Control: Ensure that no Custom Subscription Administrator roles exist
Description
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.iam_no_custom_subscription_owner_roles_createdSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.iam_no_custom_subscription_owner_roles_created --shareSQL
This control uses a named query:
with owner_custom_roles as ( select role_name, role_type, title, action, _ctx, subscription_id from azure_role_definition, jsonb_array_elements(permissions) as s, jsonb_array_elements_text(s -> 'actions') as action where role_type = 'CustomRole' and action in ('*', '*:*'))select cr.subscription_id as resource, case when count(*) > 0 then 'alarm' else 'ok' end as status, case when count(*) = 1 then 'There is one custom owner role.' when count(*) > 1 then 'There are ' || count(*) || ' custom owner roles.' else 'There are no custom owner roles.' end as reason , sub.display_name as subscriptionfrom owner_custom_roles cr, azure_subscription subwhere sub.subscription_id = cr.subscription_idgroup by cr.subscription_id, cr._ctx, sub.display_name;