Skip to content

feat(query): implemented query that checks if the use of user access administrator is not restricted for terraform/azure #7842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

feat(query): implemented query that checks if the use of user access administrator is not restricted for terraform/azure #7842

wants to merge 6 commits into from

Conversation

@cx-ricardo-jesus
Copy link
Contributor

@cx-ricardo-jesus cx-ricardo-jesus commented Nov 11, 2025
edited
Loading

Reason for Proposed Changes

  • Currently, there is no query for Terraform/Azure that checks if an resource of type azurerm_role_assignement is restricting the use of User Access Administrator role through its name or id.

Proposed Changes

  • The query has just one policy, that uses an helper function called get_res that check's the two possibilities of defining the User Access Administrator role, by using the field role_definition_name and defining it to User Access Administrator or its respective ID (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9).
  • According to the documentation, "Either role_definition_id or role_definition_name must be set." so, I did not covered the case when both are defined.
  • Additionallym based on the AppSec team's feedback, the scope field should also be taken into account. Following this guidance, the query only covers the highest permission levels - the tenant root (/) and management group (/providers/Microsoft.Management/managementGroups/<mg>). According to the Microsoft RBAC scope documentation, assigning the User Access Administratir role at these level grants permissions over all resouces in the tenant.

I submit this contribution under the Apache-2.0 license.

@cx-ricardo-jesus cx-ricardo-jesus requested a review from a team as a code owner November 11, 2025 17:15
@github-actions github-actions bot added feature New feature query New query feature terraform Terraform query azure PR related with Azure Cloud labels Nov 11, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 11, 2025

kics-logo

KICS version: v2.1.13

Category Results
CRITICAL CRITICAL 0
HIGH HIGH 0
MEDIUM MEDIUM 0
LOW LOW 0
INFO INFO 0
TRACE TRACE 0
TOTAL TOTAL 0
Metric Values
Files scanned placeholder 1
Files parsed placeholder 1
Files failed to scan placeholder 0
Total executed queries placeholder 47
Queries failed to execute placeholder 0
Execution time placeholder 0

@cx-ricardo-jesus cx-ricardo-jesus marked this pull request as draft November 12, 2025 15:10
@cx-ricardo-jesus cx-ricardo-jesus marked this pull request as ready for review November 12, 2025 17:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

azure PR related with Azure Cloud feature New feature query New query feature terraform Terraform query

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cx-ricardo-jesus