Allowing custom roles to include ‘roleDefinitions/write’ enables privilege escalation. A user could define or alter roles to gain excessive permissions.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Avoid granting ‘Microsoft.Authorization/roleDefinitions/write’ permission in custom roles. Restrict role creation capability to core admins only.
# Compliant example: the custom role grants read-only actions and does not
# include Microsoft.Authorization/roleDefinitions/write.
data "azurerm_subscription" "primary" {
}

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions = [
      "Microsoft.Authorization/roleDefinitions/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Storage/storageAccounts/read",
    ]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]
}
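The following is an added audit check, not part of the original page or of any Azure tooling: it scans custom role definitions (the input is a constructed sample shaped like the JSON that `az role definition list --custom-role-only true` returns, limited to the fields used) and flags roles that effectively grant `Microsoft.Authorization/roleDefinitions/write`, including through a wildcard in `actions`, while honouring `notActions`.

```python
import fnmatch
import json

# Constructed sample data for this example; only the fields used below are present.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "safe-reader", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Authorization/roleDefinitions/read",
                                "Microsoft.Storage/storageAccounts/read"],
                    "notActions": []}]},
  {"roleName": "role-editor", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Authorization/roleDefinitions/write"],
                    "notActions": []}]},
  {"roleName": "auth-wildcard", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Authorization/*"],
                    "notActions": ["Microsoft.Authorization/roleAssignments/*"]}]},
  {"roleName": "star-but-excluded", "roleType": "CustomRole",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/roleDefinitions/write"]}]}
]
""")

RISKY_ACTION = "Microsoft.Authorization/roleDefinitions/write"


def _matches(pattern: str, action: str) -> bool:
    # Azure action strings use '*' as a wildcard and are matched case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_action(permission: dict, action: str) -> bool:
    """True if a permissions block effectively grants `action`: some `actions`
    pattern matches it and no `notActions` pattern takes it away again."""
    allowed = any(_matches(p, action) for p in permission.get("actions", []))
    denied = any(_matches(p, action) for p in permission.get("notActions", []))
    return allowed and not denied


def find_role_escalation_risks(role_definitions: list, action: str = RISKY_ACTION) -> list:
    """Names of custom roles that can create or alter role definitions."""
    return sorted(
        r["roleName"]
        for r in role_definitions
        if r.get("roleType") == "CustomRole"
        and any(grants_action(p, action) for p in r.get("permissions", []))
    )


if __name__ == "__main__":
    for name in find_role_escalation_risks(SAMPLE_ROLE_DEFINITIONS):
        print(f"FLAG: custom role '{name}' grants {RISKY_ACTION}")
```

On the sample the check flags `role-editor` and `auth-wildcard`; `star-but-excluded` is not flagged because its `notActions` removes the write action again.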