Roles Assumable By Database Services

Using Console

Using CLI

To remediate the misconfiguration “Roles Assumable By Database Services” in Azure using Azure CLI, follow these step-by-step instructions:

Install Azure CLI: If you haven’t already, install Azure CLI on your local machine by following the instructions provided by Microsoft.
Log in to Azure: Open the command prompt or terminal and log in to your Azure account using the following command:
```
az login
```
Set the Azure subscription: If you have multiple Azure subscriptions, set the appropriate subscription using the following command:
```
az account set --subscription <subscription_id>
```
List existing roles: Run the following command to list all the existing roles in your Azure subscription:
```
az role definition list
```
Identify the roles assigned to database services: Review the list of roles and identify the roles assigned to database services. These roles typically have names like “Contributor”, “Owner”, or “Reader”.
Create a custom role: If the existing roles assigned to database services do not meet your requirements, you can create a custom role with limited permissions. Create a JSON file (e.g., custom-role.json) with the necessary permissions for database services. Here’s an example of a custom role JSON file that allows read access to databases and denies write access:
```
{
  "Name": "Custom Database Reader",
  "IsCustom": true,
  "Description": "Read-only access to databases",
  "Actions": [
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.Sql/servers/databases/list"
  ],
  "NotActions": [
    "Microsoft.Sql/servers/databases/write"
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription_id>"
  ]
}
```
Modify the AssignableScopes field with the appropriate subscription ID.
Create the custom role: Run the following command to create the custom role:
```
az role definition create --role-definition custom-role.json
```
Assign the custom role to database services: Now, assign the newly created custom role to the appropriate database services. Replace <custom_role_name> with the name you provided in the custom role JSON file and <database_service_name> with the name of the database service you want to assign the role to. Run the following command:
```
az role assignment create --assignee <database_service_name> --role <custom_role_name> --scope /subscriptions/<subscription_id>
```
Repeat this step for each database service that needs the custom role assigned.
Verify the role assignment: To verify that the custom role has been successfully assigned to the database services, run the following command:
```
az role assignment list --assignee <database_service_name>
```
This command will list all the role assignments for the specified database service.

By following these steps, you will be able to remediate the misconfiguration “Roles Assumable By Database Services” in Azure using Azure CLI.

Using Python

To remediate the misconfiguration “Roles Assumable By Database Services” in Azure using Python, follow these steps:

Install the necessary dependencies:

pip install azure-identity azure-mgmt-resource azure-mgmt-authorization

Import the required modules:

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.mgmt.resource import ResourceManagementClient

Authenticate with Azure using the DefaultAzureCredential:

credential = DefaultAzureCredential()
authorization_client = AuthorizationManagementClient(credential, <subscription_id>)
resource_client = ResourceManagementClient(credential, <subscription_id>)

Get the list of all the role assignments for the database services:

role_assignments = authorization_client.role_assignments.list(
    filter="atScope() and (roleDefinitionName eq 'Contributor' or roleDefinitionName eq 'Owner') and (principalType eq 'ServicePrincipal' or principalType eq 'User') and (scope='/providers/Microsoft.DBforPostgreSQL/servers' or scope='/providers/Microsoft.DBforMySQL/servers' or scope='/providers/Microsoft.DBforMariaDB/servers')"
)

Iterate over the role assignments and remove any inappropriate assignments:

for assignment in role_assignments:
    authorization_client.role_assignments.delete_by_id(assignment.id)

Verify the remediation by rechecking the role assignments:

role_assignments = authorization_client.role_assignments.list(
    filter="atScope() and (roleDefinitionName eq 'Contributor' or roleDefinitionName eq 'Owner') and (principalType eq 'ServicePrincipal' or principalType eq 'User') and (scope='/providers/Microsoft.DBforPostgreSQL/servers' or scope='/providers/Microsoft.DBforMySQL/servers' or scope='/providers/Microsoft.DBforMariaDB/servers')"
)
if not any(role_assignments):
    print("All inappropriate role assignments have been successfully removed.")
else:
    print("Some inappropriate role assignments still exist.")

Make sure to replace <subscription_id> with your Azure subscription ID in the code above. This code will remove any role assignments for the database services in Azure that have the ‘Contributor’ or ‘Owner’ role and are assigned to Service Principals or Users.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Roles Assumable By Database Services

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation