Azure Introduction
Azure Pricing
Azure Threats
Roles Assumable By Database Services
More Info:
Roles which can be assumed by Database Services
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the issue of roles assumable by database services in Azure IAM, follow these step-by-step instructions using the Azure console:
-
Sign in to the Azure portal (https://portal.azure.com) using your Azure account credentials.
-
In the Azure portal, navigate to the Azure Active Directory (AAD) service by selecting “Azure Active Directory” from the left-hand menu.
-
In the Azure AD overview page, click on “Enterprise applications” in the left-hand menu.
-
In the Enterprise applications page, search for “Azure Database for PostgreSQL” or “Azure Database for MySQL” based on the database service you are using.
-
Click on the appropriate database service application.
-
In the application’s overview page, click on “Properties” in the left-hand menu.
-
Under the “Managed application” section, click on the “Users and groups” option.
-
In the “Users and groups” page, review the list of users and groups that have access to assume the role of the database service.
-
Identify any users or groups that should not have this role assumption privilege and should be remediated.
-
To remove a user or group’s role assumption privilege, click on the respective user or group.
-
In the user or group’s overview page, click on the “Roles and administrators” option in the left-hand menu.
-
In the “Roles and administrators” page, review the list of roles assigned to the user or group.
-
Identify the role that grants the privilege to assume the role of the database service and should be removed.
-
To remove the role, click on the role and then click on the “Remove assignment” button.
-
Confirm the removal of the role assignment when prompted.
-
Repeat steps 10-15 for any other users or groups that need to have their role assumption privilege remediated.
-
Once all necessary role assumption privileges have been removed, you have successfully remediated the issue of roles assumable by database services in Azure IAM.
Ensure to regularly review and manage the roles and permissions assigned to users and groups in Azure IAM to maintain a secure and compliant environment.
To remediate the misconfiguration “Roles Assumable By Database Services” in Azure using Azure CLI, follow these step-by-step instructions:
-
Install Azure CLI: If you haven’t already, install Azure CLI on your local machine by following the instructions provided by Microsoft.
-
Log in to Azure: Open the command prompt or terminal and log in to your Azure account using the following command:
az login -
Set the Azure subscription: If you have multiple Azure subscriptions, set the appropriate subscription using the following command:
az account set --subscription <subscription_id> -
List existing roles: Run the following command to list all the existing roles in your Azure subscription:
az role definition list -
Identify the roles assigned to database services: Review the list of roles and identify the roles assigned to database services. These roles typically have names like “Contributor”, “Owner”, or “Reader”.
-
Create a custom role: If the existing roles assigned to database services do not meet your requirements, you can create a custom role with limited permissions. Create a JSON file (e.g.,
custom-role.json) with the necessary permissions for database services. Here’s an example of a custom role JSON file that allows read access to databases and denies write access:{ "Name": "Custom Database Reader", "IsCustom": true, "Description": "Read-only access to databases", "Actions": [ "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/databases/list" ], "NotActions": [ "Microsoft.Sql/servers/databases/write" ], "AssignableScopes": [ "/subscriptions/<subscription_id>" ] }Modify the
AssignableScopesfield with the appropriate subscription ID. -
Create the custom role: Run the following command to create the custom role:
az role definition create --role-definition custom-role.json -
Assign the custom role to database services: Now, assign the newly created custom role to the appropriate database services. Replace
<custom_role_name>with the name you provided in the custom role JSON file and<database_service_name>with the name of the database service you want to assign the role to. Run the following command:az role assignment create --assignee <database_service_name> --role <custom_role_name> --scope /subscriptions/<subscription_id>Repeat this step for each database service that needs the custom role assigned.
-
Verify the role assignment: To verify that the custom role has been successfully assigned to the database services, run the following command:
az role assignment list --assignee <database_service_name>This command will list all the role assignments for the specified database service.
By following these steps, you will be able to remediate the misconfiguration “Roles Assumable By Database Services” in Azure using Azure CLI.
To remediate the misconfiguration “Roles Assumable By Database Services” in Azure using Python, follow these steps:
-
Install the necessary dependencies:
pip install azure-identity azure-mgmt-resource azure-mgmt-authorization -
Import the required modules:
from azure.identity import DefaultAzureCredential from azure.mgmt.authorization import AuthorizationManagementClient from azure.mgmt.resource import ResourceManagementClient -
Authenticate with Azure using the DefaultAzureCredential:
credential = DefaultAzureCredential() authorization_client = AuthorizationManagementClient(credential, <subscription_id>) resource_client = ResourceManagementClient(credential, <subscription_id>) -
Get the list of all the role assignments for the database services:
role_assignments = authorization_client.role_assignments.list( filter="atScope() and (roleDefinitionName eq 'Contributor' or roleDefinitionName eq 'Owner') and (principalType eq 'ServicePrincipal' or principalType eq 'User') and (scope='/providers/Microsoft.DBforPostgreSQL/servers' or scope='/providers/Microsoft.DBforMySQL/servers' or scope='/providers/Microsoft.DBforMariaDB/servers')" ) -
Iterate over the role assignments and remove any inappropriate assignments:
for assignment in role_assignments: authorization_client.role_assignments.delete_by_id(assignment.id) -
Verify the remediation by rechecking the role assignments:
role_assignments = authorization_client.role_assignments.list( filter="atScope() and (roleDefinitionName eq 'Contributor' or roleDefinitionName eq 'Owner') and (principalType eq 'ServicePrincipal' or principalType eq 'User') and (scope='/providers/Microsoft.DBforPostgreSQL/servers' or scope='/providers/Microsoft.DBforMySQL/servers' or scope='/providers/Microsoft.DBforMariaDB/servers')" ) if not any(role_assignments): print("All inappropriate role assignments have been successfully removed.") else: print("Some inappropriate role assignments still exist.")
Make sure to replace <subscription_id> with your Azure subscription ID in the code above. This code will remove any role assignments for the database services in Azure that have the ‘Contributor’ or ‘Owner’ role and are assigned to Service Principals or Users.