Enabling Azure resource-specific admin accounts can reduce an organization’s ability to protect itself against account thefts.
Azure resources such as Azure Batch and Azure Container Registry offer built-in administrative accounts or elevated-privilege identities that grant full administrator access. Enabling these accounts bypasses the principle of least privilege and fails to properly separate duties, creating potentially critical attack vectors on the affected resources. In case of an account compromise, an attacker with full administrator permissions can access, modify, or delete sensitive data, and can manipulate access logs to cover their tracks.
If an administrative account is compromised, an attacker gains unrestricted access to the affected Azure resource and all the data it manages. Both the data operated on by the resource and the audit trail required to detect and investigate a breach are at risk.
The following Azure Batch pool configuration runs its start task as an auto-user with the Admin elevation level, which grants the task full administrator permissions on every compute node of the pool:
resource "azurerm_batch_pool" "example" {
  name = "example"
  start_task {
    user_identity {
      auto_user {
        elevation_level = "Admin" # Noncompliant: the start task runs as a node administrator
        scope           = "Task"
      }
    }
  }
}
The compliant configuration keeps the NonAdmin elevation level, so the start task runs as a standard, unprivileged user:
resource "azurerm_batch_pool" "example" {
  name = "example"
  start_task {
    user_identity {
      auto_user {
        elevation_level = "NonAdmin"
        scope           = "Task"
      }
    }
  }
}
The following Azure Container Registry configuration enables the registry's built-in admin user, a single username/password pair with full push, pull and management rights on the registry:
resource "azurerm_container_registry" "example" {
  name          = "example"
  admin_enabled = true # Noncompliant: the built-in admin user is enabled
}
The compliant configuration leaves the admin user disabled, so access to the registry goes through individually assigned Azure identities and roles:
resource "azurerm_container_registry" "example" {
  name          = "example"
  admin_enabled = false
}