Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Description

Restrict security group creation to administrators only.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.iam_user_not_allowed_to_create_security_group

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.iam_user_not_allowed_to_create_security_group --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  a.id as resource,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then 'ok'
    else 'alarm'
  end as status,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then a.display_name || ' does not allow user to create security groups.'
    else a.display_name || ' allows user to create security groups.'
  end as reason,
  t.tenant_id
  
from
  distinct_tenant as t,
  azuread_authorization_policy as a;

Tags

service = Azure/ActiveDirectory