions and assignable scopes it grants. This control raises an alarm for each subscription that defines one or more custom roles, so that those definitions get that review.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.iam_no_custom_role

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.iam_no_custom_role --share

SQL

This control uses a named query:

-- Collect every custom (non built-in) role definition visible to the
-- connection, keyed by the subscription it was defined in.
with custom_roles as (
  select
    role_name,
    role_type,
    _ctx,
    subscription_id
  from
    azure_role_definition
  where
    role_type = 'CustomRole'
)
select
  cr.subscription_id as resource,
  -- Every group produced here comes from the custom_roles CTE through an
  -- inner join, so count(*) is always >= 1 and the status is 'alarm';
  -- subscriptions with zero custom roles produce no row at all rather
  -- than an 'ok' row.
  case
    when count(*) > 0 then 'alarm'
    else 'ok'
  end as status,
  'There are ' || count(*) || ' custom roles.' as reason,
  sub.display_name as subscription
from
  custom_roles as cr,
  azure_subscription as sub
where
  sub.subscription_id = cr.subscription_id
group by
  cr.subscription_id,
  cr._ctx,
  sub.display_name;
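Two follow-up queries, added here as examples rather than queries shipped with the mod. The first restates the control so that it starts from azure_subscription and left-joins the custom roles, which yields an explicit 'ok' row for subscriptions that define no custom role instead of omitting them. The second supports the review the description calls for: it unnests the permissions of each custom role and flags entries that grant '*' or any wildcard action, since such a role is effectively an unreviewed Owner or Contributor. Both assume the Steampipe azure_role_definition and azure_subscription tables with the columns used by the control above, plus assignable_scopes and a jsonb permissions column holding objects with actions, notActions, dataActions and notDataActions keys as in the Azure Role Definitions API; the column names beyond those in the control are an assumption about the plugin schema.

```sql
-- Added example (not part of the mod): per-subscription status that also
-- reports 'ok' for subscriptions with zero custom roles.
with custom_roles as (
  select
    subscription_id,
    role_name
  from
    azure_role_definition
  where
    role_type = 'CustomRole'
)
select
  sub.subscription_id as resource,
  -- count(cr.role_name) counts only matched rows, so an unmatched
  -- subscription from the left join yields 0 and therefore 'ok'.
  case
    when count(cr.role_name) > 0 then 'alarm'
    else 'ok'
  end as status,
  'There are ' || count(cr.role_name) || ' custom roles.' as reason,
  sub.display_name as subscription
from
  azure_subscription as sub
  left join custom_roles as cr on cr.subscription_id = sub.subscription_id
group by
  sub.subscription_id,
  sub.display_name
order by
  status, subscription;

-- Added example (not part of the mod): drill-down for the review of each
-- custom role. One row per permission block of each custom role, with the
-- granted actions and a flag for wildcard grants. Assumes (plugin schema
-- assumption) that permissions is a jsonb array of objects keyed
-- 'actions', 'notActions', 'dataActions', 'notDataActions'.
select
  sub.display_name as subscription,
  rd.role_name,
  rd.description,
  rd.assignable_scopes,
  p -> 'actions' as actions,
  p -> 'notActions' as not_actions,
  p -> 'dataActions' as data_actions,
  p -> 'notDataActions' as not_data_actions,
  -- jsonb ? tests for '*' as an array element: a role granting '*' is
  -- equivalent to Owner (or Contributor if notActions carries the RBAC
  -- write/delete exclusions) and should be replaced by the built-in role.
  coalesce(p -> 'actions' ? '*', false) as grants_all_actions,
  -- Any action pattern containing '*' (e.g. Microsoft.Compute/*) expands
  -- as providers add operations, so it needs a scope-by-scope review.
  exists (
    select 1
    from jsonb_array_elements_text(coalesce(p -> 'actions', '[]'::jsonb)) as a
    where a like '%*%'
  ) as has_wildcard_action
from
  azure_role_definition as rd
  join azure_subscription as sub on sub.subscription_id = rd.subscription_id
  cross join jsonb_array_elements(rd.permissions) as p
where
  rd.role_type = 'CustomRole'
order by
  grants_all_actions desc,
  has_wildcard_action desc,
  subscription,
  rd.role_name;
```

Run either query from `steampipe query` against the same Azure connection the control uses. Rows with grants_all_actions true are the first to act on; rows with has_wildcard_action true should be checked against assignable_scopes to confirm the wildcard is confined to the intended resource group or subscription.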

Tags