Defining a custom role for a Subscription or a Management Group that allows all actions gives that role the same capabilities as the built-in Owner role.
This rule raises an issue when a custom role has an assignable scope set to a Subscription or a Management Group and allows all actions (*).
To reduce the risk of intrusion through a compromised owner, it is recommended to limit the number of subscription owners.

resource "azurerm_role_definition" "example" { # Sensitive
  name  = "example"
  scope = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id
  ]
}

resource "azurerm_role_definition" "example" {
  name  = "example"
  scope = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.Compute/*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id
  ]
}
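
The same condition can be checked against role definitions that already exist in a tenant. The following is an added example, not part of the rule or of any analyzer's own code; it assumes input shaped like the JSON printed by `az role definition list` (fields roleName, roleType, permissions, assignableScopes), and the function name, role names and subscription id are constructed for illustration.

```python
import re

# A whole subscription or management group, not a resource group or resource below it.
BROAD_SCOPE = re.compile(
    r"^/(subscriptions/[^/]+|providers/Microsoft\.Management/managementGroups/[^/]+)/?$",
    re.IGNORECASE,
)

def owner_equivalent_roles(role_definitions):
    """Return custom roles that allow "*" and are assignable at a broad scope."""
    findings = []
    for role in role_definitions:
        if role.get("roleType") != "CustomRole":
            continue  # built-in roles (Owner itself) are not what this rule targets
        broad = [s for s in role.get("assignableScopes", []) if BROAD_SCOPE.match(s)]
        wildcard = [p for p in role.get("permissions", []) if "*" in p.get("actions", [])]
        if broad and wildcard:
            findings.append({"role": role.get("roleName"), "scopes": broad})
    return findings

# Constructed sample input; the subscription id and role names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"roleName": "example-all-actions", "roleType": "CustomRole",
     "permissions": [{"actions": ["*"], "notActions": []}],
     "assignableScopes": [SUB]},
    {"roleName": "example-compute-only", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Compute/*"], "notActions": []}],
     "assignableScopes": [SUB]},
    {"roleName": "rg-all-actions", "roleType": "CustomRole",
     "permissions": [{"actions": ["*"], "notActions": []}],
     "assignableScopes": [SUB + "/resourceGroups/example-rg"]},
    {"roleName": "mg-all-actions", "roleType": "CustomRole",
     "permissions": [{"actions": ["*"], "notActions": []}],
     "assignableScopes": ["/providers/Microsoft.Management/managementGroups/example-mg"]},
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}],
     "assignableScopes": ["/"]},
]

if __name__ == "__main__":
    for finding in owner_equivalent_roles(SAMPLE):
        print(f"{finding['role']}: allows all actions at {', '.join(finding['scopes'])}")
```

A role scoped only to a resource group is not reported, because the rule concerns Subscription and Management Group scopes.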