Kata 1: Review Azure IAM administrators

This kata shows how to review Azure IAM administrators and verify they need that privileged access using the k9 Principals report.

Reviewing IAM administration capabilities is the first Azure access improvement step, because any user or service principal who can administer the Azure Authorization service can grant themselves any privilege in the subscription they do not already have:

  • create or destroy compute & data resources
  • read, write, delete data
  • run applications and scripts

Let’s see who can administer Azure IAM and verify they need that privilege.

Open the latest k9 resource access audit spreadsheet from the S3 bucket containing your reports.

Go to the Principals worksheet.

  1. Enable filtering for the worksheet columns
  2. Filter the ‘Principal is IAM Admin’ column to TRUE

You should now have a list of principals that looks like:

(Figure: Principals filtered to IAM Administrators)

These are the Entra principals who can:

  • create, assign, and delete roles
  • create, assign, and delete policies
  • create classic administrators
  • elevate access

There are endless permutations of attacks and accidents an Entra principal with administration capabilities can execute in your Azure subscription. Reduce risk to your Azure subscription by reducing the set of IAM administrators to only what is necessary.

Review Questions

Ask these questions during your review:

Q. Should this principal have IAM administration capabilities?

Automated delivery processes, operations teams, and security teams usually need an IAM principal with IAM administration capabilities. Whether a team needs this capability often varies by environment. For example, you may allow application development teams to administer IAM in a development environment, but not in production.

Automated delivery processes will often have principals that include terms like: ci, cicd, devops, delivery, jenkins, github, circleci, cdk, terraform, tfc, and other full or abbreviated names for continuous integration and delivery tools.

Q. Is this principal still in use?

It’s common to find administrator-level principals that were created for a test or an incident and then forgotten. Additionally, if the principal has not been used in 90 days, then the principal might not be necessary, or at least it may not need to be an administrator. Check the ‘Principal Last Used’ column for the principal on the Principals worksheet (we’ll do a full unused Azure principal review in Kata 2).

Q. If the principal is an Entra user, is MFA enabled?

All Entra users with IAM administration capabilities should have multi-factor authentication (MFA) enabled to protect that privileged user from abuse via phishing and other attacks that target people.

Q. If the principal is an Entra service principal, what types of active credentials exist?

Check the ‘Active Credential Types’ column to see what types of credentials exist and are active for the principal. k9 reports: passwords, OAuth2 client secrets, and certificate keys. You can review those in detail using Kata 3, Review Entra Service Principal credentials.

Q. How many excess IAM administrators did you find?

A good starting definition of an ‘Excess IAM administrator’ is an IAM admin having one or more of the following properties:

  • was last used more than 90 days ago
  • the principal name does not indicate it is an admin or part of a delivery or operational process
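The filter step and the ‘Excess IAM administrator’ definition above can be applied to a CSV export of the Principals worksheet with a short script. This is an added example, not k9 code: it assumes the worksheet is exported as CSV, that ‘Principal Last Used’ holds ISO 8601 dates (blank meaning never used), that the name column is called ‘Principal Name’, and it adds the tokens ‘admin’ and ‘ops’ to the kata’s list of delivery-tool terms.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Column headers: the first three are named in the kata; "Principal Name" is assumed.
IS_ADMIN_COL = "Principal is IAM Admin"
LAST_USED_COL = "Principal Last Used"
CREDS_COL = "Active Credential Types"
NAME_COL = "Principal Name"

# Terms the kata lists for delivery tooling, plus "admin" and "ops" (assumed)
# to cover names that indicate an admin or operational process.
EXPECTED_TERMS = {"ci", "cicd", "devops", "delivery", "jenkins", "github",
                  "circleci", "cdk", "terraform", "tfc", "admin", "ops"}

# Constructed sample rows shaped like a Principals worksheet CSV export.
SAMPLE_CSV = """Principal Name,Principal is IAM Admin,Principal Last Used,Active Credential Types
github-actions-prod,TRUE,2024-05-30,OAuth2 client secret
alice.smith,TRUE,2024-06-01,
incident-2023-test,TRUE,2023-11-02,password
terraform-cloud,TRUE,,certificate key
bob.jones,FALSE,2024-06-02,
"""
REVIEW_DATE = datetime(2024, 6, 3)  # constructed "today" for the sample data

def name_looks_expected(name):
    """True if any whole token of the name matches a delivery/admin/ops term."""
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    return bool(tokens & EXPECTED_TERMS)

def excess_reasons(row, now, stale_days=90):
    """Reasons this IAM admin row is 'excess' per the kata; [] if it is not."""
    if row[IS_ADMIN_COL].strip().upper() != "TRUE":  # the spreadsheet filter step
        return []
    reasons = []
    last = row[LAST_USED_COL].strip()
    if not last:  # never used: treated as older than the threshold (assumption)
        reasons.append("never used")
    elif now - datetime.fromisoformat(last) > timedelta(days=stale_days):
        reasons.append(f"last used more than {stale_days} days ago")
    if not name_looks_expected(row[NAME_COL]):
        reasons.append("name does not indicate admin/delivery/operations role")
    return reasons

def review_iam_admins(csv_text, now=REVIEW_DATE):
    """Map principal name -> reasons for every excess IAM admin in the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[NAME_COL]: r for row in reader if (r := excess_reasons(row, now))}

if __name__ == "__main__":
    for name, why in review_iam_admins(SAMPLE_CSV).items():
        print(f"{name}: {'; '.join(why)}")
```

Each flagged principal still needs the human judgement in the review questions; the script only shortlists rows for that review.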