Severity: MEDIUM
Source: Trivy
ID: AVD-AZU-0052

Role Definition Allows Custom Role Creation

Allowing custom roles to include ‘roleDefinitions/write’ enables privilege escalation. A user could define or alter roles to gain excessive permissions.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Avoid granting ‘Microsoft.Authorization/roleDefinitions/write’ permission in custom roles. Restrict role creation capability to core admins only.

data "azurerm_subscription" "primary" {
}

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    # Read-only actions; the role deliberately omits
    # Microsoft.Authorization/roleDefinitions/write
    actions = [
      "Microsoft.Authorization/roleDefinitions/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Storage/storageAccounts/read"
    ]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]
}
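The Terraform above is the compliant shape: its actions list contains no "Microsoft.Authorization/roleDefinitions/write". Trivy's own check is written in Rego and evaluates the Terraform resource; the script below is an added example (not Trivy's code and not part of this page) that applies the same rule to role definitions in the JSON shape used by `az role definition create`/`list` (Name, Actions, NotActions). It goes one step beyond the literal string match: Azure RBAC actions accept "*" as a wildcard, so "Microsoft.Authorization/*" or "*" grants roleDefinitions/write just as surely as the explicit entry, while a matching NotActions entry takes it back. The four sample roles are constructed for this example.

```python
import json
import re

# The action whose presence in a custom role is what AVD-AZU-0052 flags.
ROLE_DEF_WRITE = "Microsoft.Authorization/roleDefinitions/write"


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC-style match: '*' in the pattern stands for any run of
    characters and comparison is case-insensitive. Everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def grants(role: dict, action: str) -> bool:
    """True if the role's effective Actions include `action`: granted by at
    least one Actions entry and not removed by any NotActions entry."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def check_role(role: dict) -> list:
    """Return finding strings for one role definition; an empty list means compliant."""
    findings = []
    if grants(role, ROLE_DEF_WRITE):
        findings.append(
            f"{role['Name']}: effective permissions grant {ROLE_DEF_WRITE} (AVD-AZU-0052)"
        )
    return findings


def scan(roles_json: str) -> list:
    """Run the check over a JSON array of role definitions."""
    results = []
    for role in json.loads(roles_json):
        results.extend(check_role(role))
    return results


# Constructed sample input (hypothetical role names) in the az CLI JSON shape.
SAMPLE_ROLES = json.dumps([
    {   # mirrors the Terraform example on the page: read-only, compliant
        "Name": "my-custom-role",
        "Actions": [
            "Microsoft.Authorization/roleDefinitions/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Storage/storageAccounts/read",
        ],
        "NotActions": [],
    },
    {   # explicit roleDefinitions/write: the case the check is about
        "Name": "role-editor",
        "Actions": ["Microsoft.Authorization/roleDefinitions/write"],
        "NotActions": [],
    },
    {   # no literal match, but the wildcard covers roleDefinitions/write
        "Name": "authz-wildcard",
        "Actions": ["Microsoft.Authorization/*"],
        "NotActions": [],
    },
    {   # broad wildcard, but NotActions removes the risky action again
        "Name": "everything-but-role-writes",
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/roleDefinitions/write"],
    },
])

if __name__ == "__main__":
    for line in scan(SAMPLE_ROLES):
        print(line)
```

Only "role-editor" and "authz-wildcard" produce findings; "my-custom-role" never grants the action and "everything-but-role-writes" has it removed by NotActions. A string-only search would miss the wildcard case and falsely flag the NotActions case, which is why the effective-permission computation is worth the extra lines.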