Azure Introduction
Azure Pricing
Azure Threats
Custom Owner Roles In Use
More Info:
Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of providing every user the minimal amount of access required to perform its tasks.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the “Custom Owner Roles In Use” misconfiguration in Azure using the Azure console, follow these steps:
- Log in to the Azure portal at https://portal.azure.com/.
- In the left-hand menu, click on “Azure Active Directory”.
- Click on “Roles and administrators”.
- In the “Roles and administrators” page, click on “Custom roles”.
- Review the custom roles that are currently in use.
- Identify any custom roles that are assigned to users or groups that have owner-level permissions.
- Determine if the custom role is necessary for the user or group to perform their job duties.
- If the custom role is not necessary, remove the role assignment.
- If the custom role is necessary, modify the permissions of the role to reduce the level of access granted.
- Repeat steps 6-9 for each custom role that is assigned to users or groups with owner-level permissions.
By following these steps, you can remediate the “Custom Owner Roles In Use” misconfiguration in Azure using the Azure console.
To remediate the “Custom Owner Roles In Use” misconfiguration in Azure using Azure CLI, follow the steps below:
-
Open the Azure CLI command prompt or terminal.
-
Run the following command to list all the custom owner roles in use:
az role assignment list --all --include-classic-administrators --query "[?roleDefinitionName=='Owner']"This command lists all the custom owner roles in use in your Azure subscription.
-
Review the output of the above command and identify the custom owner roles that are not required or are no longer in use.
-
Run the following command to delete the custom owner role:
az role assignment delete --assignee <object-id> --role <role-name>Replace
<object-id>with the object ID of the user or group to whom the custom owner role is assigned, and<role-name>with the name of the custom owner role. -
Repeat step 4 for all the custom owner roles that are not required or are no longer in use.
-
Run the following command to verify that the custom owner roles have been deleted:
az role assignment list --all --include-classic-administrators --query "[?roleDefinitionName=='Owner']"This command should not list any custom owner roles.
By following the above steps, you can remediate the “Custom Owner Roles In Use” misconfiguration in Azure using Azure CLI.
To remediate the misconfiguration “Custom Owner Roles In Use” in Azure using Python, you can follow the below steps:
Step 1: Connect to Azure using Python SDK
from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient
credential = DefaultAzureCredential()
subscription_id = 'your_subscription_id'
client = ResourceManagementClient(credential, subscription_id)
Step 2: Get the list of resource groups
resource_groups = client.resource_groups.list()
Step 3: For each resource group, check if custom owner roles are assigned
for rg in resource_groups:
roles = client.role_assignments.list_for_resource_group(rg.name)
for role in roles:
if role.role_definition_name == 'Owner' and role.scope == rg.id:
print(f"Custom Owner role assigned in Resource Group {rg.name}")
Step 4: Remove the custom owner role assignments
for rg in resource_groups:
roles = client.role_assignments.list_for_resource_group(rg.name)
for role in roles:
if role.role_definition_name == 'Owner' and role.scope == rg.id:
client.role_assignments.delete(role.scope, role.name)
print(f"Custom Owner role removed from Resource Group {rg.name}")
Note: Before running the script, make sure to authenticate with Azure using the appropriate credentials and provide the necessary permissions to the service principal or user account. Also, test the script in a non-production environment before running it in a production environment.