More Info:

Roles which can be assumed by Security Services

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Roles Assumable By Security Services” in AZUREIAM using the AZURE console, follow these step-by-step instructions:
  1. Sign in to the AZURE portal (https://portal.azure.com) using your credentials.
  2. In the left-hand menu, click on “Azure Active Directory”.
  3. Under “Manage”, click on “Roles and administrators”.
  4. On the “Roles and administrators” page, you will see a list of built-in roles. Click on the role that you want to remediate (e.g., “Security Administrator”).
  5. In the role details page, click on the “Properties” tab.
  6. Scroll down to the “Permissions” section and click on the “Add permissions” button.
  7. In the “Add permissions” pane, search for and select the appropriate security service (e.g., “Azure Security Center”).
  8. Click on the “Add permissions” button to add the security service to the role.
  9. Review the other properties of the role and make any necessary changes.
  10. Click on the “Save” button to save the changes to the role.
Repeat steps 4-10 for any other roles that are affected by the misconfiguration.By following these steps, you have now remediated the “Roles Assumable By Security Services” misconfiguration in AZUREIAM using the AZURE console.

To remediate the misconfiguration of roles assumable by security services in Azure using Azure CLI, follow these step-by-step instructions:
  1. Install Azure CLI: If you haven’t already, install Azure CLI on your local machine by following the instructions provided by Microsoft.
  2. Login to Azure: Open a command prompt or terminal and log in to your Azure account using the following command: 
    az login
  3. Select the Azure subscription: If you have multiple Azure subscriptions, select the appropriate subscription using the following command: 
    az account set --subscription <subscription_id>
  4. List existing roles: Run the following command to list all the existing roles in your Azure subscription: 
    az role definition list
  5. Identify the security service roles: Look for any roles that are assumable by security services, such as “Security Admin” or “Security Reader”. Note down the role names or IDs that need to be remediated.
  6. Remove the assumable roles: To remove the assumable roles, use the following command: 
    az role assignment delete --role <role_name_or_id> --assignee <service_principal_object_id>
    Replace <role_name_or_id> with the name or ID of the role you want to remove, and <service_principal_object_id> with the object ID of the security service principal. Repeat this command for each assumable role that needs to be remediated.
  7. Verify the changes: Run the following command to verify that the roles have been successfully removed: 
    az role assignment list --assignee <service_principal_object_id>
    Replace <service_principal_object_id> with the object ID of the security service principal. Ensure that the assumable roles you remediated are no longer listed.
  8. Repeat for other security services: If you have multiple security services, repeat steps 6 and 7 for each security service to remove their assumable roles.
By following these steps, you will be able to remediate the misconfiguration of roles assumable by security services in Azure using Azure CLI.
To remediate the misconfiguration “Roles Assumable By Security Services” in Azure IAM using Python, follow these steps:
  1. Install the necessary Python libraries: 
    pip install azure-identity
pip install azure-mgmt-resource
  2. Authenticate with Azure using the Azure Identity library. You can choose one of the available authentication methods (e.g., interactive login, service principal, managed identity). Here’s an example using interactive login: 
    from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient

# Create a credential object
credential = DefaultAzureCredential()

# Create a ResourceManagementClient instance
subscription_id = '<your-subscription-id>'
resource_client = ResourceManagementClient(credential, subscription_id)
  3. Retrieve the list of security services’ roles that can be assumed. This can be achieved by listing the built-in roles assigned to the security services. Here’s an example: 
    from azure.mgmt.authorization import AuthorizationManagementClient

# Create an AuthorizationManagementClient instance
authorization_client = AuthorizationManagementClient(credential, subscription_id)

# Define the security services' names
security_services = ['Azure Security Center', 'Azure Sentinel']

# Retrieve the built-in roles assigned to the security services
roles = []
for service in security_services:
    role_assignments = authorization_client.role_assignments.list_for_scope('<your-scope>')
    for assignment in role_assignments:
        if assignment.principal_name.startswith(service):
            roles.append(assignment.role_definition_name)
  4. Remove the roles assigned to the security services. Iterate through the list of roles and delete them one by one. Here’s an example: 
    for role in roles:
    role_definition = authorization_client.role_definitions.get('<your-scope>', role)
    authorization_client.role_definitions.delete_by_id(role_definition.id)
  5. Verify the remediation by re-checking the roles assigned to the security services. Ensure that the roles have been successfully removed.
Note: Replace <your-subscription-id> with your Azure subscription ID, and <your-scope> with the appropriate scope (e.g., resource group, subscription, etc.) where the security services’ roles are assigned.Remember to handle any potential errors and exceptions that may occur during the remediation process.