Roles Assumable By Network Services
More Info:
Roles which can be assumed by Network ServicesRisk Level
HighAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of “Roles Assumable By Network Services” in Azure using the Azure console, follow these steps:
- Sign in to the Azure portal (https://portal.azure.com) using your Azure account credentials.
- In the Azure portal’s search bar, type “Azure Active Directory” and select the “Azure Active Directory” service from the suggestions.
- In the Azure Active Directory blade, click on “Roles and administrators” in the left-hand navigation menu.
- On the Roles and administrators page, click on “Roles” tab.
- In the Roles tab, you will see a list of built-in roles. Look for roles that are assigned to Network Services, such as “Network Contributor” or “Network Contributor (Classic)”.
- Select the Network Service role that you want to remediate by clicking on it.
- In the Network Service role’s overview page, click on “Assignments” in the left-hand navigation menu.
- Review the list of role assignments for the Network Service role. Identify any inappropriate or unnecessary assignments.
- To remove an assignment, select the checkbox next to the assignment and click on the “Remove” button at the top of the page. Confirm the removal when prompted.
- Repeat steps 8 and 9 for all inappropriate or unnecessary role assignments.
- To prevent future misconfigurations, consider implementing a least privilege access model by creating custom roles with specific permissions for network-related tasks, rather than using the built-in Network Service roles.
- Click on “Add assignment” button to assign the appropriate roles to the network services based on their required responsibilities.
- In the “Add assignments” page, search for the appropriate role in the “Role” search bar.
- Select the desired role from the search results.
- In the “Select” section, choose the appropriate scope for the assignment (subscription, resource group, or specific resource).
- Specify the user, group, or application that should be assigned the role in the “Members” section.
- Click on the “Review + assign” button to review the assignment details.
- Review the assignment details and ensure they are correct. If everything looks good, click on the “Assign” button to complete the assignment.
- Repeat steps 13-18 for all necessary role assignments for the Network Services.
Using CLI
Using CLI
To remediate the misconfiguration of “Roles Assumable By Network Services” in Azure using Azure CLI, follow these steps:
- Install Azure CLI: If you don’t have Azure CLI installed, follow the official documentation to install it on your system.
-
Authenticate to Azure: Open the Azure CLI and log in to your Azure account using the following command:
-
List the existing network service roles: Run the following command to list all the existing network service roles in your Azure subscription:
This command will display the details of the network service role, including its name, ID, and other properties.
-
Remove the network service role assignment: Identify the role assignment that needs to be removed. You can find the role assignment by looking for the “RoleDefinitionName” property in the output of the previous command.
To remove the network service role assignment, use the following command, replacing
<role-assignment-id>with the actual ID of the role assignment:This command will delete the specified role assignment, removing the network service’s access to the resources. -
Verify the removal: To ensure that the network service role assignment has been successfully removed, run the following command again:
If the command does not return any results, it means that the network service role assignment has been successfully remediated.
Using Python
Using Python
To remediate the misconfiguration “Roles Assumable By Network Services” in Azure IAM using Python, follow these steps:
-
Install the required Python packages:
-
Import the necessary libraries in your Python script:
-
Authenticate with Azure using the DefaultAzureCredential:
-
Retrieve the list of role assignments for network services:
-
Remove the role assignments for network services:
- Run the Python script to remediate the misconfiguration.