Control: Subscriptions with custom roles should not be overly permissive
Description
This policy identifies azure subscriptions with custom roles are overly permissive. Least privilege access rule should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.iam_subscriptions_with_custom_roles_no_overly_permissiveSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.iam_subscriptions_with_custom_roles_no_overly_permissive --shareSQL
This control uses a named query:
with custom_roles as ( select role_name, role_type, title, action, _ctx, subscription_id from azure_role_definition, jsonb_array_elements(permissions) as s, jsonb_array_elements_text(s -> 'actions') as action where role_type = 'CustomRole' and assignable_scopes @> '["/"]' and action in ('*', '*:*'))select cr.subscription_id as resource, case when count(*) > 0 then 'alarm' else 'ok' end as status, case when count(*) = 1 then 'There is one subscription where custom roles are overly permissive.' when count(*) > 1 then 'There are ' || count(*) || ' subscriptions where custom roles are overly permissive.' else 'There is no subscription where custom roles are overly permissive.' end as reason , sub.display_name as subscriptionfrom custom_roles cr, azure_subscription subwhere sub.subscription_id = cr.subscription_idgroup by cr.subscription_id, cr._ctx, sub.display_name;