Principals with Infrastructure modification capabilities
More Info:
Minimize or restrict principals which can modify infrastructure.
Risk Level: High
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in Azure using the Azure console, follow these step-by-step instructions:
1. Sign in to the Azure portal (https://portal.azure.com) using your Azure account credentials.
2. Navigate to the Azure Active Directory (AAD) service by clicking on the “Azure Active Directory” option in the left-hand menu.
3. In the Azure Active Directory overview page, click on the “Security” tab in the left-hand menu.
4. Under the “Security” tab, click on the “Azure AD Identity Governance” option.
5. In the Azure AD Identity Governance page, click on the “Privileged Identity Management” option.
6. In the Privileged Identity Management page, click on the “Azure resources” tab.
7. You will see a list of Azure resources with their respective owners and roles. Identify the principals (users or groups) that have “Infrastructure modification capabilities” assigned to them.
8. To remediate the misconfiguration, you have two options:
   a. Remove the “Infrastructure modification capabilities” assignment:
      - Click on the principal’s name or email address.
      - In the principal’s details page, click on the “Remove Assignment” button next to the “Infrastructure modification capabilities” role.
      - Confirm the removal when prompted.
   b. Review and modify the “Infrastructure modification capabilities” assignment:
      - Click on the principal’s name or email address.
      - In the principal’s details page, review the “Infrastructure modification capabilities” role assignment.
      - Modify the assignment as per your organization’s security policies and requirements.
      - Click on the “Save” button to apply the changes.
9. Repeat steps 7 and 8 for all principals that have the “Infrastructure modification capabilities” assigned.
By following these steps, you will be able to remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in Azure using the Azure console.
To remediate the misconfiguration related to “Principals with Infrastructure modification capabilities” in Azure using Azure CLI, follow these step-by-step instructions:
1. Install Azure CLI: If you haven’t already, install the Azure CLI on your local machine by following the official documentation (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli).
2. Authenticate with Azure: Open the command prompt or terminal and authenticate with your Azure account by running the following command:
       az login
3. Select the Azure subscription: If you have multiple Azure subscriptions, select the appropriate one using the following command:
       az account set --subscription <subscription_id>
4. List existing role assignments: To identify the principals with infrastructure modification capabilities, list the existing role assignments using the following command:
       az role assignment list --all
   Review the output to identify any roles that grant excessive permissions to principals.
5. Revoke unnecessary role assignments: Determine the role assignments that need to be revoked based on the principle of least privilege. Use the following command to revoke a role assignment:
       az role assignment delete --assignee <principal_id> --role <role_name> --scope <resource_scope>
   Replace <principal_id> with the ID of the principal you want to revoke the role from, <role_name> with the name of the role you want to revoke, and <resource_scope> with the appropriate scope (e.g., resource group, subscription, etc.). Repeat this command for each unnecessary role assignment you identified in step 4.
6. Verify the remediation: To ensure that the role assignments have been successfully revoked, list the role assignments again using the command from step 4. Confirm that the principals with infrastructure modification capabilities are no longer listed.
By following these steps, you will be able to remediate the misconfiguration related to “Principals with Infrastructure modification capabilities” in Azure using Azure CLI.
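An added example, not part of the original page: it works through steps 4 and 5 of the Azure CLI procedure offline, taking saved `az role assignment list --all` JSON, selecting Owner and Contributor assignments, ordering them broadest scope first, and printing the matching delete commands for review. Treating Owner and Contributor as the infrastructure modification roles is an assumption, and the sample data, allow-list and function names are constructed for illustration.

```python
import json
import shlex

# Assumption: built-in roles treated as granting infrastructure modification.
WRITE_ROLES = {"Owner", "Contributor"}
LEVELS = ["root", "management-group", "subscription", "resource-group", "resource"]
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE = json.dumps([
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalName": "alice@example.com",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalName": "ci-deployer",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalName": "bob@example.com",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": "44444444-4444-4444-4444-444444444444", "principalName": "breakglass@example.com",
     "roleDefinitionName": "Owner", "scope": SUB},
])

def scope_level(scope):
    """Classify an ARM scope string by how much infrastructure it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers":
        return "management-group"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    return "resource"

def find_candidates(az_json, keep_principals=frozenset()):
    """Write-role assignments, broadest scope first, minus allow-listed principal IDs."""
    hits = [dict(a, level=scope_level(a["scope"])) for a in json.loads(az_json)
            if a.get("roleDefinitionName") in WRITE_ROLES
            and a.get("principalId") not in keep_principals]
    return sorted(hits, key=lambda a: (LEVELS.index(a["level"]), a.get("principalName") or ""))

def delete_command(a):
    """Render the page's delete command for one assignment; printed for review, never run."""
    return "az role assignment delete --assignee {} --role {} --scope {}".format(
        shlex.quote(a["principalId"]), shlex.quote(a["roleDefinitionName"]), shlex.quote(a["scope"]))

if __name__ == "__main__":
    keep = {"44444444-4444-4444-4444-444444444444"}  # constructed break-glass account
    for a in find_candidates(SAMPLE, keep):
        print(f"# {a['principalName']}: {a['roleDefinitionName']} at {a['level']} scope")
        print(delete_command(a))
```

Keeping at least one allow-listed Owner at subscription scope avoids revoking the last principal able to restore access.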
To remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in Azure using Python, follow these steps:
1. Install the required Python libraries (role assignments are managed through azure-mgmt-authorization, not azure-mgmt-resource):
       pip install azure-identity
       pip install azure-mgmt-authorization
2. Import the necessary modules in your Python script:
       from azure.identity import DefaultAzureCredential
       from azure.mgmt.authorization import AuthorizationManagementClient
3. Authenticate to Azure using the DefaultAzureCredential:
       credential = DefaultAzureCredential()
4. Create an instance of the AuthorizationManagementClient using the authenticated credential:
       subscription_id = "<your-subscription-id>"
       auth_client = AuthorizationManagementClient(credential, subscription_id)
5. Retrieve the list of role assignments that have “Contributor” or other infrastructure modification capabilities:
       # Built-in Contributor role definition ID (GUID part of roleDefinitionId)
       contributor_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
       # List the subscription's assignments and match on the role definition client-side
       role_assignments = [
           ra for ra in auth_client.role_assignments.list_for_subscription()
           if ra.role_definition_id.lower().endswith(contributor_id)
       ]
6. Iterate through the role assignments and remove the ones that have “Contributor” or other infrastructure modification capabilities:
       # Deletes every matching assignment returned in step 5; review the list first
       for role_assignment in role_assignments:
           auth_client.role_assignments.delete_by_id(role_assignment.id)
7. Once the role assignments are deleted, the principals will no longer have infrastructure modification capabilities.
Make sure to replace <your-subscription-id> with your actual Azure subscription ID in step 4. Additionally, you can modify the role definition ID in step 5 to target different roles with infrastructure modification capabilities.
Note: This solution assumes you have the necessary permissions to delete role assignments.