Ensure that there are no custom subscription owner roles in your Azure subscription, that is, custom role definitions whose permissions grant every action ("*") with nothing withheld and that can be assigned at subscription scope. Such a role is functionally identical to the built-in Owner role, so it adds a second, less visible path to full control of the subscription. Removing it adheres to cloud security best practices and implements the principle of least privilege - the practice of giving every user only the access required to perform their tasks.
To remediate the "Custom Owner Roles In Use" misconfiguration in Azure using Azure CLI, follow the steps below:
1. Open the Azure CLI command prompt or terminal, sign in (az login) and select the subscription to check:
az account set --subscription <subscription-id>
2. Run the following command to list the custom role definitions in the subscription that are equivalent to Owner, i.e. that have a permissions block with an actions entry of "*" and no notActions:
az role definition list --custom-role-only true --query "[?permissions[?contains(actions, '*') && !notActions]].{roleName:roleName, id:name, assignableScopes:assignableScopes}"
This command lists the custom owner roles in use in your subscription. Custom roles whose actions contain "*" but that also list notActions (the pattern the built-in Contributor role uses) are not Owner equivalents and are not shown.
3. Review the output of the above command and identify the custom owner roles that are not required or are no longer in use.
4. Azure will not delete a custom role definition that still has role assignments, so first list the assignments that use the role:
az role assignment list --all --role "<role-name>"
and remove each of them:
az role assignment delete --assignee <object-id> --role "<role-name>" --scope <scope>
Replace <role-name> with the name of the custom owner role, <object-id> with the object ID of the user, group or service principal the role is assigned to, and <scope> with the scope shown in the assignment listing.
5. Run the following command to delete the custom owner role definition:
az role definition delete --name "<role-name>"
6. Repeat steps 4 and 5 for all the custom owner roles that are not required or are no longer in use.
7. Run the list command from step 2 again to verify that the custom owner roles have been deleted:
az role definition list --custom-role-only true --query "[?permissions[?contains(actions, '*') && !notActions]].{roleName:roleName, id:name, assignableScopes:assignableScopes}"
This command should now return an empty list ([]).
By following the above steps, you can remediate the "Custom Owner Roles In Use" misconfiguration in Azure using Azure CLI.
Using Python
To remediate the misconfiguration "Custom Owner Roles In Use" in Azure using Python, you can follow the below steps. The code uses the azure-identity and azure-mgmt-authorization packages (pip install azure-identity azure-mgmt-authorization).
Step 1: Connect to Azure using the Python SDK
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.authorization import AuthorizationManagementClient

    subscription_id = "<subscription-id>"
    scope = f"/subscriptions/{subscription_id}"
    # DefaultAzureCredential picks up az login, environment variables or a managed identity
    client = AuthorizationManagementClient(DefaultAzureCredential(), subscription_id)
Step 2: List the custom role definitions in the subscription
    # The filter keeps custom roles only; built-in roles cannot be deleted anyway
    custom_roles = list(client.role_definitions.list(scope, filter="type eq 'CustomRole'"))
Step 3: For each custom role, check whether it is equivalent to Owner
    owner_like = []
    for role in custom_roles:
        for perm in role.permissions:
            # Owner grants "*" and withholds nothing; a custom role that does the same is an Owner clone
            if "*" in (perm.actions or []) and not perm.not_actions:
                owner_like.append(role)
                print(f"Custom owner role found: {role.role_name} ({role.name})")
                break
Step 4: Remove the assignments that use each role, then delete the role definition
    for role in owner_like:
        # A role definition cannot be deleted while assignments still reference it
        for assignment in client.role_assignments.list_for_subscription():
            if assignment.role_definition_id.lower() == role.id.lower():
                client.role_assignments.delete(assignment.scope, assignment.name)
        # role.name is the role definition GUID that the delete call expects
        client.role_definitions.delete(scope, role.name)
        print(f"Custom owner role removed: {role.role_name}")
Note: Before running the script, make sure to authenticate with Azure using the appropriate credentials and that the service principal or user account holds a role able to delete role assignments and role definitions at the subscription (Owner or User Access Administrator). Deleting a custom role that is still assigned fails, which is why the script removes the assignments first. Also, test the script in a non-production environment before running it in a production environment.
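The Azure CLI and Python steps above both rely on the same test for an owner-equivalent custom role. The example below, added here and not part of the original page or of any Azure tooling, applies that test to the JSON that az role definition list --custom-role-only true prints, so it can be run offline on a captured file and then emit the az commands to run. It also goes a step further than the steps above by separating Owner clones that are assignable at subscription, management-group or root scope from ones confined to a resource group. The three role definitions, their GUIDs and the subscription ID are constructed sample data, not real roles.

```python
import json
import re

# Scopes at which an Owner clone controls a whole subscription or more:
# "/", "/subscriptions/<id>" or a management group. Anything deeper
# (resource group, resource) is narrower than the control targets.
BROAD_SCOPE = re.compile(
    r"^/(subscriptions/[^/]+|providers/Microsoft\.Management/managementGroups/[^/]+)?$",
    re.IGNORECASE,
)


def is_owner_equivalent(role_def: dict) -> bool:
    """True if any permissions block grants every action and withholds none.

    Contributor also has actions ["*"] but lists notActions for
    Microsoft.Authorization writes, so the notActions check matters.
    """
    for perm in role_def.get("permissions", []):
        if "*" in perm.get("actions", []) and not perm.get("notActions"):
            return True
    return False


def is_subscription_wide(role_def: dict) -> bool:
    """True if the role can be assigned at subscription scope or above."""
    return any(BROAD_SCOPE.match(s) for s in role_def.get("assignableScopes", []))


def find_custom_owner_roles(definitions: list) -> list:
    """Custom roles that are both Owner equivalents and subscription-wide."""
    return [
        d for d in definitions
        if d.get("roleType") == "CustomRole"
        and is_owner_equivalent(d)
        and is_subscription_wide(d)
    ]


def remediation_commands(findings: list) -> list:
    """az commands for each finding, in the order Azure requires:
    assignments must be gone before the definition can be deleted."""
    commands = []
    for d in findings:
        name = d["roleName"]
        commands.append(f'az role assignment list --all --role "{name}"')
        commands.append(f'az role definition delete --name "{name}"')
    return commands


# Constructed sample in the shape of `az role definition list -o json`.
SAMPLE_JSON = """
[
  {"roleName": "Ops Full Admin", "roleType": "CustomRole",
   "name": "11111111-1111-1111-1111-111111111111",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
   "permissions": [{"actions": ["*"], "notActions": [],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Ops Contributor Plus", "roleType": "CustomRole",
   "name": "22222222-2222-2222-2222-222222222222",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "App RG Owner", "roleType": "CustomRole",
   "name": "33333333-3333-3333-3333-333333333333",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/app-rg"],
   "permissions": [{"actions": ["*"], "notActions": [],
                    "dataActions": [], "notDataActions": []}]}
]
"""
SAMPLE_DEFINITIONS = json.loads(SAMPLE_JSON)


if __name__ == "__main__":
    findings = find_custom_owner_roles(SAMPLE_DEFINITIONS)
    for d in findings:
        print(f"custom owner role: {d['roleName']} ({d['name']})")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Only "Ops Full Admin" is reported: "Ops Contributor Plus" withholds role-assignment writes, so it is not an Owner clone, and "App RG Owner" is an Owner clone but only inside one resource group. To run it against a real subscription, save az role definition list --custom-role-only true -o json to a file and pass json.load of that file to find_custom_owner_roles.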