azure.roleassignment

Role assignments map role definitions to principals. The Azure object only contains the unique ID of the principal, however we attempt to augment the object with the prinicpal name, display name and type from AAD.

Augmenting with data from AAD requires executing account to have permissions to read from the Microsoft AAD Graph. For Service Principal Authorization the Service Principal must have the permissions to read all users’ full profiles. Azure CLI authentication will provide the necessary permissions to run the policy locally.

example:

Return role assignments with the Owner role.

policies:
    - name: role-assignment-owner
      resource: azure.roleassignment
      filters:
        - type: role
          key: properties.roleName
          op: eq
          value: Owner
example:

Return assignments with the principal name custodian@example.com

policies:
  - name: assignment-by-principal-name
    resource: azure.roleassignment
    filters:
       - type: value
         key: principalName
         op: eq
         value: custodian@example.com
example:

Delete the assignment with principal name custodian@example.com.

Note: The permissions required to run the delete action requires delete permissions to Microsoft.Authorization. The built-in role with the necessary permissions is Owner.

policies:
  - name: delete-assignment-by-principal-name
    resource: azure.roleassignment
    filters:
       - type: value
         key: principalName
         op: eq
         value: custodian@example.com
    actions:
       - type: delete

Filters

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Select all categories with ‘all’

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

resource-access

Filters role assignments that have access to a certain type of azure resource.

example:

policies:
   - name: assignments-by-azure-resource
     resource: azure.roleassignment
     filters:
        - type: resource-access
          relatedResource: azure.vm
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  relatedResource:
    type: string
  type:
    enum:
    - resource-access
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- relatedResource
- type

role

Filters role assignments based on role definitions

example:

Return role assignments with the Owner role.

policies:
   - name: assignments-by-role-definition
     resource: azure.roleassignment
     filters:
        - type: role
          key: properties.roleName
          op: in
          value: Owner
example:

Return all assignments with the Owner role that have access to virtual machines. For the resource-access filter, the related resource can be any custodian supported azure resource other than azure.roleassignments or azure.roledefinitions.

policies:
   - name: assignment-by-role-and-resource
     resource: azure.roleassignment
     filters:
        - type: role
          key: properties.roleName
          op: eq
          value: Owner
        - type: resource-access
          relatedResource: azure.vm
example:

Return all assignments with the Owner role that have access to virtual machines in westus2:

policies:
   - name: assignment-by-role-and-resource-access
     resource: azure.roleassignment
     filters:
        - type: role
          key: properties.roleName
          op: eq
          value: Owner
        - type: resource-access
          relatedResource: azure.vm
          key: location
          op: eq
          value: westus2
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - role
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

scope

Filter role assignments by assignment scope.

example:

Return all role assignments with the Subscription level scope access.

policies:
   - name: assignments-subscription-scope
     resource: azure.roleassignment
     filters:
        - type: scope
          value: subscription
example:

Role assignments with scope other than Subscription or Resource Group.

policies:
   - name: assignments-other-level-scope
     resource: azure.roleassignment
     filters:
        - not:
          - type: scope
            value: subscription
        - not:
          - type: scope
            value: resource-group
example:

Return all service principal role assignments with the Subscription level scope access.

policies:
   - name: service-principal-assignments-subscription-scope
     resource: azure.roleassignment
     filters:
        - type: value
          key: aadType
          op: eq
          value: ServicePrincipal
        - type: scope
          value: subscription
properties:
  type:
    enum:
    - scope
  value:
    enum:
    - subscription
    - resource-group
    - management-group
    type: string
required:
- type

Actions

delete

Parent base class for filters and actions.

properties:
  type:
    enum:
    - delete
required:
- type