Azure Introduction
Azure Pricing
Azure Threats
Roles Assumable By Network Services
More Info:
Roles which can be assumed by Network Services
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of “Roles Assumable By Network Services” in Azure using the Azure console, follow these steps:
-
Sign in to the Azure portal (https://portal.azure.com) using your Azure account credentials.
-
In the Azure portal’s search bar, type “Azure Active Directory” and select the “Azure Active Directory” service from the suggestions.
-
In the Azure Active Directory blade, click on “Roles and administrators” in the left-hand navigation menu.
-
On the Roles and administrators page, click on “Roles” tab.
-
In the Roles tab, you will see a list of built-in roles. Look for roles that are assigned to Network Services, such as “Network Contributor” or “Network Contributor (Classic)“.
-
Select the Network Service role that you want to remediate by clicking on it.
-
In the Network Service role’s overview page, click on “Assignments” in the left-hand navigation menu.
-
Review the list of role assignments for the Network Service role. Identify any inappropriate or unnecessary assignments.
-
To remove an assignment, select the checkbox next to the assignment and click on the “Remove” button at the top of the page. Confirm the removal when prompted.
-
Repeat steps 8 and 9 for all inappropriate or unnecessary role assignments.
-
To prevent future misconfigurations, consider implementing a least privilege access model by creating custom roles with specific permissions for network-related tasks, rather than using the built-in Network Service roles.
-
Click on “Add assignment” button to assign the appropriate roles to the network services based on their required responsibilities.
-
In the “Add assignments” page, search for the appropriate role in the “Role” search bar.
-
Select the desired role from the search results.
-
In the “Select” section, choose the appropriate scope for the assignment (subscription, resource group, or specific resource).
-
Specify the user, group, or application that should be assigned the role in the “Members” section.
-
Click on the “Review + assign” button to review the assignment details.
-
Review the assignment details and ensure they are correct. If everything looks good, click on the “Assign” button to complete the assignment.
-
Repeat steps 13-18 for all necessary role assignments for the Network Services.
By following these steps, you can remediate the misconfiguration of “Roles Assumable By Network Services” in Azure using the Azure console.
To remediate the misconfiguration of “Roles Assumable By Network Services” in Azure using Azure CLI, follow these steps:
-
Install Azure CLI: If you don’t have Azure CLI installed, follow the official documentation to install it on your system.
-
Authenticate to Azure: Open the Azure CLI and log in to your Azure account using the following command:
az login -
List the existing network service roles: Run the following command to list all the existing network service roles in your Azure subscription:
az role definition list --name 'Network Contributor'This command will display the details of the network service role, including its name, ID, and other properties.
-
Remove the network service role assignment: Identify the role assignment that needs to be removed. You can find the role assignment by looking for the “RoleDefinitionName” property in the output of the previous command.
To remove the network service role assignment, use the following command, replacing
<role-assignment-id>with the actual ID of the role assignment:az role assignment delete --ids <role-assignment-id>This command will delete the specified role assignment, removing the network service’s access to the resources.
-
Verify the removal: To ensure that the network service role assignment has been successfully removed, run the following command again:
az role definition list --name 'Network Contributor'If the command does not return any results, it means that the network service role assignment has been successfully remediated.
By following these steps, you will remediate the misconfiguration related to “Roles Assumable By Network Services” in Azure using Azure CLI.
To remediate the misconfiguration “Roles Assumable By Network Services” in Azure IAM using Python, follow these steps:
-
Install the required Python packages:
pip install azure-identity azure-mgmt-resource -
Import the necessary libraries in your Python script:
from azure.identity import DefaultAzureCredential from azure.mgmt.resource import ResourceManagementClient -
Authenticate with Azure using the DefaultAzureCredential:
credential = DefaultAzureCredential() subscription_id = "<your-subscription-id>" resource_client = ResourceManagementClient(credential, subscription_id) -
Retrieve the list of role assignments for network services:
network_service_principals = [ "f4d9f8cd-7b82-4a5b-9dca-2c3e3e6c9e8a", # Network Contributor "abfa0a7c-a6b6-4736-8310-5855508787cd", # Network Contributor (Classic) "4c4e6e0e-0a8d-4a8a-8f6a-396b6a2f8e47", # Network Contributor (Edge Zone) "b24988ac-6180-42a0-ab88-20f7382dd24c", # Network Contributor (Gateway) "d4a8f0dc-6f3d-4b1c-9c0e-8cdd3f1cd8a3" # Network Contributor (Virtual Network) ] network_service_role_assignments = [] for principal_id in network_service_principals: role_assignments = resource_client.role_assignments.list( filter=f"principalId eq '{principal_id}'" ) network_service_role_assignments.extend(role_assignments) -
Remove the role assignments for network services:
for role_assignment in network_service_role_assignments: resource_client.role_assignments.delete_by_id(role_assignment.id) -
Run the Python script to remediate the misconfiguration.
Note: Make sure you have the necessary permissions to delete role assignments.