Access Control
Cloud Custodian supports both Azure role assignments and role definitions.
To resolve the principal name, display name, and AAD type (User, Service Principal, etc.) of role assignments, the authorization method in use must have permission to read from the Microsoft AAD Graph. For Service Principal authorization, the Service Principal must have permission to read all users' full profiles. Azure CLI authentication provides the necessary permissions to run the policy locally. Basic token authentication does not provide them.
Filters
- Standard Value Filter (see Generic Filters)
Model: RoleAssignment
Model: RoleDefinition
role
Filters Role Assignments based on the name of the Role Definition.

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
  type:
    enum:
      - role
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      url:
        type: string
    required:
      - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
required:
  - type
resource-access
Filters Role Assignments based on access to an Azure resource.

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
  relatedResource:
    type: string
  type:
    enum:
      - resource-access
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      url:
        type: string
    required:
      - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
required:
  - relatedResource
  - type
scope
Filters Role Assignments by scope access.

properties:
  type:
    enum:
      - scope
  value:
    enum:
      - subscription
      - resource-group
      - management-group
    type: string
required:
  - type
Actions
ARM Resource Actions (see Generic Actions)
delete
Deletes the role assignment.
Example Policies
Return role assignments with the Owner role.
policies:
  - name: assignment-by-role
    resource: azure.roleassignment
    filters:
      - type: role
        key: properties.roleName
        op: eq
        value: Owner
Return all assignments with the Owner role that have access to virtual machines. For the resource-access filter, the related resource can be any Custodian-supported Azure resource other than azure.roleassignments or azure.roledefinitions.
policies:
  - name: assignment-by-role-and-resource
    resource: azure.roleassignment
    filters:
      - type: role
        key: properties.roleName
        op: eq
        value: Owner
      - type: resource-access
        relatedResource: azure.vm
Return all assignments with the Owner role that have access to virtual machines in westus2:
policies:
  - name: assignment-by-role-and-resource
    resource: azure.roleassignment
    filters:
      - type: role
        key: properties.roleName
        op: eq
        value: Owner
      - type: resource-access
        relatedResource: azure.vm
        key: location
        op: eq
        value: westus2
Return assignments with the principal name custodian@example.com:
policies:
  - name: assignment-by-principal-name
    resource: azure.roleassignment
    filters:
      - type: value
        key: principalName
        op: eq
        value: custodian@example.com
Return role definitions that explicitly have the permission to read authorization objects (role assignments, role definitions, etc.). A role definition that inherits that permission (e.g. by granting * actions) is not returned by this filter, because the contains operator only matches the literal action string.
policies:
  - name: role-definition-permissions
    resource: azure.roledefinition
    filters:
      - type: value
        key: properties.permissions[0].actions
        value: Microsoft.Authorization/*/read
        op: contains
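The caveat above matters for an auditor: a literal contains match finds only roles that spell out the action, while broad roles that grant it through a wildcard go unreported. The snippet below is an added example written for this page, not Cloud Custodian's own filter implementation. It runs the same contains check over a few constructed role definitions and compares it with a wildcard-aware check. The record shape, the role names, and the probe action Microsoft.Authorization/roleAssignments/read are assumptions; the wildcard handling follows the Azure RBAC convention that * in an action string matches any characters, including path separators, and that action comparison is case-insensitive.

```python
"""Added example: literal 'contains' match vs. wildcard-aware match over
role-definition actions. Sample data is constructed for this page."""
from fnmatch import fnmatchcase

# Constructed role definitions shaped like the azure.roledefinition records the
# policy above filters on (properties.permissions[0].actions / notActions).
ROLE_DEFINITIONS = [
    {"name": "custom-auth-reader", "properties": {"roleName": "Custom Authorization Reader",
        "permissions": [{"actions": ["Microsoft.Authorization/*/read"], "notActions": []}]}},
    {"name": "owner-like", "properties": {"roleName": "Owner-like",
        "permissions": [{"actions": ["*"], "notActions": []}]}},
    {"name": "auth-contributor", "properties": {"roleName": "Authorization Contributor",
        "permissions": [{"actions": ["Microsoft.Authorization/*"], "notActions": []}]}},
    {"name": "vm-reader", "properties": {"roleName": "VM Reader",
        "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read"], "notActions": []}]}},
    {"name": "star-minus-auth", "properties": {"roleName": "Everything but authorization",
        "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*"]}]}},
]

LITERAL = "Microsoft.Authorization/*/read"


def contains_filter(definitions, value=LITERAL):
    """Mirror the page's value filter: key properties.permissions[0].actions,
    op contains. Only an action string literally equal to `value` matches."""
    return [d["name"] for d in definitions
            if value in d["properties"]["permissions"][0]["actions"]]


def action_matches(granted, wanted):
    """Azure RBAC wildcard convention (assumed here): '*' in a granted action
    matches any characters, including '/', and comparison is case-insensitive."""
    return fnmatchcase(wanted.lower(), granted.lower())


def effective_filter(definitions, wanted="Microsoft.Authorization/roleAssignments/read"):
    """Return the names of definitions whose permissions actually allow `wanted`,
    honouring wildcards and subtracting notActions. This catches the wildcard
    grants that the literal contains filter misses."""
    hits = []
    for d in definitions:
        for perm in d["properties"]["permissions"]:
            allowed = any(action_matches(a, wanted) for a in perm.get("actions", []))
            denied = any(action_matches(n, wanted) for n in perm.get("notActions", []))
            if allowed and not denied:
                hits.append(d["name"])
                break
    return hits


if __name__ == "__main__":
    print("literal contains match:", contains_filter(ROLE_DEFINITIONS))
    print("effective wildcard match:", effective_filter(ROLE_DEFINITIONS))
```

On the constructed data the contains check reports only custom-auth-reader, whereas the wildcard-aware check also reports owner-like and auth-contributor, and correctly excludes star-minus-auth because its notActions carve the authorization namespace back out. A policy that needs the second result has to express the wildcard cases explicitly rather than rely on a single contains match.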
Delete the assignment with principal name custodian@example.com. Running the delete action requires delete permissions on Microsoft.Authorization; the built-in role that carries the necessary permissions is Owner.
policies:
  - name: delete-assignment-by-principal-name
    resource: azure.roleassignment
    filters:
      - type: value
        key: principalName
        op: eq
        value: custodian@example.com
    actions:
      - type: delete
Return all role assignments with subscription-level scope.
policies:
  - name: assignments-subscription-scope
    resource: azure.roleassignment
    filters:
      - type: scope
        value: subscription
Return all role assignments with resource-group-level scope.
policies:
  - name: assignments-resource-group-scope
    resource: azure.roleassignment
    filters:
      - type: scope
        value: resource-group
Return all role assignments whose scope level is neither subscription nor resource group.
policies:
  - name: assignments-other-level-scope
    resource: azure.roleassignment
    filters:
      - not:
          - type: scope
            value: subscription
      - not:
          - type: scope
            value: resource-group
Return all service principal role assignments with subscription-level scope.
policies:
  - name: service-principal-assignments-subscription-scope
    resource: azure.roleassignment
    filters:
      - type: value
        key: aadType
        op: eq
        value: ServicePrincipal
      - type: scope
        value: subscription
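The four scope policies above all hinge on turning an assignment's scope string into one of the levels the scope filter understands. As an added example written for this page (not Cloud Custodian's own filter code), the snippet below classifies scope strings using Azure's resource ID conventions and then reproduces each policy's selection over a set of constructed assignments, including the combined aadType plus scope case. The scope formats are an assumption drawn from Azure resource ID conventions; the field names principalName, aadType and properties.scope, the placeholder subscription ID, and the principals are constructed for the example.

```python
"""Added example: classify a role assignment's scope string into the page's
scope filter values and apply the scope policies above. Data is constructed."""
import re

# Azure scope ID formats (assumed here from Azure's resource ID conventions).
# Matching is case-insensitive because Azure returns mixed casing for segments
# such as resourceGroups / resourcegroups.
_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)
_RESOURCE_GROUP = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)
_MANAGEMENT_GROUP = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE)


def scope_level(scope):
    """Map a scope string to one of the scope filter values, or 'other'
    (e.g. a single-resource scope or the tenant root '/')."""
    if _SUBSCRIPTION.match(scope):
        return "subscription"
    if _RESOURCE_GROUP.match(scope):
        return "resource-group"
    if _MANAGEMENT_GROUP.match(scope):
        return "management-group"
    return "other"


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed placeholder id

# Constructed role assignments; principalName, aadType and properties.scope are
# assumed to be the fields the policies above filter on.
ASSIGNMENTS = [
    {"principalName": "custodian@example.com", "aadType": "User",
     "properties": {"roleName": "Owner", "scope": SUB}},
    {"principalName": "ci-deployer", "aadType": "ServicePrincipal",
     "properties": {"roleName": "Contributor", "scope": SUB}},
    {"principalName": "ops-team", "aadType": "Group",
     "properties": {"roleName": "Reader", "scope": SUB + "/resourceGroups/rg-prod"}},
    {"principalName": "platform-admin", "aadType": "ServicePrincipal",
     "properties": {"roleName": "Owner",
                    "scope": "/providers/Microsoft.Management/managementGroups/mg-root"}},
    {"principalName": "vm-operator", "aadType": "User",
     "properties": {"roleName": "Virtual Machine Contributor",
                    "scope": SUB + "/resourceGroups/rg-prod/providers/"
                                   "Microsoft.Compute/virtualMachines/vm-01"}},
]


def scope_filter(assignments, value):
    """Equivalent of `- type: scope` / `value: <value>`."""
    return [a["principalName"] for a in assignments
            if scope_level(a["properties"]["scope"]) == value]


def other_scope(assignments):
    """Equivalent of the two `not` blocks: neither subscription nor resource-group.
    Note that management-group assignments land here alongside resource-level ones."""
    return [a["principalName"] for a in assignments
            if scope_level(a["properties"]["scope"]) not in ("subscription", "resource-group")]


def service_principal_subscription(assignments):
    """Equivalent of `aadType eq ServicePrincipal` combined with `scope: subscription`.
    aadType is read with .get() because it is only populated when the
    authorization method can query the AAD Graph (see the note at the top)."""
    return [a["principalName"] for a in assignments
            if a.get("aadType") == "ServicePrincipal"
            and scope_level(a["properties"]["scope"]) == "subscription"]


if __name__ == "__main__":
    for a in ASSIGNMENTS:
        print(f'{a["principalName"]:<24} {scope_level(a["properties"]["scope"])}')
    print("other scope:", other_scope(ASSIGNMENTS))
    print("service principals at subscription scope:", service_principal_subscription(ASSIGNMENTS))
```

Worth noticing in the output: the "other" policy returns both the management-group Owner and the single-VM Contributor, which are very different risk levels. If the intent is to flag broad assignments, filter on management-group explicitly rather than relying on the double negation.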