Profile Applicability:
- Level 1
Description:
This check ensures that the principle of least privilege (PoLP) is followed when assigning roles to a Managed Identity in Azure. The principle of least privilege dictates that a user or service should only have the minimum permissions required to perform their tasks, thereby minimizing the potential impact of a security breach.
Rationale:
Assigning excessive permissions to a Managed Identity increases the risk of unauthorized access and exploitation if the identity is compromised. By assigning only the roles necessary for the Managed Identity to function, you limit the attack surface and reduce the likelihood of a malicious actor gaining unnecessary access to resources. Following PoLP helps maintain a more secure environment and aligns with best security practices.
Impact:
Pros:
Reduces the attack surface by limiting permissions to only those required for specific tasks.
Helps ensure that only authorized and validated actions can be performed by the Managed Identity.
Enhances security by preventing accidental or malicious misuse of elevated privileges.
Cons:
May require more detailed configuration and periodic review of access permissions.
Could result in operational overhead if role assignments are not carefully managed, leading to potential access issues.
Default Value:
By default, Azure Managed Identities do not have any roles assigned. Permissions must be explicitly assigned based on the identity’s required access level.
Pre-requisites:
Ensure that the Managed Identity has been created and assigned to the relevant resource. Also, ensure that access to resources is controlled using Azure Role-Based Access Control (RBAC).
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Resource (e.g., Azure App Service, Virtual Machine) where the Managed Identity is used.
Under the Settings section, click on Identity.
In the Access Control (IAM) section, verify that roles assigned to the Managed Identity are appropriate for its tasks.
Review the roles assigned and ensure that only the necessary roles (e.g., Reader, Contributor) are assigned. Avoid granting broad roles like Owner unless absolutely necessary.
Using Azure CLI:
To list the roles assigned to a Managed Identity, run the following command. Without --all, the Azure CLI shows only assignments scoped to the current subscription, so assignments made directly on a resource group or resource would be missed:
az role assignment list --assignee <MANAGED_IDENTITY_CLIENT_ID> --all
The --assignee value may be the identity's client (application) ID or its object (principal) ID. Ensure that the roles returned are the minimum required for the Managed Identity's task and that more privileged roles (e.g., Owner, Contributor) are not unnecessarily assigned, and that each assignment is scoped no wider than the resource or resource group the identity actually needs.
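The audit step above can be automated against the JSON that `az role assignment list --all -o json` returns. The following script is an added example, not part of this benchmark or of the Azure CLI: it embeds a constructed sample of that output, and the set of roles it treats as broad (Owner, Contributor, User Access Administrator) is an assumption you should align with your own policy.

```python
"""Flag role assignments on a Managed Identity that violate least privilege."""
import json

# Roles that grant write or permission-management rights across a whole scope.
# Assumption for this example; extend the set to match your organisation's policy.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample resembling `az role assignment list --assignee <id> --all -o json`.
# Field names (principalId, principalType, roleDefinitionName, scope) match the CLI output.
SAMPLE_OUTPUT = json.dumps([
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/<subscription-id>/resourceGroups/app-rg"
              "/providers/Microsoft.Storage/storageAccounts/appdata"},
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/<subscription-id>"},
])


def scope_level(scope):
    """Classify an Azure RBAC scope string by how wide it is."""
    parts = [p for p in scope.split("/") if p]
    if parts and parts[0].lower() == "providers":      # /providers/Microsoft.Management/managementGroups/<id>
        return "managementGroup"
    if len(parts) <= 2:                                 # "/" (root) or /subscriptions/<id>
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit_assignments(output_json, broad_roles=BROAD_ROLES):
    """Return (role, scope, reason) findings; an empty list means the identity passes."""
    findings = []
    for assignment in json.loads(output_json):
        role = assignment.get("roleDefinitionName", "")
        scope = assignment.get("scope", "")
        level = scope_level(scope)
        if role in broad_roles:
            findings.append((role, scope, f"broad role assigned at {level} scope"))
        elif level in ("managementGroup", "subscription"):
            findings.append((role, scope, f"{level}-wide scope; confirm a narrower scope is not sufficient"))
    return findings


if __name__ == "__main__":
    for role, scope, reason in audit_assignments(SAMPLE_OUTPUT):
        print(f"FAIL: {role} on {scope}: {reason}")
```

Pipe real CLI output into `audit_assignments` (for example via `sys.stdin.read()`) to run the same check against a live identity.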
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to Access Control (IAM) for the resource associated with the Managed Identity.
Click Add role assignment.
Select the most restrictive role required for the Managed Identity to perform its tasks (e.g., Reader, Storage Blob Data Contributor).
Click Save to apply the role assignment.
Using Azure CLI:
To assign a specific role to a Managed Identity, run the following command, using the narrowest scope (individual resource rather than resource group or subscription) at which the identity can still do its work:
az role assignment create --assignee <MANAGED_IDENTITY_CLIENT_ID> --role <ROLE_NAME> --scope <RESOURCE_ID>
For a newly created identity, passing --assignee-object-id <MANAGED_IDENTITY_OBJECT_ID> together with --assignee-principal-type ServicePrincipal instead of --assignee avoids the directory lookup that can fail before the new identity has replicated.
Example:
az role assignment create --assignee <MANAGED_IDENTITY_CLIENT_ID> --role "Reader" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"
To ensure the least privilege is followed, only assign the roles necessary for the Managed Identity to complete its required tasks.
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to Access Control (IAM) for the resource associated with the Managed Identity.
Review the roles assigned to the Managed Identity.
If overly permissive roles (such as Owner) are assigned, click on the role and select Remove to revoke unnecessary permissions.
Click Save to confirm the changes.
Using Azure CLI:
To remove an overly permissive role from a Managed Identity, run the following command:
az role assignment delete --assignee <MANAGED_IDENTITY_CLIENT_ID> --role <ROLE_NAME> --scope <RESOURCE_ID>
Example:
az role assignment delete --assignee <MANAGED_IDENTITY_CLIENT_ID> --role "Owner" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"