Question
I am currently helping investigate adopting Azure for my organization's public cloud. One of the tasks I have been assigned is locking down accounts to prevent users from being able to elevate their permissions within a subscription.
One of the things in particular I am interested in is denying the creation of Custom Roles, as we don't want people to go and start creating their own roles until the need for the role has been vetted by security.
I have been trying to do this via an Azure policy with the following definition:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleDefinitions"
      },
      {
        "field": "Microsoft.Authorization/roleDefinitions/type",
        "equals": "CustomRole"
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}
It was actually just the built-in "Audit Custom Roles" policy copied over, with the effect changed from "Audit" to "Deny".
However, I have applied this policy to the Management Group that contains the subscription I am testing with, and yet when I log in to the CLI and try to create a new custom role, it goes ahead and creates the role.
I have ensured that the policy is present on the subscription, and I have confirmed that I am in the correct subscription in the CLI (using az account show), yet I am still allowed to create custom roles.
Is this just not something Azure supports, or is there something else I am missing? Any help or guidance would be greatly appreciated as the Microsoft docs and the numerous examples available online don't seem to have any information on controlling roles with policies.
P.S. I know that you can control roles to some extent through policies as we have another policy that prevents the assignment of a certain set of roles from happening and that does work.
Answer 1:
It looks like Azure CLI creates the role definition without populating the "type" field. The following policy will handle this:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleDefinitions"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "equals": "CustomRole"
          },
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "exists": "false"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}
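To make the difference between the two definitions concrete, here is an added example (not part of the question or answer) that evaluates both policies against a role-definition request with and without the type property, using a deliberately small stand-in for Azure Policy's allOf/anyOf/equals/exists logic; the mapping of the alias "Microsoft.Authorization/roleDefinitions/type" to properties.type and the request bodies are assumptions.

```python
# Added example (not from the post): a minimal evaluator mimicking Azure Policy's
# allOf/anyOf/equals/exists semantics, to show why the original policy lets a
# CLI-created custom role through while the corrected one denies it.
# Assumption: the alias "Microsoft.Authorization/roleDefinitions/type" resolves to
# the request body's properties.type; this is a simplified stand-in, not Azure's engine.

ALIASES = {"Microsoft.Authorization/roleDefinitions/type": ("properties", "type")}

def lookup(resource, field):
    """Resolve a field (or alias) against a resource body; None if absent."""
    node = resource
    for key in ALIASES.get(field, (field,)):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(condition, resource):
    """Evaluate one policy condition: allOf, anyOf, equals or exists."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    value = lookup(resource, condition["field"])
    if "equals" in condition:  # Azure Policy string comparisons are case-insensitive
        return value is not None and str(value).lower() == condition["equals"].lower()
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")

def effect_for(policy, resource):
    """Return the policy effect if the 'if' block matches, otherwise 'Allow'."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else "Allow"

IS_ROLE_DEF = {"field": "type", "equals": "Microsoft.Authorization/roleDefinitions"}
ROLE_TYPE = "Microsoft.Authorization/roleDefinitions/type"
# Original policy from the question: only denies when type == CustomRole.
ORIGINAL = {"if": {"allOf": [IS_ROLE_DEF, {"field": ROLE_TYPE, "equals": "CustomRole"}]},
            "then": {"effect": "Deny"}}
# Corrected policy from the answer: also denies when the type field is absent.
FIXED = {"if": {"allOf": [IS_ROLE_DEF, {"anyOf": [
            {"field": ROLE_TYPE, "equals": "CustomRole"},
            {"field": ROLE_TYPE, "exists": "false"}]}]}, "then": {"effect": "Deny"}}

# Constructed request bodies: one with properties.type set, one as the CLI sends it.
PORTAL_ROLE = {"type": "Microsoft.Authorization/roleDefinitions",
               "properties": {"roleName": "vetted-reader", "type": "CustomRole"}}
CLI_ROLE = {"type": "Microsoft.Authorization/roleDefinitions",
            "properties": {"roleName": "unvetted-role"}}
```

Running effect_for over both policies and both bodies shows the original definition returning "Allow" for the CLI-style request and the corrected one returning "Deny" for both.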
Source: https://stackoverflow.com/questions/54542727/azure-policy-not-denying-custom-role-creation