Control: A maximum of 3 owners should be designated for your subscription
Description
It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.iam_subscription_owner_max_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.iam_subscription_owner_max_3 --share
SQL
This control uses a named query:
with owner_roles as (
  select
    d.role_name,
    d.role_type,
    d.name,
    d.title,
    d._ctx,
    d.subscription_id
  from
    azure_role_definition as d
    join azure_role_assignment as a on d.id = a.role_definition_id
  where
    d.role_name = 'Owner'
)
select
  owner.subscription_id as resource,
  case
    when count(*) <= 3 then 'ok'
    else 'alarm'
  end as status,
  count(*) || ' owner(s) associated.' as reason,
  sub.display_name as subscription
from
  owner_roles as owner,
  azure_subscription as sub
where
  sub.subscription_id = owner.subscription_id
group by
  owner.subscription_id,
  owner._ctx,
  sub.display_name;
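As an added example (not part of the original page or the azure_compliance mod), the script below loads constructed rows into an in-memory SQLite database and runs the control's query against them, showing the ok/alarm boundary at 3 owners and that a subscription with no Owner assignment yields no row at all. Table and column names follow the query; every data value is constructed.

```python
import sqlite3

# Constructed sample rows (not from the original page). Columns are trimmed
# to what the control query reads from the Steampipe tables it names.
ROLE_DEFINITIONS = [  # (id, role_name, role_type, name, title, _ctx, subscription_id)
    ("def-owner-a", "Owner", "BuiltInRole", "owner", "Owner", "{}", "sub-a"),
    ("def-owner-b", "Owner", "BuiltInRole", "owner", "Owner", "{}", "sub-b"),
    ("def-owner-c", "Owner", "BuiltInRole", "owner", "Owner", "{}", "sub-c"),
    ("def-reader-a", "Reader", "BuiltInRole", "reader", "Reader", "{}", "sub-a"),
]
ROLE_ASSIGNMENTS = [  # (id, role_definition_id); sub-a: 3 owners, sub-b: 4, sub-c: 0
    ("ra-1", "def-owner-a"), ("ra-2", "def-owner-a"), ("ra-3", "def-owner-a"),
    ("ra-4", "def-owner-b"), ("ra-5", "def-owner-b"), ("ra-6", "def-owner-b"),
    ("ra-7", "def-owner-b"),
    ("ra-8", "def-reader-a"),  # non-Owner assignment, must not be counted
]
SUBSCRIPTIONS = [("sub-a", "Production"), ("sub-b", "Sandbox"), ("sub-c", "Archive")]

# The control's named query, verbatim apart from whitespace and the trailing semicolon.
CONTROL_QUERY = """
with owner_roles as (
  select d.role_name, d.role_type, d.name, d.title, d._ctx, d.subscription_id
  from azure_role_definition as d
  join azure_role_assignment as a on d.id = a.role_definition_id
  where d.role_name = 'Owner'
)
select owner.subscription_id as resource,
  case when count(*) <= 3 then 'ok' else 'alarm' end as status,
  count(*) || ' owner(s) associated.' as reason,
  sub.display_name as subscription
from owner_roles as owner, azure_subscription as sub
where sub.subscription_id = owner.subscription_id
group by owner.subscription_id, owner._ctx, sub.display_name
"""

def run_control():
    """Load the sample rows into SQLite; return {resource: (status, reason, subscription)}."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table azure_role_definition (id, role_name, role_type, name, title, _ctx, subscription_id)")
    conn.execute("create table azure_role_assignment (id, role_definition_id)")
    conn.execute("create table azure_subscription (subscription_id, display_name)")
    conn.executemany("insert into azure_role_definition values (?,?,?,?,?,?,?)", ROLE_DEFINITIONS)
    conn.executemany("insert into azure_role_assignment values (?,?)", ROLE_ASSIGNMENTS)
    conn.executemany("insert into azure_subscription values (?,?)", SUBSCRIPTIONS)
    rows = conn.execute(CONTROL_QUERY).fetchall()
    conn.close()
    return {resource: (status, reason, name) for resource, status, reason, name in rows}

if __name__ == "__main__":
    for resource, (status, reason, name) in sorted(run_control().items()):
        print(f"{name} ({resource}): {status} - {reason}")
```

Because the join drops subscriptions that have no Owner assignment, "sub-c" never appears in the results; the control reports only on subscriptions that have at least one Owner.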