Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Over-privileged managed identity - role definition ID should be changed #1291

Open KennethMLdk opened 5 months ago

KennethMLdk commented 5 months ago

The managed identity created when assigning this policy is highly over-privileged and does not comply with the least privilege principle.

https://github.com/Azure/azure-policy/blob/8d69fada93c4348e4f2d5db22a4595b8af4683eb/built-in-policies/policyDefinitions/Tags/InheritTag_Add_Modify.json#L38

Role Contributor: "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ],

Should be changed to Tag Contributor: "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f" ],
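As an added example that is not part of this issue or of the azure-policy repository: a small Python audit that loads a policy definition, pulls the `roleDefinitionIds` that a `modify` or `deployIfNotExists` effect grants to the policy's managed identity, flags any role that is not on an allow-list, and rewrites the broad role to the narrower one. The sample policy JSON is constructed to mirror the shape of a tag-inheriting `modify` policy; it is not a copy of `InheritTag_Add_Modify.json`. The two role GUIDs are the Contributor and Tag Contributor IDs quoted above; the function names and the allow-list are assumptions of this example.

```python
import copy
import json

# Built-in role definition GUIDs quoted in the issue.
CONTRIBUTOR_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
TAG_CONTRIBUTOR_ID = "4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
ROLE_PREFIX = "/providers/microsoft.authorization/roleDefinitions/"

# Constructed sample: same structure as a tag-inheriting 'modify' policy
# (properties.policyRule.then.details.roleDefinitionIds), but not the repository's file.
SAMPLE_POLICY_JSON = """
{
  "properties": {
    "displayName": "Constructed example: inherit a tag from the resource group",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
"""


def load_sample_policy() -> dict:
    """Parse the constructed sample policy definition."""
    return json.loads(SAMPLE_POLICY_JSON)


def role_definition_ids(policy: dict) -> list:
    """Return the roleDefinitionIds a policy's remediation identity will be granted.

    Only 'modify' and 'deployIfNotExists' carry this list; for any other effect,
    or a definition without a 'details' block, the result is empty.
    """
    then = policy.get("properties", {}).get("policyRule", {}).get("then", {})
    details = then.get("details", {})
    return list(details.get("roleDefinitionIds", []))


def role_guid(role_definition_id: str) -> str:
    """Extract the GUID from a full or bare role definition ID, case-folded."""
    return role_definition_id.rsplit("/", 1)[-1].lower()


def audit_role_ids(policy: dict, allowed_guids) -> list:
    """List every roleDefinitionId whose GUID is not on the allow-list.

    A non-empty result means the assignment would create an identity holding
    more than the minimum role the policy's operations need.
    """
    allowed = {g.lower() for g in allowed_guids}
    return [rid for rid in role_definition_ids(policy) if role_guid(rid) not in allowed]


def rewrite_role_ids(policy: dict, replacements: dict) -> dict:
    """Return a copy of the policy with broad role GUIDs swapped for narrower ones.

    'replacements' maps old GUID -> new GUID; IDs not in the map are kept.
    The input is not mutated, so the original can still be diffed against the result.
    """
    fixed = copy.deepcopy(policy)
    details = fixed.get("properties", {}).get("policyRule", {}).get("then", {}).get("details")
    if not details or "roleDefinitionIds" not in details:
        return fixed
    lowered = {k.lower(): v for k, v in replacements.items()}
    details["roleDefinitionIds"] = [
        ROLE_PREFIX + lowered[role_guid(rid)] if role_guid(rid) in lowered else rid
        for rid in details["roleDefinitionIds"]
    ]
    return fixed


if __name__ == "__main__":
    policy = load_sample_policy()
    # A tag-only policy should need nothing broader than Tag Contributor.
    for rid in audit_role_ids(policy, [TAG_CONTRIBUTOR_ID]):
        print("over-privileged role granted by policy:", rid)
    fixed = rewrite_role_ids(policy, {CONTRIBUTOR_ID: TAG_CONTRIBUTOR_ID})
    print("after rewrite:", role_definition_ids(fixed))
```

Run against a checkout of the definitions directory, the allow-list would be tuned per policy family (tag policies get Tag Contributor, for example), and any definition that still grants a broader role surfaces in the audit output rather than at assignment time.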