
False positive for Azure RBAC - Custom Subscription Owner Role Not Allowed

Open GramanP opened this issue 1 year ago • 1 comments

Description

Custom RBAC roles in Azure are incorrectly detected as custom owner roles due to * or */read actions being present in the permissions despite there also being notActions in the permissions.

To Reproduce

Create new custom roles in a Microsoft Azure subscription by cloning the BuiltIn Reader and Contributor roles and add additional notActions to those already included by the BuiltIn role they were based on.

Custom Reader permissions:

```json
"permissions": [
  {
    "actions": [ "*/read" ],
    "notActions": [
      "Microsoft.AppConfiguration/register/action",
      "Microsoft.AppConfiguration/unregister/action",
      "Microsoft.AppConfiguration/checkNameAvailability/read",
      "Microsoft.AppConfiguration/locations/operationsStatus/read",
      "Microsoft.AppConfiguration/configurationStores/read",
      "Microsoft.AppConfiguration/configurationStores/write",
      "Microsoft.AppConfiguration/configurationStores/delete",
      "Microsoft.AppConfiguration/configurationStores/ListKeys/action",
      "Microsoft.AppConfiguration/configurationStores/RegenerateKey/action",
      "Microsoft.AppConfiguration/configurationStores/ListKeyValue/action",
      "Microsoft.AppConfiguration/configurationStores/PrivateEndpointConnectionsApproval/action",
      "Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/diagnosticSettings/read",
      "Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/diagnosticSettings/write",
      "Microsoft.AppConfiguration/configurationStores/eventGridFilters/read",
      "Microsoft.AppConfiguration/configurationStores/eventGridFilters/write",
      "Microsoft.AppConfiguration/configurationStores/eventGridFilters/delete",
      "Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/logDefinitions/read",
      "Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/metricDefinitions/read",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/read",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/write",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/delete",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/validate/action",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/read",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/write",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/delete",
      "Microsoft.AppConfiguration/configurationStores/privateLinkResources/read",
      "Microsoft.AppConfiguration/operations/read"
    ],
    "dataActions": [],
    "notDataActions": []
  }
]
```

Custom Contributor permissions:

```json
"permissions": [
  {
    "actions": [ "*" ],
    "notActions": [
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Blueprint/blueprintAssignments/write",
      "Microsoft.Blueprint/blueprintAssignments/delete",
      "Microsoft.Compute/galleries/share/action",
      "Microsoft.AppConfiguration/register/action",
      "Microsoft.AppConfiguration/unregister/action",
      "Microsoft.AppConfiguration/checkNameAvailability/read",
      "Microsoft.AppConfiguration/locations/operationsStatus/read",
      "Microsoft.AppConfiguration/configurationStores/read",
      "Microsoft.AppConfiguration/configurationStores/write",
      "Microsoft.AppConfiguration/configurationStores/delete",
      "Microsoft.AppConfiguration/configurationStores/ListKeys/action",
      "Microsoft.AppConfiguration/configurationStores/RegenerateKey/action",
      "Microsoft.AppConfiguration/configurationStores/ListKeyValue/action",
      "Microsoft.AppConfiguration/configurationStores/PrivateEndpointConnectionsApproval/action",
      "Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/diagnosticSettings/read",
      "Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/diagnosticSettings/write",
      "Microsoft.AppConfiguration/configurationStores/eventGridFilters/read",
      "Microsoft.AppConfiguration/configurationStores/eventGridFilters/write",
      "Microsoft.AppConfiguration/configurationStores/eventGridFilters/delete",
      "Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/logDefinitions/read",
      "Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/metricDefinitions/read",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/read",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/write",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/delete",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/validate/action",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/read",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/write",
      "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/delete",
      "Microsoft.AppConfiguration/configurationStores/privateLinkResources/read",
      "Microsoft.AppConfiguration/operations/read"
    ],
    "dataActions": [],
    "notDataActions": []
  }
]
```

Then run a Scout Suite scan of the subscription; the report will include these new custom roles in the list of detections for Custom Owner Roles.

GramanP avatar Mar 01 '23 16:03 GramanP

Adding to this report, the check incorrectly flags any action with * in the name as an Owner role, i.e. Microsoft.Web/certificates/*.

This is because the check here checks if * is in the action name. To correspond to the CIS control it tries to implement, it should be if "*" == action, not if "*" in action, though even this improved version suffers from the same problem as reported in the original issue.

rieck-srlabs avatar Dec 05 '23 17:12 rieck-srlabs
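The following is an added illustration, not ScoutSuite's own rule code, that puts the three predicates discussed in this thread side by side: the substring test the second comment describes (`"*" in action`), the suggested exact test (`"*" == action`), and a further heuristic (my own, not from the project or the CIS benchmark text) that also honours `notActions` by asking whether the role can still write role assignments after the exclusions are applied. The role definitions are constructed samples modelled on the Reader and Contributor clones from the original report; `ROLE_ASSIGNMENT_WRITE` and `is_custom_owner_effective` are names chosen here.

```python
from fnmatch import fnmatchcase

# Assumption for the third heuristic: a role that can still write role
# assignments after notActions are applied is owner-equivalent, since it can
# grant itself whatever the exclusions took away.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def action_matches(pattern: str, operation: str) -> bool:
    """Azure operation patterns are case-insensitive and '*' spans '/' segments."""
    return fnmatchcase(operation.lower(), pattern.lower())


def is_custom_owner_naive(role: dict) -> bool:
    """The behaviour described in the second comment: any '*' anywhere in an action."""
    return any("*" in a for p in role["permissions"] for a in p["actions"])


def is_custom_owner_exact(role: dict) -> bool:
    """The suggested fix: only an action that is exactly '*' counts."""
    return any(a == "*" for p in role["permissions"] for a in p["actions"])


def permits(perm: dict, operation: str) -> bool:
    """Effective allow: some action matches and no notAction takes it back."""
    allowed = any(action_matches(a, operation) for a in perm["actions"])
    denied = any(action_matches(n, operation) for n in perm["notActions"])
    return allowed and not denied


def is_custom_owner_effective(role: dict) -> bool:
    """Hypothetical heuristic: '*' is granted and notActions do not revoke
    role-assignment write. A Contributor clone (which excludes
    Microsoft.Authorization/*/Write) therefore no longer trips the check."""
    return any(
        any(a == "*" for a in p["actions"]) and permits(p, ROLE_ASSIGNMENT_WRITE)
        for p in role["permissions"]
    )


# Constructed sample roles (notActions lists shortened from the report).
SAMPLE_ROLES = [
    {"name": "custom-reader",
     "permissions": [{"actions": ["*/read"],
                      "notActions": ["Microsoft.AppConfiguration/configurationStores/read"]}]},
    {"name": "custom-contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/elevateAccess/Action",
                                     "Microsoft.AppConfiguration/configurationStores/write"]}]},
    {"name": "custom-owner-clone",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"name": "cert-admin",
     "permissions": [{"actions": ["Microsoft.Web/certificates/*"], "notActions": []}]},
    # '*' with an unrelated exclusion: still owner-equivalent, and only the
    # effective check explains why.
    {"name": "star-minus-storage",
     "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Storage/*"]}]},
]


def classify(roles: list) -> dict:
    """Return {role name: (naive, exact, effective)} for each role."""
    return {
        r["name"]: (is_custom_owner_naive(r),
                    is_custom_owner_exact(r),
                    is_custom_owner_effective(r))
        for r in roles
    }


if __name__ == "__main__":
    for name, verdicts in classify(SAMPLE_ROLES).items():
        print(f"{name:22s} naive={verdicts[0]!s:5} exact={verdicts[1]!s:5} effective={verdicts[2]}")
```

Running it shows the two false positives from the thread (the Reader clone and the `Microsoft.Web/certificates/*` role) disappear under the exact test, while the Contributor clone is only cleared once `notActions` are consulted; the `star-minus-storage` role stays flagged by all three, which is the desired outcome. The CIS audit procedure for this control also looks at the role's assignable scopes, which this snippet leaves out.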