Ensure guest users are disabled for Azure Role Assignment

HIGH

Description

Azure Role Assignment has guest users added. This can impact the integrity and confidentiality of data.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Active Directory.
  2. Select the user you wish to edit.
  3. Under Manage, select Assigned roles.
  4. Remove any assignment for the Guest role.

In Terraform -

  1. In the azurerm_role_assignment resource, update the role_definition_name to something other than Guest.
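
A check for the Terraform case, as an added example that is not part of the original policy page or of any policy engine's rule code: it reads the JSON form of a plan (as produced by `terraform show -json <planfile>`) and reports every azurerm_role_assignment that would end up with role_definition_name set to Guest. The sample plan, resource addresses and the helper names are constructed for illustration.

```python
import json

FLAGGED_ROLE = "guest"  # role name from the remediation text, compared case-insensitively


def _rc(address, rtype, actions, after):
    """Build one constructed resource_changes entry (sample data only)."""
    return {"address": address, "type": rtype,
            "change": {"actions": actions, "after": after}}


# Constructed sample in the shape of `terraform show -json` plan output.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    _rc("azurerm_role_assignment.partner", "azurerm_role_assignment",
        ["create"], {"role_definition_name": "Guest"}),
    _rc("azurerm_role_assignment.auditor", "azurerm_role_assignment",
        ["create"], {"role_definition_name": "Reader"}),
    # Assignment being destroyed: "after" is null, nothing remains to flag.
    _rc("azurerm_role_assignment.old", "azurerm_role_assignment",
        ["delete"], None),
    # Assignment inside a module, role name written in lower case.
    _rc("module.iam.azurerm_role_assignment.vendor", "azurerm_role_assignment",
        ["update"], {"role_definition_name": "guest"}),
    _rc("azurerm_resource_group.rg", "azurerm_resource_group",
        ["create"], {"name": "rg-example"}),
]})


def find_guest_role_assignments(plan_json):
    """Return addresses of role assignments whose planned role is Guest."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_role_assignment":
            continue
        after = (rc.get("change") or {}).get("after")
        if not after:  # destroyed resource
            continue
        # The name is null when the assignment uses role_definition_id
        # or the value is only known after apply; those are not flagged here.
        role = after.get("role_definition_name") or ""
        if role.strip().lower() == FLAGGED_ROLE:
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    for address in find_guest_role_assignments(SAMPLE_PLAN):
        print(f"FAIL {address}: role_definition_name is Guest")
```

Assignments declared through role_definition_id carry no role name in the plan, so they need a separate lookup of the role definition before they can be judged.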

References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment

Policy Details

Rule Reference ID: AC_AZURE_0388
CSP: Azure
Remediation Available: Yes
Resource Type: Policy

Frameworks