azure.roleassignment
Role assignments map role definitions to principals. The Azure object only contains the unique ID of the principal; Custodian attempts to augment the object with the principal name, display name and type from AAD (the examples below filter on the principalName and aadType keys this adds).
Augmenting with data from AAD requires the executing account to have permission to read from the Microsoft AAD Graph. With Service Principal authorization, the Service Principal must have permission to read all users' full profiles. Azure CLI authentication provides the necessary permissions to run the policy locally. If the AAD lookup is not possible, the augmented fields cannot be populated and filters on them will not match.
- example:
  Return role assignments with the Owner role.

  policies:
    - name: role-assignment-owner
      resource: azure.roleassignment
      filters:
        - type: role
          key: properties.roleName
          op: eq
          value: Owner
- example:
  Return assignments with the principal name custodian@example.com.

  policies:
    - name: assignment-by-principal-name
      resource: azure.roleassignment
      filters:
        - type: value
          key: principalName
          op: eq
          value: custodian@example.com
- example:
  Delete the assignment with principal name custodian@example.com.
  Note: the delete action requires the Microsoft.Authorization/roleAssignments/delete permission at the assignment's scope. Of the built-in roles, Owner carries it (as does User Access Administrator).

  policies:
    - name: delete-assignment-by-principal-name
      resource: azure.roleassignment
      filters:
        - type: value
          key: principalName
          op: eq
          value: custodian@example.com
      actions:
        - type: delete
Filters
advisor-recommendation
Filter resources by Azure Advisor recommendations. The category is required; use 'all' to select every category. The optional key/op/value are applied, as the example shows, to the list of recommendations attached to the resource, so '[].properties.recommendationTypeId' projects the recommendation type IDs and 'contains' tests for a particular one.
- example:

  policies:
    - name: disks-with-cost-recommendations
      resource: azure.disk
      filters:
        - type: advisor-recommendation
          category: Cost
          key: '[].properties.recommendationTypeId'
          op: contains
          value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
category:
type: string
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- advisor-recommendation
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- category
- type
resource-access
Filters role assignments that have access to a certain type of Azure resource. The related resource can be any Custodian-supported Azure resource other than azure.roleassignment or azure.roledefinition; the optional key/op/value are evaluated against the related resources (see the role filter examples).
- example:

  policies:
    - name: assignments-by-azure-resource
      resource: azure.roleassignment
      filters:
        - type: resource-access
          relatedResource: azure.vm
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
relatedResource:
type: string
type:
enum:
- resource-access
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- relatedResource
- type
role
Filters role assignments based on role definitions
- example:
  Return role assignments with the Owner role. With op 'in' the value is a list of accepted role names (a bare string is tested with Python's 'in', i.e. as a substring match, which is rarely what you want).

  policies:
    - name: assignments-by-role-definition
      resource: azure.roleassignment
      filters:
        - type: role
          key: properties.roleName
          op: in
          value:
            - Owner
- example:
  Return all assignments with the Owner role that have access to virtual machines. For the resource-access filter, the related resource can be any Custodian-supported Azure resource other than azure.roleassignment or azure.roledefinition.

  policies:
    - name: assignment-by-role-and-resource
      resource: azure.roleassignment
      filters:
        - type: role
          key: properties.roleName
          op: eq
          value: Owner
        - type: resource-access
          relatedResource: azure.vm
- example:
  Return all assignments with the Owner role that have access to virtual machines in westus2:

  policies:
    - name: assignment-by-role-and-resource-access
      resource: azure.roleassignment
      filters:
        - type: role
          key: properties.roleName
          op: eq
          value: Owner
        - type: resource-access
          relatedResource: azure.vm
          key: location
          op: eq
          value: westus2
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- role
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
scope
Filter role assignments by assignment scope. The value names the level at which the assignment is made: subscription, resource-group or management-group. An assignment made directly on a resource matches none of the three.
- example:
  Return all role assignments with subscription-level scope.

  policies:
    - name: assignments-subscription-scope
      resource: azure.roleassignment
      filters:
        - type: scope
          value: subscription
- example:
  Role assignments with a scope other than subscription or resource group (this includes management-group and resource-level assignments).

  policies:
    - name: assignments-other-level-scope
      resource: azure.roleassignment
      filters:
        - not:
            - type: scope
              value: subscription
        - not:
            - type: scope
              value: resource-group
- example:
  Return all service principal role assignments with subscription-level scope.

  policies:
    - name: service-principal-assignments-subscription-scope
      resource: azure.roleassignment
      filters:
        - type: value
          key: aadType
          op: eq
          value: ServicePrincipal
        - type: scope
          value: subscription
properties:
type:
enum:
- scope
value:
enum:
- subscription
- resource-group
- management-group
type: string
required:
- type
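To make the scope examples above concrete, here is an added Python example (not c7n_azure's own code) that classifies the ARM scope strings of a handful of constructed role assignments and evaluates the three scope policies against them. The scope string formats for the three levels, the sample assignments and IDs, and the small run_filters evaluator (which implements only the 'scope', 'value' with op eq, and 'not' pieces of the filter grammar) are all assumptions of this example.

```python
import re

# Constructed sample role assignments in the shape c7n_azure exposes: the ARM
# `properties.scope` plus the AAD-augmented `principalName` and `aadType`.
# All IDs and names here are made up for the example.
SAMPLE_ASSIGNMENTS = [
    {"name": "a1", "principalName": "custodian@example.com", "aadType": "User",
     "properties": {"scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}},
    {"name": "a2", "principalName": "build-pipeline-sp", "aadType": "ServicePrincipal",
     "properties": {"scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}},
    {"name": "a3", "principalName": "ops@example.com", "aadType": "User",
     "properties": {"scope": "/subscriptions/00000000-0000-0000-0000-000000000001"
                             "/resourceGroups/prod-rg"}},
    {"name": "a4", "principalName": "vm-admin-sp", "aadType": "ServicePrincipal",
     "properties": {"scope": "/subscriptions/00000000-0000-0000-0000-000000000001"
                             "/resourceGroups/prod-rg/providers/Microsoft.Compute"
                             "/virtualMachines/web01"}},
    {"name": "a5", "principalName": "platform-admins", "aadType": "Group",
     "properties": {"scope": "/providers/Microsoft.Management/managementGroups/corp-root"}},
]

# Assumed canonical ARM scope formats for the three levels the filter accepts.
# A resource-level scope (a4) matches none of them. ARM resource IDs are
# case-insensitive, so the match is too.
SCOPE_PATTERNS = {
    "subscription": re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE),
    "resource-group": re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$",
                                 re.IGNORECASE),
    "management-group": re.compile(
        r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE),
}


def scope_matches(assignment, scope_type):
    """True if the assignment's scope is exactly at the given level."""
    scope = assignment.get("properties", {}).get("scope")
    if not isinstance(scope, str):
        return False
    return SCOPE_PATTERNS[scope_type].match(scope) is not None


def run_filters(assignments, filters):
    """Evaluate a minimal subset of the policy filter grammar used by the scope
    examples: 'scope', 'value' with op eq, and 'not' (a negated AND of its
    children). Returns the names of the assignments that pass every filter."""
    def matches(a, f):
        if "not" in f:
            return not all(matches(a, sub) for sub in f["not"])
        kind = f["type"]
        if kind == "scope":
            return scope_matches(a, f["value"])
        if kind == "value":
            if f.get("op", "eq") != "eq":
                raise ValueError("only op: eq is implemented in this example")
            return a.get(f["key"]) == f["value"]
        raise ValueError(f"unsupported filter type: {kind}")
    return [a["name"] for a in assignments if all(matches(a, f) for f in filters)]


# The three scope example policies from this page, as the dicts a YAML loader
# would produce from their 'filters' sections.
SUBSCRIPTION_SCOPE = [{"type": "scope", "value": "subscription"}]
OTHER_LEVEL_SCOPE = [
    {"not": [{"type": "scope", "value": "subscription"}]},
    {"not": [{"type": "scope", "value": "resource-group"}]},
]
SP_SUBSCRIPTION_SCOPE = [
    {"type": "value", "key": "aadType", "op": "eq", "value": "ServicePrincipal"},
    {"type": "scope", "value": "subscription"},
]


def subscription_scoped():
    return run_filters(SAMPLE_ASSIGNMENTS, SUBSCRIPTION_SCOPE)


def other_level_scoped():
    return run_filters(SAMPLE_ASSIGNMENTS, OTHER_LEVEL_SCOPE)


def service_principals_at_subscription():
    return run_filters(SAMPLE_ASSIGNMENTS, SP_SUBSCRIPTION_SCOPE)


if __name__ == "__main__":
    print("subscription scope:", subscription_scoped())       # ['a1', 'a2']
    print("other level scope:", other_level_scoped())         # ['a4', 'a5']
    print("SP at subscription:", service_principals_at_subscription())  # ['a2']
```

The second policy is worth reading carefully: because a resource-level assignment (a4) is neither subscription- nor resource-group-scoped, the two negated filters return it alongside the management-group assignment (a5). That is usually the intent when hunting for assignments that escaped subscription-level review; add a third 'not' on management-group if only resource-level assignments are wanted.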
Actions
delete
Delete the matched role assignments. Requires the Microsoft.Authorization/roleAssignments/delete permission at the assignment's scope; among the built-in roles, Owner carries it.
properties:
type:
enum:
- delete
required:
- type