Azure策略不拒绝创建自定义角色 [英] Azure Policy not denying Custom Role creation

问题描述

我目前正在帮助调查组织的公共云采用Azure的情况.我被分配的任务之一是锁定帐户，以防止用户能够提升其在订阅中的权限.

I am currently helping investigate adopting Azure for my organization's public cloud. One of the tasks I have been assigned is locking down accounts to prevent users from being able to elevate their permissions within a subscription.

我特别感兴趣的一件事是拒绝创建自定义角色，因为我们不希望人们在安全性审查过对该角色的需求之前就开始创建自己的角色.

One of the things in particular I am interested in is denying the creation of Custom Roles, as we don't want people to go and start creating their own roles until the need for the role has been vetted by security.

我一直试图通过具有以下定义的Azure策略来做到这一点

I have been trying to do this via an Azure policy with the following definition

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleDefinitions"
      },
      {
        "field": "Microsoft.Authorization/roleDefinitions/type",
        "equals": "CustomRole"
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}

实际上只是复制了内置的审核自定义角色"策略，并将效果从审核"更改为拒绝"

It was actually just the built in "Audit Custom Roles" policy copied over and changing the effect from "Audit" to "Deny"

但是，我已将此策略应用于包含要测试的订阅的管理组，但是当我登录CLI并尝试创建新的自定义角色时，它将继续并创建该角色.

However I have applied this policy to the Management Group that contains the subscription I am testing with, and yet when I login to the CLI and try and create a new custom role it goes ahead and creates the role.

我确保订阅中包含该策略，并且已经确认我在CLI中处于正确的订阅中(使用az account show)，但仍然可以创建自定义角色.

I have ensured that the policy is present on the subscription, and I have confirmed that I am in the correct subscription in the CLI (using az account show) yet I am still allowed to create custom roles.

这仅仅是Azure所不支持的东西，还是我还缺少其他东西?任何帮助或指导都将不胜感激，因为Microsoft文档和在线上提供的大量示例似乎都没有有关通过策略控制角色的任何信息.

Is this just not something Azure supports, or is there something else I am missing? Any help or guidance would be greatly appreciated as the Microsoft docs and the numerous examples available online don't seem to have any information on controlling roles with policies.

P.S. 我知道您可以通过策略在某种程度上控制角色，因为我们还有另一种策略可以防止某些角色的分配发生并且确实起作用.

P.S. I know that you can control roles to some extent through policies as we have another policy that prevents the assignment of a certain set of roles from happening and that does work.

推荐答案

Azure CLI似乎在不填充类型"字段的情况下创建了角色定义.以下政策将解决此问题:

It looks like Azure CLI creates the role definition without populating the "type" field. The following policy will handle this:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleDefinitions"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "equals": "CustomRole"
          },
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "exists": "false"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}

这篇关于Azure策略不拒绝创建自定义角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！