Azure Policy not denying Custom Role creation

前端 未结 1 413
再見小時候
再見小時候 2021-01-25 03:40

I am currently helping investigate adopting Azure for my organization\'s public cloud. One of the tasks I have been assigned is locking down accounts to prevent users from being

相关标签:
1条回答
  • 2021-01-25 04:03

    It looks like Azure CLI creates the role definition without populating the "type" field. The following policy will handle this:

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleDefinitions"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Authorization/roleDefinitions/type",
                "equals": "CustomRole"
              },
              {
                "field": "Microsoft.Authorization/roleDefinitions/type",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
    
    0 讨论(0)
提交回复
热议问题