Reputation: 71
I'm currently auditing an Azure VM to verify if users with access to it have been assigned roles appropriate to their job responsibilities.
I understand roles can be assigned at the subscription, resource group, and resource levels. If I'm interested in identifying all users who have access to the VM AND could grant access to the VM, does this mean I should be looking at roles assigned at each of these levels? Or is there a more efficient approach to meet my test objective?
Hoping someone can point me in the right direction. Thanks in advance!
Upvotes: 0
Views: 223
Reputation: 5165
• Yes, you should be looking at the access to the VM at all the levels, since roles and permissions to a particular Azure resource are subject to the specific purpose relating to that resource. As resource management is one of the five disciplines of cloud governance, Azure RBAC (Role Based Access Control) plays an important role in assigning the required permissions only according to the role assigned to the specific user identity and the underlying permissions defined in it as the scope of the tasks that can be performed on that Azure resource. Thus, accordingly, you will have to check and verify the required roles and underlying permissions for that resource at the initial level.
• Secondly, check whether the RBAC request granted is in line with and allowed under the settings specified for Azure Resource Policy. This can also be described as the default policy set for the control and usage of resources in that Azure tenant or subscription. And finally, check whether the RBAC request granted for that resource doesn't exceed the set Azure Subscription Limit, i.e., the set number of resources to be deployed in that subscription or whatever else is limited. The final check also includes the financial commitment associated with the Azure subscription and should adhere to the payment information and commitment defined for that subscription.
• Thus, in this way, you can audit and check for the required roles and inherent permissions for an Azure resource at multiple levels. To know more in detail about checking the access level for an Azure resource, I would suggest you refer to the documentation link below:
https://learn.microsoft.com/en-us/azure/role-based-access-control/check-access
Upvotes: 1
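A worked version of the multi-level check the answer describes, added here as an example and not taken from either post: it collapses role assignments from the subscription, resource group and resource scopes onto one VM and flags which principals hold a role that can write role assignments (i.e. could grant access). The subscription ID, principal names, records and abridged role definitions are all constructed; the record shape mirrors `az role assignment list --scope <vm-id> --include-inherited --include-groups`, but the data is not real output.

```python
# Added example: audit one VM's effective RBAC access across scopes and flag
# principals whose role lets them grant access to others.
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = f"{SUB}/resourceGroups/rg-prod"
VM = f"{RG}/providers/Microsoft.Compute/virtualMachines/vm-web01"
GRANT_ACTION = "Microsoft.Authorization/roleAssignments/write"

# Abridged built-in role definitions (constructed for this example; confirm
# against `az role definition list` before relying on them).
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"]),
    "Reader": (["*/read"], []),
    "Virtual Machine Contributor": (["Microsoft.Compute/virtualMachines/*"], []),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*"], []),
}

def _matches(action, patterns):
    # Azure action matching is case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    actions, not_actions = ROLES[role]
    return _matches(action, actions) and not _matches(action, not_actions)

def applies_to(scope, resource_id):
    # An assignment applies if its scope is the resource itself or an ancestor
    # scope (management-group inheritance is not modelled here).
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def audit(assignments, resource_id):
    """Return {principal: {"roles": [...], "scopes": [...], "can_grant": bool}}."""
    report = {}
    for a in assignments:
        if not applies_to(a["scope"], resource_id):
            continue  # assignment on a sibling resource, not inherited by this VM
        e = report.setdefault(a["principalName"], {"roles": [], "scopes": [], "can_grant": False})
        e["roles"].append(a["roleDefinitionName"])
        e["scopes"].append(a["scope"])
        e["can_grant"] = e["can_grant"] or role_allows(a["roleDefinitionName"], GRANT_ACTION)
    return report

# Constructed records (not real data) in the shape of the az CLI output.
SAMPLE = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "carol@contoso.example", "roleDefinitionName": "Reader", "scope": VM},
    {"principalName": "eve@contoso.example", "roleDefinitionName": "User Access Administrator", "scope": VM},
    {"principalName": "sg-ops", "roleDefinitionName": "Virtual Machine Contributor", "scope": RG},
    {"principalName": "frank@contoso.example", "roleDefinitionName": "Contributor",
     "scope": f"{RG}/providers/Microsoft.Compute/virtualMachines/vm-web02"},
]
```

Running `audit(SAMPLE, VM)` reports alice (Owner inherited from the subscription) and eve (User Access Administrator on the VM) as able to grant access, while bob's Contributor role is excluded because `Microsoft.Authorization/*/Write` is in its NotActions; frank's assignment on vm-web02 does not apply to vm-web01 at all.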