Principals With Assume Role
More Info: Roles which can be assumed by Principals
Risk Level: High
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate the misconfiguration related to principals with assume role in Azure, follow these step-by-step instructions using the Azure console:
- Log in to the Azure portal (https://portal.azure.com) using your Azure account credentials.
- Navigate to the Azure Active Directory (AAD) service by clicking on the “Azure Active Directory” option in the left-hand side menu.
- In the AAD dashboard, click on “Enterprise applications” under the “Manage” section in the left-hand side menu.
- In the “Enterprise applications” page, search for the application that needs to be remediated. You can use the search bar at the top to find the application by name.
- Click on the application to open its details page.
- In the application details page, click on the “Single sign-on” option in the left-hand side menu.
- Under the “Single sign-on” section, click on the “User assignment required” toggle switch to enable it. This will enforce user assignment for the application.
- Once the “User assignment required” toggle switch is enabled, click on the “Save” button at the top of the page to save the changes.
- Now, navigate to the “App registrations” section in the left-hand side menu of the AAD dashboard.
- In the “App registrations” page, search for the application that needs to be remediated. You can use the search bar at the top to find the application by name.
- Click on the application to open its details page.
- In the application details page, click on the “API permissions” option in the left-hand side menu.
- Under the “API permissions” section, review the permissions granted to the application. Remove any unnecessary or excessive permissions by clicking on the “Remove” button next to each permission.
- After removing the unnecessary permissions, click on the “Save” button at the top of the page to save the changes.
- Finally, navigate to the “Overview” section in the left-hand side menu of the AAD dashboard.
- In the “Overview” section, click on the “Properties” option in the top menu.
- Under the “Properties” section, review the settings and configurations for the application. Ensure that the appropriate settings are configured, such as multi-factor authentication, user assignment required, etc.
- Make any necessary changes to the properties and click on the “Save” button at the top of the page to save the changes.
By following these steps, you have successfully remediated the misconfiguration related to principals with assume role in Azure using the Azure console.
To remediate the misconfiguration of “Principals with Assume Role” in Azure using Azure CLI, follow these step-by-step instructions:
- Install and set up Azure CLI:
  - Download and install Azure CLI from the official Microsoft documentation (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli).
  - Once installed, open the Azure CLI command prompt or terminal.
- Authenticate with Azure:
  - Run the following command to sign in to your Azure account:

    ```
    az login
    ```

  - Follow the on-screen instructions to complete the authentication process.
- List the existing role assignments:
  - Run the following command to list all the existing role assignments in your Azure subscription:

    ```
    az role assignment list
    ```

  - Review the output to identify any principals with assume role misconfigurations.
- Remove the misconfigured role assignments:
  - Identify the principal (user, group, or service principal) with the misconfigured assume role.
  - Run the following command to remove the misconfigured role assignment:

    ```
    az role assignment delete --assignee <principal-id> --role <role-name> --scope <scope>
    ```

    Replace <principal-id> with the ID of the misconfigured principal, <role-name> with the name of the role assigned to the principal, and <scope> with the scope where the misconfiguration exists (e.g., resource group, subscription, etc.).
  - Repeat this command for each misconfigured role assignment that needs to be removed.
- Verify the remediation:
  - Run the `az role assignment list` command again to verify that the misconfigured role assignments have been successfully removed.
  - Ensure that the principals no longer have the ability to assume the role.
By following these steps, you will be able to remediate the misconfiguration of “Principals with Assume Role” in Azure using Azure CLI.
To remediate the misconfiguration related to principals with assume role in Azure IAM using Python, follow these steps:
- Import the required libraries:

  ```python
  from azure.identity import DefaultAzureCredential
  from azure.mgmt.authorization import AuthorizationManagementClient
  ```

- Authenticate to Azure using the Azure Identity library:

  ```python
  # DefaultAzureCredential picks up environment variables, managed identity or an az login session
  credential = DefaultAzureCredential()
  ```

- Create an instance of the AuthorizationManagementClient:

  ```python
  subscription_id = "<subscription-id>"  # replace with your Azure subscription ID
  authorization_client = AuthorizationManagementClient(credential, subscription_id)
  ```

- Get the list of role assignments:

  ```python
  # list_for_subscription() returns assignments at every scope inside the subscription
  # (azure-mgmt-authorization 2.x and later; earlier releases named this method list())
  role_assignments = authorization_client.role_assignments.list_for_subscription()
  ```

- Iterate through the role assignments and check if any principal has an “AssumeRole” type:

  ```python
  for role_assignment in role_assignments:
      # The SDK reports principal_type as User, Group, ServicePrincipal, ForeignGroup or Device;
      # adjust the condition to the principal type you intend to remove
      if role_assignment.principal_type == 'AssumeRole':
          # Remove the role assignment: delete() takes the scope and the assignment name
          authorization_client.role_assignments.delete(role_assignment.scope, role_assignment.name)
  ```

- Save and run the Python script to remediate the misconfiguration.
These steps use the Azure Identity and Authorization Management libraries in Python to authenticate to Azure and remove any role assignments with the “AssumeRole” principal type.
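The CLI and Python procedures above both come down to the same workflow: enumerate role assignments, decide which ones give a principal more than it needs, and delete them. The following script is an added example (not the page's or Microsoft's code) that does this as an audit with a dry-run step before anything is removed. It assumes that a service principal holding Owner, Contributor or User Access Administrator at subscription or management-group scope is the kind of "excessive" assignment the page means, that the input has the field names `az role assignment list --all -o json` emits (`name`, `principalId`, `principalType`, `roleDefinitionName`, `scope`), and the sample data embedded below is constructed with fake identifiers. Only `load_from_azure()` touches the SDK, and it imports it lazily so the audit logic runs offline.

```python
"""Audit Azure RBAC role assignments and plan removal of excessive ones (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumption: these built-in roles count as excessive for an automation identity at a broad
# scope (Owner and User Access Administrator can grant further access, Contributor changes anything).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


@dataclass(frozen=True)
class Finding:
    assignment_name: str   # role assignment GUID ("name" in az output)
    principal_id: str
    principal_type: str
    role: str
    scope: str

    def cli_command(self) -> str:
        """Equivalent of the manual `az role assignment delete` step from the CLI procedure."""
        return (f'az role assignment delete --assignee {self.principal_id} '
                f'--role "{self.role}" --scope {self.scope}')


def is_broad_scope(scope: str) -> bool:
    """True for management-group, root or subscription scope; False below a resource group."""
    s = scope.lower()
    if "/providers/microsoft.management/managementgroups/" in s:
        return True
    return "/resourcegroups/" not in s


def audit(assignments: Iterable[dict]) -> list[Finding]:
    """Flag service principals holding a privileged built-in role at a broad scope."""
    findings = []
    for a in assignments:
        if (a.get("principalType") == "ServicePrincipal"
                and a.get("roleDefinitionName") in PRIVILEGED_ROLES
                and is_broad_scope(a.get("scope", ""))):
            findings.append(Finding(a["name"], a["principalId"], a["principalType"],
                                    a["roleDefinitionName"], a["scope"]))
    return findings


def remediate(findings: list[Finding], delete_fn: Callable[[str, str], None],
              dry_run: bool = True) -> list[str]:
    """Return the commands that would run; call delete_fn(scope, name) only when dry_run is False."""
    planned = []
    for f in findings:
        planned.append(f.cli_command())
        if not dry_run:
            delete_fn(f.scope, f.assignment_name)
    return planned


def load_from_azure(subscription_id: str) -> list[dict]:
    """Fetch live assignments with the SDK and normalise them to the dict shape audit() expects."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.authorization import AuthorizationManagementClient
    client = AuthorizationManagementClient(DefaultAzureCredential(), subscription_id)
    role_names: dict[str, str] = {}   # cache: role definition id -> display name
    out = []
    for ra in client.role_assignments.list_for_subscription():
        rid = ra.role_definition_id
        if rid not in role_names:
            role_names[rid] = client.role_definitions.get_by_id(rid).role_name
        out.append({"name": ra.name, "principalId": ra.principal_id,
                    "principalType": ra.principal_type,
                    "roleDefinitionName": role_names[rid], "scope": ra.scope})
    return out


# Constructed sample in the shape of `az role assignment list --all -o json` (fake ids).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MG = "/providers/Microsoft.Management/managementGroups/corp"
SAMPLE_ASSIGNMENTS = [
    {"name": "a1", "principalId": "sp-ci-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},                          # flagged
    {"name": "a2", "principalId": "sp-monitor", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SUB},                               # read-only
    {"name": "a3", "principalId": "user-alice", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},                                # not a service principal
    {"name": "a4", "principalId": "sp-app", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},  # narrow scope
    {"name": "a5", "principalId": "sp-platform", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator", "scope": MG},             # flagged
]

if __name__ == "__main__":
    # Dry run: print the delete commands without removing anything.
    for cmd in remediate(audit(SAMPLE_ASSIGNMENTS), delete_fn=lambda s, n: None, dry_run=True):
        print(cmd)
```

To run it against a real subscription, feed `load_from_azure("<subscription-id>")` into `audit()` and keep `dry_run=True` until the planned commands have been reviewed; pass `delete_fn=client.role_assignments.delete` with `dry_run=False` to apply them. Note that plain `az role assignment list` only returns assignments at subscription scope, so use `--all` when exporting JSON for this script.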