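package authorization

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckLimitRoleActions flags Azure custom role definitions that grant a
// wildcard action (any action string containing "*") while also being
// assignable at the tenant root scope "/". A role like that can be assigned
// anywhere in the tenant and carries open permissions wherever it lands.
//
// What the check does and does not report, as implemented here:
//   - A permission with no wildcard actions is recorded as passed.
//   - A permission with a wildcard action is recorded as passed when none of
//     the role's assignable scopes is exactly "/". A wildcard role that is
//     assignable only at management-group or subscription scope is therefore
//     NOT reported even though it is still effectively an Owner-like grant
//     within that scope; review those separately.
//   - A permission with a wildcard action is recorded as failed once per
//     wildcard action when any assignable scope is "/".
//
// Action or scope values the parser could not resolve (for example ones
// sourced from an unresolved variable) will not match "*" or "/" and so are
// silently treated as compliant.
var CheckLimitRoleActions = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0030",
		Provider:    providers.AzureProvider,
		Service:     "authorization",
		ShortCode:   "limit-role-actions",
		Summary:     "Roles limited to the required actions",
		Impact:      "Open permissions for subscriptions could result in an easily compromisable account",
		Resolution:  "Use targeted permissions for roles",
		Explanation: `The permissions granted to a role should be kept to the minimum required to be able to do the task. Wildcard permissions must not be used.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformLimitRoleActionsGoodExamples,
			BadExamples:         terraformLimitRoleActionsBadExamples,
			Links:               terraformLimitRoleActionsLinks,
			RemediationMarkdown: terraformLimitRoleActionsRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, roleDef := range s.Azure.Authorization.RoleDefinitions {
			// Decide once per role whether it can be assigned at the tenant
			// root. Evaluating this per scope inside the permission loop, as
			// the previous version did, produced one "passed" result per
			// non-root scope and could mark the same permission both passed
			// and failed when "/" was listed alongside other scopes.
			rootAssignable := false
			for _, scope := range roleDef.AssignableScopes {
				if scope.EqualTo("/") {
					rootAssignable = true
					break
				}
			}

			for _, perm := range roleDef.Permissions {
				failed := false
				for _, action := range perm.Actions {
					// Any "*" counts, including partial patterns such as
					// "Microsoft.Compute/*/read"; the rule text forbids
					// wildcards outright.
					if !action.Contains("*") {
						continue
					}
					if rootAssignable {
						// One failure per offending action so each finding
						// points at the exact action string to tighten.
						results.Add(
							"Role definition uses wildcard action with all scopes.",
							action,
						)
						failed = true
					}
				}
				// Record compliant permissions too (the earlier version only
				// recorded passes for wildcard actions at non-root scope and
				// said nothing about fully specific permissions), so a
				// compliant role shows up in the pass count.
				if !failed {
					results.AddPassed(&perm)
				}
			}
		}
		return
	},
)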