Using Azure policies to audit and automate RBAC role assignments
Kirjoittaja:
While it’s tempting to assign permissions on a larger scope, sometimes you might rather prefer to have only some of the subscription’s resource groups granted with a RBAC role with minimal permissions to accomplish the task at hand. In those scenarios you’ll usually end up with one of the following options to handle the role assignments:
- Include the role assignments in your ARM templates / Terraform codes / Bicep templates
- Manually add the role to proper resource groups
If neither these appeal to you, there’s a third option: define an Azure policy which identifies correct resource groups and then deploys RBAC role assignments automatically if conditions are met. This blog will go over with step-by-step instructions how to:
- Create a custom Azure policy definition for assigning
ContributorRBAC role for an Azure AD group - Create a custom RBAC role for policy deployments and add it to your policy definition
- Create an assignment for the custom policy
The example scenario is very specific and the policy definition is created to match this particular scenario. You can use the solution provided in this post as a basis to create something that fits exactly to your needs.
Azure policies in brief
Azure policies are a handy way to add automation and audit functionality to your cloud subscriptions. The policies can be applied to make sure resources are created following the company’s cloud governance guidelines for resource tagging or picking the right SKUs for VMs as an example. Microsoft provides a lot of different type built-in policies that are pretty much ready for assignment. However, for specific needs you’ll usually end up creating a custom policy that better suits your needs.
Using Azure policies is divided into two main steps:
- You need to define a policy which means creating a ruleset (policy rule) and actions (effect) to apply if a resource matches the defined rules.
- Then you must assign the policy to desired scope (management group / subscription / resource group / resource level). Assignment scope defines the maximum level of scanning if resources match the policy criteria. Usually the preferable levels are management group / subscription.
Depending on how you prefer governing your environment, you can resolve to use individual policies or group multiple policies into initiatives. Initiatives help you simplify assignments by working with groups instead of individual assignments. It also helps with handling service principal permissions. If you create a policy for enforcing 5 different tags, you’ll end up with having five service principals with the same permissions if you don’t use an initiative that groups the policies into one.
Creating the policy definition for assignment of Contributor RBAC role
The RBAC role assignment can be done with policy that targets the wanted scope of resources through policy rules. So first we’ll start with defining some basic properties for our policy which tells the other users what this policy is meant for. Few mentions:
- Policy
type = custom. Everything that’s not built-in is custom. Mode = allsince we won’t be creating a policy that enforces tags or locationsCategorycan be anything you like. We’ll use “Role assignment” as an example
{
"properties": {
"displayName": "Assign Contributor RBAC role for an AD group",
"policyType": "Custom",
"mode": "All",
"description": "Assigns Contributor RBAC role for AD group resource groups with Tag 'RbacAssignment = true' and name prefix 'my-rg-prefix'. Existing resource groups can be remediated by triggering a remediation task.",
"metadata": {
"category": "Role assignment"
},
"parameters": {},
"policyRule": {}
}
}
Now we have our policy’s base information set. It’s time to form a policy rule. The policy rule consists of two blocks: policyRule and then. First one is the actual rule definition and the latter is the definition of what should be done when conditions are met. We’ll want to target only a few specific resource groups so the scope can be narrowed down with tag evaluations and resource group name conventions. To do this let’s slap an allOf operator (which is kind of like the logical operator ‘and’) to the policy rule and set up the rules
{
"properties": {
"displayName": "Assign Contributor RBAC role for an AD group",
"policyType": "Custom",
"mode": "All",
"description": "Assigns Contributor RBAC role for AD group resource groups with Tag 'RbacAssignment = true' and name prefix 'my-rg-prefix'. Existing resource groups can be remediated by triggering a remediation task.",
"metadata": {
"category": "Role assignment"
},
"parameters": {},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
}, {
"field": "name",
"like": "my-rg-prefix*"
}, {
"field": "tags['RbacAssignment']",
"equals": "true"
}
]
},
"then": {}
}
}
}
As can be seen from the JSON, the policy is applied to a resource (or actually a resource group) if
- It’s type of
Microsoft.Resources/subscriptions/resourceGroups= the target resource is a resource group - It has a tag named
RbacAssignmentset totrue - The resource group name starts with
my-rg-prefix
In order for the policy to actually do something, an effect must be defined. Because we want the role assignment to be automated, the deployIfNotExists effect is perfect. Few mentions of how to set up an effect:
- The most important stuff is in the
detailsblock - The type of the deployment and the scope of an existence check is
Microsoft.Authorization/roleAssignmentsfor RBAC role assignments - An existence condition is kind of an another
ifblock: the policy rule checks if a resource matches the conditions which makes it applicable for the policy. Existence check then confirms if the requirements of the details are met. If not, an ARM template will be deployed to the scoped resource
The existence condition of then block in the code example below checks the role assignment for a principal id through combination of Microsoft.Authorization/roleAssignments/roleDefinitionId and Microsoft.Authorization/roleAssignments/principalId. Since we want to assign the policy to a subscription, roleDefinitionId path must include the /subscriptions/<your_subscription_id>/.. in order for the policy to work properly.
{
"properties": {
"displayName": "Assign Contributor RBAC role for an AD group",
"policyType": "Custom",
"mode": "All",
"description": "Assigns Contributor RBAC role for AD group resource groups with Tag 'RbacAssignment = true' and name prefix 'my-rg-prefix'. Existing resource groups can be remediated by triggering a remediation task.",
"metadata": {
"category": "Role assignment"
},
"parameters": {},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
}, {
"field": "name",
"like": "my-rg-prefix*"
}, {
"field": "tags['RbacAssignment']",
"equals": "true"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Authorization/roleAssignments",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" // Use user access administrator role update RBAC role assignments
],
"existenceCondition": {
"allOf": [{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"equals": "/subscriptions/your_subscription_id/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" // RBAC role definition ID for Contributor role
}, {
"field": "Microsoft.Authorization/roleAssignments/principalId",
"equals": "OBJECT_ID_OF_YOUR_AD_GROUP" // Object ID of desired AD group
}
]
}
}
}
}
The last thing to add is the actual ARM template that will be deployed if existence conditions are not met. The template itself is fairly simple since it’s only containing the definitions for a RBAC role assignment.
{
"properties": {
"displayName": "Assign Contributor RBAC role for an AD group",
"policyType": "Custom",
"mode": "All",
"description": "Assigns Contributor RBAC role for AD group resource groups with Tag 'RbacAssignment = true' and name prefix 'my-rg-prefix'. Existing resource groups can be remediated by triggering a remediation task.",
"metadata": {
"category": "Tags",
},
"parameters": {},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
}, {
"field": "name",
"like": "my-rg-prefix*"
}, {
"field": "tags['RbacAssignment']",
"equals": "true"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Authorization/roleAssignments",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" // Use user access administrator role update RBAC role assignments
],
"existenceCondition": {
"allOf": [{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"equals": "/subscriptions/your_subscription_id/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" // RBAC role definition ID for Contributor role
}, {
"field": "Microsoft.Authorization/roleAssignments/principalId",
"equals": "OBJECT_ID_OF_YOUR_AD_GROUP" // Object ID of desired AD group
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adGroupId": {
"type": "string",
"defaultValue": "OBJECT_ID_OF_YOUR_AD_GROUP",
"metadata": {
"description": "ObjectId of an AD group"
}
},
"contributorRbacRole": {
"type": "string",
"defaultValue": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"metadata": {
"description": "Contributor RBAC role definition ID"
}
}
},
"resources": [{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[guid(resourceGroup().id, deployment().name)]",
"properties": {
"roleDefinitionId": "[parameters('contributorRbacRole')]",
"principalId": "[parameters('adGroupId')]"
}
}
]
}
}
}
}
}
}
}
}
And that’s it! Now we have the policy definition set up for checking and remediating default RBAC role assignment for our subscription. If the automated deployment feels too daunting, the effect can be swapped to auditIfNotExist version. That way you won’t be deploying anything automatically but you can simply audit all the resource groups in the scope for default RBAC role assignments.
{
"properties": {
"displayName": "Assign Contributor RBAC role for an AD group",
"policyType": "Custom",
"mode": "All",
"description": "Assigns Contributor RBAC role for AD group resource groups with Tag 'RbacAssignment = true' and name prefix 'my-rg-prefix'. Existing resource groups can be remediated by triggering a remediation task.",
"metadata": {
"category": "Tags",
},
"parameters": {},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
}, {
"field": "name",
"like": "my-rg-prefix*"
}, {
"field": "tags['RbacAssignment']",
"equals": "true"
}
]
},
"then": {
"effect": "auditIfNotExist",
"details": {
"type": "Microsoft.Authorization/roleAssignments",
"existenceCondition": {
"allOf": [{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"equals": "/subscriptions/your_subscription_id/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" // RBAC role definition ID for Contributor role
}, {
"field": "Microsoft.Authorization/roleAssignments/principalId",
"equals": "OBJECT_ID_OF_YOUR_AD_GROUP" // Object ID of desired AD group
}
]
}
}
}
}
}
}
That should be enough, right? Well it isn’t. Since we’re using ARM template deployment with our policy, we must add a role with privileges to create remediation tasks which essentially means we must add a role that has privileges to create and validate resource deployments. Azure doesn’t provide such policy with minimal privileges out-of-the-box since the scope that has all the permissions we need is Owner. We naturally don’t want to give Owner permissions to anything if we reeeeeally don’t have to. The solution: create a custom RBAC role for Azure Policy remediation tasks.
Create custom RBAC role for policy remediation
Luckily creating a new RBAC role for our needs is a fairly straightforward task. You can create new roles in Azure portal or with Powershell or Azure CLI. Depending on your desire and permissions to go around in Azure, you’ll want to create the new role into a management group or a subscription to contain it to a level where it is needed. Of course there’s no harm done to spread that role to wider area of your Azure environment, but for the sake of keeping everything tidy, we’ll create the new role to one subscription since it’s not needed elsewhere for the moment.
Note that the custom role only allows anyone to validate and create deployments. That’s not enough to actually do anything. You’ll need to combine the deployment role with a role that has permissions to do the stuff set in deployment. For RBAC role assignments you’d need to add “User Access Administrator” role to the deployer as well.
Here’s how to do it in Azure portal:
- Go to your subscription listing in Azure, pick the subscription you want to add the role to and head on to
Access control (IAM)tab. - From the top toolbar, click on the “Add” menu and select “Add custom role”.
- Give your role a clear, descriptive name such as
Least privilege deployeror something else that you think is more descriptive. - Add a description.
- Add permissions
Microsoft.Resources/deployments/validate/actionandMicrosoft.Resources/deployments/writeto the role. - Set the assignable scope to your subscription.
- Review everything and save.
After the role is created, check it’s properties and take note of the role id. Next we’ll need to update the policy definition made earlier in order to get the new RBAC role assigned to the service principal during policy initiative assignment.
So from the template, change this in effect block:
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" // Use user access administrator role update RBAC role assignments
]
to this:
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", // Use user access administrator role update RBAC role assignments
"/subscriptions/your_subscription_id/providers/Microsoft.Authorization/roleDefinitions/THE_NEW_ROLE_ID" // The newly created role with permissions to create and validate deployments
]
Assigning the created policy
Creating the policy definition is not enough for the policy to take effect. As mentioned before, the definition is merely a ruleset created for assigning the policy and does nothing without the policy assignment. Like definitions, assignments can be set to desired scope. Depending on your policy, you can set the policy for management group level or individual assignments to subscription level with property values that fit each individual subscription as needed.
Open Azure Policy and select “Assignment” from the left side menu. You can find “Assign policy” from the top toolbar. There’s a few considerations that you should go over when you’re assigning a policy:
Basics
- The scope: always think about your assignment scope before blindly assigning policies that modify your environment.
- Exclusion is a possibility, not a necessity. Should you re-evaluate the policy definition if you find yourself adding a lot of exclusions?
- Policy enforcement: if you have ANY doubts about the policy you have created, don’t enforce the policy. That way you won’t accidentally overwrite anything. It might be a good idea to assign policy without enforcement for the first time, review compliance results and if you’re happy with them, then enforce the policy.
- You can fix all the non-compliant resources with a remediation task after initial compliance scan
Remediation
- If you have a policy that changes something either with
modifyofdeployIfNotExistseffect, you’ll be creating a service principal for implementing the changes when you assign the policy. Be sure to check the location (region) of the service principal that it matches your desired location. - If you select to create a remediation tasks upon assignment, it will implement the changes in policy to existing resources. So if you have doubts if the policy works as you desire, do not create a remediation task during assignment. Review the compliance results first, then create the remediation task if everything’s ok.
Non-compliance message
- It’s usually a good idea to create a custom non-compliance message for your own custom definitions.
After you’ve set up all relevant stuff for the assignment and created it, it’s time to wait for the compliance checks to go through. When you’ve created an assignment, the first compliance check cycle is done usually within 30 minutes of the assignment creation. After the first cycle, compliance is evaluated once every 24 hours or whenever the assigned policy definitions are changed. If that’s not fast enough for you, you can always trigger an on-demand evaluation scan.