Ensure Owner roles are not assigned to any principal using Azure Role Assignment

HIGH

Description

Azure Role Assignment has Owner role assigned, this can lead to privilege escalation if an adversary takes over the principal(user, group, or service principal).

Remediation

In Azure Console -

Open the Azure Portal and go to Active Directory.
Select the user you wish to edit.
Under Manage, select Assigned roles.
Remove any assignment for the Owner role.

In Terraform -

In the azurerm_role_assignment resource, update the role_definition_name to something other than Owner.

References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment

Policy Details

Rule Reference ID: AC_AZURE_0282

CSP: Azure

Remediation Available: Yes

Domain: Identity and Access Management

Resource: azurerm_role_assignment

Resource Category: Identity and Access Management (IAM)

Resource Type: Policy

Frameworks

GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
SOC2
NY-DFS

Detections

Analytics