Control: 5.27 Ensure there are between 2 and 3 subscription owners
Description
The Owner role in Azure grants full control over all resources in a subscription, including the ability to assign roles to others.
Remediation
Remediate from Azure Portal
1. Go to Subscriptions.
2. Click the name of a subscription.
3. Click Access Controls (IAM).
4. Click Role assignments.
5. Click Role : All.
6. Click the arrow next to All.
7. Click Owner.
8. Check the box next to members from whom the owner role should be removed.
9. Click Delete.
10. Click Yes.
11. Repeat steps 1-10 for each subscription requiring remediation.
Remediate from Azure CLI
Run the following command to delete role assignments by role assignment id:
az role assignment delete --ids <role-assignment-ids>
Default Value
A subscription has 1 owner by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_5_27
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_27 --share
SQL
This control uses a named query:
with owner_roles as (
  select
    d.role_name,
    d.role_type,
    d.name,
    d.title,
    d._ctx,
    d.subscription_id
  from
    azure_role_definition as d
    join azure_role_assignment as a on d.id = a.role_definition_id
  where
    d.role_name = 'Owner'
)
select
  owner.subscription_id as resource,
  case
    when count(*) >= 2 and count(*) <= 3 then 'ok'
    else 'alarm'
  end as status,
  count(*) || ' owner(s) associated.' as reason,
  sub.display_name as subscription
from
  owner_roles as owner,
  azure_subscription as sub
where
  sub.subscription_id = owner.subscription_id
group by
  owner.subscription_id,
  owner._ctx,
  sub.display_name;
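As an added example (not part of the Powerpipe mod), the same 2-3 owner rule evaluated offline over constructed output in the shape of `az role assignment list --all --role Owner -o json`; field names follow the CLI's JSON and the subscription GUIDs are placeholders. Unlike the named query, which counts every Owner assignment recorded against a subscription and emits no row for a subscription that has none, this counts only assignments made directly at subscription scope and reports zero-owner subscriptions as well.

```python
import json
from collections import Counter

# Constructed sample shaped like `az role assignment list --all --role Owner -o json`
# output; field names follow the CLI, subscription GUIDs are placeholders.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@example.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalName": "bob@example.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    # Owner at resource-group scope: not a subscription owner.
    {"principalName": "svc-deploy", "principalType": "ServicePrincipal", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app"},
    {"principalName": "carol@example.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
])

# Subscriptions in scope for the check (in practice from `az account list`);
# the third one has no Owner assignment at all.
SAMPLE_SUBSCRIPTIONS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
    "33333333-3333-3333-3333-333333333333",
]

def subscription_scoped(scope):
    """Return the subscription id when `scope` is exactly a subscription,
    else None (resource group, resource, management group or root)."""
    parts = scope.strip("/").split("/")
    return parts[1] if len(parts) == 2 and parts[0] == "subscriptions" else None

def owner_counts(assignments_json):
    """Count Owner assignments made directly at subscription scope."""
    counts = Counter()
    for a in json.loads(assignments_json):
        sub = subscription_scoped(a.get("scope", ""))
        if a.get("roleDefinitionName") == "Owner" and sub:
            counts[sub] += 1
    return counts

def evaluate(assignments_json, subscriptions, low=2, high=3):
    """Apply the control's low..high rule to every subscription, including
    those with zero owners (Counter returns 0 for an unseen key)."""
    counts = owner_counts(assignments_json)
    return {sub: ("ok" if low <= counts[sub] <= high else "alarm")
            for sub in subscriptions}
```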