Skip to main content

More Info:

Roles which can be assumed by Compute Services

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

  • Remediation

Remediation

Using Console

None

To remediate the misconfiguration of roles assumable by compute services in Azure using the Azure CLI, follow these step-by-step instructions:
  1. Install and set up the Azure CLI on your local machine if you haven’t already. You can find the installation guide at https://docs.microsoft.com/en-us/cli/azure/install-azure-cli.
  2. Open a command prompt or terminal and log in to your Azure account using the following command: 
    az login
  3. If you have multiple subscriptions, set the desired subscription where the remediation needs to be applied using the following command: 
    az account set --subscription <subscription_id>
  4. List all the existing role assignments for the compute services using the following command: 
    az role assignment list --all --query "[?contains(roleDefinitionName, 'Virtual Machine Contributor') && contains(principalType, 'ServicePrincipal')]"
  5. Identify the role assignments that need to be remediated. Make a note of the principalId and scope values for each role assignment.
  6. Remove the role assignments using the following command for each role assignment: 
    az role assignment delete --assignee <principalId> --scope <scope>
    Replace <principalId> with the principalId value obtained in step 5 and <scope> with the scope value obtained in step 5.
  7. Verify that the role assignments have been successfully removed by re-running the command in step 4.
By following these steps, you will be able to remediate the misconfiguration of roles assumable by compute services in Azure using the Azure CLI.
To remediate the misconfiguration of roles assumable by compute services in Azure using Python, you can follow these steps:
  1. Install the required Python packages: 
    pip install azure-identity
pip install azure-mgmt-resource
  2. Import the necessary modules in your Python script: 
    from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient
  3. Authenticate with Azure using the default credentials: 
    credential = DefaultAzureCredential()
  4. Create an instance of the ResourceManagementClient: 
    subscription_id = "<your-subscription-id>"
resource_client = ResourceManagementClient(credential, subscription_id)
  5. Get the list of compute resources in your Azure subscription: 
    compute_resources = resource_client.resources.list(filter="resourceType eq 'Microsoft.Compute/virtualMachines'")
  6. Iterate over the compute resources and check their role assignments: 
    for compute_resource in compute_resources:
    resource_id = compute_resource.id
    role_assignments = resource_client.role_assignments.list_for_resource(resource_id)
    for role_assignment in role_assignments:
        if role_assignment.principal_type == "ServicePrincipal":
            print(f"Compute resource {resource_id} has a role assignment with principal type ServicePrincipal: {role_assignment.role_definition_name}")
  7. Review the output to identify any compute resources with role assignments that need remediation.
  8. To remediate the misconfiguration, you can remove the role assignments for compute resources that are not intended to have them. Use the delete method from the RoleAssignmentsOperations class: 
    resource_client.role_assignments.delete(role_assignment_name)
Note: Make sure to replace <your-subscription-id> with your actual Azure subscription ID in step 4.By following these steps, you can identify and remediate the misconfiguration of roles assumable by compute services in Azure using Python.
I