Enabling Azure resource-specific admin accounts can reduce an organization’s ability to protect itself against account or service account
thefts.
Full Administrator permissions fail to correctly separate duties and create potentially critical attack vectors on the impacted resources.
In case of abuse of elevated permissions, both the data on which impacted resources operate and their access traceability are at risk.
Ask Yourself Whether
- This Azure resource is essential for the information system infrastructure.
- This Azure resource is essential for mission-critical functions.
- Compliance policies require this resource to disable its administrative accounts or permissions.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Disable the administrative accounts or permissions in this Azure resource.
Sensitive Code Example
For Azure Batch Pools:
resource "azurerm_batch_pool" "example" {
name = "sensitive"
start_task {
user_identity {
auto_user {
elevation_level = "Admin" # Sensitive
scope = "Task"
}
}
}
}
For Azure Container Registries:
resource "azurerm_container_registry" "example" {
name = "example"
admin_enabled = true # Sensitive
}
Compliant Solution
For Azure Batch Pools:
resource "azurerm_batch_pool" "example" {
name = "example"
start_task {
user_identity {
auto_user {
elevation_level = "NonAdmin"
scope = "Task"
}
}
}
}
For Azure Container Registries:
resource "azurerm_container_registry" "exemple" {
name = "example"
admin_enabled = false
}
See
