Table: azure_role_definition - Query Azure Role Definitions using SQL
Azure Role Definition is a resource within Microsoft Azure that represents a collection of permissions. It's used to provide access to Azure resources that the role is assigned to. Role Definitions help you manage access to your Azure resources by providing a way to group together permissions into roles.
Table Usage Guide
The azure_role_definition
table provides insights into Role Definitions within Microsoft Azure. As a DevOps engineer, explore role-specific details through this table, including permissions, trust policies, and associated metadata. Utilize it to manage access to your Azure resources, group together permissions into roles, and gain insights into role-specific details.
Examples
List the custom roles
Explore which custom roles have been defined in your Azure environment. This is beneficial to understand and manage the unique permissions and restrictions applied within your system.
select name, description, role_name, role_type, titlefrom azure_role_definitionwhere role_type = 'CustomRole';
select name, description, role_name, role_type, titlefrom azure_role_definitionwhere role_type = 'CustomRole';
List of roles whose assignable scope is set to root('/') scope
Explore the roles in your Azure environment that have been given broad permissions, as indicated by their assignable scope being set to root. This can be useful for identifying potential security risks and ensuring that permissions are appropriately restricted.
select name, role_name, scopefrom azure_role_definition, jsonb_array_elements_text(assignable_scopes) as scopewhere scope = '/';
Error: The corresponding SQLite query is unavailable.
Permissions of all custom roles
Explore which permissions are assigned to all custom roles within your Azure environment. This can help in maintaining security standards and ensuring that roles are not granted excessive permissions.
select name, role_name, role_type, permission -> 'actions' as action, permission -> 'dataActions' as data_action, permission -> 'notActions' as no_action, permission -> 'notDataActions' as not_data_actionsfrom azure_role_definition cross join jsonb_array_elements(permissions) as permissionwhere role_type = 'CustomRole';
select name, role_name, role_type, json_extract(permission.value, '$.actions') as action, json_extract(permission.value, '$.dataActions') as data_action, json_extract(permission.value, '$.notActions') as no_action, json_extract(permission.value, '$.notDataActions') as not_data_actionsfrom azure_role_definition, json_each(permissions) as permissionwhere role_type = 'CustomRole';
Permissions of all custom roles
Explore the permissions assigned to all custom roles in your Azure environment. This can help you understand access controls and identify potential security risks.
select name, role_name, role_type, permission -> 'actions' as action, permission -> 'dataActions' as data_action, permission -> 'notActions' as no_action, permission -> 'notDataActions' as not_data_actionsfrom azure_role_definition cross join jsonb_array_elements(permissions) as permissionwhere role_type = 'CustomRole';
select ard.name, ard.role_name, ard.role_type, json_extract(permission.value, '$.actions') as action, json_extract(permission.value, '$.dataActions') as data_action, json_extract(permission.value, '$.notActions') as no_action, json_extract(permission.value, '$.notDataActions') as not_data_actionsfrom azure_role_definition ard, json_each(ard.permissions) as permissionwhere ard.role_type = 'CustomRole';
Permissions of all custom roles
Analyze the permissions assigned to all custom roles in your Azure environment. This can help in identifying roles with excessive permissions, thereby assisting in maintaining a principle of least privilege.
select name, role_name, role_type, permission -> 'actions' as action, permission -> 'dataActions' as data_action, permission -> 'notActions' as no_action, permission -> 'notDataActions' as not_data_actionsfrom azure_role_definition cross join jsonb_array_elements(permissions) as permissionwhere role_type = 'CustomRole';
select ard.name, ard.role_name, ard.role_type, json_extract(permission.value, '$.actions') as action, json_extract(permission.value, '$.dataActions') as data_action, json_extract(permission.value, '$.notActions') as no_action, json_extract(permission.value, '$.notDataActions') as not_data_actionsfrom azure_role_definition ard, json_each(ard.permissions) as permissionwhere ard.role_type = 'CustomRole';
Query examples
Control examples
- A maximum of 3 owners should be designated for your subscription
- All Controls > Active Directory > Ensure that no Custom Subscription Administrator roles exist
- All Controls > Active Directory > IAM users should not have built in contributor role
- All Controls > Active Directory > Subscriptions with custom roles should not be overly permissive
- Audit usage of custom RBAC roles
- Blocked accounts with owner permissions on Azure resources should be removed
- Blocked accounts with read and write permissions on Azure resources should be removed
- CIS v1.3.0 > 1 Identity and Access Management > 1.21 Ensure that no custom subscription owner roles are created
- CIS v1.4.0 > 1 Identity and Access Management > 1.20 Ensure that no custom subscription owner roles are created
- CIS v1.5.0 > 1 Identity and Access Management > 1.23 Ensure That No Custom Subscription Owner Roles Are Created
- CIS v2.0.0 > 1 Identity and Access Management > 1.23 Ensure That No Custom Subscription Administrator Roles Exist
- CIS v2.1.0 > 1 Identity and Access Management > 1.2 Conditional Access > 1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals
- CIS v2.1.0 > 1 Identity and Access Management > 1.22 Ensure That No Custom Subscription Administrator Roles Exist
- CIS v3.0.0 > 2 Identity > 2.2 Conditional Access > 2.2.8 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals
- CIS v3.0.0 > 2 Identity > 2.23 Ensure That No Custom Subscription Administrator Roles Exist
- Guest accounts with owner permissions on Azure resources should be removed
- Guest accounts with read permissions on Azure resources should be removed
- Guest accounts with write permissions on Azure resources should be removed
- There should be more than one owner assigned to your subscription
Schema for azure_role_definition
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
assignable_scopes | jsonb | A list of assignable scopes for which the role definition can be assigned. | |
cloud_environment | text | The Azure Cloud Environment. | |
description | text | Description of the role definition. | |
id | text | Contains ID to identify a role definition uniquely. | |
name | text | = | The friendly name that identifies the role definition. |
permissions | jsonb | A list of actions, which can be accessed. | |
role_name | text | Current state of the role definition. | |
role_type | text | Name of the role definition. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
title | text | Title of the resource. | |
type | text | Contains the resource type. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config
argument:
steampipe_export_azure --config '<your_config>' azure_role_definition