Azure RBAC roles can be assigned to users, groups, or service principals. A role assignment grants permissions on a predefined set of resources
called "scope".
The widest scopes a role can be assigned to are:
- Subscription: a role assigned with this scope grants access to all resources of this Subscription.
- Management Group: a scope assigned with this scope grants access to all resources of all the Subscriptions in this Management Group.
In case of security incidents involving a compromised identity (user, group, or service principal), limiting its role assignment to the narrowest
scope possible helps separate duties and limits what resources are at risk.
Ask Yourself Whether
- The user, group, or service principal doesn’t use the entirety of the resources in the scope to operate on a day-to-day basis.
- It is possible to follow the Separation of Duties principle and split the scope into multiple role assignments with a narrower scope.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
- Limit the scope of the role assignment to a Resource or Resource Group.
- Apply the least privilege principle by assigning roles granting as few permissions as possible.
Sensitive Code Example
resource "azurerm_role_assignment" "example" {
scope = data.azurerm_subscription.primary.id # Sensitive
role_definition_name = "Reader"
principal_id = data.azuread_user.user.object_id
}
Compliant Solution
resource "azurerm_role_assignment" "example" {
scope = azurerm_resource_group.example.id
role_definition_name = "Reader"
principal_id = data.azuread_user.user.object_id
}
See
