Custom subscription owner roles should not exist
Description:
Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of giving every user only the minimal amount of access required to perform their tasks.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Typical Azure subscription administrator roles offer basic access management. A custom subscription owner role has full administrative access: its assignable scope is the entire subscription and it can perform any action (i.e. its Actions list contains the "*" wildcard). As a security best practice, it is strongly recommended that only the least necessary permissions are granted initially. Permissions can be added later, as needed, by the account holder. This ensures that the Azure account holder cannot perform actions which were not intended.
Remediation:
1. Sign in to the Azure Management Console.
2. Navigate to the Azure Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.
3. Click on the Azure cloud subscription that you want to examine.
4. In the navigation panel, choose Access control (IAM) and select the Roles tab to access the role definitions available for the selected subscription.
5. Select the CustomRole option from the Type dropdown list to return all custom roles available.
6. Click on the custom role definition that you want to examine and select the Permissions tab to view all the permissions associated with the selected role. If the role can perform all actions, i.e. its Actions list contains the "*" wildcard and it can manage everything in the permissions list, the selected Azure role definition represents a custom subscription owner role.
7. Repeat step no. 6 for the other custom roles that you want to examine, available in the current Azure subscription.
8. Repeat steps no. 3 – 7 for each available Microsoft Azure cloud subscription.
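The portal walkthrough above does not scale across many subscriptions, so the same check is shown here as a script. This is an added example, not Cloud Conformity's or Microsoft's code. It consumes role definitions in the JSON shape produced by `az role definition list` (fields `roleName`, `roleType`, `assignableScopes`, `permissions[].actions`, `permissions[].notActions`) and flags custom roles whose Actions contain the bare "*" wildcard with no NotActions carve-out and whose assignable scope is a whole subscription. It goes slightly beyond the page by also flagging management-group and tenant-root scopes, because those contain entire subscriptions too. The role definitions and subscription id embedded below are constructed sample data.

```python
"""Detect custom Azure role definitions that amount to a subscription owner role.

Added example (not from Cloud Conformity or Microsoft). Input shape follows
`az role definition list` output; the sample data below is constructed.
"""
import json
import re

# A whole subscription: /subscriptions/<id> with nothing after it.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]+/?$", re.IGNORECASE)
# Scopes above a subscription (tenant root "/" or a management group) also
# contain whole subscriptions, so a "*" role assignable there is just as broad.
ABOVE_SUBSCRIPTION_SCOPE = re.compile(
    r"^/(providers/Microsoft\.Management/managementGroups/[^/]+/?)?$", re.IGNORECASE
)

# Constructed sample: what `az role definition list -o json` might return.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "Owner", "roleType": "BuiltInRole", "assignableScopes": ["/"],
   "permissions": [{"actions": ["*"], "notActions": []}]},
  {"roleName": "Ops Full Admin", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "permissions": [{"actions": ["*"], "notActions": []}]},
  {"roleName": "RG Breakglass", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"],
   "permissions": [{"actions": ["*"], "notActions": []}]},
  {"roleName": "VM Operator", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []}]},
  {"roleName": "MG Admin", "roleType": "CustomRole",
   "assignableScopes": ["/providers/Microsoft.Management/managementGroups/corp"],
   "permissions": [{"actions": ["*"], "notActions": []}]},
  {"roleName": "Custom Contributor", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]}]}
]
""")


def scope_covers_subscription(scope: str) -> bool:
    """True for a subscription-wide scope or any scope that contains whole subscriptions.
    Resource-group and resource scopes are narrower and are not matched."""
    return bool(SUBSCRIPTION_SCOPE.match(scope) or ABOVE_SUBSCRIPTION_SCOPE.match(scope))


def grants_all_actions(permission: dict) -> bool:
    """Owner-equivalent: Actions holds the bare wildcard and nothing is removed via NotActions.
    A role with "*" plus NotActions (a custom Contributor) is not treated as an owner here."""
    return "*" in permission.get("actions", []) and not permission.get("notActions", [])


def is_custom_subscription_owner(role: dict) -> bool:
    """Apply the three conditions from the rule: custom role, subscription-wide scope, all actions."""
    if role.get("roleType") != "CustomRole":
        return False
    if not any(scope_covers_subscription(s) for s in role.get("assignableScopes", [])):
        return False
    return any(grants_all_actions(p) for p in role.get("permissions", []))


def find_custom_owner_roles(role_definitions: list) -> list:
    """Return the names of offending role definitions, sorted for stable reporting."""
    return sorted(r["roleName"] for r in role_definitions if is_custom_subscription_owner(r))


if __name__ == "__main__":
    for name in find_custom_owner_roles(SAMPLE_ROLE_DEFINITIONS):
        print(f"custom subscription owner role found: {name}")
```

To run it against a real subscription, replace `SAMPLE_ROLE_DEFINITIONS` with the parsed output of `az role definition list --custom-role-only true -o json` (run per subscription, as step 8 above does in the portal). Any role the script reports should be rebuilt with an explicit, minimal Actions list or narrowed to a resource-group scope.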
Documentation/Reference:
https://www.cloudconformity.com/knowledge-base/azure/AccessControl/remove-custom-owner-roles.html
https://docs.microsoft.com/en-us/azure/role-based-access-control/policy-reference